Catching more principals in ads_keytab_verify_ticket()
Jeremy Allison
jra at samba.org
Fri Feb 25 19:52:12 GMT 2005
On Fri, Feb 25, 2005 at 01:52:14PM +0000, Michael Brown wrote:
> Greetings,
>
> I'm encountering a problem with a WinXP workstation and Samba 3.0.11
> server in a Kerberos realm with an MIT KDC. Specifically, the WinXP
> workstation is requesting and obtaining a service ticket for
> cifs/name.REALM at REALM, which is not one of the combinations tried in
> libads/kerberos_verify.c:ads_keytab_verify_ticket(). The list of
> combinations attempted currently comprises:
>
> name$
> NAME$
> host/name at REALM
> host/NAME at REALM
> host/fqdn at REALM
> host/Fqdn at REALM
> HOST/name at REALM
> HOST/NAME at REALM
> HOST/fqdn at REALM
> HOST/Fqdn at REALM
> cifs/name at REALM
> cifs/NAME at REALM
> cifs/fqdn at REALM
> cifs/Fqdn at REALM
> CIFS/name at REALM
> CIFS/NAME at REALM
> CIFS/fqdn at REALM
> CIFS/Fqdn at REALM
>
> Deleting the principal cifs/name.REALM from the KDC results in the WinXP
> workstation falling back to NTLM, which is not desirable since the KDC is
> the only password database. Creating a keytab entry for cifs/name.REALM
> is easy, but Samba currently won't try to use it; it tries only the
> combinations listed above.
>
>
> I'd like to propose a slightly different structure for
> ads_keytab_verify_ticket(), as follows:
>
> allowed_principal_formats[] = {
>     name$
>     host/name
>     host/fqdn
>     host/name.REALM
>     cifs/name
>     cifs/fqdn
>     cifs/name.REALM
> }
>
> for each principal in keytab {
>     for each format in allowed_principal_formats {
>         /* strcasecmp() returns 0 when the strings match */
>         if ( strcasecmp ( principal, format ) == 0 ) {
>             if ( krb5_rd_req ( principal ) succeeds ) {
>                 auth_ok = True;
>                 break;
>             }
>         }
>     }
> }
>
> This would get as close to case-insensitivity to principal names as an MIT
> KDC allows (i.e. the principal on the KDC still has to exactly match the
> case that the workstations request, but the Samba server will then happily
> use the principal, regardless of case), and also allows for the case where
> the DNS domainname is not the same as the Kerberos realm name.
>
> I'm happy to code this up and submit a patch. Does anyone have any
> comments, suggestions or reasons why this might be a really bad idea?
It sounds ok to me, but be warned, this is kerberos code - here be
dragons. I've yet to integrate a krb5 patch that didn't have problems
with valgrind or memory leaks :-). But if the people using the keytab
support in Samba agree I'm happy to integrate it.
Jeremy.
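The candidate-selection loop from the proposal above, written out as an added example in C. This is not Samba's ads_keytab_verify_ticket() and not a patch; the host name, FQDN, realm and keytab entries in it are constructed. It covers only the part the proposal changes, i.e. which keytab entries get tried, matched case-insensitively against the allowed formats and including host/name.REALM and cifs/name.REALM for the case where the DNS domain differs from the realm. The krb5_rd_req() call itself is left out so the selection can be run without a KDC or libkrb5.

```c
/* Added example, not Samba code: choose which keytab principals to hand to
 * krb5_rd_req(), matching the proposal's allowed formats case-insensitively
 * and accepting host/name.REALM and cifs/name.REALM so a DNS domain that
 * differs from the realm still works. All names and keytab entries are
 * constructed. */
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define MAX_FORMATS 8
#define MAX_LEN 256

/* The allowed principal forms (without @REALM) from the proposal. */
static int build_allowed_formats(const char *name, const char *fqdn,
                                 const char *realm, char out[][MAX_LEN])
{
    int n = 0;
    snprintf(out[n++], MAX_LEN, "%s$", name);
    snprintf(out[n++], MAX_LEN, "host/%s", name);
    snprintf(out[n++], MAX_LEN, "host/%s", fqdn);
    snprintf(out[n++], MAX_LEN, "host/%s.%s", name, realm);
    snprintf(out[n++], MAX_LEN, "cifs/%s", name);
    snprintf(out[n++], MAX_LEN, "cifs/%s", fqdn);
    snprintf(out[n++], MAX_LEN, "cifs/%s.%s", name, realm);
    return n;
}

/* 1 if "SERVICE/host@REALM" matches an allowed form. The part before '@'
 * is compared ignoring case; the realm must be present and equal the
 * server's realm exactly (realm names are case-sensitive), so entries
 * belonging to other realms are never tried. */
static int principal_is_allowed(const char *principal, const char *name,
                                const char *fqdn, const char *realm)
{
    char formats[MAX_FORMATS][MAX_LEN], local[MAX_LEN];
    const char *at = strrchr(principal, '@');
    size_t len;
    int n, i;

    if (at == NULL || strcmp(at + 1, realm) != 0)
        return 0;
    len = (size_t)(at - principal);
    if (len == 0 || len >= sizeof(local))
        return 0;
    memcpy(local, principal, len);
    local[len] = '\0';

    n = build_allowed_formats(name, fqdn, realm, formats);
    for (i = 0; i < n; i++)
        if (strcasecmp(local, formats[i]) == 0)
            return 1;
    return 0;
}

/* Collect the keytab entries that would be passed to krb5_rd_req() and
 * return how many there are. Samba would stop at the first entry that
 * verifies the ticket; all candidates are kept here so they can be seen. */
static int select_candidates(const char *const *keytab, int count,
                             const char *name, const char *fqdn,
                             const char *realm, const char **selected,
                             int max_selected)
{
    int i, n = 0;
    for (i = 0; i < count && n < max_selected; i++)
        if (principal_is_allowed(keytab[i], name, fqdn, realm))
            selected[n++] = keytab[i];
    return n;
}

/* Constructed keytab for server "fileserver", FQDN
 * fileserver.corp.example.com, realm EXAMPLE.ORG (DNS domain != realm). */
static const char *const demo_keytab[] = {
    "FILESERVER$@EXAMPLE.ORG",                      /* name$, upper case   */
    "host/fileserver.corp.example.com@EXAMPLE.ORG", /* host/fqdn           */
    "cifs/fileserver.EXAMPLE.ORG@EXAMPLE.ORG",      /* cifs/name.REALM     */
    "CIFS/Fileserver@EXAMPLE.ORG",                  /* cifs/name, mixed    */
    "cifs/otherhost.corp.example.com@EXAMPLE.ORG",  /* other host: skip    */
    "cifs/fileserver.EXAMPLE.ORG@OTHER.REALM",      /* foreign realm: skip */
    "ldap/fileserver.corp.example.com@EXAMPLE.ORG", /* not an allowed svc  */
};
#define DEMO_KEYTAB_LEN ((int)(sizeof(demo_keytab) / sizeof(demo_keytab[0])))

/* Run the selection over the demo keytab; 4 of the 7 entries qualify. */
static int demo_candidate_count(void)
{
    const char *selected[MAX_FORMATS];
    return select_candidates(demo_keytab, DEMO_KEYTAB_LEN, "fileserver",
                             "fileserver.corp.example.com", "EXAMPLE.ORG",
                             selected, MAX_FORMATS);
}

int main(void)
{
    const char *selected[MAX_FORMATS];
    int i, n = select_candidates(demo_keytab, DEMO_KEYTAB_LEN, "fileserver",
                                 "fileserver.corp.example.com", "EXAMPLE.ORG",
                                 selected, MAX_FORMATS);
    for (i = 0; i < n; i++)
        printf("would try krb5_rd_req() with %s\n", selected[i]);
    return 0;
}
```

Two choices worth noting: the realm is compared exactly rather than with strcasecmp(), because Kerberos realm names are case-sensitive and a ticket for another realm will never verify against this server's key anyway; and, as the proposal says, this only relaxes the Samba side. The principal on the MIT KDC still has to match the case the workstation requests, so if the client asks for cifs/name.REALM the KDC must hold that entry in exactly that spelling, and the keytab on the Samba server must carry the same key.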