[krbdev.mit.edu #5821] REQ: in-registry keytab support

"Christopher D. Clausen" via RT rt at krbdev.mit.edu
Tue Oct 16 00:03:21 EDT 2007


Hello wonderful Kerberos people,

I'd like to request a new format/support for keytabs to be stored in the 
Windows Registry.  This would enable me to use Group Policy to push 
specific registry keys (and therefore keytabs) to groups of machines 
that need to share a specific key, either a cluster of machines serving 
web pages (HTTP/clustername) or some similar function.  It will also 
allow me to push a dummy keytab simply to validate that the KDC itself 
isn't being spoofed or perhaps for some type of authenticated DNS or 
LDAP look-ups that need to be performed by the SYSTEM account.

In some instances, admins may want to use Group Policy to permanently 
assign a keytab to a group of machines in this way.  If the machine ever 
gets reinstalled, the keytab will be automatically re-applied to the 
machine via Group Policy once the computer is joined to the domain. 
This would completely eliminate the need to keep track of versions and 
distribution of actual keytab files in addition to allowing the keytab 
for an entire cluster of machines to be changed all at once.  No older 
versions around messing things up.

I believe that OpenAFS for Windows will soon have support for 
authenticated anonymous access to a cell and this same procedure can be 
used to distribute a keytab that the OpenAFS client could use for 
anonymous authentication.  Having all anonymous connections 
authenticated allows for encryption and the ability to get rid of 
IP-based ACLs.  This is very useful for things like software 
distribution using GPO or other methods that require the SYSTEM account 
to read data out of AFS.

<<CDC
-- 
Christopher D. Clausen 
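As an added illustration of the verification an admin would want once keytabs are pushed through the registry (this is example code, not part of the original message and not code from MIT Kerberos for Windows): the script below reads a keytab stored as a REG_BINARY value, checks the MIT keytab v2 header, and lists each entry's principal, kvno and enctype without touching the key bytes, so the same key version can be confirmed on every node of a cluster. The registry path and value name are assumptions, since no such key is defined today.

```powershell
# Added example: inspect a keytab that Group Policy placed in a REG_BINARY value.
# The registry path and value name below are hypothetical (nothing in KfW defines them).
$RegPath   = 'HKLM:\SOFTWARE\ExampleOrg\Kerberos\Keytabs'   # hypothetical
$ValueName = 'HTTP-clustername'                              # hypothetical

function Read-UInt16BE([byte[]]$b, [ref]$pos) {
    $v = ($b[$pos.Value] -shl 8) -bor $b[$pos.Value + 1]; $pos.Value += 2; return $v
}
function Read-Int64BE([byte[]]$b, [ref]$pos) {   # 4 big-endian bytes, widened to avoid overflow
    $v = [int64]0
    for ($i = 0; $i -lt 4; $i++) { $v = ($v -shl 8) -bor $b[$pos.Value + $i] }
    $pos.Value += 4; return $v
}
function Read-CountedString([byte[]]$b, [ref]$pos) {
    $len = Read-UInt16BE $b $pos
    $s = [Text.Encoding]::ASCII.GetString($b, $pos.Value, $len); $pos.Value += $len; return $s
}

function Get-KeytabEntries([byte[]]$data) {
    # MIT keytab v2 layout: magic 0x05 0x02, then entries each prefixed by an int32 length
    if ($data.Length -lt 2 -or $data[0] -ne 5 -or $data[1] -ne 2) { throw 'Not a v2 keytab' }
    $pos = 2
    while ($pos + 4 -le $data.Length) {
        $size = Read-Int64BE $data ([ref]$pos)
        if ($size -ge 0x80000000) { $size -= 0x100000000 }   # signed length; negative = deleted slot
        $size = [int]$size
        if ($size -le 0) { $pos += -$size; continue }
        $end    = $pos + $size
        $ncomp  = Read-UInt16BE $data ([ref]$pos)
        $realm  = Read-CountedString $data ([ref]$pos)
        $comps  = @(); for ($i = 0; $i -lt $ncomp; $i++) { $comps += Read-CountedString $data ([ref]$pos) }
        $null   = Read-Int64BE $data ([ref]$pos)               # principal name type, not needed here
        $stamp  = Read-Int64BE $data ([ref]$pos)
        $vno    = [int]$data[$pos]; $pos++                     # 8-bit kvno
        $etype  = Read-UInt16BE $data ([ref]$pos)
        $klen   = Read-UInt16BE $data ([ref]$pos)
        $pos   += $klen                                        # skip the key material itself
        if ($end - $pos -ge 4) {                               # optional 32-bit kvno overrides if non-zero
            $v32 = Read-Int64BE $data ([ref]$pos); if ($v32 -ne 0) { $vno = $v32 }
        }
        [pscustomobject]@{ Principal = ($comps -join '/') + '@' + $realm; Kvno = $vno; Enctype = $etype
                           Timestamp = [DateTimeOffset]::FromUnixTimeSeconds($stamp).UtcDateTime }
        $pos = $end
    }
}

$bytes = (Get-ItemProperty -Path $RegPath -Name $ValueName).$ValueName
Get-KeytabEntries $bytes | Format-Table -AutoSize
```

Running this on each cluster member and comparing the Kvno column is the check that the GPO-pushed key is identical everywhere and that no stale version is left behind.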