[Samba] Kerberos Keytab Code Update in 3.0.23

Gerald (Jerry) Carter jerry at samba.org
Thu Jul 20 22:25:09 GMT 2006


Doug,

>>> I was saying dns domain not equal realm dropped
>>> and rewrite ads join code
>>
>> No it wasn't.  I run with this on a daily basis.
>> Perhaps something else is attributing to your failures.
>>
> First, I'm not having failures.  I was commenting information
> I believed I read.  So what did you mean in this post:
> http://marc.theaimsgroup.com/?l=samba&m=115193492903190&w=2
...
> Did you mean if one joins with non-admin credentials
> it no longer works, but if one's credentials are
> administrative it still works?
> 
> I understand previously joined machines still work.
> 
> Not trying to be a wise guy, just trying to understand.

No problem.  I spent a couple of days just staring at
traces and reading to try to track down the corner cases.
It's pretty confusing.

The best thing to do is to read here:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/control_access_rights.asp

and then use ADSIedit to view the default security
descriptor on a machine account object.

A non-admin (and the machine itself) only has validated-write
access to the dNSHostName and servicePrincipalName
attributes.  This means that the dNSHostName value has to
be within the AD realm and the SPN has to match the dNSHostName.
Try to join a WinXP box to a domain using a non-admin account
with the dns suffix outside of the AD realm and you will see
what I mean.  It fails to join and tells you to contact the
administrator to relax the rules (or something similar).
If you are a domain admin, then you have full control over these
attributes and can do whatever you like.

Samba 3.0.22 did all the ads join operations using LDAP
requests which required you to be a Domain Admin.  As part
of the join, the machine SID was given full control over the
object in AD so again you could do whatever you liked with
'net ads keytab add -P'.

The code in 3.0.23 uses a mixture of RPC and LDAP just like
Windows 2000/XP.  The advantage is that a non-admin can
now join a Samba box to a domain given the same privileges
as required by Windows.  The disadvantage is that we can no
longer assume we have admin rights to set any property we
like.  This is why, for example, we no longer try to create
a UPN by default (although I added a new option to net ads
join in 3.0.23a that will do that) or set the operatingSystem
attribute value.

Hope this helps clear up some of the confusion.

Note that I've added in a fair amount of new code in 3.0.23a
for

(a) deriving the DES salt
(b) generating the keytab file
(c) optionally creating the UPN as part of the join.

Please give it a whirl and let me know how it goes.
Our Krb5 code is over 3 years old spreading about
multiple MIT and heimdal versions.  It's time for some
spring cleaning but I don't want to lose functionality
if we can help it.

cheers, jerry
=====================================================================
Samba                                    ------- http://www.samba.org
Centeris                         -----------  http://www.centeris.com
"What man is a man who does not make the world better?"      --Balian
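As an added illustration of the validated-write rule described in the post (this is not Samba code, and the rule model is an assumption drawn from the post: a non-admin may only set a dNSHostName inside the realm's DNS domain and SPNs whose host part matches it; accepting the short computer name as well is an additional assumption about Windows behaviour), the following check predicts whether a proposed join would be refused:

```python
"""Predict whether a machine account's proposed dNSHostName / SPN values
would pass AD validated-write checks for a non-admin joiner.

Added example, not Samba code.  Rule model (assumption from the post):
  * dNSHostName must lie within the AD realm's DNS domain
  * each servicePrincipalName host part must match the dNSHostName
    (the short NetBIOS computer name is also accepted here; assumption)
  * Domain Admins have full control and bypass both checks
"""
from dataclasses import dataclass, field


@dataclass
class JoinRequest:
    netbios_name: str                 # e.g. "FILESRV" (constructed sample)
    dns_host_name: str                # proposed dNSHostName
    spns: list = field(default_factory=list)  # proposed SPN values
    is_domain_admin: bool = False     # admin joiner has full control


def validated_write_errors(req: JoinRequest, realm: str) -> list:
    """Return the list of violations; an empty list means the write
    would be allowed.  Domain admins are never refused."""
    if req.is_domain_admin:
        return []
    errors = []
    host = req.dns_host_name.lower().rstrip(".")
    domain = realm.lower()
    # dNSHostName must be within the realm's DNS domain
    if not host.endswith("." + domain):
        errors.append(f"dNSHostName {req.dns_host_name!r} is outside realm {realm}")
    # each SPN's host component must match dNSHostName (or the NetBIOS name)
    for spn in req.spns:
        if "/" not in spn:
            errors.append(f"SPN {spn!r} has no service class")
            continue
        _, _, target = spn.partition("/")
        target_host = target.split(":", 1)[0].lower().rstrip(".")  # drop any port
        if target_host not in (host, req.netbios_name.lower()):
            errors.append(f"SPN {spn!r} does not match dNSHostName {req.dns_host_name!r}")
    return errors
```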