setting dNSHostName at join
Gerald (Jerry) Carter
jerry at samba.org
Tue Feb 27 02:30:55 GMT 2007
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Guenther and I caught up later...
(8:03:29 PM) gd: coffeedude: I need to check back with
my customer, but they keep telling me, that they
are not allowed to set dnsHostName (by LDAP security
descriptor) but nicely do krb5 auth in the domain
after joining.
(8:04:39 PM) gd: coffeedude: and where do you think we need
a fqdn when using kerberos? (without a system keytab)
(8:05:00 PM) gd: coffeedude: we can *always* kinit
as netbiosname$@realm.de.
(8:05:11 PM) gd: coffeedude: that is at least my understanding.
(8:05:57 PM) gd: coffeedude: so it is not required for the SPNs.
Am I missing something?
(8:06:06 PM) coffeedude: The keytab has nothing to do with
it. How can a Windows client get a service ticket
for an account with no SPN ?
(8:06:29 PM) coffeedude: gd: Just show me a trace of a Windows
client doing Krb5 auth in the session setup with no SPN set.
(8:06:35 PM) coffeedude: for the target server of course in AD.
(8:07:10 PM) coffeedude: NTLM will continue to work of course,
but that defeats the purpose of security = ads.
(8:07:11 PM) gd: you mean for us as a smbd as a domain member?
(8:07:53 PM) coffeedude: gd: Yes. Just show me a trace of
a Windows client going \\server\share and sending
Krb5 in the session setup if the Samba host has no
SPN set in AD.
(8:08:06 PM) coffeedude: And no dNSHostName attribute
(8:08:35 PM) coffeedude: gd: I'm not trying to be stubborn
on this, I just need proof in order to accept the POV.
(8:09:05 PM) gd: coffeedude: sure, no problem, I'll try to get
such a trace
(8:09:47 PM) coffeedude: gd: Thinking a bit more, a Windows
client might succeed even if it cannot write to
the dNSHostName
(8:10:02 PM) coffeedude: if the value is already set
properly. That I could understand.
(8:10:18 PM) coffeedude: gd: and if you have traces, I'll
be glad to change my tune.
(8:11:35 PM) gd: coffeedude: my customer has valid DNS,
just the DNS entries replicate very slowly to
the subdomains. (They are not using the builtin
DNS in AD but an external one). Windows seems
to be happy with that.
(8:11:56 PM) coffeedude: gd: it's not a question of valid DNS.
(8:12:55 PM) coffeedude: gd: Ahh....I think I see what you
are saying now. I still need to see a trace to
understand it. I'm still a bit skeptical of your
customer (no offense).
(8:13:14 PM) coffeedude: gd: but I've been wrong before.....
(8:13:59 PM) coffeedude: gd: if I'm wrong, then we should
simply bracket the set spn and hostname in a
WITH_DNS_UPDATES block.
(8:14:01 PM) gd: coffeedude: sure, just relating to the
first issue: name2fqdn fails as the replication
is not finished yet. (they prepare their dns
for joining machines).
(8:14:37 PM) gd: coffeedude: I made all that now dependent
on the name2fqdn lookup success (converting
to BOOL). still testing...
(8:15:13 PM) coffeedude: gd: if you can show me the session
setup trace, then we'll figure it out. If however, I'm
right about the krb5, then we have to know our fqdn
in order to join (can be configured in /etc/hosts).
cheers, jerry
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFF45ffIR7qMdg1EfYRAs53AKDjaCid0Wcn9yl50GVcxFX0thQhtwCdFA12
rUcuLqD5Ylw0CbMivMftxZ4=
=2gwW
-----END PGP SIGNATURE-----
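The disagreement above comes down to one lookup: when a Windows client opens \\server\share it asks the KDC for a ticket to cifs/<server as typed>, and the KDC can only issue one if the Samba machine account carries a matching servicePrincipalName (HOST/<name> satisfies cifs/<name> through AD's default sPNMappings). The following is an added, offline model of that lookup written for this page; it is not Samba or Windows code. The machine-account records and the UNC paths are constructed, the HOST alias list is a hand-picked subset of the real sPNMappings, and the join behaviour modelled is the one gd describes (HOST/<fqdn> only registered when name2fqdn succeeds). It also models the AD "Validated write to SPN" rule, which is why a customer that cannot set dNSHostName can also not self-register an FQDN SPN unless an admin has already set dNSHostName for them.

```python
"""Offline model of the SPN lookup behind Kerberos SMB session setup.

Added example for this page, not Samba or Windows code.  All accounts and
paths below are constructed; the HOST alias set is a subset of AD's default
sPNMappings (assumption: only the entries relevant here are listed).
"""
from dataclasses import dataclass, field
from typing import Optional

# Service classes that AD's sPNMappings fold onto the HOST/<name> SPN.
HOST_ALIAS_SERVICES = {"cifs", "ldap", "http", "rpc", "dns", "wins"}


@dataclass
class MachineAccount:
    """Stand-in for an AD computer object (constructed, not real LDAP data)."""
    sam_account_name: str              # e.g. "FILESRV$"
    dns_host_name: Optional[str]       # dNSHostName, None if never set
    spns: set = field(default_factory=set)   # servicePrincipalName values

    @property
    def netbios(self) -> str:
        return self.sam_account_name.rstrip("$").upper()


def spns_from_join(netbios: str, fqdn: Optional[str]) -> set:
    """SPNs a join registers in this model: HOST/<netbios> always (that is
    the name we can kinit as), HOST/<fqdn> only when name2fqdn succeeded."""
    spns = {f"HOST/{netbios.upper()}"}
    if fqdn:
        spns.add(f"HOST/{fqdn.lower()}")
    return spns


def validated_spn_write_allowed(account: MachineAccount, spn: str) -> bool:
    """AD's 'Validated write to service principal name' only accepts SPNs
    whose host part equals the account's dNSHostName or its sAMAccountName
    (minus the trailing $).  Without dNSHostName, HOST/<fqdn> is refused."""
    if "/" not in spn:
        return False
    host = spn.split("/", 1)[1].split(":")[0].lower()
    allowed = {account.netbios.lower()}
    if account.dns_host_name:
        allowed.add(account.dns_host_name.lower())
    return host in allowed


def requested_spn(unc_path: str) -> str:
    """A client opening \\\\server\\share requests cifs/<server> with the
    server name exactly as the user typed it (NetBIOS name or FQDN)."""
    server = unc_path.lstrip("\\").split("\\", 1)[0]
    return f"cifs/{server}"


def kdc_finds_principal(spn: str, account: MachineAccount) -> bool:
    """Exact SPN match first, then the HOST alias via sPNMappings."""
    service, host = spn.split("/", 1)
    registered = {s.lower() for s in account.spns}
    if spn.lower() in registered:
        return True
    return (service.lower() in HOST_ALIAS_SERVICES
            and f"host/{host.lower()}" in registered)


def session_setup_mech(unc_path: str, account: MachineAccount) -> str:
    """Mechanism the client ends up using in the SMB session setup: Kerberos
    when a service ticket can be obtained, otherwise the NTLM fallback."""
    if kdc_finds_principal(requested_spn(unc_path), account):
        return "krb5"
    return "ntlm"


if __name__ == "__main__":
    # Constructed accounts: one joined with a resolvable FQDN, one where
    # name2fqdn failed and only the NetBIOS SPN could be registered.
    full = MachineAccount("FILESRV$", "filesrv.example.com",
                          spns_from_join("FILESRV", "filesrv.example.com"))
    partial = MachineAccount("FILESRV$", None, spns_from_join("FILESRV", None))
    for acct, label in ((full, "fqdn registered"), (partial, "netbios only")):
        for path in (r"\\FILESRV\share", r"\\filesrv.example.com\share"):
            print(f"{label:16} {path:32} -> {session_setup_mech(path, acct)}")
    print("HOST/filesrv.example.com validated write without dNSHostName:",
          validated_spn_write_allowed(partial, "HOST/filesrv.example.com"))
```

Running it shows both sides of the argument: with only HOST/FILESRV registered, \\FILESRV\share still negotiates Kerberos (gd's point that the NetBIOS name is enough to kinit), while \\filesrv.example.com\share drops to NTLM (Jerry's point that the FQDN SPN is needed for the usual client path). The last line shows Jerry's "already set properly" case: if an admin pre-populated dNSHostName, the account's own validated write of HOST/<fqdn> is accepted even though the account cannot change dNSHostName itself.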
More information about the samba-technical
mailing list