summaries krb5 keytab requirements

Gerald (Jerry) Carter jerry at samba.org
Fri May 19 15:41:39 GMT 2006



I'm trying to wrap my head around all of the past issues
that have caused our krb5 code to look like it does today
(with hopes of cleaning things up).  These are my random
thoughts.  Please correct me if I am wrong on any point.


Salting
=======
We only need to derive the salt for DES keys if we are in an
AD domain and if the account has the USE_DES_KEYS flag set.
Otherwise, service tickets are always encrypted with RC4-HMAC.
This will make a lot of the loops in derive_salting_for_principal()
go away.  The principal names used for salting DES keys are:
http://marc.theaimsgroup.com/?l=samba-technical&m=110005392723944&w=2


SPN values
==========
The CIFS/machine principal name is unnecessary in AD (even though
clients ask for it): http://support.microsoft.com/kb/326985/en-us


dNSHostName & SPN
=================
See this on the relationship between the dNSHostName and SPN
values and the "Validated write" access permission.
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/control_access_rights.asp


kinit -k
========
This does not require a UPN, but can use the sAMAccountName


SPN case insensitivity from Windows XP clients in MIT realms
============================================================
http://marc.theaimsgroup.com/?l=samba-technical&m=110933962414367&w=2

I'm not really sure what to do here.  The real fix, it seems,
would be for the TGS to simply canonicalize the SPN before
granting the service ticket.  It seems that storing a vast number
of possible SPNs in /etc/krb5.keytab is really ugly.




-- cheers, jerry

$ cat ~/.signature
=====================================================================
Samba                                    ------- http://www.samba.org
Centeris                         -----------  http://www.centeris.com
"What man is a man who does not make the world better?"      --Balian
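The Salting section above rests on the fact that an RC4-HMAC service key does not involve a salt at all, while the DES string-to-key functions fold the salt into the key. The following is an added example written for this page; it is not Samba code and not from the post. It implements the RC4-HMAC string-to-key from RFC 4757 (MD4 over the UTF-16LE password, the NT hash) on top of a pure-Python MD4 from RFC 1320 (hashlib may not expose MD4 on OpenSSL 3 builds), then encodes the rule from the post as a small predicate. The userAccountControl bit the post calls USE_DES_KEYS is taken to be UF_USE_DES_KEY_ONLY (0x200000); the sample passwords and salts are constructed for the demonstration.

```python
"""Added example (not Samba code): RC4-HMAC keys ignore the salt, DES keys do not.

RFC 4757 defines the RC4-HMAC string-to-key as MD4(UTF-16LE(password)),
which is exactly the NT password hash; any salt passed in is discarded.
The DES enctypes (RFC 3961 section 6.2) mix the salt into the key, so a
Samba member server only has to work out the AD salt when the account is
restricted to DES keys.
"""
import struct

MASK32 = 0xFFFFFFFF
# Assumption: the flag the post calls USE_DES_KEYS is the userAccountControl
# bit UF_USE_DES_KEY_ONLY (0x200000).
UF_USE_DES_KEY_ONLY = 0x200000


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """MD4 digest per RFC 1320 (little-endian words, three rounds)."""
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    # Padding: 0x80, zeros to 56 mod 64, then the bit length as a LE uint64.
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    r2_order = (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)
    r3_order = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        # Each step updates one register; rotating the tuple keeps the
        # (a,b,c,d) roles cycling exactly as the RFC lists them.
        for i in range(16):  # round 1
            s = (3, 7, 11, 19)[i % 4]
            t = (a + f(b, c, d) + x[i]) & MASK32
            a, b, c, d = d, _rotl(t, s), b, c
        for i in range(16):  # round 2
            s = (3, 5, 9, 13)[i % 4]
            t = (a + g(b, c, d) + x[r2_order[i]] + 0x5A827999) & MASK32
            a, b, c, d = d, _rotl(t, s), b, c
        for i in range(16):  # round 3
            s = (3, 9, 11, 15)[i % 4]
            t = (a + h(b, c, d) + x[r3_order[i]] + 0x6ED9EBA1) & MASK32
            a, b, c, d = d, _rotl(t, s), b, c
        a0 = (a0 + a) & MASK32
        b0 = (b0 + b) & MASK32
        c0 = (c0 + c) & MASK32
        d0 = (d0 + d) & MASK32
    return struct.pack("<4I", a0, b0, c0, d0)


def rc4_hmac_string_to_key(password: str, salt: str = "") -> bytes:
    """RFC 4757 string-to-key: the salt parameter is accepted but unused."""
    _ = salt  # RC4-HMAC keys are the unsalted NT hash of the password
    return md4(password.encode("utf-16-le"))


def uses_des_only(user_account_control: int) -> bool:
    """True when the AD account is flagged to use DES keys only."""
    return bool(user_account_control & UF_USE_DES_KEY_ONLY)


def needs_salt_derivation(in_ad_domain: bool, user_account_control: int) -> bool:
    """The rule from the post: derive a salt only for DES-only accounts in AD."""
    return in_ad_domain and uses_des_only(user_account_control)


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    k_host = rc4_hmac_string_to_key("password", "EXAMPLE.COMhostfoo.example.com")
    k_acct = rc4_hmac_string_to_key("password", "EXAMPLE.COMfoo$")
    print("RC4-HMAC key:", k_host.hex(), "same under other salt:", k_host == k_acct)
    print("salt needed (AD, DES-only):", needs_salt_derivation(True, 0x1000 | UF_USE_DES_KEY_ONLY))
    print("salt needed (AD, RC4 account):", needs_salt_derivation(True, 0x1000))
```

The point a practitioner should take from running it: the RC4-HMAC key is the NT hash and nothing else, so two different AD salts for the same password produce byte-identical keys. That is why a keytab for an RC4-only account can be written from the machine password without consulting the principal naming rules the post links to, and why, conversely, the same NT hash usable for NTLM is also directly usable as a Kerberos key.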

