[Samba] Re: Kerberos with delegated domain

Robert LeBlanc robert at leblancnet.us
Wed Jun 3 18:14:05 GMT 2009


On Wed, Jun 3, 2009 at 10:35 AM, Robert LeBlanc <robert at leblancnet.us> wrote:

>
>
> On Fri, May 29, 2009 at 5:38 PM, Robert LeBlanc <robert at leblancnet.us> wrote:
>
>>
>> On Fri, May 29, 2009 at 2:33 PM, Robert LeBlanc <robert at leblancnet.us> wrote:
>>
>>> Ok, here is the set-up. We have a domain that is the main domain, it
>>> handles DHCP and DNS for domain.edu. The DNS for domain.edu has NS
>>> records to delegate domain.local to our Active Directory.
>>>
>>> I am able to bind a machine just fine to the Active Directory without
>>> having to change any of the client DNS settings (which point to
>>> domain.edu). File services work fine. I'm trying to work out single
>>> sign-on with OpenSSH server. I can get it working to itself just fine using
>>> either hostname, hostname.domain.local and hostname.edu where hostname
>>> is the name of the machine that is sshing to itself. When I have two
>>> machines set-up exactly the same, it doesn't work.
>>>
>>> I've sniffed the traffic and I can see that Kerberos goes through both
>>> domains looking for a principal that matches. The problem is that the
>>> reverse DNS always sends back hostname.domain.edu, but the service
>>> principals are hostname.domain.local. I'm guessing Kerberos uses the rDNS to
>>> generate the service principal.
>>>
>>> Is there some way to have winbind register both FQDNs as service
>>> principals automatically on join? If not, how would I add a service
>>> principal to the keytab that winbind generates? Or, how can I get Kerberos
>>> to use the short version of principal that does not include
>>> domain.[edu|local]. I'm really new to Kerberos at this level and I've spent
>>> about a week getting this far.
>>>
>>> Thanks,
>>> Robert
>>>
>>
>> I've tried setting up a mapping in the domain_realm section of
>> /etc/krb5.conf like:
>>
>> .domain.com = DOMAIN.LOCAL
>>
>> but that didn't help. Then I found for the libdefaults section:
>>
>> rdns = no
>>
>> and that seems to work. It seems to use just the short name which winbind
>> does populate in the keytab. I don't think anyone outside of our area could
>> spoof the short name because they won't have access to the computer object
>> in the AD. A computer with the same name would have a different key so it
>> wouldn't match. Is there anything I'm missing that I should be concerned
>> about?
>>
>> Thanks,
>> Robert
>>
>>
>> The saga continues....
>
> I've found that I can add service principals to the keytab using net ads
> keytab add host/hostname.domain.edu and according to everything that I've
> read this should edit the servicePrincipalName field of the computer
> account. This is not the case for us however. When a computer is joined to
> the domain using net ads join -U administrator, it seems to create the SPNs, but
> issuing the add command results in no new SPNs being added to the computer
> account. I performed a net ads keytab flush -U administrator and it removed
> all the SPNs from the computer account, now I can't get them back. A net ads
> keytab create -U administrator regenerated a local keytab, but no SPNs were
> added to the computer account.
>
> The administrator account is not a domain admin account, but has full
> control over the computer object. I've added the SPN manually into the
> computer account and everything was working fine, but I'd like to do this
> client side. The domain is a MS 2008 AD running in 2003 mode.
>
> Anyone have suggestions of what I may try to figure this problem out?
>
> Thanks,
> Robert LeBlanc
>
This seems to be quite the one sided conversation, but I hope that it will
help someone, or that someone can help me. I've set up a new Debian Lenny
machine and joined it to a MS 2003 Domain that I am Domain Admin on, still
no luck. I'm guessing that it is something that I'm doing wrong rather than a
problem with Samba. Now to figure out what it is that I'm doing wrong.

Tried Samba 3.2.5 against MS 2003 domain as Domain Admin
Tried Samba 3.3.4 against MS 2008 domain (not domain Admin) and MS 2003
domain as Domain Admin

The next reply will probably be from me, see me soon!

Robert

