servicePrincipalName and local Kerberos interoperability with keytab
Doug VanLeuven
roamdad at sonic.net
Sun Aug 15 09:53:08 GMT 2004
Hello,
This gets to be more than one page, so first the issue.
servicePrincipalName in AD needs to have the actual DNS name of the host
for local Kerberos utilities to work where samba creates and maintains
the keyfile, either in addition to, or instead of, using the DNS equivalent
of the Realm. I have workarounds (see below).
There are some solid reasons I don't want to move all the unix servers into
a delegated DNS zone for AD. Can't, in some instances.
In libads/ldap.c, ads_add_service_principal_name() and ads_add_machine_acct():

    psp = talloc_asprintf(ctx, "HOST/%s.%s",
                          machine_name,
                          ads->config.realm);
It seems this might be a much larger issue than changing the initial setup.
And, although the Windows and Kerberos documentation appear to suggest
the DNS domain need not be the same as the Realm, I don't have the depth of
experience to know that to be true. What has been true is
DNSdomain=Realm
for all the joined Windows clients.
If I just submitted a patch to add an additional principal name using
the real fqdn when it wasn't the same as the host+realm, it would seem
like a kludge that's missing some fundamental point.
And changing the realm to the DNS domain in the servicePrincipalName
could break a fundamental assumption.
Thanks everyone for everything. I just love that I can add unix Kerberos
authentication and utilities in the same moment as upgrading samba from
2.2.x.
And it looks like a masterpiece.
Do you still take pizza? Once upon a time in a land far, far away ...
The gory details:
RH9
Linux gate.ldxnet.com 2.4.20-28.9smp #1 SMP Thu Dec 18 13:37:36 EST 2003
i686 i686 i386 GNU/Linux
krb5-1.3.4-i686-pc-linux pre-compiled binary from MIT
gcc-3.2.2-5
openldap-devel-2.0.27-8
bind-9.2.1-16
samba-3_0 svn revision 1824
Windows 2000 standard server native mode domain.
All current security fixes & updates.
smb.conf

    workgroup = FOREST
    realm = NT.LDXNET.COM
    security = ADS
    use kerberos keytab = yes
    winbind trusted domains only = yes
    idmap backend = ad:ldap://ranger1.nt.ldxnet.com
    (small change to make it work, added for completeness)
krb5.conf

    [realms]
    NT.LDXNET.COM = {
        kdc = ranger1.nt.ldxnet.com:88
        admin_server = ranger1.nt.ldxnet.com:749
        default_domain = nt.ldxnet.com
    }

    [domain_realm]
    .nt.ldxnet.com = NT.LDXNET.COM
    nt.ldxnet.com = NT.LDXNET.COM
    gate.ldxnet.com = NT.LDXNET.COM
    ldxnet.com = NT.LDXNET.COM
    .ldxnet.com = NT.LDXNET.COM
DNS

Legacy unix domain:

    ldxnet.com IN SOA gate.ldxnet.com    (the samba 3.0 machine)
               NS     gate.ldxnet.com

Microsoft AD domain, delegated & glued:

    nt.ldxnet.com IN SOA ranger1.nt.ldxnet.com
                  NS     ranger1.nt.ldxnet.com
Partial list from /etc/krb5.keytab generated by samba:

    0 host/gate.ldxnet.com@NT.LDXNET.COM
    0 cifs/gate.ldxnet.com@NT.LDXNET.COM
The host and service principal names get added to servicePrincipalName as

    HOST/gate
    HOST/gate.nt.ldxnet.com
    CIFS/gate
    CIFS/gate.nt.ldxnet.com

but

    dNSHostName: gate.ldxnet.com;

This prevents the local Kerberos from finding the host gate.ldxnet.com
in the KDC database.
I have two (2) workarounds. Each worked alone on separate linux machines.

1. Use ktpass on the DC to generate the host/gate.ldxnet.com mapping to
   the gate$ machine account. This adds to altSecurityIdentities:

       Kerberos:host/gate.ldxnet.com;Kerberos:cifs/gate.ldxnet.com

   I'm still waiting to see if this expires. Not added to /etc/krb5.keytab.

2. Manually edit servicePrincipalName and add

       Host/gate.ldxnet.com;CIFS/gate.ldxnet.com

   This worked instantaneously.
In either case, it also seemed advantageous to add the linux names to
the nt.ldxnet.com zone.
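An added check (example code, not from the post or from samba) that reproduces the mismatch above: it derives the name samba builds from machine name plus realm, compares it with dNSHostName, and lists which keytab principals have no matching servicePrincipalName on the machine account, i.e. the SPNs workaround 2 adds by hand. The keytab principals, SPN values and dNSHostName below are constructed from the values in the post; the function names are this example's own.

```python
import re

# Constructed sample: principal names from `klist -k /etc/krb5.keytab`
# on gate.ldxnet.com, joined to realm NT.LDXNET.COM (values from the post).
KEYTAB_PRINCIPALS = [
    "host/gate.ldxnet.com@NT.LDXNET.COM",
    "cifs/gate.ldxnet.com@NT.LDXNET.COM",
]
# Constructed sample: servicePrincipalName values samba registered in AD
# (machine name + realm) and the account's dNSHostName.
AD_SPNS = ["HOST/gate", "HOST/gate.nt.ldxnet.com",
           "CIFS/gate", "CIFS/gate.nt.ldxnet.com"]
DNS_HOST_NAME = "gate.ldxnet.com"


def samba_spn_host(machine_name, realm):
    """Host part samba builds in ads_add_machine_acct(): <machine>.<realm>."""
    return f"{machine_name}.{realm}".lower()


def realm_name_differs(machine_name, realm, dns_host_name):
    """True when the realm-derived name is not the host's real FQDN."""
    return samba_spn_host(machine_name, realm) != dns_host_name.lower()


def missing_spns(keytab_principals, ad_spns, dns_host_name):
    """Return service/host SPNs the keytab expects but AD does not carry.

    The comparison is case-insensitive: AD keeps SPNs as written (HOST/...)
    while the keytab uses lower-case service names (host/...).
    """
    have = {s.lower() for s in ad_spns}
    missing = []
    for princ in keytab_principals:
        m = re.fullmatch(r"([^/]+)/([^@]+)@(.+)", princ)
        if not m:
            continue  # not a service/host@REALM principal
        service, host, _realm = m.groups()
        if host.lower() != dns_host_name.lower():
            continue  # only principals for this host's real FQDN matter
        spn = f"{service}/{host}"
        if spn.lower() not in have:
            missing.append(spn)
    return missing


if __name__ == "__main__":
    print("realm-derived name:", samba_spn_host("gate", "NT.LDXNET.COM"))
    print("differs from dNSHostName:",
          realm_name_differs("gate", "NT.LDXNET.COM", DNS_HOST_NAME))
    print("SPNs to add:", missing_spns(KEYTAB_PRINCIPALS, AD_SPNS, DNS_HOST_NAME))
```

Run against live data by replacing the constructed lists with the output of `klist -k` and an LDAP query of the machine account; an empty result means the keytab and the account agree.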