We currently have a large Kerberos infrastructure in place. As part of
this we have Kerberized SSH in place. We have created a tool to create
computer type accounts in Active Directory. We set the userPrincipalName
to host/HOSTNAME@REALM and the servicePrincipalName to host/HOSTNAME.
(This seems to function much like the "net ads join" command.) We then
set the password for the computer and write out a Kerberos keytab file
to /etc/krb5.keytab to allow Kerberos authentication with SSH.

The "net ads join" command doesn't seem to create a keytab, but rather
creates the secrets.tdb file which appears to store the password used to
create the computer account.

This leads me to my two questions:

1- Would it be possible to modify Samba to use a stored keytab
instead of the secrets.tdb file? Does the Samba server actually need
the password, or would a Kerberos keytab with the key be sufficient?
2- Would I be able to grab the password out of the secrets.tdb file
and create a keytab file? My main concern here is: does the password
change often?

Daniel Wachdorf
Sandia National Laboratories
Cyber Security Technologies
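The second question hinges on one fact: a keytab entry for an AES enctype is a deterministic function of the account password, a salt, and the enctype (RFC 3962 string-to-key), so whoever holds the password can produce the same key the DC holds, provided the salt is right and the key version number (kvno) in the keytab matches the DC's. The following Go program is an added example written for this post; it is not Samba code and not part of the original message. It derives an aes256-cts-hmac-sha1-96 key from a password using only the Go standard library (PBKDF2-HMAC-SHA1 implemented inline, then the DK step with AES). The salt rule it applies for computer accounts is the one MS-KILE section 3.1.1.2 documents (upper-case realm, "host", lower-case account name without the trailing "$", ".", lower-case realm); it is an assumption that the account in question follows that rule, since a differently populated userPrincipalName can change which salt the DC uses, so the derived key should be checked against a ticket the DC actually accepts before relying on it. The realm, account name, password and 4096-iteration count shown in main are constructed sample values, not values from the post.

```go
package main

import (
	"crypto/aes"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"strings"
)

// pbkdf2SHA1 implements PBKDF2 with HMAC-SHA1 (RFC 2898 section 5.2), the
// KDF that RFC 3962 uses for the AES Kerberos enctypes. Written by hand so
// the example depends only on the standard library.
func pbkdf2SHA1(password, salt []byte, iter, keyLen int) []byte {
	prf := hmac.New(sha1.New, password)
	hLen := prf.Size()
	out := make([]byte, 0, keyLen+hLen)
	for block := 1; len(out) < keyLen; block++ {
		// U_1 = PRF(P, S || INT(block)), big-endian block index
		prf.Reset()
		prf.Write(salt)
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], uint32(block))
		prf.Write(idx[:])
		u := prf.Sum(nil)
		t := make([]byte, hLen)
		copy(t, u)
		// U_j = PRF(P, U_{j-1}); T = U_1 xor U_2 xor ... xor U_iter
		for i := 1; i < iter; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// nfold128Kerberos is 128-fold("kerberos") from RFC 3961 Appendix A.
// DK() n-folds the constant "kerberos" to the 128-bit AES block size.
var nfold128Kerberos = []byte{
	0x6b, 0x65, 0x72, 0x62, 0x65, 0x72, 0x6f, 0x73,
	0x7b, 0x9b, 0x5b, 0x2b, 0x93, 0x13, 0x2b, 0x93,
}

// aesStringToKey derives an AES Kerberos key (RFC 3962 section 4):
// tkey = PBKDF2(password, salt); key = DK(tkey, "kerberos").
// keyLen is 16 for aes128-cts-hmac-sha1-96 or 32 for aes256-cts-hmac-sha1-96.
func aesStringToKey(password, salt string, iter, keyLen int) ([]byte, error) {
	tkey := pbkdf2SHA1([]byte(password), []byte(salt), iter, keyLen)
	c, err := aes.NewCipher(tkey)
	if err != nil {
		return nil, err
	}
	// DR(): K1 = E(tkey, nfold), K2 = E(tkey, K1), ... until keyLen bytes.
	// For a single 16-byte block, CBC-CTS with a zero IV is one ECB block.
	key := make([]byte, 0, keyLen)
	prev := nfold128Kerberos
	for len(key) < keyLen {
		block := make([]byte, 16)
		c.Encrypt(block, prev)
		key = append(key, block...)
		prev = block
	}
	return key[:keyLen], nil
}

// adComputerSalt builds the salt MS-KILE 3.1.1.2 specifies for a computer
// account's AES keys: REALM (upper case) + "host" + account name (lower
// case, trailing "$" stripped) + "." + realm (lower case).
func adComputerSalt(realm, samAccountName string) string {
	host := strings.ToLower(strings.TrimSuffix(samAccountName, "$"))
	return strings.ToUpper(realm) + "host" + host + "." + strings.ToLower(realm)
}

func main() {
	// Constructed sample values, not taken from the post. In practice the
	// password would be the machine password from secrets.tdb and the kvno
	// would be read from the account's msDS-KeyVersionNumber attribute.
	realm, account := "EXAMPLE.COM", "FILESERVER01$"
	password := "constructed-machine-password"
	salt := adComputerSalt(realm, account)
	key, err := aesStringToKey(password, salt, 4096, 32) // AD uses 4096 iterations
	if err != nil {
		panic(err)
	}
	fmt.Printf("salt:        %s\n", salt)
	fmt.Printf("aes256 key:  %s\n", hex.EncodeToString(key))
	fmt.Println("every machine password change yields a new key and bumps kvno;")
	fmt.Println("a keytab written from the old password stops working at that point")
}
```

The practical consequence for the poster's concern about password changes: the keytab is only as current as the password it was derived from, and each rotation of the machine password produces a different key under a new kvno, so a keytab generated once from secrets.tdb must be regenerated (or the rotation disabled in Samba) whenever the password changes.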