[Samba] Re: Kerberos with delegated domain

Robert LeBlanc robert at leblancnet.us
Fri May 29 23:38:44 GMT 2009


On Fri, May 29, 2009 at 2:33 PM, Robert LeBlanc <robert at leblancnet.us> wrote:

> Ok, here is the set-up. We have a domain that is the main domain, it
> handles DHCP and DNS for domain.edu. The DNS for domain.edu has NS records
> to delegate domain.local to our Active Directory.
>
> I am able to bind a machine just fine to the Active Directory without
> having to change any of the client DNS settings (which point to domain.edu).
> File services work fine. I'm trying to work out single sign-on with OpenSSH
> server. I can get it working to itself just fine using either hostname,
> hostname.domain.local and hostname.edu where hostname is the name of the
> machine that is sshing to itself. When I have two machines set-up exactly
> the same, it doesn't work.
>
> I've sniffed the traffic and I can see that Kerberos goes through both
> domains looking for a principal that matches. The problem is that the
> reverse DNS always sends back hostname.domain.edu, but the service
> principals are hostname.domain.local. I'm guessing Kerberos uses the rDNS to
> generate the service principal.
>
> Is there some way to have winbind register both FQDNs as service principals
> automatically on join? If not, how would I add a service principal to the
> keytab that winbind generates? Or, how can I get Kerberos to use the short
> version of principal that does not include domain.[edu|local]. I'm really new
> to Kerberos at this level and I've spent about a week getting this far.
>
> Thanks,
> Robert
>

I've tried setting up a mapping in the domain_realm section of
/etc/krb5.conf like:

.domain.com = DOMAIN.LOCAL

but that didn't help. Then I found for the libdefaults section:

rdns = no

and that seems to work. It seems to use just the short name which winbind
does populate in the keytab. I don't think anyone outside of our area could
spoof the short name because they won't have access to the computer object
in the AD. A computer with the same name would have a different key so it
wouldn't match. Is there anything I'm missing that I should be concerned
about?

Thanks,
Robert
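For reference, the krb5.conf fragment below is an added example, not the poster's own file, that puts the two settings discussed in this message together: the rdns switch in [libdefaults] and a [domain_realm] mapping that sends both DNS suffixes to the AD realm. The names domain.edu, domain.local and DOMAIN.LOCAL come from the message; the KDC hostname, the [realms] block and the exact file layout are assumptions.

```ini
[libdefaults]
    default_realm = DOMAIN.LOCAL
    # With rdns disabled the client builds the service principal from the
    # name it was given (hostname, hostname.domain.local or
    # hostname.domain.edu) instead of the PTR record, which in this
    # environment always answers hostname.domain.edu.
    rdns = no

[realms]
    DOMAIN.LOCAL = {
        # assumed domain controller name; substitute the real DC
        kdc = dc1.domain.local
        admin_server = dc1.domain.local
    }

[domain_realm]
    # Both DNS suffixes belong to the same AD realm, so a client reaching a
    # host as hostname.domain.edu does not guess a realm DOMAIN.EDU from the
    # suffix and ask the wrong KDC.
    .domain.local = DOMAIN.LOCAL
    domain.local = DOMAIN.LOCAL
    .domain.edu = DOMAIN.LOCAL
    domain.edu = DOMAIN.LOCAL
```

Because rdns = no makes the requested principal depend on whatever name the user typed, the host keytab must hold a host/ entry for every name clients actually use; on the server, `net ads keytab list` (or `klist -k` against the system keytab) shows which principals winbind has registered, and `net ads keytab add` can register an additional one for a name that is missing.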
