Bug 1409 - Samba does not use the system keytab
Summary: Samba does not use the system keytab
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: net utility
Version: 3.0.5
Hardware: All All
Importance: P3 normal
Target Milestone: none
Assignee: Jeremy Allison
QA Contact: Quality Assurance Contact
URL: http://www.pppl.gov/~dperry/patches/k...
Depends on:
Reported: 2004-05-29 13:28 UTC by Dan Perry
Modified: 2005-08-24 10:20 UTC (History)

See Also:


Description Dan Perry 2004-05-29 13:28:50 UTC
Samba 3.0.x does not store the Kerberos keytab entries in the default file system keytab, making it impossible for other services on the system (i.e. openssh, openldap, ksu, etc) to function. In the URL field above I've specified a link to a patch that I've been working on that fixes this issue.

The patch will not modify the existing internals of smbd or net, but will supplement those binaries by making them write out a keytab when doing things like joining a machine to a domain. In addition, the patch will change smbd to try to verify a Kerberos message in addition to doing the routines that were previously in kerberos_verify(). The reason for this change is that with a file based keytab, Samba can store both the current kvno entries and the previous kvno entries. This is useful because if a machine's password is changed, the clients that have existing Kerberos session keys will be unable to connect until those session keys time out or the client reboots. Keeping the old entries in the keytab is what Microsoft does to avoid this problem. Again, this behavior is implemented in a way so the smbd process will try to use the system keytab, and if that fails, it will run the previous Kerberos verification routine.
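The description above depends on the system keytab holding both the current and the previous kvno for each service principal, so that clients with older session keys keep working across a machine password change. The following shell snippet is an added example for checking that property on a host; it is not part of the bug report or of Dan Perry's patch. It parses the output format of MIT Kerberos `klist -ke` (the `SAMPLE_KLIST` text is constructed for the example; in use, pipe the real `klist -ke /etc/krb5.keytab` output into the functions) and reports, per principal, the lowest and highest kvno present and how many distinct kvnos the keytab holds.

```shell
#!/bin/sh
# Constructed sample of `klist -ke` output (MIT format). Not taken from the bug;
# on a real host run: klist -ke /etc/krb5.keytab | keytab_kvno_summary
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/fs1.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 host/fs1.example.com@EXAMPLE.COM (arcfour-hmac)
   4 host/fs1.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   4 host/fs1.example.com@EXAMPLE.COM (arcfour-hmac)
   4 FS1$@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 cifs/fs1.example.com@EXAMPLE.COM (arcfour-hmac)'

# keytab_kvno_summary: read `klist -ke` text on stdin and print one line per
# principal, in first-seen order:
#   <principal> <lowest_kvno> <highest_kvno> <distinct_kvno_count>
# Header, separator and blank lines are skipped because their first field is
# not a number.
keytab_kvno_summary() {
    awk '
        $1 ~ /^[0-9]+$/ && NF >= 2 {
            kvno = $1 + 0; p = $2
            if (!(p in seen)) {
                seen[p] = 1; lo[p] = kvno; hi[p] = kvno; order[++n] = p
            }
            if (kvno < lo[p]) lo[p] = kvno
            if (kvno > hi[p]) hi[p] = kvno
            # count each (principal, kvno) pair once, regardless of enctype
            if (!((p SUBSEP kvno) in distinct)) {
                distinct[p SUBSEP kvno] = 1; cnt[p]++
            }
        }
        END {
            for (i = 1; i <= n; i++) {
                p = order[i]; print p, lo[p], hi[p], cnt[p]
            }
        }
    '
}

# principals_lacking_previous_kvno: read `klist -ke` text on stdin and print
# the principals for which only a single kvno is present. After a machine
# password change these are the entries that would make clients holding
# older session keys fail until the key times out.
principals_lacking_previous_kvno() {
    keytab_kvno_summary | awk '$4 < 2 { print $1 }'
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_KLIST" | keytab_kvno_summary
printf '%s\n' "$SAMPLE_KLIST" | principals_lacking_previous_kvno
```

A principal with a single kvno is not necessarily wrong (its password may never have been rotated since the join), so treat the second list as a prompt to compare against the KDC's current kvno, not as an error by itself.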
Comment 1 Dan Perry 2004-06-02 18:21:33 UTC
I've updated the URL of the keytab patch to reflect some minor changes that I've made in the past few days - see the samba technical list for details.
Comment 2 Gerald (Jerry) Carter (dead mail address) 2004-10-25 11:03:50 UTC
This was included in 3.0.6
Comment 3 Gerald (Jerry) Carter (dead mail address) 2005-02-07 09:47:47 UTC
originally against 3.0.5pre1 (which became 3.0.6pre1 due to security release)
Comment 4 Gerald (Jerry) Carter (dead mail address) 2005-08-24 10:20:33 UTC
sorry for the same, cleaning up the database to prevent unnecessary reopens of bugs.