SPNEGO in Samba - Longhorn Server interop issues... - KRB5.CONF
Gerald (Jerry) Carter
jerry at samba.org
Mon Jul 23 14:19:39 GMT 2007
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
eddietse wrote:
> How about use the servicePrincipalName attribute from
> Active Directory for the target HOST.
The SPN doesn't contain the realm. You need to search for
(dNSHostName=$fqdn) in GC and then you could deduce the realm
from the DN by converting the RFC2247 DC syntax back to a dns
domain. However, this wouldn't really work well for cross
realm trusts as you can't tell the difference between a host
in another forest and one that is just not in AD.
> Todd Stecher-4 wrote:
>>
>> I have this all working (against NT4, W2000, 2003, 2008), but our
>> implementation has taken a dependency to start adding the default
>> realm to krb5.conf when making outbound CIFS requests from a Samba
>> server (e.g. RPC).
>>
>> This is because before these changes we used to rely on the principal
>> returned in the spnego negtokeninit message (which had the form host/
>> machinename.domain.com at domain.com). However, now the principals
>> we're passing into the kerberos libraries are of the form host/
>> machinename.domain.com (no info after the @ sign). This means it has
>> to fall back on the default realm value provided in krb5.conf for
>> realm location.
>>
>> Is it fairly normal for people to add in the default realm into
>> krb5.conf when running in ADS mode? Any suggestions on a "better"
>> way to divine the service's realm, if it's not available in the SPNEGO
>> message?
Todd, if I understand you correctly, using the default realm
from krb5.conf means that we break when contacting a server
via a cross realm trust, no?
cheers, jerry
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFGpLj7IR7qMdg1EfYRAt+tAJ48LmsLilg2nXhLLnRe4uM/6rBygQCdGm9L
pVnuyIeCQa/47CCpmr/IV7Y=
=j26Y
-----END PGP SIGNATURE-----
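The realm-discovery logic discussed in this thread, as an added example that is not code from the thread, from Samba, or from any of the posters: it converts the RFC 2247 DC components of a Global Catalog DN back into a DNS domain and derives the realm from it, and when the host is not found in the GC it falls back to default_realm from krb5.conf, which is exactly the ambiguous case Jerry describes (a host in another forest and a host that is simply not in AD are indistinguishable). The GC contents, the krb5.conf text and all host names are constructed sample data; the function names are assumptions for illustration only.

```python
import re

# Constructed sample data (not from the thread): a fake Global Catalog
# mapping dNSHostName -> distinguished name, and a minimal krb5.conf.
FAKE_GC = {
    "fs1.corp.example.com": "CN=FS1,OU=Servers,DC=corp,DC=example,DC=com",
    "web2.partner.example.net": "CN=WEB2,CN=Computers,DC=partner,DC=example,DC=net",
}

FAKE_KRB5_CONF = """
[libdefaults]
    default_realm = CORP.EXAMPLE.COM
    dns_lookup_realm = false
"""

# Split a DN on commas that are not escaped with a backslash (RFC 2253 style).
_RDN_SPLIT = re.compile(r'(?<!\\),')


def dn_to_dns_domain(dn):
    """Convert the DC components of an RFC 2247 DN back into a DNS domain name.

    Only 'DC=' RDNs are used; CN/OU components are ignored. Returns None
    if the DN carries no DC components at all.
    """
    labels = []
    for rdn in _RDN_SPLIT.split(dn):
        attr, sep, value = rdn.strip().partition('=')
        if sep and attr.strip().lower() == 'dc':
            labels.append(value.strip().replace('\\,', ','))
    return '.'.join(labels) if labels else None


def default_realm_from_krb5_conf(text):
    """Pull default_realm out of the [libdefaults] section of a krb5.conf."""
    in_libdefaults = False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            in_libdefaults = (line.lower() == '[libdefaults]')
            continue
        if in_libdefaults and line.lower().startswith('default_realm'):
            return line.split('=', 1)[1].strip()
    return None


def realm_for_host(fqdn, gc=FAKE_GC, krb5_conf=FAKE_KRB5_CONF):
    """Return (realm, source) for a target host.

    source is 'gc' when the realm was derived from the host's DN in the
    Global Catalog, or 'default_realm' when it fell back to krb5.conf.
    The fallback is the ambiguous case from the thread: a host outside the
    forest and a host that simply is not in AD look identical here, and a
    server reached over a cross-realm trust gets the wrong realm.
    """
    dn = gc.get(fqdn.lower())
    if dn is not None:
        domain = dn_to_dns_domain(dn)
        if domain:
            return domain.upper(), 'gc'
    return default_realm_from_krb5_conf(krb5_conf), 'default_realm'


def host_principal(fqdn, gc=FAKE_GC, krb5_conf=FAKE_KRB5_CONF):
    """Build the host/<fqdn>@<REALM> principal handed to the Kerberos libraries."""
    realm, _ = realm_for_host(fqdn, gc, krb5_conf)
    return f"host/{fqdn.lower()}@{realm}"


if __name__ == '__main__':
    for host in ("fs1.corp.example.com",
                 "web2.partner.example.net",
                 "standalone.example.org"):
        realm, source = realm_for_host(host)
        print(f"{host:28} -> {host_principal(host):52} (realm from {source})")
```

Running it shows the two GC-resolved hosts getting their own realms while the third host, absent from the GC, silently inherits CORP.EXAMPLE.COM from krb5.conf; a real implementation would need to treat that fallback as a guess rather than a known realm.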