SPNEGO in Samba - Longhorn Server interop issues... - KRB5.CONF
Gerald (Jerry) Carter
jerry at samba.org
Mon Jul 23 14:19:39 GMT 2007
> How about using the servicePrincipalName attribute from
> Active Directory for the target HOST.
The SPN doesn't contain the realm. You need to search for
(dNSHostName=$fqdn) in GC and then you could deduce the realm
from the DN by converting the RFC2247 DC syntax back to a dns
domain. However, this wouldn't really work well for cross
realm trusts as you can't tell the difference between a host
in another forest and one that is just not in AD.
> Todd Stecher-4 wrote:
>> I have this all working (against NT4, W2000, 2003, 2008), but our
>> implementation has taken a dependency to start adding the default
>> realm to krb5.conf when making outbound CIFS requests from a Samba
>> server (e.g. RPC).
>> This is because before these changes we used to rely on the principal
>> returned in the SPNEGO negTokenInit message (which had the form
>> host/machinename.domain.com@domain.com). However, now the principals
>> we're passing into the Kerberos libraries are of the form
>> host/machinename.domain.com (no info after the @ sign). This means it has
>> to fall back on the default realm value provided in krb5.conf for
>> realm location.
>> Is it fairly normal for people to add in the default realm into
>> krb5.conf when running in ADS mode? Any suggestions on a "better"
>> way to divine the service's realm, if it's not available in the SPNEGO
Todd, If I understand you correctly, using the default realm
from krb5.conf means that we break when contacting a server
via a cross realm trust, no?
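The realm-discovery approach Jerry sketches (search the Global Catalog for the host, then turn the DC= components of its DN back into a DNS domain) and its failure mode for cross-realm trusts, as an added example. This is illustration code written for this page, not Samba's or anyone on the thread's; the GC results are a constructed in-memory dictionary standing in for a real (dNSHostName=$fqdn) search, and the host names, DNs and the fallback helper `qualify_principal` are invented for the demonstration.

```python
import re
from typing import Dict, Optional

# Constructed stand-in for a Global Catalog search result keyed by
# dNSHostName -> distinguishedName. Not real data; illustration only.
SAMPLE_GC: Dict[str, str] = {
    "fs1.corp.example.com": "CN=FS1,OU=Servers,DC=corp,DC=example,DC=com",
    "dc1.example.com": "CN=DC1,OU=Domain Controllers,DC=example,DC=com",
    # An RDN with an escaped comma: must not be split on that comma.
    "odd.example.com": "CN=Acme\\, Inc,OU=Sales,DC=example,DC=com",
}

# Split a DN on commas that are not escaped with a backslash.
_RDN_SPLIT = re.compile(r"(?<!\\),")


def dn_to_dns_domain(dn: str) -> str:
    """RFC 2247 in reverse: join the DC= values of a DN, in order, with dots.

    CN=FS1,OU=Servers,DC=corp,DC=example,DC=com -> corp.example.com
    """
    labels = []
    for rdn in _RDN_SPLIT.split(dn):
        attr, _, value = rdn.strip().partition("=")
        if attr.strip().lower() == "dc":
            labels.append(value.strip())
    if not labels:
        raise ValueError("DN has no DC components: %r" % dn)
    return ".".join(labels)


def realm_for_host(fqdn: str, gc: Dict[str, str] = SAMPLE_GC) -> Optional[str]:
    """Look the host up in the GC and deduce its Kerberos realm from its DN.

    Returns None when the host is not in this forest's GC. A host living in
    a trusted forest looks exactly the same as a host that is not in AD at
    all, which is the cross-realm caveat raised in the thread.
    """
    dn = gc.get(fqdn.lower())
    if dn is None:
        return None
    return dn_to_dns_domain(dn).upper()


def qualify_principal(service: str, fqdn: str, default_realm: str,
                      gc: Dict[str, str] = SAMPLE_GC) -> str:
    """Build service/fqdn@REALM, using the GC-derived realm when available and
    otherwise falling back to default_realm, mirroring what a Kerberos library
    does with an unqualified service principal (hypothetical helper)."""
    realm = realm_for_host(fqdn, gc) or default_realm
    return "%s/%s@%s" % (service, fqdn, realm)


if __name__ == "__main__":
    for host in ("fs1.corp.example.com", "odd.example.com", "other.partner.example"):
        print(host, "->", realm_for_host(host), "->",
              qualify_principal("cifs", host, "EXAMPLE.COM"))
```

Running it shows the problem both posters circle around: the in-forest hosts resolve to the correct realm from their DN, but `other.partner.example` (a host in a trusted forest, or simply not in AD) is not found in the GC, so the principal silently gets the default realm from krb5.conf, which is the wrong realm for a server reached through a cross-realm trust.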