userPrincipalName and FQDN - _yet again_
Rakesh Patel
rapatel.rocky at gmail.com
Sat Apr 9 18:59:28 GMT 2005
We had a discussion on the requirement to use FQDNs for the UPN for computer accounts in November, and in December I had posted simple patches for 3.0.9 that addressed it.

Unfortunately it is still the case that the UPN is _explicitly_ set to a non-FQDN (even if hostname/DNS are set to be fully qualified) upon a net ads join. The end result is that when the keytab is generated, even with the most expansive set of keys that are created, a basic Kerberos operation such as "kinit -k" to initialize a credentials cache from the keytab will fail, as the Windows KDC will not permit any initial principal name other than the settings for the UPN and sAMAccountName.
To review the old threads:
http://lists.samba.org/archive/samba-technical/2004-November/038199.html
http://lists.samba.org/archive/samba-technical/2004-December/038566.html
Example:
Hostname: rockylinux.rockycorp.local
dn: CN=rockylinux,CN=Computers,DC=rockycorp,DC=local
sAMAccountName: rockylinux$
dNSHostName: rockylinux.rockycorp.local
userPrincipalName: HOST/rockylinux@ROCKYCORP.LOCAL
servicePrincipalName: CIFS/rockylinux.rockycorp.local
servicePrincipalName: CIFS/rockylinux
servicePrincipalName: HOST/rockylinux.rockycorp.local
servicePrincipalName: HOST/rockylinux
[root@rockylinux Desktop]# kinit -k
kinit(v5): Client not found in Kerberos database while getting initial credentials
[root@rockylinux Desktop]# kinit -k host/rockylinux
[root@rockylinux Desktop]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: host/rockylinux@ROCKYCORP.LOCAL

Valid starting     Expires            Service principal
04/09/05 14:53:16  04/10/05 00:53:16  krbtgt/ROCKYCORP.LOCAL@ROCKYCORP.LOCAL
        renew until 04/10/05 14:53:16
Changing the hostname does not alter the situation [nor does adjusting
host lookups in /etc/hosts or DNS]:
[root@rockylinux Desktop]# hostname
rockylinux.rockycorp.local
[root@rockylinux Desktop]# hostname rockylinux
[root@rockylinux Desktop]# kinit -k
kinit(v5): Client not found in Kerberos database while getting initial credentials
[root@rockylinux Desktop]#
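As an added example (not part of the original post, and not Samba or MIT Kerberos code), the script below reproduces the reasoning of the post offline so an administrator can predict the `kinit -k` outcome before touching a domain: it parses a constructed copy of the computer account's LDAP attributes and a constructed `klist -k` listing of the keytab that `net ads join` wrote, works out which names the Windows KDC will accept as a client for initial (AS-REQ) authentication (only the userPrincipalName, and sAMAccountName@REALM), and reports, for the default `kinit -k` principal and for explicitly named ones, whether the request will fail in the keytab, fail at the KDC with "Client not found in Kerberos database", or succeed. The sample data, the realm, the hostname passed in as the name kinit would canonicalise to, and the case-insensitive comparison (Active Directory matches principal names case-insensitively, unlike MIT Kerberos) are assumptions of the example.

```python
"""Predict whether `kinit -k` against a Windows KDC can succeed from a keytab.

Added example; the account attributes and keytab listing below are constructed
to mirror the post, not taken from a live domain.
"""
import re

REALM = "ROCKYCORP.LOCAL"  # assumed default realm of the host

# Constructed sample: attributes of the computer account after `net ads join`.
SAMPLE_LDIF = """\
dn: CN=rockylinux,CN=Computers,DC=rockycorp,DC=local
sAMAccountName: rockylinux$
dNSHostName: rockylinux.rockycorp.local
userPrincipalName: HOST/rockylinux@ROCKYCORP.LOCAL
servicePrincipalName: CIFS/rockylinux.rockycorp.local
servicePrincipalName: CIFS/rockylinux
servicePrincipalName: HOST/rockylinux.rockycorp.local
servicePrincipalName: HOST/rockylinux
"""

# Constructed sample: `klist -k` style listing of the generated keytab.
SAMPLE_KLIST_K = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/rockylinux.rockycorp.local@ROCKYCORP.LOCAL
   2 host/rockylinux@ROCKYCORP.LOCAL
   2 cifs/rockylinux.rockycorp.local@ROCKYCORP.LOCAL
   2 cifs/rockylinux@ROCKYCORP.LOCAL
   2 rockylinux$@ROCKYCORP.LOCAL
"""


def parse_ldif(text):
    """Minimal LDIF reader: attribute -> list of values (multi-valued attrs kept)."""
    attrs = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, value = line.partition(":")  # base64 ("::") values not handled
        attrs.setdefault(name.strip(), []).append(value.strip())
    return attrs


def parse_keytab_listing(text):
    """Extract principal names from a `klist -k` listing (KVNO then principal)."""
    principals = []
    for line in text.splitlines():
        match = re.match(r"\s*\d+\s+(\S+@\S+)\s*$", line)
        if match:
            principals.append(match.group(1))
    return principals


def accepted_client_names(attrs, realm):
    """Names the AD KDC accepts as the client of an AS-REQ for this account.

    The KDC looks the account up by userPrincipalName or by sAMAccountName;
    servicePrincipalName values only make the account a valid *service*.
    Comparison is lower-cased because AD matches names case-insensitively.
    """
    names = {upn.lower() for upn in attrs.get("userPrincipalName", [])}
    names.update(f"{sam}@{realm}".lower() for sam in attrs.get("sAMAccountName", []))
    return names


def classify_keytab(attrs, keytab_principals, realm):
    """Map each keytab principal to True if it can obtain a TGT, else False."""
    accepted = accepted_client_names(attrs, realm)
    return {p: p.lower() in accepted for p in keytab_principals}


def predict_kinit_k(attrs, keytab_principals, realm, canonical_hostname, principal=None):
    """Return (principal tried, outcome) for `kinit -k [principal]`.

    With no principal, MIT kinit defaults to host/<canonical hostname>@REALM;
    canonical_hostname stands in for whatever name resolution yields.
    """
    if principal is None:
        principal = f"host/{canonical_hostname}@{realm}"
    elif "@" not in principal:
        principal = f"{principal}@{realm}"  # kinit appends the default realm
    if principal.lower() not in {p.lower() for p in keytab_principals}:
        return principal, "not in keytab"
    if principal.lower() not in accepted_client_names(attrs, realm):
        return principal, "not accepted by KDC (not the UPN or sAMAccountName)"
    return principal, "ok"


if __name__ == "__main__":
    attrs = parse_ldif(SAMPLE_LDIF)
    keytab = parse_keytab_listing(SAMPLE_KLIST_K)
    for principal, usable in classify_keytab(attrs, keytab, REALM).items():
        print(f"{'AS-REQ ok   ' if usable else 'service-only'}  {principal}")
    for name in (None, "host/rockylinux", "rockylinux$", "cifs/rockylinux"):
        tried, outcome = predict_kinit_k(attrs, keytab, REALM, "rockylinux.rockycorp.local", name)
        print(f"kinit -k {tried}: {outcome}")
```

Run as-is, the default case reports "not accepted by KDC", which is the post's first failure, while `host/rockylinux` and `rockylinux$` report "ok"; the `cifs/...` entries show up as service-only, which is why a keytab can look complete yet still not yield a TGT. To apply the check to a real host, replace the two constructed samples with the output of `net ads search` (or an LDAP query) for the account and of `klist -k`.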