[Samba] Kerberos Keytab Code Update in 3.0.23

Doug VanLeuven roamdad at sonic.net
Fri Jul 14 00:58:48 GMT 2006


>> No offense intended, but what is the purpose of
>> adding the variations of case especially with respect to
>> the FQDN?
> 
> Too much guessing IMO.

True.  Very true.  But I'll chime in with "we got there after
numerous authentication failures at different sites".
It always seemed there had to be a different way, because the
MS writeup of creating a user account, generating a keytab,
and exporting to the target system prior to the join worked
with only 1 entry.  A UPN.  I tried real hard, but was unable
to ever generate a keytab UPN on a machine account.

I argued it was overkill at the time, but Redhat's
enterprise issues went away.  It was one of their people
did the basic patch with Jeremy heavily editing.

> 
>> When I look at the tickets that are the result of
>> making connections from one Win2K3 server to another,
>> the principals simply reflect the form of the
>> requests - ie \\FOO yields principal cifs/FOO at BAR.COM,
>> \\foo.bar.com yields principal cifs/foo.bar.com at BAR.COM
>> What am I missing?
> 
> My experience has been that the principals in the
> service ticket match the SPN values in AD.  I don't
> see all of this case permutation people are claiming.
> 
> The patch is a work in progress so any feedback would
> be appreciated.

Jerry,
Give me a couple days to get samba current across multiple
servers, then I'll remove and re-add one of the old problem
servers and diagnose what I get.  I may even go so far
as to create a brand new server in vm and join it and
access it from various unix and windows A/D platforms.

Am I right in understanding the rewrite will require the
in-addr.arpa to resolve to the same dns domain as
the realm?

Ticket case variations are what show up when clients access
the samba servers using klist or kerbtray.  It could be a case
of because they exist, they get used.  Except for the first
letter upcase, all others downcase.  I traced that using ethereal,
patched samba to generate it in the keytab, and things
started working.  I remember distinctly.  Unless Jeremy
did something behind the scenes at the same time that I
downloaded using svn.  As in private/secrets.tdb.  Magic there.

FWIW - my experience with windows is that it was written
with a certain amount of heuristics, in that a learned behavior
will continue to be used until it fails at which time the
code falls into a different procedure that, if successful,
will be used until it fails, etc.  This is why users document
different behaviors in what appears on the surface the
same environment.

Regards, Doug


More information about the samba mailing list