Catching more principals in ads_keytab_verify_ticket()
Doug VanLeuven
roamdad at sonic.net
Thu Mar 3 12:46:19 GMT 2005
Jeremy Allison wrote:
>Ok, this is why I *hate* the krb5 principal code. If you guys are
>working on this, please also give me something that addresses bug
>2414 here :
>
>https://bugzilla.samba.org/show_bug.cgi?id=2414
>
>"When joining an Active Directory when subdomains are being used, the servicePrincipalNames inserted
>in AD are incorrectly generated.
>
>.....
>
>How to fix: basically, SPNs should be generated from FQDN, rather than HOSTNAME.ADREALM (or in
>addition to)."
>
>I *hate* kerberos so much :-).
>
>
Jeremy,
I had this bug on fqdn != REALM.
https://bugzilla.samba.org/show_bug.cgi?id=1651
Resolved by samba-3.0.8pre1-fqdn.patch from Nalin Dahyabhai.
But the following ldap.c section of the proposed patch that fixed it for
me never made it into svn. As you can see, it adds HOST & CIFS fqdn to
servicePrincipalName.
To test this on your current bug, I have a subdomain called
dyn.ldxnet.com that I put a RH9 2.4.20-28.9 into, then joined the
NT.LDXNT.COM realm after deleting krb5.keytab, updating krb5.conf,
updating samba to svn 5575 (with the additional ldap.c patch) and making
sure DNS really pointed to the subdomain. Worked like a champ.
My AD realm (& domain) is nt.ldxnet.com
I just can't stress enough that DNS must be perfect for not only
unix/samba but Win2003 AD to work. You know, like proper glue for any
delegations.
About Micael's patch - I understand he wants to have samba pick up
manually added keytab entries that aren't necessarily pre-defined in a
list. On the other hand, for those of us that want samba to manage the
keytab, any AD variations MUST be defined in a list or it won't work.
That's where the log jam is.
Regards, Doug
Index: libads/ldap.c
===================================================================
--- libads/ldap.c (revision 5575)
+++ libads/ldap.c (working copy)
@@ -1436,6 +1436,15 @@
ads->config.realm);
strlower_m(&psp2[5]);
servicePrincipalName[3] = psp2;
+ strlower_m(my_fqdn);
+ if (strcmp(my_fqdn, &psp2[5]) != 0) {
+ psp3 = talloc_asprintf(ctx, "CIFS/%s", my_fqdn);
+ strlower_m(&psp3[5]);
+ servicePrincipalName[4] = psp3;
+ psp4 = talloc_asprintf(ctx, "HOST/%s", my_fqdn);
+ strlower_m(&psp4[5]);
+ servicePrincipalName[5] = psp4;
+ }
/* Ensure servicePrincipalName[4] and [5] are unique. */
strlower_m(my_fqdn);
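Review bot: The two talloc_asprintf() results, psp3 and psp4, are lowercased via strlower_m(&psp3[5]) and strlower_m(&psp4[5]) without a NULL check, so an allocation failure dereferences NULL+5; add `if (!psp3 || !psp4)` error handling before touching them. The added `strlower_m(my_fqdn);` at the top of the block is also redundant with the unchanged `strlower_m(my_fqdn);` context line immediately after it, and the block writes servicePrincipalName[4] and [5] directly above the existing "Ensure servicePrincipalName[4] and [5] are unique" step that fills the same slots, so when my_fqdn differs from hostname.realm both paths assign those indices and the later one wins; either hoist the single strlower_m() and assign each slot once, or add a comment stating which path is meant to populate [4] and [5] in each case.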
----------------------------------------
Documentation of the join and management of the keytab
[doug@lex doug]$ dnsdomainname
dyn.ldxnet.com
[doug@lex doug]$ cat /etc/resolv.conf
search dyn.ldxnet.com nt.ldxnet.com ldxnet.com nt.scwa.gov scwa.gov scwa.ca.gov
nameserver 192.168.200.25
nameserver 192.168.200.30
[doug@lex doug]$ more /etc/hosts
192.168.200.10 lex.dyn.ldxnet.com lex
...
[doug@lex doug]$ host lex
lex.dyn.ldxnet.com has address 192.168.200.10
[doug@lex doug]$ host 192.168.200.10
10.200.168.192.in-addr.arpa domain name pointer lex.dyn.ldxnet.com.
[doug@lex doug]$ more /etc/krb5.conf
[libdefaults]
dns_lookup_realm = false
dns_lookup_kdc = false
default_realm = NT.LDXNET.COM
default_keytab_name = FILE:/etc/krb5.keytab
default_tgs_enctypes = rc4-hmac des-cbc-md5
default_tkt_enctypes = rc4-hmac des-cbc-md5
permitted_enctypes = rc4-hmac des-cbc-md5
[realms]
NT.LDXNET.COM = {
kdc = ranger1.nt.ldxnet.com:88
admin_server = ranger1.nt.ldxnet.com:749
}
[domain_realm]
.nt.ldxnet.com = NT.LDXNET.COM
nt.ldxnet.com = NT.LDXNET.COM
gate.ldxnet.com = NT.LDXNET.COM
ldxnet.com = NT.LDXNET.COM
lex.dyn.ldxnet.com = NT.LDXNET.COM
.dyn.ldxnet.com = NT.LDXNET.COM
.ldxnet.com = NT.LDXNET.COM
....
[root@lex root]# klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
2 host/lex.dyn.ldxnet.com@NT.LDXNET.COM (ArcFour with HMAC/md5)
2 host/lex.dyn.ldxnet.com@NT.LDXNET.COM (DES cbc mode with RSA-MD5)
2 cifs/lex.dyn.ldxnet.com@NT.LDXNET.COM (ArcFour with HMAC/md5)
2 cifs/lex.dyn.ldxnet.com@NT.LDXNET.COM (DES cbc mode with RSA-MD5)
2 lex$@NT.LDXNET.COM (ArcFour with HMAC/md5)
2 lex$@NT.LDXNET.COM (DES cbc mode with RSA-MD5)
2 LEX$@NT.LDXNET.COM (ArcFour with HMAC/md5)
2 LEX$@NT.LDXNET.COM (DES cbc mode with RSA-MD5)
2 host/lex@NT.LDXNET.COM (ArcFour with HMAC/md5)
2 host/lex@NT.LDXNET.COM (DES cbc mode with RSA-MD5)
2 host/LEX@NT.LDXNET.COM (ArcFour with HMAC/md5)
2 host/LEX@NT.LDXNET.COM (DES cbc mode with RSA-MD5)
2 host/LEX.dyn.ldxnet.com@NT.LDXNET.COM (ArcFour with HMAC/md5)
2 host/LEX.dyn.ldxnet.com@NT.LDXNET.COM (DES cbc mode with RSA-MD5)
2 HOST/lex@NT.LDXNET.COM (ArcFour with HMAC/md5)
2 HOST/lex@NT.LDXNET.COM (DES cbc mode with RSA-MD5)
2 HOST/LEX@NT.LDXNET.COM (ArcFour with HMAC/md5)
2 HOST/LEX@NT.LDXNET.COM (DES cbc mode with RSA-MD5)
2 HOST/lex.dyn.ldxnet.com@NT.LDXNET.COM (ArcFour with HMAC/md5)
2 HOST/lex.dyn.ldxnet.com@NT.LDXNET.COM (DES cbc mode with RSA-MD5)
2 HOST/LEX.dyn.ldxnet.com@NT.LDXNET.COM (ArcFour with HMAC/md5)
2 HOST/LEX.dyn.ldxnet.com@NT.LDXNET.COM (DES cbc mode with RSA-MD5)
2 cifs/lex@NT.LDXNET.COM (ArcFour with HMAC/md5)
2 cifs/lex@NT.LDXNET.COM (DES cbc mode with RSA-MD5)
2 cifs/LEX@NT.LDXNET.COM (ArcFour with HMAC/md5)
2 cifs/LEX@NT.LDXNET.COM (DES cbc mode with RSA-MD5)
2 cifs/LEX.dyn.ldxnet.com@NT.LDXNET.COM (ArcFour with HMAC/md5)
2 cifs/LEX.dyn.ldxnet.com@NT.LDXNET.COM (DES cbc mode with RSA-MD5)
2 CIFS/lex@NT.LDXNET.COM (ArcFour with HMAC/md5)
2 CIFS/lex@NT.LDXNET.COM (DES cbc mode with RSA-MD5)
2 CIFS/LEX@NT.LDXNET.COM (ArcFour with HMAC/md5)
2 CIFS/LEX@NT.LDXNET.COM (DES cbc mode with RSA-MD5)
2 CIFS/lex.dyn.ldxnet.com@NT.LDXNET.COM (ArcFour with HMAC/md5)
2 CIFS/lex.dyn.ldxnet.com@NT.LDXNET.COM (DES cbc mode with RSA-MD5)
2 CIFS/LEX.dyn.ldxnet.com@NT.LDXNET.COM (ArcFour with HMAC/md5)
2 CIFS/LEX.dyn.ldxnet.com@NT.LDXNET.COM (DES cbc mode with RSA-MD5)
2 cifs/lex.NT.LDXNET.COM@NT.LDXNET.COM (ArcFour with HMAC/md5)
2 cifs/lex.NT.LDXNET.COM@NT.LDXNET.COM (DES cbc mode with RSA-MD5)
2 host/lex.NT.LDXNET.COM@NT.LDXNET.COM (ArcFour with HMAC/md5)
2 host/lex.NT.LDXNET.COM@NT.LDXNET.COM (DES cbc mode with RSA-MD5)
smb.conf
[global]
workgroup = FOREST
realm = NT.LDXNET.COM
security = ADS
use kerberos keytab = yes
winbind trusted domains only = yes
...
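A check for the condition the post and bug 2414 describe, added here as an example and not code from the post or from Samba: it derives the HOST/CIFS principals a join should register (short name, hostname.REALM, and the real FQDN when that differs, deduplicated case-insensitively as the patch intends) and reports which of them are absent from a `klist -ke` listing. The listing below is constructed to model the pre-patch state of host lex, and the function names are this example's own.

```python
import re

# Constructed `klist -ke` listing modelled on the pre-patch join state for
# host "lex" (FQDN lex.dyn.ldxnet.com) in realm NT.LDXNET.COM: only the
# short name and hostname.REALM entries are present, the real FQDN is not.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/lex@NT.LDXNET.COM (ArcFour with HMAC/md5)
   2 cifs/lex@NT.LDXNET.COM (ArcFour with HMAC/md5)
   2 host/lex.NT.LDXNET.COM@NT.LDXNET.COM (ArcFour with HMAC/md5)
   2 cifs/lex.NT.LDXNET.COM@NT.LDXNET.COM (ArcFour with HMAC/md5)
   2 lex$@NT.LDXNET.COM (ArcFour with HMAC/md5)
"""

# One klist entry: KVNO, principal@REALM, (enctype)
KLIST_LINE = re.compile(r"^\s*(\d+)\s+(\S+)@(\S+)\s+\((.+)\)\s*$")


def expected_spns(hostname, fqdn, realm):
    """Service principals a join should register: short name, hostname.realm
    and (the patch's addition) the real FQDN whenever it differs from
    hostname.realm. Lowercased and deduplicated, like the 'ensure [4] and
    [5] are unique' step, so the fqdn == hostname.realm case yields no extras."""
    names = [hostname, f"{hostname}.{realm}", fqdn]
    spns = []
    for service in ("host", "cifs"):
        for name in names:
            spn = f"{service}/{name}".lower()
            if spn not in spns:
                spns.append(spn)
    return spns


def keytab_principals(klist_output):
    """Parse `klist -ke` output into a set of (principal, REALM) pairs; KVNO
    and enctype are dropped because presence is all this check needs."""
    found = set()
    for line in klist_output.splitlines():
        m = KLIST_LINE.match(line)
        if m:
            found.add((m.group(2).lower(), m.group(3).upper()))
    return found


def missing_spns(hostname, fqdn, realm, klist_output):
    """Expected SPNs that have no key of any enctype in the keytab."""
    have = keytab_principals(klist_output)
    return [spn for spn in expected_spns(hostname, fqdn, realm)
            if (spn, realm.upper()) not in have]


if __name__ == "__main__":
    for spn in missing_spns("lex", "lex.dyn.ldxnet.com", "NT.LDXNET.COM", SAMPLE_KLIST):
        print("missing from keytab:", spn)
```

Run against real output (`klist -ke` on the joined host) it should report nothing once the FQDN-based entries are in the keytab.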