[Samba] Authenticating Samba 3.4.2 vs WinServer 2008R2
Douglas E. Engert
deengert at anl.gov
Wed Oct 14 07:54:03 MDT 2009
ravi channavajhala wrote:
> To my understanding, windows treat principal names as case insensitive.
> Kerberos treats them as case sensitive. MIT Kerberos version - 1.7 is
> supposed to have fixed this.
>
> The way to get around this is to add uppercase SPN names into the Kerberos
> keytab.
Not exactly. Windows AD will accept any case and return the principal in the ticket
using the case requested by the caller.
A service principal usually consists of three parts, service, hostname and realm.
The service should be entered in the correct case, for example: host, ldap or HTTP.
The hostname should be the FQDN in lower case, and the realm should be the AD domain
name in uppercase.
Case becomes an issue to a unix service if the case of the principal in the
ticket does not match the case in keytab. It is also an issue when creating a keytab
file using DES or AES as the key is derived from a password and a salt. The salt
is the concatenation of "host"||lowercase(samAccountName)||uppercase(AD domain name)
(Arcfour does not use a salt.)
>
> Regards,
> /rkc
>
> -----Original Message-----
> From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org]
> On Behalf Of Bober, Mark
> Sent: Wednesday, October 14, 2009 12:17 AM
> To: samba at lists.samba.org
> Subject: Re: [Samba] Authenticating Samba 3.4.2 vs WinServer 2008R2
>
> DNS, /etc/hosts, all that is correct, on the Samba box, the client, and the
> 2008 AD server.
>
> It still works perfectly if you use \\128.252.x.x in the URI instead of the
> name.
>
> What is the functional difference between accessing a URI via IP rather than
> the hostname or FQDN?
>
> Mark
>
>
> -----Original Message-----
> From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org]
> On Behalf Of Dirk Jakobsmeier
> Sent: Tuesday, October 13, 2009 12:04 AM
> To: samba at lists.samba.org
> Subject: Re: [Samba] Authenticating Samba 3.4.2 vs WinServer 2008R2
>
> Hello Mark,
>
> On Monday 12 October 2009 16:56:35, Bober, Mark wrote:
>> Here's some things from log level 99:
>>
>> [2009/10/12 09:43:53, 10] lib/util.c:2626(name_to_fqdn)
>> name_to_fqdn: lookup for HOSTNAME -> hostname.domain.wustl.edu.
>> [2009/10/12 09:43:53, 10]
>> libads/kerberos_verify.c:220(ads_keytab_verify_ticket)
>> ads_keytab_verify_ticket:
>> krb5_rd_req_return_keyblock_from_keytab(host/hostname.domain.wustl.edu at DOMAIN.WUSTL.EDU) failed: Wrong principal in request
>> [2009/10/12 09:43:53, 10]
>> libads/kerberos_verify.c:220(ads_keytab_verify_ticket)
>> ads_keytab_verify_ticket:
>> krb5_rd_req_return_keyblock_from_keytab(host/hostname at DOMAIN.WUSTL.EDU)
>> failed: Wrong principal in request
>> [2009/10/12 09:43:53, 3]
>> libads/kerberos_verify.c:266(ads_keytab_verify_ticket)
>> ads_keytab_verify_ticket: krb5_rd_req failed for all 12 matched keytab
>> principals
>> [2009/10/12 09:43:53, 3]
>> libads/kerberos_verify.c:567(ads_verify_ticket)
>> ads_verify_ticket: krb5_rd_req with auth failed (Wrong principal in
>> request)
>> [2009/10/12 09:43:53, 10]
>> libads/kerberos_verify.c:576(ads_verify_ticket)
>> ads_verify_ticket: returning error NT_STATUS_LOGON_FAILURE
>
> I've found several pieces of information about "wrong principal in request" errors
> pointing to a name resolution problem. Can you check dns, /etc/hosts ...?
>
>> I cut some of that out - it tried each name 6 times, hence the 12?
>> Looking at the system keytab, and the computer account in AD, everything
>> seems to match. FWIW, if I leave the domain and come back specifying the
>> remaining 2003 server as the password server, this all looks the same
>> and seems to work....
>>
>> How much does capitalization matter? ADSIEDIT shows the
>> ServicePrincipalNames as
>>
>> HOST/hostname.domain.wustl.edu
>> HOST/HOSTNAME
>>
>> Where the keytab is:
>>
>> host/hostname.domain.wustl.edu
>> host/hostname
>>
>>
>> -----Original Message-----
>> From: samba-bounces at lists.samba.org
>> [mailto:samba-bounces at lists.samba.org] On Behalf Of Dirk Jakobsmeier
>> Sent: Thursday, October 08, 2009 10:57 PM
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] Authenticating Samba 3.4.2 vs WinServer 2008R2
>>
>> Hello Mark,
>>
>> On Thursday 08 October 2009 16:03:13, Bober, Mark wrote:
>>> Hello! I'm having an odd issue between Samba and Win2k8R2. We updated
>>> one of our domain controllers to 2k8R2, and as such are working in a
>>> 2003-level AD environment. If I force the 'password server' to the 2003
>>> DC, then everything works fine, only working against the 2008 box has
>>> issues.
>> We have several issues here depending on one of our servers (2008). E.g.
>> domain names (username at domainname) have to be written in capital letters
>> when connecting to shares...
>>
>>> \\128.252.123.123\sharename <file:///\\128.252.123.123\sharename>
>>>
>>> And it works as expected - my clients are in the same domain, no
>>> password is asked for, etc.
>>>
>>> Using any form of the hostname in the URI, either \\hostname\sharename
>>> <file:///\\hostname\sharename> or \\hostname.domain.name\sharename
>>> <file:///\\hostname.domain.name\sharename> in the URI will continually
>>> prompt for a password. Using 'smbclient' with the names in the URI on
>>> the Samba box itself works fine.
>>>
>>>
>>> log level = 1
>> Did you try to set this to a higher level (and restart samba)? I always
>> use 99 so I get large logfiles with nearly all the information I need. The
>> client log (log.clienthostname or log.clientip) could be interesting.
>>
>
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
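The reply above makes the point that AD accepts a service principal in any case and issues the ticket in the case the caller asked for, while a Unix keytab lookup only succeeds when the principal in the ticket matches a keytab entry exactly. The following script is an added illustration of that lookup, not code from Samba or from anyone in this thread: it parses principals of the form service/host@REALM, tells a byte-exact keytab match apart from a case-only mismatch (which AD would accept but krb5_rd_req would report as "Wrong principal in request"), and prints the canonical form the reply recommends (service as entered, hostname as lowercase FQDN, realm in uppercase). The keytab entries are the two the original poster listed; the ticket principals fed to it are constructed examples, not what the poster's KDC actually issued.

```python
"""Case-sensitive principal matching between a Kerberos service ticket and a keytab.

Added illustration for the thread above; not Samba code.  It models the lookup
that fails with "Wrong principal in request": the principal named in the ticket
must match a keytab entry exactly (case included), while AD itself treats SPNs
case-insensitively.  All ticket names below are constructed examples.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    service: str
    host: str
    realm: str

    @classmethod
    def parse(cls, text: str) -> Principal:
        # Accepts "service/host@REALM"; list archives rewrite "@" as " at ".
        text = text.replace(" at ", "@")
        if "@" not in text or "/" not in text:
            raise ValueError(f"not a service principal: {text!r}")
        name, realm = text.rsplit("@", 1)
        service, host = name.split("/", 1)
        return cls(service, host, realm)

    def __str__(self) -> str:
        return f"{self.service}/{self.host}@{self.realm}"

    def canonical(self) -> Principal:
        # Form recommended in the reply: service as given, host as lowercase
        # FQDN, realm in uppercase.
        return Principal(self.service, self.host.lower(), self.realm.upper())

    def folded(self) -> tuple[str, str, str]:
        # Windows-style comparison key: case-insensitive in every component.
        return (self.service.lower(), self.host.lower(), self.realm.lower())


def diagnose(ticket: str, keytab: list[str]) -> tuple[str, list[str]]:
    """Classify how the ticket's principal relates to the keytab entries.

    Returns ("exact", [entry]) when a keytab entry matches byte-for-byte (the
    only case a keytab lookup accepts), ("case_only", [entries]) when entries
    differ from the ticket only in letter case (AD would treat these as the
    same SPN), or ("none", []) when nothing related is in the keytab.
    """
    want = Principal.parse(ticket)
    entries = [Principal.parse(e) for e in keytab]
    exact = [str(e) for e in entries if e == want]
    if exact:
        return "exact", exact
    case_only = [str(e) for e in entries if e.folded() == want.folded()]
    if case_only:
        return "case_only", case_only
    return "none", []


def suggested_entry(ticket: str) -> str:
    """Canonical-case keytab entry for the principal named in the ticket."""
    return str(Principal.parse(ticket).canonical())


# The two entries the original poster reported in the system keytab.
KEYTAB = [
    "host/hostname.domain.wustl.edu@DOMAIN.WUSTL.EDU",
    "host/hostname@DOMAIN.WUSTL.EDU",
]

if __name__ == "__main__":
    for ticket in [
        "host/hostname.domain.wustl.edu@DOMAIN.WUSTL.EDU",  # same case as the keytab
        "HOST/HOSTNAME.domain.wustl.edu@DOMAIN.WUSTL.EDU",  # constructed: AD's SPN case
        "ldap/hostname.domain.wustl.edu@DOMAIN.WUSTL.EDU",  # constructed: service not in keytab
    ]:
        verdict, matches = diagnose(ticket, KEYTAB)
        print(f"{ticket}: {verdict} {matches}")
        if verdict == "case_only":
            print(f"  canonical keytab entry would be {suggested_entry(ticket)}")
```

When debugging a "Wrong principal in request" failure, run the principal printed in Samba's krb5_rd_req_return_keyblock_from_keytab line through diagnose() against the output of klist -k; a "case_only" verdict means the ticket and keytab disagree only in case, which is exactly the situation the reply describes.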