The Samba-Bugzilla – Bug 1409
Samba does not use the system keytab
Last modified: 2005-08-24 10:20:33 UTC
Samba 3.0.x does not store the kerberos keytab entries in the default file
system keytab, making it impossible for other services on the system (i.e.
openssh, openldap, ksu, etc) to function. In the URL field above I've
specified a link to a patch that I've been working on that fixes this issue.
The patch will not modify the existing internals of smbd or net, but will
supplement those binaries by making them write out a keytab when doing things
like joining a machine to a domain. In addition, the patch will change smbd
to try to verify a kerberos message in addition to doing the routines that were
previously in kerberos_verify(). The reason for this change is that with a
file based keytab, samba can store both the current kvno entries and the
previous kvno entries. This is useful because if a machine's password is
changed, the clients that have existing kerberos session keys will be unable to
connect until those session keys time out or the client reboots. Keeping the
old entries in the keytab is what Microsoft does to avoid this problem.
Again, this behavior is implemented in a way so the smbd process will try to
use the system keytab, and if that fails, it will run the previous kerberos
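A small model of the kvno argument above, added here as an illustration and not Samba's code or the patch: a keytab that holds both the current and the previous kvno entry still verifies tickets sealed before the machine password change, while a keytab that drops the old entry rejects them. The principal name, the keys and the HMAC "seal" are constructed stand-ins for real Kerberos ticket encryption.

```python
import hashlib
import hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class KeytabEntry:
    principal: str
    kvno: int
    key: bytes

@dataclass(frozen=True)
class Ticket:
    principal: str
    kvno: int
    body: bytes
    mac: bytes
def derive_key(principal, kvno):
    # Constructed stand-in for the long-term key of principal at this kvno (not real string2key)
    return hashlib.sha256(f"{principal}:{kvno}".encode()).digest()

def issue_ticket(principal, kvno, body):
    # The KDC seals the ticket with the service key it holds at issue time (HMAC models encryption)
    mac = hmac.new(derive_key(principal, kvno), body, hashlib.sha256).digest()
    return Ticket(principal, kvno, body, mac)

def verify_ticket(keytab, ticket):
    # smbd picks the keytab entry matching the ticket's principal *and* kvno
    for entry in keytab:
        if entry.principal == ticket.principal and entry.kvno == ticket.kvno:
            expected = hmac.new(entry.key, ticket.body, hashlib.sha256).digest()
            return hmac.compare_digest(expected, ticket.mac)
    return False  # no entry for that kvno: the key the ticket was sealed with is gone

def rotate_key(keytab, principal, new_kvno, keep_previous):
    # Machine password change: add the new kvno entry, optionally keeping the old one(s)
    new_entry = KeytabEntry(principal, new_kvno, derive_key(principal, new_kvno))
    if keep_previous:
        return keytab + [new_entry]
    return [e for e in keytab if e.principal != principal] + [new_entry]

def demo():
    host = "host/fs1.example.com@EXAMPLE.COM"  # constructed principal name
    keytab = [KeytabEntry(host, 3, derive_key(host, 3))]
    old_ticket = issue_ticket(host, 3, b"session-1")  # client got this before the change
    kept = rotate_key(keytab, host, 4, keep_previous=True)
    dropped = rotate_key(keytab, host, 4, keep_previous=False)
    new_ticket = issue_ticket(host, 4, b"session-2")
    return {"old_kept": verify_ticket(kept, old_ticket), "old_dropped": verify_ticket(dropped, old_ticket),
            "new_kept": verify_ticket(kept, new_ticket), "new_dropped": verify_ticket(dropped, new_ticket)}
```

The "old_dropped" case is the client that cannot connect until its session key expires or it reboots; the "old_kept" case is what retaining the previous kvno entry buys.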
I've updated the URL of the keytab patch to reflect some minor changes that
I've made in the past few days - see the samba technical list for details.
This was included in 3.0.6
originally against 3.0.5pre1 (which became 3.0.6pre1 due to security release)
sorry for the same, cleaning up the database to prevent unnecessary reopens of bugs.