From: "Christopher D. Clausen" <cclausen@acm.org>
To: <kfw-bugs@mit.edu>
Subject: REQ: in-registry keytab support
Date: Mon, 15 Oct 2007 19:53:12 -0500
Hello wonderful Kerberos people,
I'd like to request a new format/support for keytabs to be stored in the
Windows Registry. This would enable me to use Group Policy to push
specific registry keys (and therefore keytabs) to groups of machines
that need to share a specific key, either a cluster of machines serving
web pages (HTTP/clustername) or some similar function. It will also
allow me to push a dummy keytab simply to validate that the KDC itself
isn't being spoofed or perhaps for some type of authenticated DNS or
LDAP look-ups that need to be performed by the SYSTEM account.
In some instances, admins may want to use Group Policy to permanently
assign a keytab to a group of machines in this way. If the machine ever
gets reinstalled, the keytab will be automatically re-applied to the
machine via Group Policy once the computer is joined to the domain.
This would completely eliminate the need to keep track of versions and
distribution of actual keytab files in addition to allowing the keytab
for an entire cluster of machines to be changed all at once. No older
versions around messing things up.
I believe that OpenAFS for Windows will soon have support for
authenticated anonymous access to a cell and this same procedure can be
used to distribute a keytab that the OpenAFS client could use for
anonymous authentication. Having all anonymous connections
authenticated allows for encryption and the ability to get rid of
IP-based ACLs. This is very useful for things like software
distribution using GPO or other methods that require the SYSTEM account
to read data out of AFS.
<<CDC
--
Christopher D. Clausen
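The request above is to carry a keytab as a registry value so Group Policy can push it, and to have "no older versions around". The following is an added example, not code from the message or from MIT Kerberos for Windows: it parses and builds the MIT keytab v2 binary format, flags principals that still carry more than one key version, and renders the blob as a REG_BINARY value in a .reg file of the kind a Group Policy registry preference could distribute. The key path HKEY_LOCAL_MACHINE\SOFTWARE\Example\Kerberos and the value name Keytab are assumptions for illustration, not a location KfW is known to read; the sample entries and key bytes are constructed dummies.

```python
"""Added example: parse/build MIT keytab v2 blobs and emit them as a REG_BINARY .reg value.

Keytab v2 layout (big-endian): 0x05 0x02, then repeated [int32 size][entry]:
  uint16 component count, counted realm, counted components, uint32 name type,
  uint32 timestamp, uint8 vno8, uint16 enctype, counted key, optional uint32 vno.
A negative size marks a deleted slot of that many bytes.
"""
import struct
from dataclasses import dataclass
from typing import Dict, List

KRB5_NT_PRINCIPAL = 1

@dataclass
class KeytabEntry:
    principal: str      # "service/host@REALM"
    kvno: int
    enctype: int        # 17 = aes128-cts-hmac-sha1-96, 18 = aes256-cts-hmac-sha1-96
    timestamp: int
    key: bytes

def _counted(buf: bytes, off: int):
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    return buf[off:off + n], off + n

def parse_keytab(data: bytes) -> List[KeytabEntry]:
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 MIT keytab")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                      # deleted slot: skip the hole
            off += -size
            continue
        body, p = data[off:off + size], 0
        (ncomp,) = struct.unpack_from(">H", body, p); p += 2
        realm, p = _counted(body, p)
        comps = []
        for _ in range(ncomp):
            c, p = _counted(body, p)
            comps.append(c.decode())
        name_type, ts, vno8 = struct.unpack_from(">IIB", body, p); p += 9
        (enctype,) = struct.unpack_from(">H", body, p); p += 2
        key, p = _counted(body, p)
        kvno = vno8
        if p + 4 <= len(body):            # 32-bit kvno present after the key
            (kvno,) = struct.unpack_from(">I", body, p)
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(), kvno, enctype, ts, key))
        off += size
    return entries

def build_keytab(entries: List[KeytabEntry]) -> bytes:
    out = bytearray(b"\x05\x02")
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, e.timestamp, e.kvno & 0xFF)
        body += struct.pack(">H", e.enctype)
        body += struct.pack(">H", len(e.key)) + e.key
        body += struct.pack(">I", e.kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)

def stale_kvnos(entries: List[KeytabEntry]) -> Dict[str, List[int]]:
    """Principals that still carry more than one key version ("older versions around")."""
    seen: Dict[str, set] = {}
    for e in entries:
        seen.setdefault(e.principal, set()).add(e.kvno)
    return {p: sorted(v) for p, v in seen.items() if len(v) > 1}

def to_reg_file(keytab: bytes, key_path: str, value_name: str) -> str:
    """Render the blob as a REG_BINARY value; regedit-style 25-bytes-per-line continuation."""
    hx = [f"{b:02x}" for b in keytab]
    lines = [",".join(hx[i:i + 25]) for i in range(0, len(hx), 25)]
    value = ",\\\r\n  ".join(lines)
    return ("Windows Registry Editor Version 5.00\r\n\r\n"
            f"[{key_path}]\r\n"
            f'"{value_name}"=hex:{value}\r\n')

# Constructed sample: a cluster HTTP key rotated to kvno 3 with the old kvno 2 left behind.
SAMPLE_ENTRIES = [
    KeytabEntry("HTTP/cluster.example.com@EXAMPLE.COM", 3, 18, 1192481592, bytes(range(32))),
    KeytabEntry("HTTP/cluster.example.com@EXAMPLE.COM", 2, 18, 1190000000, bytes(range(32, 64))),
    KeytabEntry("host/node1.example.com@EXAMPLE.COM", 5, 17, 1192481592, bytes(range(16))),
]

if __name__ == "__main__":
    blob = build_keytab(SAMPLE_ENTRIES)
    for e in parse_keytab(blob):
        print(f"{e.principal}  kvno={e.kvno}  enctype={e.enctype}")
    print("stale:", stale_kvnos(parse_keytab(blob)))
    # Assumed path/value name; not a location MIT KfW is known to read.
    print(to_reg_file(blob, r"HKEY_LOCAL_MACHINE\SOFTWARE\Example\Kerberos", "Keytab"))
```

The practical caveat for the scheme in the message: a keytab holds the service's long-term key, and a GPO's files in SYSVOL are readable by Authenticated Users by default, so a keytab pushed this way must be carried by a GPO whose ACL is restricted to the target machines, and the registry key it lands in needs an ACL that admits only SYSTEM and Administrators; the stale-kvno check above is the sanity test to run before each push.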