[Samba] Kerberos Keytab Code Update in 3.0.23

Scott Armstrong scottbird7@hotmail.com
Thu Jul 13 18:12:25 GMT 2006


Jerry,
Things still worked fine for existing domain members. I only noticed it
because I added a new system to the domain. Lines 962-964 of utils/net_ads.c
have comments about the upn but it's never being added. I rarely program in
"C" so this may not be the best way to do it but I modified line 977 to
        if (!(host_upn = talloc_asprintf(ctx, "host/%s@%s", my_fqdn, ads_s->config.realm)))
and added the following
        ads_mod_str(ctx, &mods, "userPrincipalName", host_upn);
following line 988.
I used the convention which I'm accustomed to which is that the host should
be added in fqdn form since I was modifying the code myself.
i.e. host/foo.bar.com@BAR.COM
If you want to mimic the previous behavior you would use the short,
lowercase host name instead of the fqdn.
I've also been adding "permitted_enctypes = rc4-hmac des-cbc-md5" to
/etc/krb5.conf because it makes no sense to me to add encryption types to
the keytab that the server doesn't support.
I've also performed a little pruning of the service principals in
libads/kerberos_keytab.c to eliminate all the case variations as I believe
this should be handled dynamically if it's needed.
Thanks,
Scott
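
An added example, not Samba code and not part of Scott's patch: a small Python audit that does offline what the krb5.conf change and the principal pruning above aim at. It parses an MIT-format keytab, lists the entries whose enctype is outside a permitted_enctypes list, groups principals that differ only by case, and writes back a keytab with the disallowed enctypes dropped. The host name foo/foo.bar.com and the realm BAR.COM come from the thread; the keys, timestamps and the aes256 entry are constructed sample data, and the function names are my own.

```python
"""Audit an MIT-format (0x0502) keytab: flag enctypes outside permitted_enctypes,
report principals that differ only by case, write back a pruned keytab."""
import struct
from collections import defaultdict

# Enctype numbers from the IANA Kerberos registry (RFC 3961 / RFC 4757).
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 23: "rc4-hmac",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}
ENCTYPE_IDS = {name: num for num, name in ENCTYPE_NAMES.items()}
KEYTAB_MAGIC = b"\x05\x02"   # keytab file format version 2
NT_PRINCIPAL = 1             # name type used for host/... and HTTP/... principals

def _counted(data, pos):
    """Read a counted octet string: uint16 big-endian length, then the bytes."""
    (n,) = struct.unpack(">H", data[pos:pos + 2])
    return data[pos + 2:pos + 2 + n], pos + 2 + n

def _cos(b):
    return struct.pack(">H", len(b)) + b

def parse_keytab(data):
    """Return a list of (principal, enctype, kvno, key, timestamp) tuples."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size == 0:
            break
        if size < 0:              # negative size marks a deleted slot of that length
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack(">H", data[pos:pos + 2])
        realm, p = _counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, p = _counted(data, p)
            comps.append(comp)
        _name_type, timestamp = struct.unpack(">II", data[p:p + 8])
        kvno = data[p + 8]        # 8-bit kvno; a 32-bit one may trail the key
        (enctype,) = struct.unpack(">H", data[p + 9:p + 11])
        key, p = _counted(data, p + 11)
        if end - p >= 4:
            kvno = struct.unpack(">I", data[p:p + 4])[0] or kvno
        principal = b"/".join(comps).decode() + "@" + realm.decode()
        entries.append((principal, enctype, kvno, key, timestamp))
        pos = end
    return entries

def build_keytab(entries):
    """Serialize (principal, enctype, kvno, key, timestamp) tuples as keytab bytes."""
    out = bytearray(KEYTAB_MAGIC)
    for principal, enctype, kvno, key, timestamp in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _cos(realm.encode())
        body += b"".join(_cos(c.encode()) for c in comps)
        body += struct.pack(">IIB", NT_PRINCIPAL, timestamp, kvno & 0xFF)
        body += struct.pack(">H", enctype) + _cos(key)
        body += struct.pack(">I", kvno)   # 32-bit kvno trailer
        out += struct.pack(">i", len(body)) + body
    return bytes(out)

def audit_keytab(data, permitted_enctypes):
    """Return (disallowed (principal, enctype) pairs, groups of case-variant principals)."""
    permitted = {ENCTYPE_IDS[n] for n in permitted_enctypes}
    entries = parse_keytab(data)
    disallowed = {(p, ENCTYPE_NAMES.get(e, str(e))) for p, e, *_ in entries
                  if e not in permitted}
    groups = defaultdict(set)
    for p, *_ in entries:
        groups[p.lower()].add(p)
    return sorted(disallowed), sorted(sorted(g) for g in groups.values() if len(g) > 1)

def prune_enctypes(data, permitted_enctypes):
    """Return a keytab containing only the entries with a permitted enctype."""
    permitted = {ENCTYPE_IDS[n] for n in permitted_enctypes}
    return build_keytab([e for e in parse_keytab(data) if e[1] in permitted])

# Constructed sample for host foo in realm BAR.COM (names from the thread; keys and
# timestamps are dummy values); the aes256 entry stands in for one the DC rejects.
SAMPLE_ENTRIES = [
    ("host/foo.bar.com@BAR.COM", 23, 2, b"\x11" * 16, 1152814345),
    ("host/foo.bar.com@BAR.COM", 3, 2, b"\x22" * 8, 1152814345),
    ("host/foo.bar.com@BAR.COM", 18, 2, b"\x33" * 32, 1152814345),
    ("host/foo@BAR.COM", 23, 2, b"\x11" * 16, 1152814345),
    ("HOST/FOO@BAR.COM", 23, 2, b"\x11" * 16, 1152814345),
    ("HOST/foo.bar.com@BAR.COM", 23, 2, b"\x11" * 16, 1152814345),
]
SAMPLE_KEYTAB = build_keytab(SAMPLE_ENTRIES)
PERMITTED = ["rc4-hmac", "des-cbc-md5"]   # the permitted_enctypes line from the post

if __name__ == "__main__":
    print("audit:", audit_keytab(SAMPLE_KEYTAB, PERMITTED))
```

Against a real system, read the keytab file bytes (for example /etc/krb5.keytab) and pass them to audit_keytab together with the enctype names from permitted_enctypes; the principal names it prints are the same ones `klist -k` shows, so the case-variant groups can be checked against that output and against the SPN list on the machine account.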

-----Original Message-----
From: Gerald (Jerry) Carter [mailto:jerry@samba.org]
Sent: Thursday, July 13, 2006 1:47 PM
To: Doug VanLeuven
Cc: Scott Armstrong; samba@lists.samba.org
Subject: Re: [Samba] Kerberos Keytab Code Update in 3.0.23

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Doug,

> File a bug report if you believe this to be true.  I'm 
> not at 3.0.23 right now and don't have the time to try it
> here.  I wouldn't want to lose this. I did see a mention
> they dropped support of joins from machines where
> the domain differs from the realm, but haven't had 
> time to check this. There has been a rewrite of the
> ads join code since 3.0.22.

Doug,

You should probably review my comments to Scott. Keytab
support is being rewritten, not dropped.

> Just that windows doesn't guarantee case in names.
> 
> For example, on my login, the current tickets show up as
> HOST/foo@BAR.COM
> host/foo.bar.com@BAR.COM
> HOST/FOO1@BAR.COM
> HOST/FOO1.bar.com@BAR.COM

Your tickets where?  From kerbtray.exe?  Or on a Unix box?
I am just not seeing this case permutation you claim.
What is the list of SPNs for that Samba account in AD?
Can you tell what applications are generating these requests
so I can reproduce it?

PS: I asked our Apache guy (at Centeris) who is working
with mod_auth_kerb and he claims that krb5 authentication
to http://SerVer.ExaMple.COM still gets a ticket for
HTTP/server.example.com which supports my theory about
tickets based on SPN values.


cheers, jerry
=====================================================================
Samba                                    ------- http://www.samba.org
Centeris                         -----------  http://www.centeris.com
"What man is a man who does not make the world better?"      --Balian
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org

iD8DBQFEtocjIR7qMdg1EfYRAmaeAJ9GtQm5jl3Tu6cnCrYMzUXYvYBOzwCguqEu
3SzBl9P3VkVi/P2rxzUMn58=
=zrFO
-----END PGP SIGNATURE-----

