[Fwd: Re: [PATCH] keytab management for ADS mode.]

Jeremy Allison jra at samba.org
Wed Jan 28 18:47:07 GMT 2004


On Sun, Jan 25, 2004 at 04:02:46PM -0500, Rakesh Patel wrote:
> 
> Hi..   now that I have had some testing done for both Windows and 
> non-Windows KDC
> environments,  I'd like to see Heimdal tested along with Windows2000 (I 
> used Windows 2003/.NET
> and it has key version numbers while Win2000 does not).  Also would be 
> nice to have
> someone test a non-Windows KDC used with full Win2K domain/AD.
> 
> I was also wondering if anyone had looked into having a Fedora desktop 
> join a Win2K domain/AD
> and download the user profile to determine which shares to "automount"  
> similarly to a 2000/XP desktop.
> The idea being kerberos credentials would be used for the SMB/CIFS 
> access.  I noticed nautilus is
> linked with the mit gssapi_krb5 library ,but I searched the sources and 
> did not find any krb or gssapi calls.
> Ideally if nautilus used smb:// with kerberos credentials, it would have 
> the same transparency that we can
> now provide from the Win2000/XP desktops to unix/Win2k file servers.
> 
> The only other major concern I have is testing with winbind and other 
> Samba functionality that was added.
> Since I am not utilizing winbind or other facilities for uid/username 
> mapping,  there are chances additional
> work will be required in those areas of the Samba code.
> 
> Any suggestions/testing assistance would be appreciated. :-) 

Ok, I'm (finally, sorry for the delay) integrating this patch and
testing it and I think I have a problem.

The patch changes the Samba server code to generate host principal
names in the keytab of the form :

host/fqdn@REALM

this is a change from the previous :

HOST/NETBIOSNAME@REALM

A W2K KDC doesn't seem to generate mappings from a principal of 
NETBIOSNAME@REALM -> fqdn@REALM by default.

Now an smbd server will still generate a principal name of
NETBIOSNAME@REALM to give back to the client, and the client
then requests a ticket for that server. The patch changes the
kerberos_verify code to always specify NULL as the server
name, thus bypassing this problem (of the client having a
service ticket for NETBIOSNAME@REALM instead of fqdn@REALM)
- the key is extracted from the keytab (or secrets.tdb) and
is the same, so the client specified name doesn't matter.

I'm not sure if this is the right thing to do. Can we discuss
this further please before I apply this ?

Jeremy.

