Gerald (Jerry) Carter wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Doug,
File a bug report if you believe this to be true. I'm
not at 3.0.23 right now and don't have the time to try it
here. I wouldn't want to lose this. I did see a mention
they dropped support of joins from machines where
the domain differs from the realm, but haven't had
time to check this. There has been a rewrite of the
ads join code since 3.0.22.
Doug,
You should probably review my comments to Scott. Keytab
support is being rewritten, not dropped.
I was saying dns domain not equal realm dropped
and rewrite ads join code
Just that windows doesn't guarantee case in names.
For example, on my login, the current tickets show up as
HOST/[EMAIL PROTECTED]
host/[EMAIL PROTECTED]
HOST/[EMAIL PROTECTED]
HOST/[EMAIL PROTECTED]
Your tickets where? From kerbtray.exe? Or on a Unix box?
kerbtray & klist
I just an not seeing this case permutation you claim.
NT40 sidhistory migration to 2000 AD
then standard 2000 AD upgraded to 2003 standard AD
then 2003 standard upgraded to 2003 enterprise.
What is the list of SPNs for that Samba account in AD?
samba 3.0.23, created account in AD
SPN's
CIFS/stor
CIFS/stor.nt.ldxnet.com
HOST/STOR
HOST/stor.nt.ldxnet.com
klist on 2003 server
Server: cifs/[EMAIL PROTECTED]
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
End Time: 7/18/2006 18:53:02
Renew Time: 7/25/2006 8:53:02
Can you tell what applications are generating these requests
so I can reproduce it?
Domain controller browsing to stor's shares.
PS: I asked out Apache guy (at Centeris) who is working
with mod_auth_kerb and he claims that krb5 authentication
to http://SerVer.ExaMple.COM still gets a ticket for
HTTP/server.example.com which supports my theory about
tickets based on SPN values.
Yes, it works with rc4-hmac. But it's been coming back to me.
It didn't work with des-cbc-md5 until the permutations were
added. How soon we forget. It's really difficult to test
des-only now. Have to join with rc4, then hand edit with
adsi.exe in the AD, then remove the rc4 from krb5.conf
and reboot the machine to purge the caches, because samba
set's the des-only on a compile time flag.
For information, here's the list of tickets on the domain
controller after browsing an older, running samba server
joined years ago, and a win2000 workstation:
Cached Tickets: (6)
Server: krbtgt/[EMAIL PROTECTED]
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
End Time: 7/18/2006 18:53:02
Renew Time: 7/25/2006 8:53:02
(win2000 workstation)
Server: cifs/[EMAIL PROTECTED]
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
End Time: 7/18/2006 18:53:02
Renew Time: 7/25/2006 8:53:02
(FC3 - krb5 1.3.6)
Server: cifs/[EMAIL PROTECTED]
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
End Time: 7/18/2006 18:53:02
Renew Time: 7/25/2006 8:53:02
(Domain controller)
Server: ldap/ranger1.nt.ldxnet.com/[EMAIL PROTECTED]
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
End Time: 7/18/2006 18:53:02
Renew Time: 7/25/2006 8:53:02
(FC4 - long running samba currently at 3.0.23pre2-SVN-build-15985)
Server: cifs/[EMAIL PROTECTED]
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
End Time: 7/18/2006 18:53:02
Renew Time: 7/25/2006 8:53:02
(Domain controller)
Server: host/[EMAIL PROTECTED]
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
End Time: 7/18/2006 18:53:02
Renew Time: 7/25/2006 8:53:02
Regards, Doug
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba
