
Should krbtgt be in a keytab, rather than hdb?

I'm working on Samba4's KDC, and it occurs to me that when the KDC is
receiving a TGS-REQ, it should be checking the incoming packet against a
keytab, rather than hdb.

It seems that the receipt of the TGS-REQ is much more like an
application server than the issuing of tickets.  

In particular, I was thinking about the issue of key changes.  With a
keytab, both kvno and kvno-1 can be stored, allowing the krbtgt and more
importantly the inter-realm trust keys to be changed.  

I don't fully understand how inter-realm trusts work, but I think this
would also allow different keys in each direction, something that I
think Microsoft does.

Andrew Bartlett 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
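
An added example, not part of the original message and not Samba or Heimdal code: a small model of the key-change point raised above, comparing a store that keeps only the current krbtgt key with one that also keeps kvno-1. The `KeyStore` and `Ticket` names, the realm, and the HMAC used as a stand-in for decrypting the ticket are all assumptions made for illustration.

```python
import hashlib
import hmac
import os
from typing import NamedTuple

class Ticket(NamedTuple):
    sname: str   # principal whose key protects the ticket
    kvno: int    # key version in use when the ticket was issued
    body: bytes
    mac: bytes   # HMAC stands in for the encrypted part (assumption)

def seal(sname, kvno, key, body):
    return Ticket(sname, kvno, body, hmac.new(key, body, hashlib.sha256).digest())

class KeyStore:
    """Hypothetical key store indexed by (principal, kvno)."""
    def __init__(self, keep_previous):
        self.keep_previous = keep_previous
        self.keys = {}
        self.current = {}

    def rotate(self, principal, new_key):
        kvno = self.current.get(principal, 0) + 1
        oldest = kvno - 1 if self.keep_previous else kvno
        self.keys = {(p, v): k for (p, v), k in self.keys.items()
                     if p != principal or v >= oldest}
        self.keys[(principal, kvno)] = new_key
        self.current[principal] = kvno
        return kvno

    def verify(self, ticket):
        key = self.keys.get((ticket.sname, ticket.kvno))
        if key is None:
            return False  # no key for that kvno: the request is rejected
        expected = hmac.new(key, ticket.body, hashlib.sha256).digest()
        return hmac.compare_digest(expected, ticket.mac)

def demo():
    tgs = "krbtgt/EXAMPLE.TEST@EXAMPLE.TEST"  # constructed realm
    results = {}
    for label, keep in (("current-only", False), ("kvno-and-kvno-1", True)):
        store = KeyStore(keep)
        key1 = os.urandom(32)
        tgt = seal(tgs, store.rotate(tgs, key1), key1, b"constructed TGT")
        outcome = [store.verify(tgt)]          # before any key change
        for _ in range(2):                     # after one, then two changes
            store.rotate(tgs, os.urandom(32))
            outcome.append(store.verify(tgt))
        results[label] = tuple(outcome)
    return results
```

In this model the ticket issued under kvno 1 still verifies after one key change only in the store that keeps kvno-1, and it fails in both stores after a second change.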
