Catching more principals in ads_keytab_verify_ticket()

Doug VanLeuven roamdad at
Sat Feb 26 22:53:31 GMT 2005

Michael Brown wrote:

>On Sat, 26 Feb 2005, Michael Brown wrote:
>>My domain and realm are different, though it's only on a test network so
>>this isn't a huge barrier.  The major problem for me is the case
>>variability; the method I'm proposing to fix this problem just happens
>>to also makes it easy to cope with realm != domain.
>>I'm working on a patch at the moment.
> <>
> Patch against current SVN attached. Compiles cleanly with no warnings,
> works when I test it.

Hi Mike,
Since that section of code went in, the noise level has gone to almost 
zero.  There's no telling, really, which variations do the trick for all 
environments.  When I mentioned I thought it wouldn't hurt to add a 
variation to cover your discovery I had in mind something more like the 
following.  This adds two entries to the keytab and the verify routines.

If I understood you correctly, you want this - name.REALM at REALM
  27 cifs/gate.NT.LDXNET.COM at NT.LDXNET.COM (ArcFour with HMAC/md5)
  27 cifs/gate.NT.LDXNET.COM at NT.LDXNET.COM (DES cbc mode with RSA-MD5)
  27 host/gate.NT.LDXNET.COM at NT.LDXNET.COM (ArcFour with HMAC/md5)
  27 host/gate.NT.LDXNET.COM at NT.LDXNET.COM (DES cbc mode with RSA-MD5)
To add to these style entries - fqdn at REALM
  27 host/ at NT.LDXNET.COM (ArcFour with HMAC/md5)
  27 host/ at NT.LDXNET.COM (DES cbc mode with RSA-MD5)
  27 cifs/ at NT.LDXNET.COM (ArcFour with HMAC/md5)
  27 cifs/ at NT.LDXNET.COM (DES cbc mode with RSA-MD5)

Regards, Doug

Index: libads/kerberos_keytab.c
--- libads/kerberos_keytab.c    (revision 5575)
+++ libads/kerberos_keytab.c    (working copy)
@@ -443,7 +443,7 @@
        fstring my_fqdn, my_Fqdn, my_name, my_NAME;
        char *p_fqdn;
        int i, found = 0;
-       char **oldEntries = NULL, *princ_s[18];;
+       char **oldEntries = NULL, *princ_s[20];;
        ret = ads_keytab_add_entry(ads, "host");
        if (ret) {
@@ -490,6 +490,8 @@
        asprintf(&princ_s[15], "CIFS/%s@%s", my_NAME, lp_realm());
        asprintf(&princ_s[16], "CIFS/%s@%s", my_fqdn, lp_realm());
        asprintf(&princ_s[17], "CIFS/%s@%s", my_Fqdn, lp_realm());
+       asprintf(&princ_s[18], "cifs/%s.%s@%s", my_name, lp_realm(), 
+       asprintf(&princ_s[19], "host/%s.%s@%s", my_name, lp_realm(), 
        for (i = 0; i < sizeof(princ_s) / sizeof(princ_s[0]); i++) {
                if (princ_s[i] != NULL) {
Index: libads/kerberos_verify.c
--- libads/kerberos_verify.c    (revision 5575)
+++ libads/kerberos_verify.c    (working copy)
@@ -45,7 +45,7 @@
        fstring my_fqdn, my_name;
        fstring my_Fqdn, my_NAME;
        char *p_fqdn;
-       char *host_princ_s[18];
+       char *host_princ_s[20];
        krb5_principal host_princ;
        int i;
@@ -92,6 +92,8 @@
         asprintf(&host_princ_s[15], "CIFS/%s@%s", my_NAME, lp_realm());
         asprintf(&host_princ_s[16], "CIFS/%s@%s", my_fqdn, lp_realm());
         asprintf(&host_princ_s[17], "CIFS/%s@%s", my_Fqdn, lp_realm());
+        asprintf(&host_princ_s[18], "cifs/%s.%s@%s", my_name, 
lp_realm(), lp_realm());
+        asprintf(&host_princ_s[19], "host/%s.%s@%s", my_name, 
lp_realm(), lp_realm());
        /* Now try to verify the ticket using the key associated with 
each of
         * the principals which we think clients will expect us to be

More information about the samba-technical mailing list