setting dNSHostName at join

Gerald (Jerry) Carter jerry at samba.org
Tue Feb 27 02:30:55 GMT 2007



Guenther and I caught up later...

(8:03:29 PM) gd: coffeedude: I need to check back with
	my customer, but they keep telling me that they
	are not allowed to set dnsHostName (by LDAP security
	descriptor) but nicely do krb5 auth in the domain
	after joining.
(8:04:39 PM) gd: coffeedude: and where do you think we need
	a fqdn when using kerberos? (without a system keytab)
(8:05:00 PM) gd: coffeedude: we can *always* kinit
	as netbiosname$@realm.de.
(8:05:11 PM) gd: coffeedude: that is at least my understanding.
(8:05:57 PM) gd: coffeedude: so it is not required for the SPNs.
	Am I missing something?

(8:06:06 PM) coffeedude: The keytab has nothing to do with
	it.  How can a Windows client get a service ticket
	for an account with no SPN ?
(8:06:29 PM) coffeedude: gd: Just show me a trace of a Windows
	client doing Krb5 auth in the session setup with no SPN set.
(8:06:35 PM) coffeedude: for the target server of course in AD.
(8:07:10 PM) coffeedude: NTLM will continue to work of course,
	but that defeats the purpose of security = ads.
(8:07:11 PM) gd: you mean for us as a smbd as a domain member?
(8:07:53 PM) coffeedude: gd: Yes.  Just show me a trace of
	a Windows client going \\server\share and sending
	Krb5 in the session setup if the Samba host has no
	SPN set in AD.
(8:08:06 PM) coffeedude: And no dNSHostName attribute
(8:08:35 PM) coffeedude: gd: I'm not trying to be stubborn
	on this, I just need proof in order to accept the POV.

(8:09:05 PM) gd: coffeedude: sure, no problem, I'll try to get
	such a trace

(8:09:47 PM) coffeedude: gd: Thinking a bit more, a Windows
	client might succeed even if it cannot write to
	the dNSHostName
(8:10:02 PM) coffeedude: if the value is already set
	properly.  That I could understand.
(8:10:18 PM) coffeedude: gd: and if you have traces, I'll
	be glad to change my tune.

(8:11:35 PM) gd: coffeedude: my customer has valid DNS,
	just the DNS entries replicate very slowly to
	the subdomains. (They are not using the builtin
	DNS in AD but an external one). Windows seems
	to be happy with that.

(8:11:56 PM) coffeedude: gd: it's not a question of valid DNS.
(8:12:55 PM) coffeedude: gd: Ahh....I think I see what you
	are saying now.  I still need to see a trace to
	understand it.  I'm still a bit skeptical of your
	customer (no offense).
(8:13:14 PM) coffeedude: gd: but I've been wrong before.....
(8:13:59 PM) coffeedude: gd: if I'm wrong, then we should
	simply bracket the set spn and hostname in a WITH_
	DNS_UPDATES block.

(8:14:01 PM) gd: coffeedude: sure, just relating to the
	first issue: name2fqdn fails as the replication
	is not finished yet. (they prepare their dns
	for joining machines).
(8:14:37 PM) gd: coffeedude: I made all that now dependent
	from the name2fqdn lookup success (converting
	to BOOL). still testing...

(8:15:13 PM) coffeedude: gd: if you can show me the session
	setup trace, then we'll figure it out.  If however I'm
	right about the krb5, then we have to know our fqdn
	in order to join (can be configured in /etc/hosts).
cheers, jerry


More information about the samba-technical mailing list