summaries krb5 keytab requirements
Gerald (Jerry) Carter
jerry at samba.org
Fri May 19 15:41:39 GMT 2006
I'm trying to wrap my head around all of the past issues
that have caused our krb5 code to look like it does today
(with hopes of cleaning things up). These are my random
thoughts. Please correct me if I am wrong on any point.
We only need to derive the Salt for DES keys if we are in an
AD domain and if the account has the USE_DES_KEYS flag set.
Otherwise, service tickets are always encrypted with RC4-HMAC.
This will make a lot of the loops in derive_salting_for_principal()
go away. The principal names used for salting DES keys are:
The CIFS/machine principal name is unnecessary in AD (even though
clients ask for it): http://support.microsoft.com/kb/326985/en-us
dNSHostName & SPN
See this on the relationship between the dNSHostName and SPN
values and the "Validated write" access permission.
This does not require a UPN, but can use the sAMAccountName
SPN case insensitivity from Windows XP clients in MIT realms
I'm not really sure what to do here. The real fix it seems
would be to simply canonicalize the SPN by the TGS before it is granted
in the service ticket. It seems that storing a vast amount of
possible SPNs in /etc/krb5.keytab is really ugly.
-- cheers, jerry
$ cat ~/.signature
Samba ------- http://www.samba.org
Centeris ----------- http://www.centeris.com
"What man is a man who does not make the world better?" --Balian
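As an added illustration of the first point in the message (not Samba code, and not from the original post): a helper that decides whether a DES salt is needed at all, and derives the default AD salt string for user and computer accounts following MS-KILE 3.1.1.2. It assumes the AD realm name and the DNS domain name coincide, which is the common case but not guaranteed.

```python
# Added example; the constants are the real userAccountControl bit values.
UF_WORKSTATION_TRUST_ACCOUNT = 0x00001000
UF_USE_DES_KEY_ONLY = 0x00200000


def needs_des_salt(in_ad_domain: bool, user_account_control: int) -> bool:
    """Only an AD account with USE_DES_KEY_ONLY set needs a DES salt;
    every other service ticket is RC4-HMAC and the salt is irrelevant."""
    return in_ad_domain and bool(user_account_control & UF_USE_DES_KEY_ONLY)


def ad_des_salt(realm: str, sam_account_name: str) -> str:
    """Default AD salt (MS-KILE 3.1.1.2), assuming realm == DNS domain:
    user account:     REALM + sAMAccountName (case as stored in AD)
    computer account: REALM + "host" + lowercase FQDN of the host"""
    realm_upper = realm.upper()
    if sam_account_name.endswith("$"):
        host = sam_account_name[:-1].lower()
        return f"{realm_upper}host{host}.{realm.lower()}"
    return realm_upper + sam_account_name


def salt_for(realm: str, sam_account_name: str, in_ad_domain: bool,
             user_account_control: int):
    """Return the salt to use, or None when no DES key has to be derived."""
    if not needs_des_salt(in_ad_domain, user_account_control):
        return None
    return ad_des_salt(realm, sam_account_name)


if __name__ == "__main__":
    # constructed sample accounts
    print(salt_for("EXAMPLE.COM", "WKS01$", True,
                   UF_WORKSTATION_TRUST_ACCOUNT | UF_USE_DES_KEY_ONLY))
    print(salt_for("EXAMPLE.COM", "WKS01$", True, UF_WORKSTATION_TRUST_ACCOUNT))
```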