Catching more principals in ads_keytab_verify_ticket()

Doug VanLeuven roamdad at
Sat Feb 26 01:08:12 GMT 2005

Jeremy Allison wrote:

>On Fri, Feb 25, 2005 at 01:52:14PM +0000, Michael Brown wrote:
>>I'd like to propose a slightly different structure for 
>>ads_keytab_verify_ticket(), as follows:
>>  allowed_principal_formats[] = {
>>    name$
>>    host/name
>>    host/fqdn
>>    host/name.REALM
>>    cifs/name
>>    cifs/fqdn
>>    cifs/name.REALM
>>  }
>>  for each principal in keytab {
>>    for each format in allowed_principal_formats {
>>      if ( strcasecmp ( principal, format ) == 0 ) {
>>        if ( krb5_rd_req ( principal ) succeeds ) {
>>          auth_ok = True;
>>          break;
>>        }
>>      }
>>    }
>>  }
>>This would get as close to case-insensitivity to principal names as an MIT
>>KDC allows (i.e. the principal on the KDC still has to exactly match the
>>case that the workstations request, but the Samba server will then happily 
>>use the principal, regardless of case), and also allows for the case where 
>>the DNS domainname is not the same as the Kerberos realm name.
>>I'm happy to code this up and submit a patch.  Does anyone have any
>>comments, suggestions or reasons why this might be a really bad idea?
>It sounds ok to me, but be warned, this is kerberos code - here be
>dragons. I've yet to integrate a krb5 patch that didn't have problems
>with valgrind or memory leaks :-). But if the people using the keytab
>support in Samba agree I'm happy to integrate it.
I'm still using this section of samba-3.0.8pre1-fqdn.patch that you 
posted that never seemed to make it into the distribution.  It seems to 
be covering my servers that don't have the same realm and DNS domain in 
conjunction with the keytab principal iteration patch.  I'm not using 
XP, but I haven't noticed 2k being denied anything.

        servicePrincipalName[3] = psp2;
+       strlower_m(my_fqdn);
+       if (strcmp(my_fqdn, &psp2[5]) != 0) {
+               psp3 = talloc_asprintf(ctx, "CIFS/%s", my_fqdn);
+               strlower_m(&psp3[5]);
+               servicePrincipalName[4] = psp3;
+               psp4 = talloc_asprintf(ctx, "HOST/%s", my_fqdn);
+               strlower_m(&psp4[5]);
+               servicePrincipalName[5] = psp4;
+       }
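Review bot: the guard on the new block is a case-sensitive strcmp() of the just-lowered my_fqdn against &psp2[5], but nothing in the hunk lowers psp2 first, so a mixed-case psp2 ("CIFS/Wks01.Corp...") compares unequal to "wks01.corp..." and the block then registers CIFS/ and HOST/ entries that differ from the existing ones only in case. Lower both sides before comparing, or compare with strcasecmp(). Two smaller points in the same block: talloc_asprintf() can return NULL and psp3/psp4 are dereferenced by strlower_m(&psp3[5]) without a check, and the &psp2[5] offset hardcodes the length of the "CIFS/" prefix; the caller must also guarantee servicePrincipalName[] has room for indices 4 and 5 plus its terminator, which is not visible here.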

If host/name.REALM was just added to the existing array for an 
additional combination, I don't think that would break anything 
existing.  It does look pretty bizarre when one does klist -ek, but it's 
all working, right now, for me.  I'd really, really hate to have to go 
thru that again.

Mike, you haven't really said if your domain and realm are the same or 
not or if it's just a case variation.

Regards, Doug
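The selection loop Michael proposes, carried through as an added example (this is not Samba's code and not the patch quoted above): build the seven allowed principal shapes from the machine name, its DNS FQDN and the realm, pick the keytab entries that match one of them regardless of case, and hand each candidate to a verification callback that stands in for krb5_rd_req(). The sample keytab listing is constructed in the shape of `klist -ek` output for a host whose DNS domain (corp.example.net) is not its realm (AD.EXAMPLE.COM), which is exactly the case the thread is about. The skip of entries from a foreign realm is an added check that the proposal's pseudocode does not include.

```python
"""Added example (not Samba's code): case-insensitive keytab principal
selection as proposed in the thread; krb5_rd_req() is replaced by a callback."""

# Constructed sample, shaped like `klist -ek` output for a member server
# whose DNS domain (corp.example.net) differs from its realm (AD.EXAMPLE.COM).
SAMPLE_KLIST_EK = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 WKS01$@AD.EXAMPLE.COM (arcfour-hmac)
   3 HOST/wks01.corp.example.net@AD.EXAMPLE.COM (arcfour-hmac)
   3 CIFS/Wks01@AD.EXAMPLE.COM (arcfour-hmac)
   3 host/wks01.ad.example.com@AD.EXAMPLE.COM (arcfour-hmac)
   3 ldap/dc1.ad.example.com@AD.EXAMPLE.COM (arcfour-hmac)
   2 HOST/wks01.corp.example.net@OTHER.EXAMPLE.ORG (arcfour-hmac)
"""


def parse_klist_ek(text):
    """Return the principal column from `klist -ek`-style output."""
    principals = []
    in_table = False
    for line in text.splitlines():
        if line.startswith("----"):
            in_table = True          # header is over, rows follow
            continue
        if not in_table or not line.strip():
            continue
        fields = line.split(None, 2)  # kvno, principal, optional enctype
        if len(fields) >= 2:
            principals.append(fields[1])
    return principals


def allowed_principal_formats(name, fqdn, realm):
    """The seven shapes from the proposal, lower-cased for comparison."""
    name, fqdn, realm = name.lower(), fqdn.lower(), realm.lower()
    return [
        f"{name}$",
        f"host/{name}", f"host/{fqdn}", f"host/{name}.{realm}",
        f"cifs/{name}", f"cifs/{fqdn}", f"cifs/{name}.{realm}",
    ]


def split_principal(principal):
    """Split 'name@REALM' into (name, realm); realm is None when absent."""
    if "@" not in principal:
        return principal, None
    name, _, realm = principal.rpartition("@")
    return name, realm


def candidate_principals(keytab_principals, name, fqdn, realm):
    """Keytab entries whose name part matches an allowed format, ignoring case.

    Entries from another realm are skipped (added check, not in the proposal).
    """
    allowed = set(allowed_principal_formats(name, fqdn, realm))
    matches = []
    for princ in keytab_principals:
        pname, prealm = split_principal(princ)
        if prealm is not None and prealm.lower() != realm.lower():
            continue
        if pname.lower() in allowed:
            matches.append(princ)
    return matches


def verify_ticket(keytab_principals, name, fqdn, realm, rd_req):
    """Mirror of the proposed loop: try each candidate until rd_req() accepts.

    rd_req is a hypothetical stand-in for krb5_rd_req(); it returns True
    when the presented ticket decrypts with that principal's key.
    """
    for princ in candidate_principals(keytab_principals, name, fqdn, realm):
        if rd_req(princ):
            return princ
    return None


if __name__ == "__main__":
    princs = parse_klist_ek(SAMPLE_KLIST_EK)
    # Pretend the client's ticket was issued for host/<fqdn>, in lower case;
    # the keytab spells that entry HOST/..., which must not matter.
    ticket_for = "host/wks01.corp.example.net"
    accepted = verify_ticket(
        princs, "WKS01", "wks01.corp.example.net", "AD.EXAMPLE.COM",
        lambda p: split_principal(p)[0].lower() == ticket_for)
    print(accepted)
```

The realm filter is what keeps a stale or foreign-realm entry in the keytab (the KVNO 2 line above) from ever being offered to the verification step; the case-folding happens only on the Samba side, so, as Michael notes, the KDC's own principal still has to match what the client requested.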
