[Samba] Kerberos Keytab Code Update in 3.0.23

Scott Armstrong scottbird7 at hotmail.com
Fri Jul 14 10:48:25 GMT 2006


Jerry,
>I'll have to check on the semantic checking for
>the UPN attribute. I'd rather (for safety's sake)
>just give it a value:  host/${dNSHostName} attribute.
>That way we know we are consistent.
The previous behavior was: host/${hostname}@REALM, although I disagreed with
that format. I believe you've got the right value: host/${dNSHostName}@REALM

>Yeah but the previous default required you to have more
>rights than the Windows client required so we got slammed for
>that.

Unfortunately there are many cases where DC Group Policies are cranked down
such that only Domain Admins can add/remove machines anyway.

Here's a thought: why not split the two functions?

Adding the machine to the domain (net ads join) handles just what is
necessary for that.

Creating the keytab (net ads keytab create) handles those specific
functions.

Adding additional service principals (net ads keytab add princ1 princ2 ...)
places these principals in other keytabs so the admin can move them to the
appropriate location and set permissions. An example of how this might work
would be that the service principal for http is placed in apache's home with
appropriate permissions so mod_auth_kerb functions using client auth.
Another might be to create a service principal for ldap and place it in /etc
with ownership ldap:nscd so nss_ldap can be configured with sasl gssapi and
proxy auth while maintaining nscd functionality.

If Samba needs some off-the-wall formats for its Kerberos principals in
order to respond to requests for \\HoStNaMe.DOMAIN\Share then create them in
memory on-the-fly as before the keytab management functions were added.

The only other issue that you may have addressed before - why waste the
effort of creating principals using all the encryption types that the client
supports when the only ones that will succeed are those that the server
supports?

Of course it would be nice if all the distributions of Linux, Solaris, AIX,
etc. had versions of kerberos that support rc4-hmac...
Thanks,
Scott
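As an added illustration of the "one keytab per service" idea in Scott's message above (example code written for this page, not Samba's own), the following Python builds and parses keytabs in the MIT v2 on-disk format and extracts one service's entries into a separate keytab, optionally keeping only the enctypes the server side supports. The hostname, realm and keys are constructed sample values; in practice the entries would come from net ads keytab create / add.

```python
import io, struct
KEYTAB_MAGIC = b"\x05\x02"  # MIT keytab file format v2 (also read by Heimdal and Samba)
def _cstr(b):  # counted octet string: uint16 big-endian length, then the bytes
    return struct.pack(">H", len(b)) + b
def build_keytab(entries):  # entries: [(principal 'svc/host@REALM', kvno, enctype, key)]
    out = bytearray(KEYTAB_MAGIC)
    for princ, kvno, enctype, key in entries:
        name, realm = princ.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _cstr(realm.encode())
        body += b"".join(_cstr(c.encode()) for c in comps)
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)  # KRB5_NT_PRINCIPAL, timestamp, vno8
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)  # 32-bit kvno extension (vno8 alone wraps at 256)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)
def _rd(f, fmt):
    return struct.unpack(fmt, f.read(struct.calcsize(fmt)))

def parse_keytab(data):  # -> [(principal, kvno, enctype, key)] for every live entry
    f = io.BytesIO(data)
    if f.read(2) != KEYTAB_MAGIC:
        raise ValueError("not a version 2 keytab")
    entries = []
    while len(hdr := f.read(4)) == 4:
        (size,) = struct.unpack(">i", hdr)
        if size < 0:  # a negative size marks a deleted slot: skip its bytes
            f.seek(-size, io.SEEK_CUR)
            continue
        end = f.tell() + size
        (ncomp,) = _rd(f, ">H")
        realm = f.read(_rd(f, ">H")[0]).decode()
        comps = [f.read(_rd(f, ">H")[0]).decode() for _ in range(ncomp)]
        _name_type, _timestamp, vno8 = _rd(f, ">IIB")
        enctype, klen = _rd(f, ">HH")
        key = f.read(klen)
        kvno = _rd(f, ">I")[0] if end - f.tell() >= 4 else vno8  # extension present?
        f.seek(end)
        entries.append(("/".join(comps) + "@" + realm, kvno, enctype, key))
    return entries

def extract_service(data, service, allowed_enctypes=None):
    keep = [e for e in parse_keytab(data) if e[0].split("/", 1)[0] == service
            and (allowed_enctypes is None or e[2] in allowed_enctypes)]
    return build_keytab(keep)

H = "fs1.example.com@EXAMPLE.COM"  # constructed sample; fake keys; 23 = rc4-hmac, 18 = aes256-cts
SAMPLE = build_keytab([("host/" + H, 2, 23, bytes(16)), ("HTTP/" + H, 2, 23, bytes(range(16))),
                       ("HTTP/" + H, 2, 18, bytes(range(32))), ("ldap/" + H, 2, 23, bytes(16))])
```

Writing the bytes returned by extract_service to a file owned by the service account with mode 0600 is the permission step the message describes.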

-----Original Message-----
From: Gerald (Jerry) Carter [mailto:jerry at samba.org] 
Sent: Thursday, July 13, 2006 5:35 PM
To: Scott Armstrong
Cc: 'Doug VanLeuven'; samba at lists.samba.org
Subject: Re: [Samba] Kerberos Keytab Code Update in 3.0.23

Scott Armstrong wrote:

>> Or I could add a switch to 'net ads join' that said 
>> "create the UPN".  I don't really want to make it
>> default behavior.  Would that be acceptable?
>
> That would be fine although if you can allow the format 
> of the hostname to be controllable that would be a bonus. I
> think allowing as much as possible to be done at the
> time the machine account is created is best.

I'll have to check on the semantic checking for
the UPN attribute. I'd rather (for safety's sake)
just give it a value:  host/${dNSHostName} attribute.
That way we know we are consistent.

> It's pretty labor intensive to have to log onto the
> Windows DC afterward and run ADSIEdit in order to achieve
> the same result that was the default before the code rewrite.

Yeah but the previous default required you to have more
rights than the Windows client required so we got slammed for
that.

cheers, jerry
=====================================================================
Samba                                    ------- http://www.samba.org
Centeris                         -----------  http://www.centeris.com
"What man is a man who does not make the world better?"      --Balian