[PATCH] heimdal fixes for the new keytab code
Gerald (Jerry) Carter
jerry@samba.org
Wed Jul 7 15:10:09 GMT 2004
Guenther Deschner wrote:
| * Joining ADS (w2k3 in my case) with current 3_0 svn with
| security = ads (no unix keytab involved)
|
| mthelena:~ # net ads join -U administrator%secret -d0
| Using short domain name -- W2K3TEST
| Joined 'MTHELENA' to realm 'W2K3TEST.SERNET.DE'
|
| * lets see what principals were created
....
OK. So it's the userPrincipalName that we have to use
to get a TGT. The problem then is the canonicalization
of the name. We have to use the servicePrincipalName
for the keytab and the userPrincipalName for obtaining
a TGT. Makes sense I guess.
For the record,
# ldapsearch -Y GSSAPI -h spud.ad.plainjoe.org \
    -b "DC=ad,DC=plainjoe,DC=org" -LLL "(userPrincipalName=*)" \
    | egrep '(dn|PrincipalName)'
## normal user
dn: CN=Biddle,CN=Users,DC=ad,DC=plainjoe,DC=org
userPrincipalName: biddle@ad.plainjoe.org
## Samba joined using security = domain
dn: CN=jelly,CN=Computers,DC=ad,DC=plainjoe,DC=org
userPrincipalName: HOST/jelly@AD.PLAINJOE.ORG
## samba joined using security = ads
dn: CN=shaggy,CN=Computers,DC=ad,DC=plainjoe,DC=org
servicePrincipalName: CIFS/shaggy.ad.plainjoe.org
servicePrincipalName: CIFS/shaggy
servicePrincipalName: HOST/shaggy.ad.plainjoe.org
servicePrincipalName: HOST/shaggy
userPrincipalName: HOST/shaggy@AD.PLAINJOE.ORG
Strangely enough, the XP boxes joined to the domain only have
servicePrincipalName: HOST/XPTEST
servicePrincipalName: HOST/xptest.ad.plainjoe.org
no CIFS/... entry
The DC for the domain only has
servicePrincipalName: DNS/spud.ad.plainjoe.org
servicePrincipalName: HOST/spud.ad.plainjoe.org/AD
servicePrincipalName: HOST/SPUD
servicePrincipalName: HOST/spud.ad.plainjoe.org
servicePrincipalName: HOST/spud.ad.plainjoe.org/ad.plainjoe.org
servicePrincipalName: GC/spud.ad.plainjoe.org/ad.plainjoe.org
servicePrincipalName: LDAP/b4adf850-defa-4267-8d18-e52d274dd979._msdcs.ad.plainjoe.org
servicePrincipalName: LDAP/spud.ad.plainjoe.org/AD
servicePrincipalName: LDAP/SPUD
servicePrincipalName: LDAP/spud.ad.plainjoe.org
servicePrincipalName: LDAP/spud.ad.plainjoe.org/ad.plainjoe.org
servicePrincipalName: NtFrs-88f5d2bd-b646-11d2-a6d3-00c04fc9b232/spud.ad.plainjoe.org
servicePrincipalName: E3514235-4B06-11D1-AB04-00C04FC2DCD2/b4adf850-defa-4267-8d18-e52d274dd979/ad.plainjoe.org
Where does the CIFS/... entry come into play?
(jerry heads off to search msdn)....
cheers, jerry
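An added example, not part of the mail or of Samba: a small Python parser for ldapsearch output of the kind shown above. It unfolds LDIF continuation lines, then reports per account the userPrincipalName (what the mail says is needed to obtain a TGT) and the servicePrincipalName service classes (what the keytab has to cover), and flags computer accounts that registered no CIFS/ SPN, as the XP boxes in the listing did. The sample LDIF is constructed from the listing in the mail and is not real directory data.

```python
import re

def parse_ldif(text):
    """Parse LDIF text into per-entry {attr: [values]} dicts, joining folded lines."""
    entries, current = [], {}
    # LDIF folds long values onto continuation lines that start with one space.
    for line in re.sub(r"\n ", "", text).splitlines():
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries

def principal_report(text):
    """Per dn: the UPN (used for the TGT) and the SPN service classes, i.e. the
    part before the first '/', which the keytab must contain keys for."""
    report = {}
    for e in parse_ldif(text):
        dn = e["dn"][0]
        report[dn] = {"upn": e.get("userPrincipalName", [None])[0],
                      "spn_classes": {s.split("/", 1)[0].upper()
                                      for s in e.get("servicePrincipalName", [])},
                      "is_computer": ",CN=Computers," in dn}
    return report

def computers_without_cifs(text):
    """Computer accounts that register no CIFS/ SPN (the XP-style registration)."""
    return sorted(dn for dn, r in principal_report(text).items()
                  if r["is_computer"] and "CIFS" not in r["spn_classes"])

# Constructed sample modelled on the listing in the mail; not real directory data.
SAMPLE = """\
dn: CN=Biddle,CN=Users,DC=ad,DC=plainjoe,DC=org
userPrincipalName: biddle@ad.plainjoe.org

dn: CN=jelly,CN=Computers,DC=ad,DC=plainjoe,DC=org
userPrincipalName: HOST/jelly@AD.PLAINJOE.ORG

dn: CN=shaggy,CN=Computers,DC=ad,DC=plainjoe,DC=org
servicePrincipalName: CIFS/shaggy.ad.plainjoe.org
servicePrincipalName: HOST/shaggy.ad.plainjoe.org
userPrincipalName: HOST/shaggy@AD.PLAINJOE.ORG

dn: CN=xptest,CN=Computers,DC=ad,DC=plainjoe,DC=org
servicePrincipalName: HOST/XPTEST
servicePrincipalName: HOST/xptest.ad.plai
 njoe.org
"""
```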