Attached is a patch to 3.0.9 that addresses the issue.
Rakesh Patel
Luke Howard wrote:
you can use setspn to assign a SPN to a user or computer account.
Right, but you can't use the SPN as the client name in an AS-REQ.
You have to use the SAM account name or the UPN.
-- Luke
--
--- source/libads/ldap.c.ORIG 2004-11-15 22:03:32.000000000 -0500
+++ source/libads/ldap.c 2004-12-05 18:59:12.757740084 -0500
@@ -1353,6 +1353,7 @@
ret = ADS_ERROR(LDAP_NO_MEMORY);
name_to_fqdn(my_fqdn, machine_name);
+ strlower_m(my_fqdn);
status = ads_find_machine_acct(ads, (void **)&res, machine_name);
if (ADS_ERR_OK(status) && ads_count_replies(ads, res) == 1) {
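Review bot: The added `strlower_m(my_fqdn);` lower-cases whatever `name_to_fqdn()` left in the buffer without any check that name resolution produced a fully-qualified name; the value returned by `name_to_fqdn()` is not examined here, and if it falls back to the bare machine name on lookup failure (not visible in this hunk) the HOST/ SPN built further down would silently be registered under a short name rather than the FQDN. Since the SPN set on the machine account decides which service tickets this host can later decrypt, it is worth at least logging the resolved name, e.g. `DEBUG(5, ("ads_add_service_principal_name: using fqdn %s\n", my_fqdn));`, and a why-comment on the new line such as `/* SPN/UPN host part must be lower-case to match the name clients put in their requests */`. The enclosing function starts before this hunk.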
@@ -1382,7 +1383,7 @@
goto done;
}
- if (!(host_spn = talloc_asprintf(ctx, "HOST/%s", machine_name)))
+ if (!(host_spn = talloc_asprintf(ctx, "HOST/%s", my_fqdn)))
goto done;
if (!(host_upn = talloc_asprintf(ctx, "[EMAIL PROTECTED]", host_spn, ads->config.realm)))
goto done;
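Review bot: Because `host_upn` on the following line is derived from `host_spn`, switching `host_spn` from `machine_name` to `my_fqdn` also changes the userPrincipalName written to the machine account from HOST/shortname@REALM to HOST/fqdn@REALM, not just the servicePrincipalName entry; a domain member joined with the old form will carry a UPN that no longer matches what the keytab or later AS-REQ code expects until it is rejoined. That behaviour change should be called out in the patch description, and a short comment above the modified line, `/* both SPN and UPN are now keyed on the lower-cased FQDN; older joins used the short name */`, would stop a future reader from "fixing" it back. Whether anything downstream still relies on the short-name UPN cannot be seen from this hunk.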
@@ -1400,7 +1401,7 @@
servicePrincipalName[3] = psp2;
/* Ensure servicePrincipalName[4] and [5] are unique. */
- strlower_m(my_fqdn);
+
psp3 = talloc_asprintf(ctx, "CIFS/%s", my_fqdn);
strlower_m(&psp3[5]);
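Review bot: Removing `strlower_m(my_fqdn);` and replacing it with a blank line leaves the comment `/* Ensure servicePrincipalName[4] and [5] are unique. */` orphaned with nothing under it that it describes, and the `strlower_m(&psp3[5]);` on the last line is now redundant for the host part since `my_fqdn` is already lower-cased earlier in the patch. Either drop the comment or reword it to what remains true, e.g. `/* my_fqdn is already lower-cased above; only the host part of the CIFS/ SPN is normalised here */`, and consider replacing the hard-coded `&psp3[5]` with `psp3 + strlen("CIFS/")` so the offset cannot drift if the prefix changes. The rest of this function, including what happens to `psp3`, lies outside the hunk.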