SPNEGO in Samba - Longhorn Server interop issues... - KRB5.CONF

Gerald (Jerry) Carter jerry at samba.org
Mon Jul 23 14:19:39 GMT 2007


eddietse wrote:
> How about using the servicePrincipalName attribute from 
> Active Directory for the target HOST.

The SPN doesn't contain the realm.  You need to search for
(dNSHostName=$fqdn) in GC and then you could deduce the realm
from the DN by converting the RFC2247 DC syntax back to a dns
domain.  However, this wouldn't really work well for cross
realm trusts as you can't tell the difference between a host
in another forest and one that is just not in AD.

> Todd Stecher-4 wrote:
>> I have this all working (against NT4, W2000, 2003, 2008), but our  
>> implementation has taken a dependency to start adding the default  
>> realm to krb5.conf when making outbound CIFS request from a Samba  
>> server (e.g. RPC).
>> This is because before these changes we used to rely on the principal  
>> returned in the spnego negtokeninit message (which had the form host/ 
>> machinename.domain.com at domain.com).  However, now the principals  
>> we're passing into the kerberos libraries are of the form host/ 
>> machinename.domain.com (no info after the @ sign).  This means it has  
>> to fall back on the default realm value provided in krb5.conf for  
>> realm location.
>> Is it fairly normal for people to add in the default realm into  
>> krb5.conf when running in ADS mode?  Any suggestions on a "better"  
>> way to divine the service's realm, if it's not available in the SPNEGO  
>> message?

Todd, If I understand you correctly, using the default realm
from krb5.conf means that we break when contacting a server
via a cross realm trust, no?

cheers, jerry

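The realm-deduction approach Jerry sketches above (search the Global Catalog for dNSHostName=$fqdn, then convert the RFC 2247 DC= components of the returned DN back to a DNS domain) as an added, stand-alone example. This is not Samba code and not code from anyone in this thread; the GC is replaced by a small constructed dictionary, and the function names (dn_to_dns_domain, realm_from_dn, split_principal, resolve_realm) are this example's own. It also shows the failure mode both posts describe: a host that is not in the GC, whether it lives in another forest or outside AD entirely, looks identical, and falling back to krb5.conf's default_realm then silently assigns it the local realm.

```python
import re

# Constructed stand-in for a Global Catalog: dNSHostName (lowercased) -> DN.
# Only hosts in the local forest appear here, exactly like a real GC.
SAMPLE_GC = {
    "fs1.corp.example.com": "CN=FS1,CN=Computers,DC=corp,DC=example,DC=com",
    "dc01.sub.corp.example.com": "CN=DC01,OU=Domain Controllers,DC=sub,DC=corp,DC=example,DC=com",
}


def sample_gc_lookup(fqdn):
    """Simulate an LDAP search for (dNSHostName=<fqdn>) against the GC."""
    return SAMPLE_GC.get(fqdn.lower())


def dn_to_dns_domain(dn):
    """Convert the DC= components of an LDAP DN back to a DNS domain name (RFC 2247).

    Splits on commas that are not escaped (RFC 2253 allows "\\," inside a value),
    keeps only dc= RDNs in order, and joins them with dots.
    """
    rdns = re.split(r"(?<!\\),", dn)
    labels = []
    for rdn in rdns:
        attr, sep, value = rdn.strip().partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {rdn!r}")
        if attr.strip().lower() == "dc":
            labels.append(value.strip().lower())
    if not labels:
        raise ValueError("DN carries no DC components, cannot derive a domain")
    return ".".join(labels)


def realm_from_dn(dn):
    """Kerberos realms are conventionally the DNS domain in upper case."""
    return dn_to_dns_domain(dn).upper()


def split_principal(principal):
    """Split 'service/host[@REALM]' into (service, host, realm-or-None).

    'host/fs1.corp.example.com@CORP.EXAMPLE.COM' carries its realm;
    'host/fs1.corp.example.com' (the form Todd describes) does not.
    """
    name, sep, realm = principal.rpartition("@")
    if not sep:
        name, realm = principal, None
    service, sep, host = name.partition("/")
    if not sep or not host:
        raise ValueError(f"not a service principal: {principal!r}")
    return service, host, realm


def resolve_realm(principal, gc_lookup, default_realm=None):
    """Work out which realm to ask for a ticket from, and say how it was found.

    Order: realm in the principal -> GC lookup of the host -> krb5.conf
    default_realm -> unknown. The third step is the one that goes wrong for
    hosts reached through a cross-realm trust: they are absent from the local
    GC, so they are indistinguishable from non-AD hosts and get the wrong realm.
    """
    _service, host, realm = split_principal(principal)
    if realm:
        return realm, "principal"
    dn = gc_lookup(host)
    if dn:
        return realm_from_dn(dn), "global catalog"
    if default_realm:
        return default_realm, "krb5.conf default_realm"
    return None, "unknown"


if __name__ == "__main__":
    for p in ("host/fs1.corp.example.com@CORP.EXAMPLE.COM",
              "host/dc01.sub.corp.example.com",
              "host/db1.partner.example.net"):
        print(p, "->", resolve_realm(p, sample_gc_lookup, "CORP.EXAMPLE.COM"))
```

The third principal in the usage block is the case Jerry raises: db1.partner.example.net is not in the constructed GC, so the only remaining source is default_realm, and the caller cannot tell whether the host belongs to a trusted forest or to no AD at all.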