[Samba] Kerberos Keytab Code Update in 3.0.23

Doug VanLeuven roamdad at sonic.net
Tue Jul 18 18:24:25 GMT 2006


Gerald (Jerry) Carter wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Doug,
> 
>> File a bug report if you believe this to be true.  I'm 
>> not at 3.0.23 right now and don't have the time to try it
>> here.  I wouldn't want to lose this. I did see a mention
>> they dropped support of joins from machines where
>> the domain differs from the realm, but haven't had 
>> time to check this. There has been a rewrite of the
>> ads join code since 3.0.22.
> 
> Doug,
> 
> You should probably review my comments to Scott. Keytab
> support is being rewritten, not dropped.
I was saying that "DNS domain not equal to realm" was dropped,
and that the ADS join code was rewritten.
> 
>> Just that windows doesn't guarantee case in names.
>>
>> For example, on my login, the current tickets show up as
>> HOST/foo at BAR.COM
>> host/foo.bar.com at BAR.COM
>> HOST/FOO1 at BAR.COM
>> HOST/FOO1.bar.com at BAR.COM
> 
> Your tickets where?  From kerbtray.exe?  Or on a Unix box?
kerbtray & klist

> I am just not seeing this case permutation you claim.
NT40 sidhistory migration to 2000 AD
then standard 2000 AD upgraded to 2003 standard AD
then 2003 standard upgraded to 2003 enterprise.

> What is the list of SPNs for that Samba account in AD?
samba 3.0.23, created account in AD
SPNs
CIFS/stor
CIFS/stor.nt.ldxnet.com
HOST/STOR
HOST/stor.nt.ldxnet.com

klist on 2003 server
    Server: cifs/Stor.nt.ldxnet.com at NT.LDXNET.COM
       KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
       End Time: 7/18/2006 18:53:02
       Renew Time: 7/25/2006 8:53:02


> Can you tell what applications are generating these requests
> so I can reproduce it?
Domain controller browsing to stor's shares.
> 
> PS: I asked our Apache guy (at Centeris) who is working
> with mod_auth_kerb and he claims that krb5 authentication
> to http://SerVer.ExaMple.COM still gets a ticket for
> HTTP/server.example.com which supports my theory about
> tickets based on SPN values.
Yes, it works with rc4-hmac.  But it's been coming back to me.
It didn't work with des-cbc-md5 until the permutations were
added.  How soon we forget.  It's really difficult to test
des-only now.  You have to join with rc4, then hand-edit with
adsi.exe in the AD, then remove the rc4 from krb5.conf
and reboot the machine to purge the caches, because samba
sets des-only on a compile-time flag.

For information, here's the list of tickets on the domain
controller after browsing an older, running samba server
joined years ago, and a win2000 workstation:
Cached Tickets: (6)

    Server: krbtgt/NT.LDXNET.COM at NT.LDXNET.COM
       KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
       End Time: 7/18/2006 18:53:02
       Renew Time: 7/25/2006 8:53:02


(win2000 workstation)
    Server: cifs/Elm at NT.LDXNET.COM
       KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
       End Time: 7/18/2006 18:53:02
       Renew Time: 7/25/2006 8:53:02


(FC3 - krb5 1.3.6)
    Server: cifs/Stor.nt.ldxnet.com at NT.LDXNET.COM
       KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
       End Time: 7/18/2006 18:53:02
       Renew Time: 7/25/2006 8:53:02


(Domain controller)
    Server: ldap/ranger1.nt.ldxnet.com/nt.ldxnet.com at NT.LDXNET.COM
       KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
       End Time: 7/18/2006 18:53:02
       Renew Time: 7/25/2006 8:53:02

(FC4 - long running samba currently at 3.0.23pre2-SVN-build-15985)
    Server: cifs/gate.nt.ldxnet.com at NT.LDXNET.COM
       KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
       End Time: 7/18/2006 18:53:02
       Renew Time: 7/25/2006 8:53:02

(Domain controller)
    Server: host/ranger1.nt.ldxnet.com at NT.LDXNET.COM
       KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
       End Time: 7/18/2006 18:53:02
       Renew Time: 7/25/2006 8:53:02



Regards, Doug
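The point of the exchange above is that Windows clients request service tickets under whatever case spelling of the SPN they happen to use (cifs/Stor.nt.ldxnet.com, HOST/FOO1, ...), while a keytab lookup is a strict string match, so a keytab that holds only one spelling can fail to decrypt a ticket whose name differs only by case. The following script is an added example, not code from the thread or from Samba: it parses Windows klist output (constructed sample, modelled on the listing in the mail; the archive renders "@" as " at ", real klist prints "@"), compares each service ticket name against a hypothetical Samba keytab, and reports which names match exactly, which match only after case folding, and which are absent. The keytab_variants helper shows the kind of spelling permutations an administrator registers so that any case a client asks for resolves to a key; the set it produces is illustrative, not Samba's own list.

```python
import re
from dataclasses import dataclass

# Constructed sample input modelled on the klist listing quoted in the thread
# (the list archive renders "@" as " at "; real klist prints "@").
SAMPLE_KLIST = """\
Cached Tickets: (3)

    Server: krbtgt/NT.LDXNET.COM@NT.LDXNET.COM
       KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
       End Time: 7/18/2006 18:53:02
       Renew Time: 7/25/2006 8:53:02

    Server: cifs/Stor.nt.ldxnet.com@NT.LDXNET.COM
       KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
       End Time: 7/18/2006 18:53:02
       Renew Time: 7/25/2006 8:53:02

    Server: HOST/FOO1@BAR.COM
       KerbTicket Encryption Type: Kerberos DES-CBC-MD5
       End Time: 7/18/2006 18:53:02
       Renew Time: 7/25/2006 8:53:02
"""

# Constructed sample: principal names in a hypothetical Samba host keytab,
# using the SPN spellings the thread lists for the "stor" account.
SAMPLE_KEYTAB = [
    "CIFS/stor@NT.LDXNET.COM",
    "CIFS/stor.nt.ldxnet.com@NT.LDXNET.COM",
    "HOST/STOR@NT.LDXNET.COM",
    "HOST/stor.nt.ldxnet.com@NT.LDXNET.COM",
]


@dataclass(frozen=True)
class Principal:
    raw: str
    service: str
    instance: str   # host part; may hold further "/" components (e.g. ldap/host/domain)
    realm: str

    @classmethod
    def parse(cls, text: str) -> "Principal":
        name, realm = text.rsplit("@", 1)
        service, _, instance = name.partition("/")
        return cls(text, service, instance, realm)

    def canonical(self):
        # Windows compares service and host case-insensitively; realms are
        # conventionally upper-case. A strict keytab lookup folds no case at all.
        return (self.service.lower(), self.instance.lower(), self.realm.upper())


TICKET_RE = re.compile(r"Server:\s*(\S+)\s*\n\s*KerbTicket Encryption Type:\s*(.+)")


def parse_klist(text: str):
    """Return (Principal, enctype) pairs for every 'Server:' entry in klist output."""
    return [(Principal.parse(p), enc.strip()) for p, enc in TICKET_RE.findall(text)]


def check_coverage(keytab_principals, tickets):
    """Classify each service ticket name against the keytab: 'exact' when the
    keytab holds that spelling, 'case-variant only' when it differs only by
    case, 'missing' otherwise. The krbtgt entry is the TGT and is skipped."""
    exact = set(keytab_principals)
    canon = {Principal.parse(p).canonical() for p in keytab_principals}
    report = {}
    for prin, _enc in tickets:
        if prin.service.lower() == "krbtgt":
            continue
        if prin.raw in exact:
            report[prin.raw] = "exact"
        elif prin.canonical() in canon:
            report[prin.raw] = "case-variant only"
        else:
            report[prin.raw] = "missing"
    return report


def keytab_variants(service, shortname, fqdn, realm):
    """Spellings to register so that any case a client asks for resolves to a
    key: upper/lower service x short/SHORT/fqdn host (illustrative set only)."""
    hosts = {shortname, shortname.upper(), fqdn}
    return {f"{svc}/{host}@{realm}"
            for svc in (service.lower(), service.upper()) for host in hosts}


if __name__ == "__main__":
    for name, status in check_coverage(SAMPLE_KEYTAB, parse_klist(SAMPLE_KLIST)).items():
        print(f"{status:18} {name}")
```

Run against the sample, the cifs/Stor.nt.ldxnet.com ticket is reported as "case-variant only": the keytab has CIFS/stor.nt.ldxnet.com, which is the same principal to Windows but not to an exact-match lookup. That is the situation the thread describes for des-only setups before the case permutations were written to the keytab; with rc4-hmac the key is the same under every spelling, which is why the problem is easy to miss in an rc4 environment.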

