On Sun, Mar 02, 2003 at 01:44:22AM +0100, Love wrote:
> >> - Using a keytab file would solve the problem below. Using /etc/krb5.keytab
> >> is a bad idea, how about an own keytab for samba? Doing hoops of strace stuff
> >> seems, well, strange.
> > Why is using /etc/krb5.keytab a bad idea? The only reason I've ever seen
> > for using separate keytabs is if you want different services to run in
> > separate security contexts. Samba has to run as root, so
> > /etc/krb5.keytab seems appropriate to me (as much as any keytab is
> > appropriate -- there seem to still be some issues with using the keytab
> > at all).
> What is it that limits samba to root? When I use samba with afs, being root
> will certainly not help samba access files, what else does samba need?

While you wouldn't need to be root to gain access to a user's AFS-based
files, uid-based access control is at the core of Samba's current
implementation. Using an alternative keytab is only a benefit if this
changes.

> This is not what I feel is the important part of my mail. And the only
> reason why I did the comment was that the comment in the samba code that
> did hoops to store the key in the auth context instead of just using a
> keytab.

Well, it's the part I felt I could comment on, since I don't know the Samba
Kerberos code all that well. :)

It is my understanding that the key is being stored in the secrets file
instead of in a keytab because Samba also needs to have the plaintext
password for salting, so until this is addressed, storing the keys in a
keytab would only serve to confuse admins familiar with traditional Unix
keytab handling. Or has this been addressed when I wasn't looking?

-- 
Steve Langasek
postmodern programmer
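As an added example (not part of this thread, and not Samba's or any Kerberos implementation's own code), here is the PBKDF2 stage of the RFC 3962 AES string-to-key function. It shows why a Kerberos key is bound to the salt it was derived with: a keytab holds only the derived bytes, so without the plaintext password there is no way to produce the key for a different salt, which is the constraint the message above describes. The realm and principal names are constructed; the final DK() step of RFC 3962 is omitted.

```python
import hashlib
from typing import Sequence

# RFC 3962 string-to-key for the AES enctypes starts with PBKDF2-HMAC-SHA1
# over the password and a salt. The default Kerberos 5 salt is the realm
# name followed by the principal's name components with no separators.
# The final enctype key additionally passes through DK() with the constant
# "kerberos" (RFC 3962 section 4); that step is not implemented here.
DEFAULT_ITERATIONS = 4096  # default iteration count from RFC 3962


def default_salt(realm: str, components: Sequence[str]) -> str:
    """Default Kerberos 5 salt: realm + name components, no separators."""
    return realm + "".join(components)


def pbkdf2_string_to_key(password: str, salt: str, key_bytes: int = 16,
                         iterations: int = DEFAULT_ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA1 stage of RFC 3962; key_bytes is 16 (AES128) or 32."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               salt.encode("utf-8"), iterations, key_bytes)


def keys_for_service(password: str, realm: str, hostname: str,
                     services: Sequence[str]) -> dict:
    """Derive one salted key per service principal sharing a password.

    Every entry differs even though the password is identical, because the
    principal name is part of the salt. A keytab stores only these derived
    bytes; adding a new service principal later needs the password again.
    """
    return {
        f"{svc}/{hostname}@{realm}":
            pbkdf2_string_to_key(password, default_salt(realm, [svc, hostname]))
        for svc in services
    }


if __name__ == "__main__":
    # Constructed sample principals for a hypothetical file server.
    keys = keys_for_service("machine-pw", "EXAMPLE.COM", "fs.example.com",
                            ["cifs", "host"])
    for princ, key in keys.items():
        print(f"{princ}: {key.hex()}")
```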