Catching more principals in ads_keytab_verify_ticket()
Michael Brown
mbrown at fensystems.co.uk
Sat Feb 26 12:15:31 GMT 2005
On Fri, 25 Feb 2005, Doug VanLeuven wrote:
> I'm still using this section of samba-3.0.8pre1-fqdn.patch that you
> posted that never seemed to make it into the distribution. It seems to
> be covering my servers that don't have the same realm and DNS domain in
> conjunction with the keytab principal iteration patch. I'm not using
> XP, but I haven't noticed 2k being denied anything.
>
> servicePrincipalName[3] = psp2;
> + strlower_m(my_fqdn);
> + if (strcmp(my_fqdn, &psp2[5]) != 0) {
> + psp3 = talloc_asprintf(ctx, "CIFS/%s", my_fqdn);
> + strlower_m(&psp3[5]);
> + servicePrincipalName[4] = psp3;
> + psp4 = talloc_asprintf(ctx, "HOST/%s", my_fqdn);
> + strlower_m(&psp4[5]);
> + servicePrincipalName[5] = psp4;
> + }
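Review bot: the two talloc_asprintf() results (the `psp3 = talloc_asprintf(ctx, "CIFS/%s", my_fqdn);` and `psp4 = ...` lines) are passed straight to strlower_m(&psp3[5]) and strlower_m(&psp4[5]) without a NULL check, so an allocation failure would dereference NULL instead of failing the lookup; test each return before lowering it. The `[5]` offsets on psp2, psp3 and psp4 all hard-code a five-character "XXXX/" prefix, and for psp2 that prefix is not visible in this hunk, so a comment or a strlen("CIFS/")-style constant stating the assumption would help. Finally, servicePrincipalName[4] and [5] are only assigned inside the if, so the array's declared size and how its end is marked when the branch is not taken need to be confirmed against code outside this hunk.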
>
> If host/name.REALM was just added to the existing array for an
> additional combination, I don't think that would break anything existing.
> It does look pretty bizarre when one does klist -ek, but it's all
> working, right now, for me. I'd really, really hate to have to go thru
> that again.
>
> Mike, you haven't really said if your domain and realm are the same or
> not or if it's just a case variation.
That code is in ldap.c and from what I can tell applies only when you have
an Active Directory DC. I'm using a WinXP workstation joined to a
Kerberos realm via Ksetup - no AD DCs anywhere on the network.
My domain and realm are different, though it's only on a test network so
this isn't a huge barrier. The major problem for me is the case
variability; the method I'm proposing to fix this problem just happens to
also make it easy to cope with realm != domain.
I'm working on a patch at the moment.
Michael
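The thread above is about which service principal names a server should try when verifying a ticket: the short host name, host.<DNS domain>, host.<realm>, and case variants of each. As an added illustration (not Samba's code and not the patch either poster describes), the following C builds that candidate list, lower-cases everything so case variation cannot cause a miss, de-duplicates so that realm == DNS domain does not produce repeated entries, and performs the case-insensitive match a verification path would do. The host, domain and realm values, the function names and the cifs/host service set are all constructed for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strcasecmp (POSIX) */

#define MAX_SPN 16
#define SPN_LEN 256

/* Lower-case a string in place (ASCII only, which is enough for hostnames). */
static void lower_in_place(char *s)
{
    for (; *s; s++)
        *s = (char)tolower((unsigned char)*s);
}

/* Append "service/name" to the candidate list unless an equal entry (ignoring
 * case) is already there, so realm == DNS domain does not produce duplicates.
 * Returns the new count. */
static int add_candidate(char out[][SPN_LEN], int n, const char *service,
                         const char *name)
{
    char buf[SPN_LEN];
    snprintf(buf, sizeof buf, "%s/%s", service, name);
    for (int i = 0; i < n; i++)
        if (strcasecmp(out[i], buf) == 0)
            return n;
    if (n >= MAX_SPN)
        return n;
    strcpy(out[n], buf);
    return n + 1;
}

/* Build the principal names a server should accept for itself: the short host
 * name, host.<dns domain> and host.<kerberos realm> (the last only differs when
 * realm != DNS domain), each for the cifs and host services, all lower-cased.
 * Hypothetical helper; the service list is a constructed assumption. */
int build_spn_candidates(const char *host, const char *dns_domain,
                         const char *realm, char out[][SPN_LEN])
{
    static const char *services[] = { "cifs", "host" };
    char shortname[SPN_LEN], fqdn[SPN_LEN], realm_name[SPN_LEN];
    int n = 0;

    snprintf(shortname, sizeof shortname, "%s", host);
    snprintf(fqdn, sizeof fqdn, "%s.%s", host, dns_domain);
    snprintf(realm_name, sizeof realm_name, "%s.%s", host, realm);
    lower_in_place(shortname);
    lower_in_place(fqdn);
    lower_in_place(realm_name);

    for (size_t s = 0; s < sizeof services / sizeof services[0]; s++) {
        n = add_candidate(out, n, services[s], shortname);
        n = add_candidate(out, n, services[s], fqdn);
        n = add_candidate(out, n, services[s], realm_name);
    }
    return n;
}

/* Number of distinct candidates for a given host/domain/realm. */
int spn_candidate_count(const char *host, const char *dns_domain,
                        const char *realm)
{
    char cands[MAX_SPN][SPN_LEN];
    return build_spn_candidates(host, dns_domain, realm, cands);
}

/* The name check a ticket-verification path makes: does the service principal
 * in the presented ticket name this server, ignoring case?  1 = yes, 0 = no. */
int spn_accepted(const char *host, const char *dns_domain, const char *realm,
                 const char *ticket_spn)
{
    char cands[MAX_SPN][SPN_LEN];
    int n = build_spn_candidates(host, dns_domain, realm, cands);
    for (int i = 0; i < n; i++)
        if (strcasecmp(ticket_spn, cands[i]) == 0)
            return 1;
    return 0;
}

int main(void)
{
    /* Constructed example: realm and DNS domain differ, client sent mixed case. */
    char cands[MAX_SPN][SPN_LEN];
    int n = build_spn_candidates("Fileserver", "example.com", "EXAMPLE.ORG", cands);
    for (int i = 0; i < n; i++)
        printf("accept: %s\n", cands[i]);
    printf("HOST/FileServer.Example.Com -> %s\n",
           spn_accepted("Fileserver", "example.com", "EXAMPLE.ORG",
                        "HOST/FileServer.Example.Com") ? "accepted" : "rejected");
    return 0;
}
```

The name match only decides which keytab entries are worth trying; the ticket is still accepted only if it decrypts and validates under the key of the entry that matched, so widening the candidate list as above does not by itself widen what a client can present.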