Catching more principals in ads_keytab_verify_ticket()

Doug VanLeuven roamdad at sonic.net
Thu Mar 10 13:13:16 GMT 2005


Jeremy Allison wrote:

>Ok, this is why I *hate* the krb5 principal code. If you guys are
>working on this, please also give me something that addresses bug
>2414 here :
>
>https://bugzilla.samba.org/show_bug.cgi?id=2414
>
>"When joining an Active Directory when subdomains are being used, the servicePrincipalNames inserted 
>in AD are incorrectly generated. 
>
>.....
>
>How to fix: basically, SPNs should be generated from FQDN, rather than HOSTNAME.ADREALM (or in 
>addition to)."
>
>I *hate* kerberos so much :-).
>  
>
2003 kdc = ranger1.nt.ldxnet.com (fqdn)
rc4-hmac krb = gate.ldxnet.com (fqdn)
des-cbc-md5 = lex.dyn.ldxnet.com (fqdn)

MIT kerberos 1.3.5

The principal names reported as hits by kerberos_verify.c on 
gate.ldxnet.com are:
HOST/gate at NT.LDXNET.COM
HOST/GATE at NT.LDXNET.COM
cifs/gate.nt.ldxnet.com at NT.LDXNET.COM
cifs/gate at NT.LDXNET.COM

The principal names reported by lex.dyn.ldxnet.com are:
lex$@NT.LDXNET.COM
cifs/Lex.nt.ldxnet.com at NT.LDXNET.COM
cifs/Lex.nt.ldxnet.com at NT.LDXNET.COM

Looks like the cifs names are:
gate.realm at REALM
Lex.realm at REALM

neither of which is generated in kerberos_keytab.c for out-of-realm 
domains.  Plus the 2003 kdc decided to upcase just the first letter of 
the Lex hostname.  First time I've seen that.

How do you feel about having a prefab list that covers the most common 
cases including cifs/<host>.<realm>@<REALM> and adding a global option 
to add to the list in smb.conf?  This would give some flexibility to 
adjust to whatever case variations MS throws at us.

use kerberos keytab = yes
keytab principals = cifs/Lex.nt.ldxnet.com

Even without the global option, updating the static list to include 
cifs/<host>.<realm>@<REALM> might help fix bug 2414.  I've got a patch 
for just that part right now.

Also, I mention adding HOST/<fqdn> to the servicePrincipalName in AD so 
native unix utilities work when they go looking for the standard 
kerberos format of host/<fqdn>@<REALM>.  Here's root's klist on lex 
after an rlogin to a klogind and smbclient sessions.  Samba doesn't seem 
to need it, but klogind does.  This is salted des too.

[root at lex xinetd.d]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: root at NT.LDXNET.COM

Valid starting     Expires            Service principal
03/10/05 02:20:20  03/10/05 12:20:23  krbtgt/NT.LDXNET.COM at NT.LDXNET.COM
        renew until 03/11/05 02:20:20
03/10/05 02:20:25  03/10/05 12:20:23  host/lex.dyn.ldxnet.com at NT.LDXNET.COM
        renew until 03/11/05 02:20:20
03/10/05 02:31:41  03/10/05 12:20:23  gate$@NT.LDXNET.COM
        renew until 03/11/05 02:20:20
03/10/05 02:32:18  03/10/05 12:20:23  ranger1$@NT.LDXNET.COM
        renew until 03/11/05 02:20:20

Regards, Doug
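The "prefab list" idea above, written out as an added example (this is not Samba code and not the patch Doug mentions): given a host's short name, its DNS FQDN and the realm, build every principal spelling the verifier should try, including the cifs/<host>.<realm>@<REALM> form from bug 2414, the first-letter-upcased variant the 2003 KDC produced, and the standard unix host/<fqdn>@<REALM>. The `keytab principals` parser, the function names, and the sample keytab listing are assumptions for illustration.

```python
"""Candidate service principals for keytab-based ticket verification.

Added example, not code from Samba or from the thread's author.  The
helper names, the 'keytab principals' option parser and the constructed
keytab listing below are assumptions for illustration only.
"""

from collections import OrderedDict


def candidate_principals(shortname, fqdn, realm, extra=()):
    """Return an ordered, de-duplicated list of principals to try.

    shortname: short/NetBIOS host name, e.g. "lex"
    fqdn:      DNS name of the host, e.g. "lex.dyn.ldxnet.com"
    realm:     Kerberos realm, e.g. "NT.LDXNET.COM"
    extra:     operator-supplied principals (the proposed smb.conf
               'keytab principals' option); a name without '@' gets
               '@REALM' appended (assumption).
    """
    realm_up = realm.upper()
    realm_lo = realm.lower()

    # Host-part spellings seen from a Windows KDC: as given, all lower,
    # all upper, and first letter upper (the "Lex" case in the thread).
    host_forms = [shortname, shortname.lower(), shortname.upper(),
                  shortname.capitalize()]
    instances = []
    for h in host_forms:
        instances.append(h)                    # svc/<host>@REALM
        instances.append(f"{h}.{realm_lo}")    # svc/<host>.<realm>@REALM (bug 2414)
    instances.append(fqdn)                     # svc/<fqdn>@REALM, standard unix form

    ordered = OrderedDict()                    # preserves first-seen order, drops dupes
    for svc in ("host", "HOST", "cifs"):
        for inst in instances:
            ordered[f"{svc}/{inst}@{realm_up}"] = None
    ordered[f"{shortname.lower()}$@{realm_up}"] = None   # machine account principal
    for p in extra:
        ordered[p if "@" in p else f"{p}@{realm_up}"] = None
    return list(ordered)


def parse_keytab_principals(value):
    """Split the value of a hypothetical 'keytab principals = a, b c' line."""
    return [tok for tok in value.replace(",", " ").split() if tok]


def matching_keytab_entries(candidates, keytab_principals):
    """Candidates that actually exist in the keytab, compared exactly:
    Kerberos principal names are case-sensitive, which is why the
    case variants are generated instead of being folded away."""
    have = set(keytab_principals)
    return [c for c in candidates if c in have]


if __name__ == "__main__":
    extra = parse_keytab_principals("cifs/Lex.nt.ldxnet.com")
    wanted = candidate_principals("lex", "lex.dyn.ldxnet.com", "NT.LDXNET.COM", extra)
    # Constructed keytab listing standing in for `klist -k` output.
    keytab = ["cifs/lex@NT.LDXNET.COM", "HOST/gate@NT.LDXNET.COM"]
    for p in wanted:
        print(p)
    print("usable entries:", matching_keytab_entries(wanted, keytab))
```

Running it for the lex host prints 22 distinct principals, so a verifier looping over this list would cover both cifs/Lex.nt.ldxnet.com@NT.LDXNET.COM and host/lex.dyn.ldxnet.com@NT.LDXNET.COM without needing the operator to predict which spelling the KDC picks.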
