Hi, In situations where people are operating in a "kerberized" environment where Win2k is the KDC, machine objects will have already been created for machines that are participating in the kerberos realm.
Am I wrong in thinking that there is an interoperability problem with the current "net" utility implementation? It appears as though the "net ads join", and net ads chostpass" commands operate with out regard to the fact that there may be other applications that rely on keytab files with host principals and passwords that have already been set. Indeed, this is the case for installations where Win2k kerberos interop is already being used. When trying to configure Samba 3.0 in these environments, "net ads join", and net ads chostpass" will happily change the machine account password with out allowing any way for keytab based applications to update their keytab with tne new host principal password. Samba could allow for a much greater degree of interopablity with other kerberized applications if there were some way of getting and setting the machine account password in the secrets.tdb. This way host principal passwords in external keytab files could be syncronized with the password being used by samba from the secrets.tdb. Perhaps this is an overly simplistic approach, but it is possible that many potential interoperablity conflicts could be solved by providing "net getmachinepw" and "net setmachinepw" commands. Since the machine account password is stored in clear text already, these new commands would be very easy add. Comments? -- Matt