Catching more principals in ads_keytab_verify_ticket()

Sat Feb 26 12:15:31 GMT 2005

On Fri, 25 Feb 2005, Doug VanLeuven wrote:
> I'm still using this section of samba-3.0.8pre1-fqdn.patch that you 
> posted that never seemed to make it into the distribution.  It seems to 
> be covering my servers that don't have the same realm and DNS domain in 
> conjunction with the keytab principal iteration patch.  I'm not using 
> XP, but I haven't noticed 2k being denied anything.
> 
>         servicePrincipalName[3] = psp2;
> +       strlower_m(my_fqdn);
> +       if (strcmp(my_fqdn, &psp2[5]) != 0) {
> +               psp3 = talloc_asprintf(ctx, "CIFS/%s", my_fqdn);
> +               strlower_m(&psp3[5]);
> +               servicePrincipalName[4] = psp3;
> +               psp4 = talloc_asprintf(ctx, "HOST/%s", my_fqdn);
> +               strlower_m(&psp4[5]);
> +               servicePrincipalName[5] = psp4;
> +       }
> 
> If host/name.REALM was just added to the existing array for an
> additional combination, I don't think that would break anythig existing.  
> It does look pretty bizzare when one does klist -ek, but it's all
> working, right now, for me.  I'd really, really hate to have to go thru
> that again.
> 
> Mike, you haven't really said if your domain and realm are the same or
> not or if it's just a case variation.

That code is in ldap.c and from what I can tell applies only when you have
an Active Directory DC.  I'm using a WinXP workstation joined to a
Kerberos realm via Ksetup - no AD DCs anywhere on the network.

My domain and realm are different, though it's only on a test network so
this isn't a huge barrier.  The major problem for me is the case
variability; the method I'm proposing to fix this problem just happens to
also makes it easy to cope with realm != domain.

I'm working on a patch at the moment.

Michael