[Samba] Authenticating Samba 3.4.2 vs WinServer 2008R2

Douglas E. Engert deengert at anl.gov
Wed Oct 14 07:54:03 MDT 2009



ravi channavajhala wrote:
> To my understanding, Windows treats principal names as case insensitive.
> Kerberos treats them as case sensitive.  MIT Kerberos version - 1.7 is
> supposed to have fixed this.
> 
> The way to get around this is to add uppercase SPN names into the Kerberos
> keytab. 

Not exactly. Windows AD will accept any case and return the principal in the ticket
using the case requested by the caller.

A service principal usually consists of three parts, service,  hostname  and realm.
The service should be entered in the correct case, for example: host, ldap or HTTP.
The hostname should be the FQDN in lower case, and the realm should be the AD domain
name in uppercase.

Case becomes an issue to a unix service if the case of the principal in the
ticket does not match the case in keytab. It is also an issue when creating a keytab
file using DES or AES as the key is derived from a password and a salt. The salt
is the concatenation of "host"||lowercase(samAccountName)||uppercase(AD domain name).
(Arcfour does not use a salt.)

> 
> Regards,
> /rkc
> 
> -----Original Message-----
> From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org]
> On Behalf Of Bober, Mark
> Sent: Wednesday, October 14, 2009 12:17 AM
> To: samba at lists.samba.org
> Subject: Re: [Samba] Authenticating Samba 3.4.2 vs WinServer 2008R2
> 
> DNS, /etc/hosts, all that is correct, on the Samba box, the client, and the
> 2008 AD server.
> 
> It still works perfectly if you use \\128.252.x.x in the URI instead of the
> name.
> 
> What is the functional difference between accessing a URI via IP rather than
> the hostname or FQDN?
> 
> Mark
> 
> 
> -----Original Message-----
> From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org]
> On Behalf Of Dirk Jakobsmeier
> Sent: Tuesday, October 13, 2009 12:04 AM
> To: samba at lists.samba.org
> Subject: Re: [Samba] Authenticating Samba 3.4.2 vs WinServer 2008R2
> 
> Hello Mark,
> 
> On Monday 12 October 2009 16:56:35, Bober, Mark wrote:
>> Here's some things from log level 99:
>>
>> [2009/10/12 09:43:53, 10] lib/util.c:2626(name_to_fqdn)
>>   name_to_fqdn: lookup for HOSTNAME -> hostname.domain.wustl.edu.
>> [2009/10/12 09:43:53, 10]
>> libads/kerberos_verify.c:220(ads_keytab_verify_ticket)
>>   ads_keytab_verify_ticket:
>> krb5_rd_req_return_keyblock_from_keytab(host/hostname.domain.wustl.edu at D
>> OMAIN.WUSTL.EDU) failed: Wrong principal in request
>>  [2009/10/12 09:43:53, 10]
>> libads/kerberos_verify.c:220(ads_keytab_verify_ticket)
>>   ads_keytab_verify_ticket:
>> krb5_rd_req_return_keyblock_from_keytab(host/hostname at DOMAIN.WUSTL.EDU)
>> failed: Wrong principal in request
>>  [2009/10/12 09:43:53,  3]
>> libads/kerberos_verify.c:266(ads_keytab_verify_ticket)
>>   ads_keytab_verify_ticket: krb5_rd_req failed for all 12 matched keytab
>> principals
>> [2009/10/12 09:43:53,  3]
>> libads/kerberos_verify.c:567(ads_verify_ticket)
>>   ads_verify_ticket: krb5_rd_req with auth failed (Wrong principal in
>> request)
>> [2009/10/12 09:43:53, 10]
>> libads/kerberos_verify.c:576(ads_verify_ticket)
>>   ads_verify_ticket: returning error NT_STATUS_LOGON_FAILURE
> 
> I've found several pieces of information about "wrong principal in request" errors
> pointing to a name resolution problem. Can you check DNS, /etc/hosts ...?
> 
>> I cut some of that out - it tried each name 6 times, hence the 12?
>> Looking at the system keytab, and the computer account in AD, everything
>> seems to match. FWIW, if I leave the domain and come back specifying the
>> remaining 2003 server as the password server, this all looks the same
>> and seems to work....
>>
>> How much does capitalization matter? ADSIEDIT shows the
>> ServicePrincipalNames as
>>
>> HOST/hostname.domain.wustl.edu
>> HOST/HOSTNAME
>>
>> Where the keytab is:
>>
>> host/hostname.domain.wustl.edu
>> host/hostname
>>
>>
>> -----Original Message-----
>> From: samba-bounces at lists.samba.org
>> [mailto:samba-bounces at lists.samba.org] On Behalf Of Dirk Jakobsmeier
>> Sent: Thursday, October 08, 2009 10:57 PM
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] Authenticating Samba 3.4.2 vs WinServer 2008R2
>>
>> Hello Mark,
>>
>> On Thursday 08 October 2009 16:03:13, Bober, Mark wrote:
>>> Hello! I'm having an odd issue between Samba and Win2k8R2. We updated
>>> one of our domain controllers to 2k8R2, and as such are working in a
>>> 2003-level AD environment. If I force the 'password server' to the 2003
>>> DC, then everything works fine, only working against the 2008 box has
>>> issues.
>> we have several issues here depending on one of our servers (2008). E.g.
>> domain names (username at domainname) have to be written in capital letters
>> when connecting to shares...
>>
>>> \\128.252.123.123\sharename
>>>
>>> And it works as expected - my clients are in the same domain, no
>>> password is asked for, etc.
>>>
>>> Using any form of the hostname in the URI, either \\hostname\sharename
>>> or \\hostname.domain.name\sharename in the URI will continually
>>> prompt for a password.  Using 'smbclient' with the names in the URI on
>>> the Samba box itself works fine.
>>>
>>>
>>> log level = 1
>> did you try to set this to a higher level (and restart samba)? I always
>> use 99 so I get large logfiles with nearly all the information I need. The
>> client log (log.clienthostname or log.clientip) could be interesting.
>>
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
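As an added illustration (not part of the original thread) of the two case points in the reply above: a checker that compares the principal from a ticket against keytab entries byte-for-byte, as a keytab lookup does, and reports which parts differ only in case, plus the PBKDF2 stage of the RFC 3962 AES string-to-key showing that a salt differing only in case yields a different key. The keytab entries, password and salt strings are constructed sample values; the exact salt layout AD uses for a given account type is not restated here.

```python
import hashlib
import re

# service/hostname@REALM, the three-part service principal the message describes
PRINCIPAL_RE = re.compile(r"^(?P<service>[^/@]+)/(?P<host>[^@]+)@(?P<realm>.+)$")
PARTS = ("service", "host", "realm")

def parse_principal(principal):
    """Split 'service/host@REALM' into its three parts; raise on anything else."""
    m = PRINCIPAL_RE.match(principal)
    if not m:
        raise ValueError("not a service principal: %r" % principal)
    return tuple(m.group(p) for p in PARTS)

def match_keytab(ticket_principal, keytab_principals):
    """Return ('exact', entry, []) when the ticket principal matches a keytab
    entry byte-for-byte (what the keytab lookup needs), ('case-only', entry,
    differing_parts) when an entry differs only in case, else ('none', None, [])."""
    if ticket_principal in keytab_principals:
        return "exact", ticket_principal, []
    ticket = parse_principal(ticket_principal)
    for entry in keytab_principals:
        parts = parse_principal(entry)
        if tuple(x.lower() for x in parts) == tuple(x.lower() for x in ticket):
            differing = [n for n, a, b in zip(PARTS, ticket, parts) if a != b]
            return "case-only", entry, differing
    return "none", None, []

def pbkdf2_stage(password, salt, key_bytes=16, iterations=4096):
    """First stage of the RFC 3962 AES string-to-key: PBKDF2-HMAC-SHA1 over the
    password and salt (default 4096 iterations). The final DK() step is left out;
    this stage alone shows why a salt of the wrong case gives an unusable key."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               salt.encode("utf-8"), iterations, key_bytes)

# Constructed sample values (hostnames as in the quoted log, not real secrets).
KEYTAB = ["host/hostname.domain.wustl.edu@DOMAIN.WUSTL.EDU",
          "host/hostname@DOMAIN.WUSTL.EDU"]
SALT_OK = "DOMAIN.WUSTL.EDUhosthostname.domain.wustl.edu"   # hostname lower case
SALT_BAD = "DOMAIN.WUSTL.EDUhostHOSTNAME.DOMAIN.WUSTL.EDU"  # same salt, wrong case

def salt_case_matters(password="constructed-machine-password"):
    """True when the two case-variant salts derive different keys."""
    return pbkdf2_stage(password, SALT_OK) != pbkdf2_stage(password, SALT_BAD)

if __name__ == "__main__":
    for p in ("HOST/HOSTNAME@DOMAIN.WUSTL.EDU", "host/hostname@DOMAIN.WUSTL.EDU"):
        print(p, "->", match_keytab(p, KEYTAB))
    print("salt case changes the key:", salt_case_matters())
```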

