[Samba] Kerberos Keytab Code Update in 3.0.23
Doug VanLeuven
roamdad at sonic.net
Tue Jul 25 10:32:50 GMT 2006
Gerald (Jerry) Carter wrote:
> Yup. That's what I meant. I'll try to repro your results
> on Monday (if all goes well). Thanks.
I started up a machine that was on the shelf.
This one had been joined as rc4.
I edited krb5.conf and userAccountControl for des only.
My DHCP registers machines in dyn.ldxnet.com and in-addr.arpa
which are dynamically updatable on linux.
Then the workstations register an A record in nt.ldxnet.com
which is DNS managed by windows 2003 server.
I've been adding the dyn.ldxnet.com names to servicePrincipalName
because it seems I get best results in mixed DNS domains.
Like Mark Twain said "After a cat's been burnt on a hot
stove, won't sit on a cold one either."
Windows 2003 is capitalizing the first letter in kerbtray
and klist, but the salt listed by ethereal is lowercase.
Browsing from windows domain machines works and smbclient -k
works after kinit.
This combination runs des only. Not that old either.
Maybe you could back trace the changes.
Check out the keytab listing below.
Let me know if there is a stress test for this you'd like me to run.
That's all for tonight - Doug
Linux lex 2.6.12-1.1381_FC3
Samba version 3.0.21pre3-SVN-build-11739
krb5-workstation-1.3.6-7
openldap-2.2.29-1.FC3
/etc/krb5.conf
[libdefaults]
dns_lookup_realm = false
dns_lookup_kdc = true
default_realm = NT.LDXNET.COM
default_keytab_name = FILE:/etc/krb5.keytab
default_tgs_enctypes = des-cbc-md5 des-cbc-crc
default_tkt_enctypes = des-cbc-md5 des-cbc-crc
permitted_enctypes = des-cbc-md5 des-cbc-crc
[root at lex ~]# klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
3 host/lex.nt.ldxnet.com at NT.LDXNET.COM (DES cbc mode with RSA-MD5)
(Yes, I edited out all but one entry. At first glance
it looks like you're right)
[root at lex ~]# kinit
Password for root at NT.LDXNET.COM:
[root at lex ~]# smbclient -k -Llex
OS=[Unix] Server=[Samba 3.0.21pre3-SVN-build-11739]
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
test Disk Temporary file space
temp Disk Temporary file space
IPC$ IPC IPC Service ("lex")
ADMIN$ IPC IPC Service ("lex")
root Disk Home Directories
OS=[Unix] Server=[Samba 3.0.21pre3-SVN-build-11739]
Server Comment
--------- -------
Workgroup Master
--------- -------
FOREST RANGER1
ldp.exe on domain controller, entry for des-only lex workstation
Getting 1 entries:
>> Dn: CN=lex,CN=Computers,DC=nt,DC=ldxnet,DC=com
5> objectClass: top; person; organizationalPerson; user; computer;
1> cn: lex;
1> distinguishedName: CN=lex,CN=Computers,DC=nt,DC=ldxnet,DC=com;
1> instanceType: 0x4 = ( IT_WRITE );
1> whenCreated: 11/24/2005 00:27:22 Pacific Standard Time Pacific Daylight Time;
1> whenChanged: 07/24/2006 12:08:07 Pacific Standard Time Pacific Daylight Time;
1> uSNCreated: 931987;
1> uSNChanged: 1128498;
1> name: lex;
1> objectGUID: fa853706-780c-46ac-aaf8-deffbdd4cc20;
1> userAccountControl: 0x211000 = ( UF_WORKSTATION_TRUST_ACCOUNT | UF_DONT_EXPIRE_PASSWD |
UF_USE_DES_KEY_ONLY );
1> badPwdCount: 0;
1> codePage: 0;
1> countryCode: 0;
1> badPasswordTime: 01/01/1601 00:00:00 UNC ;
1> lastLogoff: 01/01/1601 00:00:00 UNC ;
1> lastLogon: 07/25/2006 02:45:36 Pacific Standard Time Pacific Daylight Time;
1> localPolicyFlags: 0;
1> pwdLastSet: 11/24/2005 00:27:22 Pacific Standard Time Pacific Daylight Time;
1> primaryGroupID: 515;
1> objectSid: S-1-5-21-484763869-746137067-1343024091-1234;
1> accountExpires: 09/14/30828 02:48:05 UNC ;
1> logonCount: 30;
1> sAMAccountName: lex$;
1> sAMAccountType: 805306369;
1> operatingSystem: Samba;
1> operatingSystemVersion: 3.0.21pre3-SVN-build-11739;
1> dNSHostName: lex.dyn.ldxnet.com;
1> userPrincipalName: HOST/lex at NT.LDXNET.COM;
6> servicePrincipalName: HOST/lex.dyn.ldxnet.com; CIFS/lex.dyn.ldxnet.com;
CIFS/lex.nt.ldxnet.com; CIFS/lex; HOST/lex.nt.ldxnet.com; HOST/lex;
1> objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=nt,DC=ldxnet,DC=com;
1> isCriticalSystemObject: FALSE;
1> lastLogonTimestamp: 07/24/2006 12:08:07 Pacific Standard Time Pacific Daylight Time;
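Added example (not Doug's code and not part of Samba): a small Python check that ties the three listings in this message together. It decodes the userAccountControl bitmask from the ldp.exe dump, parses the `klist -ke` keytab listing, reads `permitted_enctypes` from krb5.conf, and reports any entry whose enctype disagrees with the account's UF_USE_DES_KEY_ONLY flag or with what krb5.conf permits. The UF_* bit values are the documented AD constants; the mapping of klist's printed enctype names to krb5.conf names is assumed from MIT klist output, and the sample inputs are constructed from the listings above with the archive's "at" restored to "@".

```python
import re

# Well-known userAccountControl bits (documented AD values); only the three
# flags that appear in the ldp.exe dump above are listed here.
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000
UF_DONT_EXPIRE_PASSWD = 0x10000
UF_USE_DES_KEY_ONLY = 0x200000

UAC_FLAGS = {
    "UF_WORKSTATION_TRUST_ACCOUNT": UF_WORKSTATION_TRUST_ACCOUNT,
    "UF_DONT_EXPIRE_PASSWD": UF_DONT_EXPIRE_PASSWD,
    "UF_USE_DES_KEY_ONLY": UF_USE_DES_KEY_ONLY,
}

# Enctype names as MIT 'klist -ke' prints them, mapped to krb5.conf names
# (assumed mapping; only the DES types relevant to this thread are listed).
KLIST_TO_KRB5 = {
    "DES cbc mode with RSA-MD5": "des-cbc-md5",
    "DES cbc mode with CRC-32": "des-cbc-crc",
}
DES_ENCTYPES = {"des-cbc-md5", "des-cbc-crc"}

# Constructed sample inputs, copied from the listings in the message
# (mail-archive "at" restored to "@" in the principal name).
LDP_DUMP = """1> sAMAccountName: lex$;
1> userAccountControl: 0x211000 = ( UF_WORKSTATION_TRUST_ACCOUNT | UF_DONT_EXPIRE_PASSWD |
UF_USE_DES_KEY_ONLY );
"""
KLIST_OUTPUT = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/lex.nt.ldxnet.com@NT.LDXNET.COM (DES cbc mode with RSA-MD5)
"""
KRB5_CONF = """[libdefaults]
default_realm = NT.LDXNET.COM
permitted_enctypes = des-cbc-md5 des-cbc-crc
"""


def decode_uac(value):
    """Return the names of the known flags set in a userAccountControl integer."""
    return {name for name, bit in UAC_FLAGS.items() if value & bit}


def parse_ldp_uac(ldp_text):
    """Extract the hex userAccountControl value from an ldp.exe attribute dump."""
    m = re.search(r"userAccountControl:\s*0x([0-9A-Fa-f]+)", ldp_text)
    if not m:
        raise ValueError("no userAccountControl attribute in dump")
    return int(m.group(1), 16)


def parse_klist_ke(klist_text):
    """Parse 'klist -ke' output into (kvno, principal, enctype-name) tuples."""
    entries = []
    for line in klist_text.splitlines():
        m = re.match(r"\s*(\d+)\s+(\S+)\s+\((.+)\)\s*$", line)
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(3)))
    return entries


def parse_permitted_enctypes(conf_text):
    """Return the permitted_enctypes list from a krb5.conf [libdefaults] section."""
    m = re.search(r"^\s*permitted_enctypes\s*=\s*(.+?)\s*$", conf_text, re.M)
    return m.group(1).split() if m else []


def check_consistency(uac_value, keytab_entries, permitted):
    """Report mismatches between the AD account flags, the keytab and krb5.conf.

    Returns (des_only, problems): des_only is whether UF_USE_DES_KEY_ONLY is set,
    problems is a list of human-readable findings (empty means consistent).
    """
    des_only = bool(uac_value & UF_USE_DES_KEY_ONLY)
    problems = []
    for kvno, principal, name in keytab_entries:
        etype = KLIST_TO_KRB5.get(name, name)
        is_des = etype in DES_ENCTYPES
        if des_only and not is_des:
            problems.append(f"{principal} kvno {kvno}: {etype} key on a DES-only account")
        if not des_only and is_des:
            problems.append(f"{principal} kvno {kvno}: DES key but account is not DES-only")
        if permitted and etype not in permitted:
            problems.append(f"{principal} kvno {kvno}: {etype} not in permitted_enctypes")
    return des_only, problems


def audit(ldp_text=LDP_DUMP, klist_text=KLIST_OUTPUT, conf_text=KRB5_CONF):
    """Run the whole check over the three listings and return the result."""
    return check_consistency(parse_ldp_uac(ldp_text),
                             parse_klist_ke(klist_text),
                             parse_permitted_enctypes(conf_text))


if __name__ == "__main__":
    des_only, problems = audit()
    print("account is DES-only:", des_only)
    print("flags:", sorted(decode_uac(parse_ldp_uac(LDP_DUMP))))
    for p in problems or ["keytab, account flags and krb5.conf are consistent"]:
        print(" -", p)
```

For the listings in this message the check comes back clean: 0x211000 decodes to exactly the three flags ldp.exe shows, the single keytab entry is des-cbc-md5, and that type is in permitted_enctypes. The same script run against a machine joined with RC4 but later flipped to UF_USE_DES_KEY_ONLY (or the reverse) would list the keytab entries that no longer match the account, which is the mismatch the thread is chasing.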