[PATCH] heimdal fixes for the new keytab code

Gerald (Jerry) Carter jerry at samba.org
Wed Jul 7 15:10:09 GMT 2004


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Guenther Deschner wrote:

| * Joining ADS (w2k3 in my case) with current 3_0 svn with
| security = ads (no unix keytab involved)
|
| mthelena:~ # net ads join -U administrator%secret -d0
| Using short domain name -- W2K3TEST
| Joined 'MTHELENA' to realm 'W2K3TEST.SERNET.DE'
|
| * lets see what principals were created

....

OK.  So it's the userPrincipalName that we have to use
to get a TGT.  The problem then is the canonicalization
of the name.  We have to use the servicePrincipalName
for the keytab and the userPrincipalName for obtaining
a TGT.  Makes sense I guess.

For the record,

# ldapsearch  -Y GSSAPI -h spud.ad.plainjoe.org \
    -b "DC=ad,DC=plainjoe,DC=org" -LLL "(userPrincipalName=*)" \
    | egrep '(dn|PrincipalName)'

## normal user

dn: CN=Biddle,CN=Users,DC=ad,DC=plainjoe,DC=org
userPrincipalName: biddle@ad.plainjoe.org

## Samba joined using security = domain

dn: CN=jelly,CN=Computers,DC=ad,DC=plainjoe,DC=org
userPrincipalName: HOST/jelly@AD.PLAINJOE.ORG

## samba joined using security = ads

dn: CN=shaggy,CN=Computers,DC=ad,DC=plainjoe,DC=org
servicePrincipalName: CIFS/shaggy.ad.plainjoe.org
servicePrincipalName: CIFS/shaggy
servicePrincipalName: HOST/shaggy.ad.plainjoe.org
servicePrincipalName: HOST/shaggy
userPrincipalName: HOST/shaggy@AD.PLAINJOE.ORG


Strangely enough, the XP boxes joined to the domain only have

servicePrincipalName: HOST/XPTEST
servicePrincipalName: HOST/xptest.ad.plainjoe.org

no CIFS/....entry

The DC for the domain only has

servicePrincipalName: DNS/spud.ad.plainjoe.org
servicePrincipalName: HOST/spud.ad.plainjoe.org/AD
servicePrincipalName: HOST/SPUD
servicePrincipalName: HOST/spud.ad.plainjoe.org
servicePrincipalName: HOST/spud.ad.plainjoe.org/ad.plainjoe.org
servicePrincipalName: GC/spud.ad.plainjoe.org/ad.plainjoe.org
servicePrincipalName: LDAP/b4adf850-defa-4267-8d18-e52d274dd979._msdcs.ad.plainjoe.org
servicePrincipalName: LDAP/spud.ad.plainjoe.org/AD
servicePrincipalName: LDAP/SPUD
servicePrincipalName: LDAP/spud.ad.plainjoe.org
servicePrincipalName: LDAP/spud.ad.plainjoe.org/ad.plainjoe.org
servicePrincipalName: NtFrs-88f5d2bd-b646-11d2-a6d3-00c04fc9b232/spud.ad.plainjoe.org
servicePrincipalName: E3514235-4B06-11D1-AB04-00C04FC2DCD2/b4adf850-defa-4267-8d18-e52d274dd979/ad.plainjoe.org

Where does the CIFS/...entry come into play ?

(jerry heads off to search msdn)....




cheers, jerry
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFA7BJRIR7qMdg1EfYRAriNAJ4lE83j19SEmmFoCfIvA53TLXq3QACgrbHs
MjP38cXR7Z6HbNN6Er6Pv5I=
=YGBe
-----END PGP SIGNATURE-----
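The split the message describes (userPrincipalName is what you present to the KDC for a TGT, each servicePrincipalName becomes a keytab entry qualified with the realm) as an added, stand-alone example. This is not code from the message or from Samba; it parses a constructed LDIF assembled from the attribute values quoted above, including the folded continuation lines the archive shows for long servicePrincipalName values. The dn of the DC entry and the rule that the realm is the upper-cased DC components of the dn are assumptions made for the example.

```python
"""Sort an AD computer object's Kerberos names into the two roles from the
message: one principal to request a TGT with (userPrincipalName) and a list
of principals that belong in the host keytab (servicePrincipalName values).
"""
from typing import Dict, List, Optional

# Constructed sample built from the attribute values quoted in the message.
# The DC entry's dn is assumed; the LDAP/... line is folded the way LDIF
# folds long values (continuation line starts with a single space).
SAMPLE_LDIF = """\
dn: CN=shaggy,CN=Computers,DC=ad,DC=plainjoe,DC=org
servicePrincipalName: CIFS/shaggy.ad.plainjoe.org
servicePrincipalName: CIFS/shaggy
servicePrincipalName: HOST/shaggy.ad.plainjoe.org
servicePrincipalName: HOST/shaggy
userPrincipalName: HOST/shaggy@AD.PLAINJOE.ORG

dn: CN=SPUD,OU=Domain Controllers,DC=ad,DC=plainjoe,DC=org
servicePrincipalName: DNS/spud.ad.plainjoe.org
servicePrincipalName: HOST/spud.ad.plainjoe.org
servicePrincipalName: LDAP/b4adf850-defa-4267-8d18-e52d274dd979._msdcs.ad.plai
 njoe.org
servicePrincipalName: LDAP/spud.ad.plainjoe.org
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: unfolds continuation lines, splits entries on
    blank lines, keeps every value of a multi-valued attribute in order."""
    logical: List[str] = []
    for raw in text.splitlines():
        # A line beginning with one space continues the previous logical line.
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)

    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in logical:
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def realm_from_dn(dn: str) -> str:
    """Assumption for this example: the Kerberos realm is the DC= components
    of the dn joined with dots and upper-cased (DC=ad,DC=plainjoe,DC=org
    becomes AD.PLAINJOE.ORG)."""
    parts = [
        p.strip().split("=", 1)[1]
        for p in dn.split(",")
        if p.strip().upper().startswith("DC=")
    ]
    return ".".join(parts).upper()


def kerberos_names(entry: Dict[str, List[str]]) -> Dict[str, Optional[object]]:
    """Return the principal to kinit with and the principals to put in the
    keytab.  SPNs are stored without a realm, so each is qualified with the
    realm derived from the dn; the service/host part is left exactly as
    stored, since Kerberos principal names are case-sensitive."""
    realm = realm_from_dn(entry["dn"][0])
    upns = entry.get("userPrincipalName", [])
    tgt_principal = upns[0] if upns else None  # no UPN: nothing to kinit as
    keytab: List[str] = []
    for spn in entry.get("servicePrincipalName", []):
        full = spn if "@" in spn else f"{spn}@{realm}"
        if full not in keytab:
            keytab.append(full)
    return {"realm": realm, "tgt_principal": tgt_principal,
            "keytab_principals": keytab}


if __name__ == "__main__":
    for e in parse_ldif(SAMPLE_LDIF):
        names = kerberos_names(e)
        print(e["dn"][0])
        print("  TGT as    :", names["tgt_principal"])
        for p in names["keytab_principals"]:
            print("  keytab    :", p)
```

Running it shows the shaggy entry yielding `HOST/shaggy@AD.PLAINJOE.ORG` as the TGT principal and four realm-qualified keytab entries, while the DC entry has no userPrincipalName and so no TGT principal from this attribute alone.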