Samba-3.0.7-1.3E Active Directory Issues

Doug VanLeuven roamdad at sonic.net
Thu Oct 14 22:21:51 GMT 2004


Nalin Dahyabhai wrote:

>I recently spent a chunk of time looking at this, too.  From what I can
>tell, your patch is very much on the right track.  My tests point to AD
>salting passwords which are used for generating keys with salts which
>differ from the ones Samba is using.
>
>Specifically, for a host "sparky.example.com" joined to a domain named
>"AD.EXAMPLE.COM", the salt which AD uses is produced by giving the
>principal-to-salt function "host/sparky.ad.example.com at AD.EXAMPLE.COM".
>This salt is apparently used when generating keys for any service which
>runs on sparky.
>  
>
If you want to join a computer whose DNS domain is different than the 
REALM, please see this bug report
https://bugzilla.samba.org/show_bug.cgi?id=1651

so sparky would join as HOST/sparky.ad.example.com at AD.EXAMPLE.COM, which 
won't work with the native Kerberos.  It should be 
HOST/sparky.example.com at AD.EXAMPLE.COM with a domain name mapping of 
sparky.example.com = AD.EXAMPLE.COM in /etc/krb5.conf.

Since I filed the bug report, the workaround I'm using with success is:
1. add the machine to the AD
2. add sparky.ad.example.com to the ad.example.com DNS domain
3. use MS ADSI Edit to add HOST/sparky.example.com and 
CIFS/sparky.example.com to servicePrincipalName in ADS for the machine.

I add the DNS record after the join; otherwise my Samba-managed keytab 
ends up as sparky.ad.example.com instead of sparky.example.com, which 
isn't what a reverse DNS lookup would return.

My 2 cents.

Regards, Doug
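An added check, not from the post or from Samba, that flags the mismatch described above: service principals in a Samba-managed keytab whose host part differs from the FQDN a reverse DNS lookup returns. It assumes MIT `klist -k` output in the "KVNO Principal" layout; the sample keytab listing is constructed.

```shell
#!/bin/sh
# Constructed sample of `klist -k /etc/krb5.keytab` output: a join done
# before the DNS record existed, so the principals carry the realm's
# DNS name (sparky.ad.example.com) rather than the host's real FQDN.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/sparky.ad.example.com@AD.EXAMPLE.COM
   2 HOST/sparky.ad.example.com@AD.EXAMPLE.COM
   2 cifs/sparky.ad.example.com@AD.EXAMPLE.COM
   2 SPARKY$@AD.EXAMPLE.COM'

# keytab_fqdn_mismatches KLIST_OUTPUT EXPECTED_FQDN
# Prints every service principal (svc/host@REALM) whose host part is not
# EXPECTED_FQDN, compared case-insensitively.  Returns 0 when all service
# principals match, 1 when at least one does not.  The machine account
# principal (SPARKY$@REALM) has no host part and is skipped.
keytab_fqdn_mismatches() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $2 ~ /^[A-Za-z]+\/[^@]+@/ {
            split($2, parts, "[/@]")          # parts[2] is the host part
            if (tolower(parts[2]) != tolower(want)) { print $2; bad = 1 }
        }
        END { if (bad) exit 1; exit 0 }'
}

# Demonstration on the constructed listing: the host really is
# sparky.example.com, so the three service principals are reported.
keytab_fqdn_mismatches "$SAMPLE_KLIST" sparky.example.com \
    || echo "keytab principals do not match the reverse-DNS FQDN"
```

On a real host run `keytab_fqdn_mismatches "$(klist -k /etc/krb5.keytab)" "$(hostname -f)"` after the join and again after the DNS record and extra SPNs are in place.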
