[PATCH] samba3-keytab

Phil Mayers p.mayers at imperial.ac.uk
Mon Sep 15 09:40:49 GMT 2003

On Wed, Sep 03, 2003 at 11:23:35AM +1000, Luke Howard wrote:
> This patch does not work if there is a keytab but no secrets.tdb.
> The attached patch (to Guenther's patch) fixes this.
> Also, note that this requires a HOST/foo principal in the keytab.
> Most keytabs have host/foo.bar.tld, and most Kerberos libraries
> enforce case-sensitive comparison of principal names.

Yes - bloody Microsoft. The (erroneous) assumption that all your hosts'
DNS entries are in the root DNS zone is really annoying, although the
case sensitivity is solvable since AD will return all kinds of stuff e.g.

[user at wildfire0 user]$ kvno HOST/ads1
HOST/ads1 at REALM.ORG: kvno = 0

[user at wildfire0 user]$ kvno host/ads1
host/ads1 at REALM.ORG: kvno = 0

[user at wildfire0 user]$ kvno HOST/ads1.realm.org
HOST/ads1.realm.org at REALM.ORG: kvno = 0

[user at wildfire0 user]$ kvno host/ads1.realm.org
host/ads1.realm.org at REALM.ORG: kvno = 0

[user at wildfire0 user]$ klist
Ticket cache: FILE:/tmp/krb5cc_uid
Default principal: user at REALM.ORG

Valid starting     Expires            Service principal
09/15/03 10:23:35  09/15/03 18:23:36  krbtgt/REALM.ORG at REALM.ORG
09/15/03 10:23:49  09/15/03 11:23:49  HOST/ads1 at REALM.ORG
09/15/03 10:23:53  09/15/03 11:23:53  host/ads1 at REALM.ORG
09/15/03 10:23:56  09/15/03 11:23:56  HOST/ads1.realm.org at REALM.ORG
09/15/03 10:24:01  09/15/03 11:24:01  host/ads1.realm.org at REALM.ORG

[user at wildfire0 user]$ kvno HOST/ads1.domain.realm.org
HOST/ads1.domain.realm.org at REALM.ORG: Server not found in Kerberos
database while getting credentials

...has anyone tried adding extra servicePrincipalNames to the Active
Directory? Hmm:

[root at wildfire0 bin]# ldapmodify -h icads2.realm.org 
SASL/GSSAPI authentication started
SASL installing layers
dn: CN=wildfire0,OU=Computers,OU=Realm,DC=realm,DC=org
changetype: modify
add: servicePrincialName
servicePrincipalName: HOST/wildfire0.domain.realm.org

modifying entry "CN=wildfire0,OU=Computers,OU=Realm,DC=realm,DC=org
ldap_modify: Constraint violation
        additional info: 0000200B: AtrErr: DSID-03151F6D, #1:
        0: 0000200B: DSID-03151F6D, problem 1005 (CONSTRAINT_ATT_TYPE),
data 0, Att 90303 (servicePrincipalName)

ldif_record() = 19

Can anyone decipher that?



| Phil Mayers                              |
| Network & Infrastructure Group           |
| Information & Communication Technologies |
| Imperial College                         |
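The kvno session above shows AD issuing tickets for HOST/ads1, host/ads1 and both FQDN spellings, but not for a host in a sub-domain. As an added example (not code from this thread or from Samba), this Python keytab lookup accepts exactly that set of variants: service and host names compare case-insensitively, the realm compares exactly, and a bare short name is assumed to live in the realm's own DNS domain; the keytab contents are constructed.

```python
"""Added example (not from the thread or Samba): a keytab lookup that
tolerates the case and host-name variants AD issues for one host
(HOST/ads1, host/ads1, HOST/ads1.realm.org, host/ads1.realm.org).

Assumptions: principals are 'service/host@REALM'; service and host compare
case-insensitively (host names are DNS names) while the realm compares
exactly; a bare short host name is qualified with the realm's own DNS
domain, so a host in a sub-domain is never matched by accident.
"""
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Principal:
    service: str
    host: str
    realm: str

    @classmethod
    def parse(cls, text: str) -> "Principal":
        name, sep, realm = text.rpartition("@")
        if not sep or not realm:
            raise ValueError(f"principal without realm: {text!r}")
        service, sep, host = name.partition("/")
        if not sep or not service or not host:
            raise ValueError(f"expected service/host@REALM: {text!r}")
        return cls(service, host.rstrip("."), realm)


def canonical_host(host: str, realm: str) -> str:
    """Lower-case the host; qualify a bare short name with the realm's domain."""
    host = host.lower()
    return host if "." in host else f"{host}.{realm.lower()}"


def find_keytab_entry(requested: str, keytab: Iterable[str]) -> Optional[str]:
    """Return the keytab principal that serves `requested`, or None."""
    want = Principal.parse(requested)
    for entry in keytab:
        have = Principal.parse(entry)
        if have.realm != want.realm:  # realm stays exact and case-sensitive
            continue
        if have.service.lower() != want.service.lower():
            continue
        if canonical_host(have.host, have.realm) == canonical_host(want.host, want.realm):
            return entry
    return None


# Constructed keytab: the usual lower-case FQDN form Luke describes.
KEYTAB = ["host/ads1.realm.org@REALM.ORG"]
```

The tolerance is deliberately narrow: anything outside case and the realm's own domain (such as HOST/ads1.domain.realm.org in the failing kvno call above) still returns None, matching the strict comparison most Kerberos libraries perform.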