From: "Christopher D. Clausen"
To:
Subject: REQ: in-registry keytab support
Date: Mon, 15 Oct 2007 19:53:12 -0500
X-Beenthere: kfw-bugs@mit.edu
List-ID: public entry point for KfW RT queue

Hello wonderful Kerberos people,

I'd like to request a new format/support for keytabs to be stored in the Windows Registry. This would enable me to use Group Policy to push specific registry keys (and therefore keytabs) to groups of machines that need to share a specific key, either a cluster of machines serving web pages (HTTP/clustername) or some similar function.

It will also allow me to push a dummy keytab simply to validate that the KDC itself isn't being spoofed or perhaps for some type of authenticated DNS or LDAP look-ups that need to be performed by the SYSTEM account.

In some instances, admins may want to use Group Policy to permanently assign a keytab to a group of machines in this way. If the machine ever gets reinstalled, the keytab will be automatically re-applied to the machine via Group Policy once the computer is joined to the domain. This would completely eliminate the need to keep track of versions and distribution of actual keytab files in addition to allowing the keytab for an entire cluster of machines to be changed all at once. No older versions around messing things up.
I believe that OpenAFS for Windows will soon have support for authenticated anonymous access to a cell, and this same procedure can be used to distribute a keytab that the OpenAFS client could use for anonymous authentication. Having all anonymous connections authenticated allows for encryption and the ability to get rid of IP-based ACLs. This is very useful for things like software distribution using GPO or other methods that require the SYSTEM account to read data out of AFS.
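As an added illustration of what a registry-backed keytab would have to store and read back (example code written for this page, not from the request or from KfW): a Python round trip through the MIT v2 keytab byte layout, which is the same byte string a registry value would hold regardless of where it lives. The HTTP/clustername entry, the EXAMPLE.COM realm and the key bytes are constructed sample values, and the parser also skips the negative-size slots that a deleted entry leaves behind.

```python
import struct
KEYTAB_VERSION = 0x0502  # MIT/Heimdal keytab v2: every integer is big-endian
SAMPLE_ENTRIES = [{"principal": "HTTP/clustername", "realm": "EXAMPLE.COM", "kvno": 3,
                   "enctype": 18, "key": bytes(range(32)), "timestamp": 1192492392}]  # constructed, not a real key

def _cstr(b):  # counted_octet_string: uint16 length, then the bytes
    return struct.pack(">H", len(b)) + b

def encode_entry(principal, realm, kvno, enctype, key, timestamp):
    """Serialize one entry; principal is 'service/instance', e.g. HTTP/clustername."""
    comps = [c.encode() for c in principal.split("/")]
    body = struct.pack(">H", len(comps)) + _cstr(realm.encode())
    body += b"".join(_cstr(c) for c in comps)
    body += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)  # name_type 1 = KRB5_NT_PRINCIPAL
    body += struct.pack(">H", enctype) + _cstr(key)
    body += struct.pack(">I", kvno)             # 32-bit kvno extension (kvno may exceed 255)
    return struct.pack(">i", len(body)) + body  # size prefix excludes itself

def build_keytab(entries):
    return struct.pack(">H", KEYTAB_VERSION) + b"".join(encode_entry(**e) for e in entries)

def parse_keytab(data):
    """Parse a v2 keytab into dicts; deleted slots (negative size) are skipped."""
    pos, entries = 0, []
    def rd(fmt):  # unpack at the cursor and advance it
        nonlocal pos
        vals = struct.unpack_from(fmt, data, pos)
        pos += struct.calcsize(fmt)
        return vals
    def cstr():  # counted_octet_string reader
        return rd(">%ds" % rd(">H")[0])[0]
    if rd(">H")[0] != KEYTAB_VERSION:
        raise ValueError("unsupported keytab version")
    while pos + 4 <= len(data):
        (size,) = rd(">i")
        if size < 0:              # unused slot left behind by a deletion
            pos -= size
            continue
        end = pos + size
        (ncomp,) = rd(">H")
        realm = cstr().decode()
        comps = [cstr().decode() for _ in range(ncomp)]
        _name_type, timestamp, vno8 = rd(">IIB")
        (enctype,) = rd(">H")
        key = cstr()
        kvno = (rd(">I")[0] or vno8) if end - pos >= 4 else vno8  # 32-bit kvno wins if nonzero
        pos = end
        entries.append({"principal": "/".join(comps), "realm": realm, "kvno": kvno,
                        "enctype": enctype, "key": key, "timestamp": timestamp})
    return entries
```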