[PATCH] heimdal fixes for the new keytab code

Gerald (Jerry) Carter jerry at samba.org
Thu Jul 8 03:08:10 GMT 2004

On Wed, 7 Jul 2004, Rakesh Patel wrote:

> I'm not sure what spns are created in AD from the latest version of the
> patch, however the host keytab always needs host/fqdn@REALM for normal
> kerberos clients to function. When joining the machine to the AD domain,

The problem is the difference between what is needed for the keytab service 
principal and the one that apparently can be used for kinit.

> AD has a large number of automatic "aliases" for the machines principal
> name and either pregenerates each version of the key or most likely
> dynamically generates the kerberos key. SPNs such as "host$",
> "HOST/machine", etc. are part of that list. It is an AD attribute and I
> have seen it in the past - the list of acceptable SPNs is lengthy.
> Since Samba code automatically handles requests in a similar manner by
> using the password from secrets.tdb, it does not need to worry about
> which SPNs need to be added to the system keytab.

It seems that you can only perform SASL binds using the userPrincipalName 
value and not the servicePrincipalName.  At least that's what my tests 
seemed to imply.

The other curious thing is that a normal XP box joined to the domain does 
not have the (optional) userPrincipalName attribute.  Only the 
servicePrincipalName.  So I'm assuming the difference is due to the 
userAccountFlags we set but I haven't had time to track that down yet
to be 100% certain.

> As far as a later question about CIFS/machine - I am not sure where that
> came from. I suggest checking a registered file server to see if
> CIFS/machine is one of the SPNs for any file servers. If not, that
> should probably be removed. I don't recall the name of the attribute
> listing the "aliases" for the SPN, but the values for that attribute
> should also be checked in case CIFS is listed in there.

I haven't found it anywhere so far.  Still looking though.

cheers, jerry
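The two checks discussed in this thread (is host/fqdn@REALM in the system keytab, and does every keytab entry correspond to an SPN actually registered on the AD computer object) can be automated. The script below is an added example, not code from the thread or from Samba; the `klist -k` listing and the LDIF fragment are constructed samples, and the `fqdn` and `realm` arguments are assumed inputs.

```python
import re

# Constructed sample of `klist -k` output (not a real capture).
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/fileserver.example.com@EXAMPLE.COM
   3 HOST/FILESERVER@EXAMPLE.COM
   3 cifs/fileserver.example.com@EXAMPLE.COM
"""

# Constructed sample of the servicePrincipalName attribute on the computer
# object, in the LDIF form an ldapsearch query would return it.
LDIF_OUTPUT = """\
dn: CN=FILESERVER,CN=Computers,DC=example,DC=com
servicePrincipalName: HOST/FILESERVER
servicePrincipalName: HOST/fileserver.example.com
"""


def keytab_principals(klist_text):
    """Return the principal names listed by `klist -k`, in keytab order."""
    princs = []
    for line in klist_text.splitlines():
        m = re.match(r"\s*\d+\s+(\S+@\S+)$", line)
        if m:
            princs.append(m.group(1))
    return princs


def spns_from_ldif(ldif_text):
    """Return the servicePrincipalName values from an LDIF fragment."""
    return [line.split(":", 1)[1].strip()
            for line in ldif_text.splitlines()
            if line.lower().startswith("serviceprincipalname:")]


def check_keytab(klist_text, ldif_text, fqdn, realm):
    """Report whether host/fqdn@REALM is present and which keytab entries
    have no matching SPN on the computer object (the KDC will not issue
    tickets for those, so clients using them fail)."""
    required = f"host/{fqdn}@{realm}".lower()
    princs = keytab_principals(klist_text)
    spns = {s.lower() for s in spns_from_ldif(ldif_text)}  # AD SPNs carry no realm
    has_host = any(p.lower() == required for p in princs)
    unregistered = [p for p in princs
                    if p.rsplit("@", 1)[0].lower() not in spns]
    return {"has_host_principal": has_host, "unregistered": unregistered}
```

Running `check_keytab(KLIST_OUTPUT, LDIF_OUTPUT, "fileserver.example.com", "EXAMPLE.COM")` on the samples flags the cifs/ entry as having no registered SPN while confirming the host/fqdn principal is present.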
