Bug 1409 - Samba does not use the system keytab
Status: CLOSED FIXED
Product: Samba 3.0
Classification: Unclassified
Component: net utility
Version: 3.0.5
Hardware: All All
Importance: P3 normal
Target Milestone: none
Assigned To: Jeremy Allison
Quality Assurance Contact:
URL: http://www.pppl.gov/~dperry/patches/k...
Depends on:
Blocks:

Reported: 2004-05-29 13:28 UTC by Dan Perry
Modified: 2005-08-24 10:20 UTC (History)

See Also:

Description Dan Perry 2004-05-29 13:28:50 UTC
Samba 3.0.x does not store the Kerberos keytab entries in the default file system keytab, making it impossible for other services on the system (i.e. openssh, openldap, ksu, etc.) to function. In the URL field above I've specified a link to a patch that I've been working on that fixes this issue.

The patch will not modify the existing internals of smbd or net, but will supplement those binaries by making them write out a keytab when doing things like joining a machine to a domain. In addition, the patch will change smbd to try to verify a Kerberos message in addition to doing the routines that were previously in kerberos_verify(). The reason for this change is that with a file-based keytab, Samba can store both the current kvno entries and the previous kvno entries. This is useful because if a machine's password is changed, the clients that have existing Kerberos session keys will be unable to connect until those session keys time out or the client reboots. Keeping the old entries in the keytab is what Microsoft does to avoid this problem. Again, this behavior is implemented in a way so the smbd process will try to use the system keytab, and if that fails, it will run the previous Kerberos verification routine.
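The mechanism described in the report (a file keytab that keeps the previous kvno entry next to the current one, with the verifier trying the matching kvno first) can be modelled in a few lines. The following is an added example written for this page; it is not code from the bug, from the linked patch, or from Samba itself. It writes and parses entries in the MIT keytab file format (version 0x0502), then shows that a ticket issued while kvno 2 was current still verifies after the machine password rolls to kvno 3 only if the kvno 2 entry is retained. Real Kerberos ticket decryption is replaced by an HMAC tag as a deliberate simplification, and the principal, keys, kvno values, timestamps and ticket bytes are constructed sample data.

```python
# Added example (not Samba's code): minimal MIT keytab (0x0502) writer/parser
# plus a kvno-aware key lookup. HMAC stands in for ticket decryption; all
# principal/key/ticket values are constructed sample data.
import hashlib
import hmac
import struct
from typing import List, NamedTuple, Optional, Tuple

KEYTAB_MAGIC = b"\x05\x02"   # MIT keytab file format, version 2
ENCTYPE_ARCFOUR_HMAC = 23    # enctype typical for AD machine accounts of that era

class KeytabEntry(NamedTuple):
    principal: str   # e.g. "host/fileserver.example.com@EXAMPLE.COM"
    kvno: int
    enctype: int
    key: bytes
    timestamp: int

def _counted(b: bytes) -> bytes:
    """16-bit big-endian length prefix followed by the bytes."""
    return struct.pack(">H", len(b)) + b

def _read_counted(data: bytes, pos: int) -> Tuple[bytes, int]:
    (n,) = struct.unpack_from(">H", data, pos)
    pos += 2
    return data[pos:pos + n], pos + n

def pack_entry(e: KeytabEntry) -> bytes:
    name, realm = e.principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _counted(realm.encode())
    for c in comps:
        body += _counted(c.encode())
    # name_type NT-PRINCIPAL (1), timestamp, 8-bit vno (low byte of the kvno)
    body += struct.pack(">IIB", 1, e.timestamp, e.kvno & 0xFF)
    body += struct.pack(">H", e.enctype) + _counted(e.key)
    body += struct.pack(">I", e.kvno)   # trailing 32-bit vno extension
    return struct.pack(">i", len(body)) + body

def write_keytab(entries: List[KeytabEntry]) -> bytes:
    return KEYTAB_MAGIC + b"".join(pack_entry(e) for e in entries)

def parse_keytab(data: bytes) -> List[KeytabEntry]:
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("unsupported keytab version")
    entries, pos = [], 2
    while pos < len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:           # negative size marks a deleted slot: skip it
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_counted(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_counted(data, pos)
            comps.append(c.decode())
        _name_type, ts, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        (enctype,) = struct.unpack_from(">H", data, pos)
        pos += 2
        key, pos = _read_counted(data, pos)
        kvno = vno8
        if end - pos >= 4:     # 32-bit vno present: it overrides the 8-bit one
            (kvno,) = struct.unpack_from(">I", data, pos)
        pos = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(),
                                   kvno, enctype, key, ts))
    return entries

def candidate_keys(entries, principal, kvno: Optional[int]) -> List[KeytabEntry]:
    """Keys to try for a ticket naming `principal`: the entry matching the
    ticket's kvno first, then the others newest-first (covers a missing kvno)."""
    mine = [e for e in entries if e.principal == principal]
    exact = [e for e in mine if e.kvno == kvno]
    rest = sorted((e for e in mine if e.kvno != kvno), key=lambda e: -e.kvno)
    return exact + rest

def make_tag(key: bytes, ticket: bytes) -> bytes:
    """Stand-in for encrypting the ticket under the service key."""
    return hmac.new(key, ticket, hashlib.sha256).digest()

def verify_ticket(entries, principal, kvno, ticket, tag) -> Optional[int]:
    """Return the kvno whose key verifies the ticket, or None if no key does."""
    for e in candidate_keys(entries, principal, kvno):
        if hmac.compare_digest(make_tag(e.key, ticket), tag):
            return e.kvno
    return None

def demo() -> Tuple[Optional[int], Optional[int]]:
    princ = "host/fileserver.example.com@EXAMPLE.COM"
    old = KeytabEntry(princ, 2, ENCTYPE_ARCFOUR_HMAC, b"\x11" * 16, 1085836800)
    new = KeytabEntry(princ, 3, ENCTYPE_ARCFOUR_HMAC, b"\x22" * 16, 1086000000)
    ticket = b"constructed-ticket-issued-while-kvno-2-was-current"
    tag = make_tag(old.key, ticket)
    kept = parse_keytab(write_keytab([old, new]))   # old entry retained after rollover
    dropped = parse_keytab(write_keytab([new]))     # old entry discarded on rollover
    return (verify_ticket(kept, princ, 2, ticket, tag),
            verify_ticket(dropped, princ, 2, ticket, tag))

if __name__ == "__main__":
    print(demo())   # (2, None)
```

Running the module prints (2, None): with both entries present the kvno 2 ticket verifies, while a keytab that only holds kvno 3 rejects it, which is exactly the client lockout after a password change that the report describes. The 32-bit vno suffix is read only when bytes remain after the key, matching how MIT and Heimdal tolerate entries written without it.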
Comment 1 Dan Perry 2004-06-02 18:21:33 UTC
I've updated the URL of the keytab patch to reflect some minor changes that I've made in the past few days - see the Samba technical list for details.
Comment 2 Gerald (Jerry) Carter 2004-10-25 11:03:50 UTC
This was included in 3.0.6
Comment 3 Gerald (Jerry) Carter 2005-02-07 09:47:47 UTC
Originally against 3.0.5pre1 (which became 3.0.6pre1 due to security release).
Comment 4 Gerald (Jerry) Carter 2005-08-24 10:20:33 UTC
Sorry for the spam, cleaning up the database to prevent unnecessary reopens of bugs.