Patch: System keytab usage improvements

Rakesh Patel rapatel at optonline.net
Sat Jun 12 00:00:44 GMT 2004


James, Garrick wrote:

>>>>Does anyone know whether Samba changes its machine account password
>>>>periodically when in ADS mode?  How often?  Can the frequency be
>>>>tuned in smb.conf?  Dan, does your patch change any of this
>>>>behavior?
>>>
>>>I'll check this out in the code, although my guess would be it changes
>>>it on the same time frequency that it does for an RPC password change.
>>
>>Currently, we don't.  Only way to change it is with a cron
>>based 'net ads changetrustpw' command.
>
>That's what our plan was if Samba didn't do it by itself already--we
>just didn't want to be doing it in cron if Samba was already doing it.
>Thanks for the information.

Just one reminder - besides ensuring that you update the keytab whenever
doing the "net ads changetrustpw", you might want to make sure to update
any credentials cache that you use for system purposes. It only applies for
cache files that contain the TGT for the host principal/key of course.

[I use one for nss_ldap/nscd, though I just realized it will not need a
refresh since I am not obtaining the TGT for it - just an LDAP service key
for the AD server, as I need to make it readable for all processes and
therefore do not want a TGT in it for security reasons.]


>>>Thanks a *LOT* for this work. It is *much* appreciated !
>>
>>Strongly seconded,
>
>A resounding third round of appreciation to Dan and the others who
>developed this patch (all I did was some testing).  I think it is
>crucial functionality for Samba to be able to co-exist with other
>kerberos based tools on the system.  Thank you, thank you, thank you!
>
>-Garrick James
Thanks to the Samba team for all their ongoing efforts!

Rakesh Patel.
