Some notes on "Implement 'update keytab' for winbind and tools"
Andrew Bartlett
abartlet at samba.org
Fri Dec 22 04:21:15 UTC 2023
Hi Pavel,
For some reason this felt better as a mailing list post than just a MR
update.
I'm really sorry to give a chunky bit of feedback right as I go on
leave, I'm sure it is quite frustrating and you will probably want some
clarification.
Sadly I hadn't been paying attention to
https://gitlab.com/samba-team/samba/-/merge_requests/1999
As Christmas is next week, I'll be stepping away from Samba mail and
GitLab.
I do trust metze to continue to give you good feedback if you want to
push this through while I've stepped away - please don't write me down
as blocking this - but I'm also keen to try and help get a good 'update
keytab for other things' solution for all of Samba, using our keys or
gMSA keys.
For others not yet paying attention, Samba will soon have client and
server support for "Group Managed Service Accounts", which are extra
"service" accounts for a server, with auto-rotating passwords,
disclosed only to the main machine account. No more long-term secrets
for the DB that were not so random on the sysadmin's keyboard!
They are perfect for this use case (IMAP or SSH server on a member
server), because they provide cryptographic isolation with each other.
I've started with extending "samba-tool domain exportkeytab", as that
is what I know and it fitted in with the pattern, but that might not
be the only/best way (too dependent on the AD DC for one).
https://gitlab.com/samba-team/samba/-/merge_requests/3454
I'll be back after a good summer break, if you have the time to wait,
or are still able to continue more work after taking the most painful
edges off the current situation.
Merry Christmas and have a Happy New Year,
Andrew Bartlett
--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead https://catalyst.net.nz/services/samba
Catalyst.Net Ltd
Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group
company
Samba Development and Support: https://catalyst.net.nz/services/samba
Catalyst IT - Expert Open Source Solutions