On Sat, 2003-03-22 at 06:15, Matt Peterson wrote:
> Hi,
>
> In situations where people are operating in a "kerberized" environment where
> Win2k is the KDC, machine objects will have already been created for machines
> that are participating in the kerberos realm.
>
> Am I wrong in thinking that there is an interoperability problem with the
> current "net" utility implementation? It appears as though the "net ads
> join" and "net ads chostpass" commands operate without regard to the fact
> that there may be other applications that rely on keytab files with host
> principals and passwords that have already been set.
>
> Indeed, this is the case for installations where Win2k kerberos interop is
> already being used. When trying to configure Samba 3.0 in these
> environments, "net ads join" and "net ads chostpass" will happily change the
> machine account password without allowing any way for keytab based
> applications to update their keytab with the new host principal password.
Yes. This is a problem. In the past I have favored a 'krb5 keytab write'
option that would write our password out into the standard keytab, but there
were good reasons not to. The problem is, I can't remember what they were.
Mostly 'if somebody changed our password under us' stuff.

> Samba could allow for a much greater degree of interoperability with other
> kerberized applications if there were some way of getting and setting the
> machine account password in the secrets.tdb. This way host principal
> passwords in external keytab files could be synchronized with the password
> being used by samba from the secrets.tdb.
>
> Perhaps this is an overly simplistic approach, but it is possible that many
> potential interoperability conflicts could be solved by providing "net
> getmachinepw" and "net setmachinepw" commands. Since the machine account
> password is stored in clear text already, these new commands would be very
> easy to add.

Patches welcome, the last 2 we should have, no matter the long term solution.

Andrew Bartlett

--
Andrew Bartlett                                 [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org     http://build.samba.org     http://hawkerc.net