[PATCH] Fix salt principal generation for keytabs

Andreas Schneider asn at samba.org
Wed Apr 15 04:17:19 MDT 2015


I've run into an issue with MIT Kerberos: the keytab for bind dns used a 
different salting principal than the KDC, so libkrb5 failed to decrypt tickets.

In source4/auth/kerberos/srv_keytab.c the function salt_principal generates a 
principal in the form:
    host/<SAMAccountName-Without-$>.realm at REALM
This is correct for computer accounts, but not for user accounts, like the
account we use to create the dns keytab.
Samba generates the following salt principals on startup:
setup_kerberos_keys: principal Administrator at CHGDCPASSWORD.SAMBA.EXAMPLE.COM
setup_kerberos_keys: principal krbtgt at CHGDCPASSWORD.SAMBA.EXAMPLE.COM
setup_kerberos_keys: host principal 
chgdcpass.chgdcpassword.samba.example.com at CHGDCPASSWORD.SAMBA.EXAMPLE.COM
setup_kerberos_keys: principal dns-chgdcpass at CHGDCPASSWORD.SAMBA.EXAMPLE.COM
So the salt principal created for dns-chgdcpass was not correct.

The attached patch fixes it.

However the question is:

a) Should dns-chgdcpass be a computer account?
   See source4/setup/secrets_dns.ldif
b) Why does it work with Heimdal with and without the patch? What magic does
   Heimdal do so that the salt matches, or does it ignore it?


	-- andreas

Andreas Schneider                   GPG-ID: CC014E3D
Samba Team                             asn at samba.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-s4-auth-Fix-salt-principal-generation-for-keytabs.patch
Type: text/x-patch
Size: 3841 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20150415/1928b220/attachment.bin>
