setting dNSHostName at join
Gerald (Jerry) Carter
jerry at samba.org
Tue Feb 27 02:30:55 GMT 2007
Guenther and I caught up later...
(8:03:29 PM) gd: coffeedude: I need to check back with
my customer, but they keep telling me that they
are not allowed to set dnsHostName (by LDAP security
descriptor) but nicely do krb5 auth in the domain
(8:04:39 PM) gd: coffeedude: and where do you think we need
a fqdn when using kerberos? (without a system keytab)
(8:05:00 PM) gd: coffeedude: we can *always* kinit
(8:05:11 PM) gd: coffeedude: that is at least my understanding.
(8:05:57 PM) gd: coffeedude: so it is not required for the SPNs.
Am I missing something?
(8:06:06 PM) coffeedude: The keytab has nothing to do with
it. How can a Windows client get a service ticket
for an account with no SPN ?
(8:06:29 PM) coffeedude: gd: Just show me a trace of a Windows
client doing Krb5 auth in the session setup with no SPN set.
(8:06:35 PM) coffeedude: for the target server of course in AD.
(8:07:10 PM) coffeedude: NTLM will continue to work of course,
but that defeats the purpose of security = ads.
(8:07:11 PM) gd: you mean for us as a smbd as a domain member?
(8:07:53 PM) coffeedude: gd: Yes. Just show me a trace of
a Windows client going \\server\share and sending
Krb5 in the session setup if the Samba host has no
SPN set in AD.
(8:08:06 PM) coffeedude: And no dNSHostName attribute
(8:08:35 PM) coffeedude: gd: I'm not trying to be stubborn
on this, I just need proof in order to accept the POV.
(8:09:05 PM) gd: coffeedude: sure, no problem, I'll try to get
such a trace
(8:09:47 PM) coffeedude: gd: Thinking a bit more, a Windows
client might succeed even if it cannot write to
(8:10:02 PM) coffeedude: if the value is already set
properly. That I could understand.
(8:10:18 PM) coffeedude: gd: and If you have traces, I'll
be glad to change my tune.
(8:11:35 PM) gd: coffeedude: my customer has valid DNS,
just the DNS entries replicate very slowly to
the subdomains. (They are not using the builtin
DNS in AD but an external one). Windows seems
to be happy with that.
(8:11:56 PM) coffeedude: gd: it's not a question of valid DNS.
(8:12:55 PM) coffeedude: gd: Ahh....I think I see what you
are saying now. I still need to see a trace to
understand it. I'm still a bit skeptical of your
customer (no offense).
(8:13:14 PM) coffeedude: gd: but I've been wrong before.....
(8:13:59 PM) coffeedude: gd: if I'm wrong, then we should
simply bracket the set spn and hostname in a WITH_
(8:14:01 PM) gd: coffeedude: sure, just relating to the
first issue: name2fqdn fails as the replication
is not finished yet. (they prepare their dns
for joining machines).
(8:14:37 PM) gd: coffeedude: I made all that now dependent
on the name2fqdn lookup success (converting
to BOOL). still testing...
(8:15:13 PM) coffeedude: gd: if you can show me the session
setup trace, then we'll figure it out. If however I'm
right about the krb5, then we have to know our fqdn
in order to join (can be configured in /etc/hosts).
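The point Jerry is making in the exchange above (a Windows client can only send Kerberos in the session setup if the KDC can issue a ticket for the SPN the client asks for, otherwise it falls back to NTLM) can be checked against a dump of the member's computer object. The following is an added example, not code from the thread or from Samba: it parses a small constructed LDIF dump of a computer object and decides whether a client opening \\server\share would find a usable SPN. It assumes the client requests cifs/<host as typed in the UNC> and that the KDC's default sPNMappings let a HOST/<name> SPN stand in for cifs/<name>; the object names and values are made up.

```python
"""Check whether a member's AD computer object can back a Kerberos SMB session.

Added example (not from the samba-technical thread or from Samba itself).
Assumptions: the Windows client asks the KDC for cifs/<name-in-UNC>, and the
default sPNMappings alias a HOST/<name> SPN onto cifs/<name>.
"""
from typing import Dict, List, Tuple

# Constructed sample: a member whose join was allowed to write dNSHostName and SPNs.
GOOD_LDIF = """\
dn: CN=FILESRV,CN=Computers,DC=example,DC=com
objectClass: computer
sAMAccountName: FILESRV$
dNSHostName: filesrv.example.com
servicePrincipalName: HOST/FILESRV
servicePrincipalName: HOST/filesrv.example.com
"""

# Constructed sample: a join where the security descriptor forbade writing
# dNSHostName and servicePrincipalName, as in the customer case in the thread.
BARE_LDIF = """\
dn: CN=NOSPN,CN=Computers,DC=example,DC=com
objectClass: computer
sAMAccountName: NOSPN$
"""

# Service classes that a HOST/<name> SPN covers via the (assumed default)
# sPNMappings on the KDC; the real list is longer, this subset is what matters here.
HOST_ALIASES = {"cifs", "ldap", "http", "rpc", "dns", "ftp", "wins", "browser"}

# Attributes the join step in the thread writes and that Kerberos needs.
JOIN_ATTRIBUTES = ["dNSHostName", "servicePrincipalName"]


def parse_ldif(text: str) -> Dict[str, List[str]]:
    """Minimal LDIF reader: folded lines, attribute names lower-cased, multi-valued."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # continuation of the previous value
        else:
            lines.append(raw)
    attrs: Dict[str, List[str]] = {}
    for line in lines:
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


def spn_from_unc(unc: str) -> str:
    """The SPN an SMB client requests for \\\\host\\share: cifs/<host as typed>."""
    host = unc.lstrip("\\").split("\\", 1)[0]
    if not host:
        raise ValueError(f"no host in UNC path {unc!r}")
    return f"cifs/{host}"


def spn_matches(have: str, want: str) -> bool:
    """Case-insensitive SPN match, honouring the HOST alias for cifs."""
    have_cls, _, have_host = have.partition("/")
    want_cls, _, want_host = want.partition("/")
    if have_host.lower() != want_host.lower():
        return False
    have_cls, want_cls = have_cls.lower(), want_cls.lower()
    return have_cls == want_cls or (have_cls == "host" and want_cls in HOST_ALIASES)


def missing_join_attributes(ldif_text: str) -> List[str]:
    """Which of the join-time attributes are absent on the object."""
    attrs = parse_ldif(ldif_text)
    return [a for a in JOIN_ATTRIBUTES if a.lower() not in attrs]


def kerberos_possible(ldif_text: str, unc: str) -> Tuple[bool, str]:
    """True if the KDC can issue a ticket for the SPN the client will ask for."""
    attrs = parse_ldif(ldif_text)
    want = spn_from_unc(unc)
    spns = attrs.get("serviceprincipalname", [])
    for have in spns:
        if spn_matches(have, want):
            return True, f"{want} served by SPN {have}"
    dn = attrs.get("dn", ["?"])[0]
    if not spns:
        return False, f"no servicePrincipalName on {dn}; client will fall back to NTLM"
    return False, f"{want} not covered by {spns}; client will fall back to NTLM"


if __name__ == "__main__":
    for ldif, unc in ((GOOD_LDIF, r"\\FILESRV\share"),
                      (GOOD_LDIF, r"\\filesrv.example.com\share"),
                      (BARE_LDIF, r"\\NOSPN\share")):
        ok, why = kerberos_possible(ldif, unc)
        print(unc, "->", "Kerberos" if ok else "NTLM", "|", why,
              "| missing:", missing_join_attributes(ldif))
```

Run against a real object with the output of `ldapsearch -LLL` for the computer's DN in place of the constructed strings; if `missing_join_attributes` is non-empty, the short-name case may still work via a HOST SPN written earlier by a Windows join, which is the "value is already set properly" case Jerry allows for above.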