Jerry,
Things still worked fine for existing domain members. I only noticed it
because I added a new system to the domain. Lines 962-964 of utils/net_ads.c
have comments about the upn but it's never being added. I rarely program in
"C" so this may not be the best way to do it but I modified line 977 to
if (!(host_upn = talloc_asprintf(ctx, "host/[EMAIL PROTECTED]", my_fqdn,
ads_s->config.realm)))
and added the following
ads_mod_str(ctx, &mods, "userPrincipalName", host_upn);
following line 988.
I used the convention which I'm accustomed to which is that the host should
be added in fqdn form since I was modifying the code myself.
i.e. host/[EMAIL PROTECTED]
If you want to mimic the previous behavior you would use the short,
lowercase host name instead of the fqdn.
I've also been adding "permitted_enctypes = rc4-hmac des-cbc-md5" to
/etc/krb5.conf because it makes no sense to me to add encryption types to
the keytab that the server doesn't support.
I've also performed a little pruning of the service principals in
libads/kerberos_keytab.c to eliminate all the case variations as I believe
this should be handled dynamically if it's needed.
Thanks,
Scott
-----Original Message-----
From: Gerald (Jerry) Carter [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 13, 2006 1:47 PM
To: Doug VanLeuven
Cc: Scott Armstrong; [email protected]
Subject: Re: [Samba] Kerberos Keytab Code Update in 3.0.23
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Doug,
> File a bug report if you believe this to be true. I'm
> not at 3.0.23 right now and don't have the time to try it
> here. I wouldn't want to lose this. I did see a mention
> they dropped support of joins from machines where
> the domain differs from the realm, but haven't had
> time to check this. There has been a rewrite of the
> ads join code since 3.0.22.
Doug,
You should probably review my comments to Scott. Keytab
support is being rewritten, not dropped.
> Just that windows doesn't guarantee case in names.
>
> For example, on my login, the current tickets show up as
> HOST/[EMAIL PROTECTED]
> host/[EMAIL PROTECTED]
> HOST/[EMAIL PROTECTED]
> HOST/[EMAIL PROTECTED]
Your tickets where? From kerbtray.exe? Or on a Unix box?
I just an not seeing this case permutation you claim.
What is the list of SPNs for that Samba account in AD?
Can you tell what applications are generating these requests
so I can reproduce it?
PS: I asked out Apache guy (at Centeris) who is working
with mod_auth_kerb and he claims that krb5 authentication
to http://SerVer.ExaMple.COM still gets a ticket for
HTTP/server.example.com which supports my theory about
tickets based on SPN values.
chers, jerry
=====================================================================
Samba ------- http://www.samba.org
Centeris ----------- http://www.centeris.com
"What man is a man who does not make the world better?" --Balian
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org
iD8DBQFEtocjIR7qMdg1EfYRAmaeAJ9GtQm5jl3Tu6cnCrYMzUXYvYBOzwCguqEu
3SzBl9P3VkVi/P2rxzUMn58=
=zrFO
-----END PGP SIGNATURE-----
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba
