[Fwd: Re: [PATCH] keytab management for ADS mode.]

[Jeremy Allison]

On Wed, Jan 28, 2004 at 02:34:09PM -0500, Rakesh Patel wrote:

> You will see both host/machine and host/machine.domain.  Also, "net ads 
> join" registered machines with the dns attribute
> [forgot the exact name right now] with the NetBIOS name, whereas the XP 
> and Win2K3 servers are automatically utilizing
> the FQDN.

I'm not sure this is true. I have a machine called w2ktest2-sfu.mixed (fqdn on an
isolated vmware session) joined as w2ktest2-sfu$, and queries for a principal of
w2ktest2-sfu.mixed in the realm fail. Only w2ktest2-sfu$ works.

> As I posted on the list, XP desktops when contacting smbd with the 
> patch, will obtain cifs/machine-fqdn at REALM
> service keys, however obtain NetBIOS machine$@REALM keys for interaction 
> with Win2K CIFS services

I haven't seen this. How do you reproduce this.

> Using machine$@REALM and adding it to the keytab would eliminate the use 
> of a  NULL server name to
> compensate for any NetBIOS named requests.  But we will need to stick to 
> FQDN when registering the host/machine at REALM,
> cifs/machine at REALM principals in the keytab and when registering the 
> machine in AD for the dns name attribute [whatever
> it is called] - after all, even Microsoft registers the FQDN in the dns 
> name attribute.

That may be in the LDAP database, but try querying the krb5 kdc database
and only the NETBIOS$ name seems to be there, not the fqdn.

> For the "keytab use" feature, as Andrew Bartlett mentioned, it is not 
> complete.  I need to functionalize the code to obtain keytab
> credentials and ensure it use used in place of 
> secrets_fetch_machine_password()/krb5_get_init_creds_password().

I don't like the keytab use parameter. I would much rather gate
everything on the "keytab file" parameter. If this param exists
then a keytab should automatically be used. The extra parameter
is just confusing.

Jeremy.