[Samba] Re: Kerberos with delegated domain

Robert LeBlanc robert at leblancnet.us
Wed Jun 3 16:35:52 GMT 2009


On Fri, May 29, 2009 at 5:38 PM, Robert LeBlanc <robert at leblancnet.us> wrote:

>
> On Fri, May 29, 2009 at 2:33 PM, Robert LeBlanc <robert at leblancnet.us> wrote:
>
>> Ok, here is the set-up. We have a domain that is the main domain, it
>> handles DHCP and DNS for domain.edu. The DNS for domain.edu has NS
>> records to delegate domain.local to our Active Directory.
>>
>> I am able to bind a machine just fine to the Active Directory without
>> having to change any of the client DNS settings (which point to
>> domain.edu). File services work fine. I'm trying to work out single
>> sign-on with OpenSSH server. I can get it working to itself just fine using
>> either hostname, hostname.domain.local and hostname.edu where hostname is
>> the name of the machine that is sshing to itself. When I have two machines
>> set-up exactly the same, it doesn't work.
>>
>> I've sniffed the traffic and I can see that Kerberos goes through both
>> domains looking for a principal that matches. The problem is that the
>> reverse DNS always sends back hostname.domain.edu, but the service
>> principals are hostname.domain.local. I'm guessing Kerberos uses the rDNS to
>> generate the service principal.
>>
>> Is there some way to have winbind register both FQDNs as service
>> principals automatically on join? If not, how would I add a service
>> principal to the keytab that winbind generates? Or, how can I get Kerberos
>> to use the short version of principal that does not include
>> domain.[edu|local]. I'm really new to Kerberos at this level and I've spent
>> about a week getting this far.
>>
>> Thanks,
>> Robert
>>
>
> I've tried setting up a mapping in the domain_realm section of
> /etc/krb5.conf like:
>
> .domain.com = DOMAIN.LOCAL
>
> but that didn't help. Then I found for the libdefaults section:
>
> rdns = no
>
> and that seems to work. It seems to use just the short name which winbind
> does populate in the keytab. I don't think anyone outside of our area could
> spoof the short name because they won't have access to the computer object
> in the AD. A computer with the same name would have a different key so it
> wouldn't match. Is there anything I'm missing that I should be concerned
> about?
>
> Thanks,
> Robert
>
>
> The saga continues....

I've found that I can add service principals to the keytab using net ads
keytab add host/hostname.domain.edu and according to everything that I've
read this should edit the servicePrincipalName field of the computer
account. This is not the case for us, however. When a computer is joined to
the domain using net ads join -U administrator, it seems to create the SPNs,
but issuing the add command results in no new SPNs being added to the computer
account. I performed a net ads keytab flush -U administrator and it removed
all the SPNs from the computer account; now I can't get them back. A net ads
keytab create -U administrator regenerated a local keytab, but no SPNs were
added to the computer account.

The administrator account is not a domain admin account, but has full
control over the computer object. I've added the SPN manually into the
computer account and everything was working fine, but I'd like to do this
client side. The domain is a MS 2008 AD running in 2003 mode.

Anyone have suggestions of what I may try to figure this problem out?

Thanks,
Robert LeBlanc
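As an added example that is not part of this thread and not Samba or MIT krb5 code, the following simulates the client-side hostname canonicalization that the earlier message works around with rdns = no: the forward/reverse DNS entries, keytab SPNs and realm mapping are constructed assumptions modelled on the names in the thread (hostname, domain.edu, domain.local), and the [domain_realm] step is a simplified reading of how the suffix match behaves.

```python
# Added example, not from the thread: simulates how a Kerberos client builds
# the host/<name> service principal and why the reverse-DNS step misses the
# keytab winbind populated. DNS data, names and SPNs are constructed
# assumptions modelled on the thread; no real lookups are performed.

FORWARD_DNS = {"hostname": "192.0.2.10",            # constructed A records
               "hostname.domain.edu": "192.0.2.10",
               "hostname.domain.local": "192.0.2.10"}
REVERSE_DNS = {"192.0.2.10": "hostname.domain.edu"}   # constructed PTR record
KEYTAB_SPNS = {"host/hostname", "host/hostname.domain.local"}  # as winbind wrote them
DEFAULT_REALM = "DOMAIN.LOCAL"
DOMAIN_REALM = {".domain.edu": "DOMAIN.LOCAL", ".domain.local": "DOMAIN.LOCAL"}


def canonicalize(name, rdns=True):
    """Host name the client puts in the principal: with rdns=True the PTR
    name for the resolved address wins, with rdns=False the name as typed."""
    addr = FORWARD_DNS.get(name)
    if addr is None:
        raise LookupError(f"no forward record for {name}")
    return REVERSE_DNS.get(addr, name) if rdns else name


def realm_for(host):
    """[domain_realm] lookup: exact host, then each parent domain with a
    leading dot, then the default realm."""
    if host in DOMAIN_REALM:
        return DOMAIN_REALM[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in DOMAIN_REALM:
            return DOMAIN_REALM[parent]
    return DEFAULT_REALM


def service_principal(name, rdns=True):
    host = canonicalize(name, rdns)
    return f"host/{host}@{realm_for(host)}"


def keytab_matches(name, rdns=True):
    """True if sshd's keytab holds a key for the principal the client asks for."""
    return service_principal(name, rdns).split("@")[0] in KEYTAB_SPNS


if __name__ == "__main__":
    for target in ("hostname", "hostname.domain.local", "hostname.domain.edu"):
        for rdns in (True, False):
            print(f"rdns={rdns!s:5} {target:22} -> {service_principal(target, rdns)}",
                  "keytab match:", keytab_matches(target, rdns))
```

With the PTR answer pointing at domain.edu, every target name collapses to host/hostname.domain.edu when rdns is on, which is exactly the SPN the winbind keytab lacks; with rdns off, the short name and the domain.local name match, and only the domain.edu name still needs the extra SPN the last message tries to add.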

