[Fwd: Re: [PATCH] keytab management for ADS mode.]
Jeremy Allison
jra at samba.org
Wed Jan 28 22:16:20 GMT 2004
On Wed, Jan 28, 2004 at 02:34:09PM -0500, Rakesh Patel wrote:
> You will see both host/machine and host/machine.domain. Also, "net ads
> join" registered machines with the dns attribute
> [forgot the exact name right now] with the NetBIOS name, whereas the XP
> and Win2K3 servers are automatically utilizing
> the FQDN.
I'm not sure this is true. I have a machine called w2ktest2-sfu.mixed (fqdn on an
isolated vmware session) joined as w2ktest2-sfu$, and queries for a principal of
w2ktest2-sfu.mixed in the realm fail. Only w2ktest2-sfu$ works.
> As I posted on the list, XP desktops when contacting smbd with the
> patch, will obtain cifs/machine-fqdn@REALM
> service keys, however obtain NetBIOS machine$@REALM keys for interaction
> with Win2K CIFS services
I haven't seen this. How do you reproduce this?
> Using machine$@REALM and adding it to the keytab would eliminate the use
> of a NULL server name to
> compensate for any NetBIOS named requests. But we will need to stick to
> FQDN when registering the host/machine@REALM,
> cifs/machine@REALM principals in the keytab and when registering the
> machine in AD for the dns name attribute [whatever
> it is called] - after all, even Microsoft registers the FQDN in the dns
> name attribute.
That may be in the LDAP database, but try querying the krb5 kdc database
and only the NETBIOS$ name seems to be there, not the fqdn.
> For the "keytab use" feature, as Andrew Bartlett mentioned, it is not
> complete. I need to functionalize the code to obtain keytab
> credentials and ensure it is used in place of
> secrets_fetch_machine_password()/krb5_get_init_creds_password().
I don't like the keytab use parameter. I would much rather gate
everything on the "keytab file" parameter. If this param exists
then a keytab should automatically be used. The extra parameter
is just confusing.
Jeremy.
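As an added example (not part of this thread or of the Samba patch under discussion), a small Python reader for the version-2 MIT keytab format that lists the principals a keytab holds and reports which of the name forms debated above (NETBIOS$, host/fqdn, host/short, cifs/fqdn) are present. The realm MIXED, the sample keytab bytes and the all-zero keys are constructed for the demonstration.

```python
import struct

def _cstr(buf, pos):
    """Read a keytab counted octet string: uint16 big-endian length, then bytes."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def list_principals(keytab):
    """Return 'comp1/comp2@REALM' strings for every live entry in an MIT 0x0502 keytab."""
    if keytab[:2] != b"\x05\x02":
        raise ValueError("not a version-2 MIT keytab")
    principals, pos = [], 2
    while pos < len(keytab):
        (size,) = struct.unpack_from(">i", keytab, pos)   # negative size = deleted slot
        pos += 4
        if size < 0:
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", keytab, pos)
        realm, p = _cstr(keytab, pos + 2)
        comps = []
        for _ in range(ncomp):
            c, p = _cstr(keytab, p)
            comps.append(c.decode())
        # name_type, timestamp, vno8 and the keyblock follow; only the name is needed here
        principals.append("/".join(comps) + "@" + realm.decode())
        pos = end
    return principals

def _entry(realm, comps, key=b"\x00" * 16, enctype=23, vno=1):
    """Build one keytab entry from constructed data (not exported from any real KDC)."""
    body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", 1, 0, vno)               # name_type NT-PRINCIPAL, timestamp, vno8
    body += struct.pack(">HH", enctype, len(key)) + key  # keyblock: enctype, length, key bytes
    return struct.pack(">i", len(body)) + body

# Constructed sample: the NetBIOS machine account plus host/ and cifs/ under the FQDN.
SAMPLE_KEYTAB = (b"\x05\x02"
                 + _entry("MIXED", ["W2KTEST2-SFU$"])
                 + _entry("MIXED", ["host", "w2ktest2-sfu.mixed"])
                 + _entry("MIXED", ["cifs", "w2ktest2-sfu.mixed"]))

def principal_coverage(principals, netbios, fqdn, realm):
    """Map each name form discussed in the thread to whether the keytab contains it."""
    wanted = {"netbios": f"{netbios}$@{realm}", "host_fqdn": f"host/{fqdn}@{realm}",
              "host_short": f"host/{netbios.lower()}@{realm}", "cifs_fqdn": f"cifs/{fqdn}@{realm}"}
    have = set(principals)
    return {form: name in have for form, name in wanted.items()}
```

Run against a real keytab (e.g. the bytes of the file named by "keytab file"), the coverage map shows at a glance whether both the NETBIOS$ and FQDN-based service principals that clients may ask for are present.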