Re: [Samba] Kerberos Keytab Code Update in 3.0.23

2006-07-25 Thread Doug VanLeuven

Gerald (Jerry) Carter wrote:


Yup.  That's what I meant.  I'll try to repro your results
on Monday (if all goes well).  Thanks.


I started up a machine that was on the shelf.
This one had been joined as rc4.
I edited krb5.conf and userAccountControl for des only

My DHCP registers machines in dyn.ldxnet.com and in-addr.arpa
which are dynamically updatable on linux.
Then the workstations register an A record in nt.ldxnet.com
which is DNS managed by windows 2003 server.

I've been adding the dyn.ldxnet.com names to servicePrincipalName
because it seems I get best results in mixed DNS domains.
Like Mark Twain said, "After a cat's been burnt on a hot
stove, it won't sit on a cold one either."

Windows 2003 is capitalizing the first letter in kerbtray
and klist, but the salt listed by ethereal is lowercase.

Browsing from windows domain machines works and smbclient -k
works after kinit.
This combination runs des only.  Not that old either.
Maybe you could back trace the changes.
Check out the keytab listing below.
Let me know if there is a stress test for this you'd like me to run.

That's all for tonight - Doug

Linux lex 2.6.12-1.1381_FC3
Samba version 3.0.21pre3-SVN-build-11739
krb5-workstation-1.3.6-7
openldap-2.2.29-1.FC3

/etc/krb5.conf
[libdefaults]
 dns_lookup_realm = false
 dns_lookup_kdc = true
 default_realm = NT.LDXNET.COM
 default_keytab_name = FILE:/etc/krb5.keytab
 default_tgs_enctypes = des-cbc-md5 des-cbc-crc
 default_tkt_enctypes = des-cbc-md5 des-cbc-crc
 permitted_enctypes = des-cbc-md5 des-cbc-crc

[EMAIL PROTECTED] ~]# klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
 --
   3 host/[EMAIL PROTECTED] (DES cbc mode with RSA-MD5)

(Yes, I edited out all but one entry.  At first glance
it looks like you're right)

[EMAIL PROTECTED] ~]# kinit
Password for [EMAIL PROTECTED]:
[EMAIL PROTECTED] ~]# smbclient -k -Llex
OS=[Unix] Server=[Samba 3.0.21pre3-SVN-build-11739]

Sharename       Type      Comment
---------       ----      -------
print$          Disk      Printer Drivers
test            Disk      Temporary file space
temp            Disk      Temporary file space
IPC$            IPC       IPC Service (lex)
ADMIN$          IPC       IPC Service (lex)
root            Disk      Home Directories
OS=[Unix] Server=[Samba 3.0.21pre3-SVN-build-11739]

Server               Comment
---------            -------

Workgroup            Master
---------            -------
FOREST               RANGER1

ldp.exe on domain controller, entry for des-only lex workstation
Getting 1 entries:
 Dn: CN=lex,CN=Computers,DC=nt,DC=ldxnet,DC=com
5 objectClass: top; person; organizationalPerson; user; computer;
1 cn: lex;
1 distinguishedName: CN=lex,CN=Computers,DC=nt,DC=ldxnet,DC=com;
1 instanceType: 0x4 = ( IT_WRITE );
1 whenCreated: 11/24/2005 00:27:22 Pacific Standard Time Pacific Daylight Time;
1 whenChanged: 07/24/2006 12:08:07 Pacific Standard Time Pacific Daylight Time;
1 uSNCreated: 931987;
1 uSNChanged: 1128498;
1 name: lex;
1 objectGUID: fa853706-780c-46ac-aaf8-deffbdd4cc20;
1 userAccountControl: 0x211000 = ( UF_WORKSTATION_TRUST_ACCOUNT | UF_DONT_EXPIRE_PASSWD | UF_USE_DES_KEY_ONLY );
1 badPwdCount: 0;
1 codePage: 0;
1 countryCode: 0;
1 badPasswordTime: 01/01/1601 00:00:00 UNC ;
1 lastLogoff: 01/01/1601 00:00:00 UNC ;
1 lastLogon: 07/25/2006 02:45:36 Pacific Standard Time Pacific Daylight Time;
1 localPolicyFlags: 0;
1 pwdLastSet: 11/24/2005 00:27:22 Pacific Standard Time Pacific Daylight Time;
1 primaryGroupID: 515;
1 objectSid: S-1-5-21-484763869-746137067-1343024091-1234;
1 accountExpires: 09/14/30828 02:48:05 UNC ;
1 logonCount: 30;
1 sAMAccountName: lex$;
1 sAMAccountType: 805306369;
1 operatingSystem: Samba;
1 operatingSystemVersion: 3.0.21pre3-SVN-build-11739;
1 dNSHostName: lex.dyn.ldxnet.com;
1 userPrincipalName: HOST/[EMAIL PROTECTED];
6 servicePrincipalName: HOST/lex.dyn.ldxnet.com; CIFS/lex.dyn.ldxnet.com; CIFS/lex.nt.ldxnet.com; CIFS/lex; HOST/lex.nt.ldxnet.com; HOST/lex;
1 objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=nt,DC=ldxnet,DC=com;
1 isCriticalSystemObject: FALSE;
1 lastLogonTimestamp: 07/24/2006 12:08:07 Pacific Standard Time Pacific Daylight Time;
---

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


Re: [Samba] Kerberos Keytab Code Update in 3.0.23

2006-07-22 Thread Gerald (Jerry) Carter

Doug VanLeuven wrote:
 
 Do you mean KdcUseRequestedEtypesForTickets = 1 in
 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kdc ?
 
 
 If so, since 2004, plus the then hotfix.

Yup.  That's what I meant.  I'll try to repro your results
on Monday (if all goes well).  Thanks.





cheers, jerry
=
Samba--- http://www.samba.org
Centeris ---  http://www.centeris.com
What man is a man who does not make the world better?  --Balian


Re: [Samba] Kerberos Keytab Code Update in 3.0.23

2006-07-21 Thread Doug VanLeuven

Gerald (Jerry) Carter wrote:

(a) deriving the DES salt
(b) generating the keytab file
(c) optionally creating the UPN as part of the join.

Please give it a whirl and let me know how it goes.
Our Krb5 code is over 3 years old spreading about
multiple MIT and heimdal versions.  It's time for some
spring cleaning but I don't want to lose functionality
if we can help it.


Jerry,
2003 Enterprise server
security = ADS
idmap backend = ad
winbind nss info = template sfu

I joined an FC3 using rc4 all is smooth and browsable.

I then removed support for rc4 in enctypes in /etc/krb5.conf.
Edited the machine acct and added the flag for des_only.
The domain controller can't browse the samba server.  Get
the password dialog box.

This method used to work.  I'll get an older version of
samba and verify that with the current 2003 including
current SP and security patches.

I then commented out the defines in /usr/include/krb5.h
for ENCTYPE_ARCFOUR.  Then configure && make to have a version
of samba where the ifdefs would trigger for des-only code.
This version won't join the domain.

I can try net keytab add on permutations, but don't have the
time until this weekend.

Des only may be a dinosaur for most modern kerberos, but
it might be important to eliminate dependency on rc4.
I've been told longhorn will include encryption types
that use salts and depending on the admin environment
they may want to run non-rc4.  There may also be legacy
consideration where the kerberos server is unix based.

Regards, Doug


Re: [Samba] Kerberos Keytab Code Update in 3.0.23

2006-07-21 Thread Gerald (Jerry) Carter

Doug,

Thanks for testing this.

 2003 Enterprise server
 security = ADS
 idmap backend = ad
 winbind nss info = template sfu
 
 I joined an FC3 using rc4 all is smooth and browsable.
 
 I then removed support for rc4 in enctypes in /etc/krb5.conf.
 Edited the machine acct and added the flag for des_only.
 The domain controller can't browse the samba server.  Get
 the password dialog box.
 
 This method used to work.  I'll get an older version of
 samba and verify that with the current 2003 including
 current SP and security patches.

Did you enable the DES trick in the Windows 2003
registry ?  Otherwise Windows 2003 will always use
RC4-HMAC regardless of the DES_ONLY flag.  That's what
I've found at least.

 I then commented out the defines in /usr/include/krb5.h
 for ENCTYPE_ARCFOUR.  Then configure && make to have a version
 of samba where the ifdefs would trigger for des-only code.
 This version won't join the domain.

Yes.  There is a problem with DES session keys in CIFS
sessions.  That's a known issue on RHEL3 at least.  I'm
still trying to track it down.

 I can try net keytab add on permutations, but don't 
 have the time until this weekend.

Thanks.  I'll be around this weekend as well :-)

 Des only may be a dinosaur for most modern kerberos, but
 it might be important to eliminate dependency on rc4.
 I've been told longhorn will include encryption types
 that use salts and depending on the admin environment
 they may want to run non-rc4.  There may also be legacy
 consideration where the kerberos server is unix based.

DES session keys are an issue for RHEL3 so I will get
that fixed but it will require more investigation.





cheers, jerry


Re: [Samba] Kerberos Keytab Code Update in 3.0.23

2006-07-21 Thread Doug VanLeuven

Gerald (Jerry) Carter wrote:


Doug,

Thanks for testing this.


OK.


I then removed support for rc4 in enctypes in /etc/krb5.conf.
Edited the machine acct and added the flag for des_only.
The domain controller can't browse the samba server.  Get
the password dialog box.

This method used to work.  I'll get an older version of
samba and verify that with the current 2003 including
current SP and security patches.


Did you enable the DES trick in the Windows 2003
registry ?  Otherwise Windows 2003 will always use
RC4-HMAC regardless of the DES_ONLY flag.  That's what
I've found at least.



Do you mean KdcUseRequestedEtypesForTickets = 1 in
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kdc ?


If so, since 2004, plus the then hotfix.

If not, then you'll have to let me know what the trick is :-)

Regards, Doug



Re: [Samba] Kerberos Keytab Code Update in 3.0.23

2006-07-20 Thread Gerald (Jerry) Carter

Doug VanLeuven wrote:
 Gerald (Jerry) Carter wrote:
 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1

 Doug,

 File a bug report if you believe this to be true.  I'm not at 3.0.23
 right now and don't have the time to try it
 here.  I wouldn't want to lose this. I did see a mention
 they dropped support of joins from machines where
 the domain differs from the realm, but haven't had time to check
 this. There has been a rewrite of the
 ads join code since 3.0.22.

 Doug,

 You should probably review my comments to Scott. Keytab
 support is being rewritten, not dropped.

 I was saying dns domain not equal realm dropped
 and rewrite ads join code

No it wasn't.  I run with this on a daily basis.
Perhaps something else is attributing to your failures.

 PS: I asked our Apache guy (at Centeris) who is working
 with mod_auth_kerb and he claims that krb5 authentication
 to http://SerVer.ExaMple.COM still gets a ticket for
 HTTP/server.example.com which supports my theory about
 tickets based on SPN values.

 Yes, it works with rc4-hmac.  But it's been coming 
 back to me. It didn't work with des-cbc-md5 until
 the permutations were added.  How soon we forget.
 It's really difficult to test des-only now.  Have to
 join with rc4, then hand edit with adsi.exe in the
 AD, then remove the rc4 from krb5.conf
 and reboot the machine to purge the caches, because 
 samba sets the des-only on a compile-time flag.

I'll go back and retest but I'm still not convinced
(until I can reproduce it myself).




cheers, jerry


Re: [Samba] Kerberos Keytab Code Update in 3.0.23

2006-07-20 Thread Doug VanLeuven

Gerald (Jerry) Carter wrote:


Doug VanLeuven wrote:

Gerald (Jerry) Carter wrote:


Doug,


File a bug report if you believe this to be true.  I'm not at 3.0.23
right now and don't have the time to try it
here.  I wouldn't want to lose this. I did see a mention
they dropped support of joins from machines where
the domain differs from the realm, but haven't had time to check
this. There has been a rewrite of the
ads join code since 3.0.22.

Doug,

You should probably review my comments to Scott. Keytab
support is being rewritten, not dropped.

I was saying dns domain not equal realm dropped
and rewrite ads join code


No it wasn't.  I run with this on a daily basis.
Perhaps something else is attributing to your failures.


First, I'm not having failures.  I was commenting information
I believed I read.
So what did you mean in this post:
http://marc.theaimsgroup.com/?l=sambam=115193492903190w=2

quote:
 You were right. ( as usual.. )
 I had the wrong FQDN on the samba server.
 After reconfiguring my network and I got the FQDN back
 from 'hostname' the join worked as planned.

For the record, this is what WinXP does as well.
You cannot join a WinXP box to a domain using a non-admin
account if the client's FQDN is outside the AD domain.

I agree this is a change from previous Samba version,
but then previous Samba releases always required domain
admin creds to join.
endquote

Did you mean if one joins with non-admin credentials
it no longer works, but if one's credentials are
administrative it still works?

I understand previously joined machines still work.

Not trying to be a wise guy, just trying to understand.

Regards, Doug


Re: [Samba] Kerberos Keytab Code Update in 3.0.23

2006-07-20 Thread Gerald (Jerry) Carter

Doug,

 I was saying dns domain not equal realm dropped
 and rewrite ads join code

 No it wasn't.  I run with this on a daily basis.
 Perhaps something else is attributing to your failures.

 First, I'm not having failures.  I was commenting information
 I believed I read.  So what did you mean in this post:
 http://marc.theaimsgroup.com/?l=sambam=115193492903190w=2
...
 Did you mean if one joins with non-admin credentials
 it no longer works, but if one's credentials are
 administrative it still works?
 
 I understand previously joined machines still work.
 
 Not trying to be a wise guy, just trying to understand.

No problem.  I spent a couple of days just staring at
traces and reading to try to track down the corner cases.
It's pretty confusing.

The best thing to do is to read here:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/control_access_rights.asp

and then use ADSIedit to view the default security
descriptor on a machine account object.

A non-admin (and the machine itself) only has validated-write
access to the dNSHostName and servicePrincipalName
attributes.  This means that the dNSHostName value has to
be within the AD realm and the SPN has to match the dNSHostName.
Try to join a WinXP box to a domain using a non-admin account
with the dns suffix outside of the AD realm and you will see
what I mean.  It fails to join and tells you to contact the
administrator to relax the rules (or something similar).
If you are a domain admin, then you have full control of these
attributes and can do whatever you like.

Samba 3.0.22 did all the ads join operations using LDAP
requests which required you to be a Domain Admins.  As part
of the join, the machine SID was given full control over the
object in AD so again you could do whatever you liked with
'net ads keytab add -P'.

The code in 3.0.23 uses a mixture of RPC and LDAP just like
Windows 2000/XP.  The advantage is that a non-admin can
now join a Samba box to a domain given the same privileges
as required by Windows.  The disadvantage is that we can no
longer assume we have admin rights to set any property we
like.  This is why for example, we no longer try to create
a UPN by default (although I added a new option to net ads
join in 3.0.23a that will do that) or set the operatingSystem
attribute value.

Hope this helps clear up some of the confusion.

Note that I've added in a fair amount of new code in 3.0.23a
for

(a) deriving the DES salt
(b) generating the keytab file
(c) optionally creating the UPN as part of the join.

Please give it a whirl and let me know how it goes.
Our Krb5 code is over 3 years old spreading about
multiple MIT and heimdal versions.  It's time for some
spring cleaning but I don't want to lose functionality
if we can help it.





cheers, jerry


Re: [Samba] Kerberos Keytab Code Update in 3.0.23

2006-07-18 Thread Doug VanLeuven

Gerald (Jerry) Carter wrote:


Doug,

File a bug report if you believe this to be true.  I'm 
not at 3.0.23 right now and don't have the time to try it

here.  I wouldn't want to lose this. I did see a mention
they dropped support of joins from machines where
the domain differs from the realm, but haven't had 
time to check this. There has been a rewrite of the

ads join code since 3.0.22.


Doug,

You should probably review my comments to Scott. Keytab
support is being rewritten, not dropped.

I was saying dns domain not equal realm dropped
and rewrite ads join code



Just that windows doesn't guarantee case in names.

For example, on my login, the current tickets show up as
HOST/[EMAIL PROTECTED]
host/[EMAIL PROTECTED]
HOST/[EMAIL PROTECTED]
HOST/[EMAIL PROTECTED]


Your tickets where?  From kerbtray.exe?  Or on a Unix box?

kerbtray & klist


I am just not seeing this case permutation you claim.

NT40 sidhistory migration to 2000 AD
then standard 2000 AD upgraded to 2003 standard AD
then 2003 standard upgraded to 2003 enterprise.


What is the list of SPNs for that Samba account in AD?

samba 3.0.23, created account in AD
SPN's
CIFS/stor
CIFS/stor.nt.ldxnet.com
HOST/STOR
HOST/stor.nt.ldxnet.com

klist on 2003 server
   Server: cifs/[EMAIL PROTECTED]
  KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
  End Time: 7/18/2006 18:53:02
  Renew Time: 7/25/2006 8:53:02



Can you tell what applications are generating these requests
so I can reproduce it?

Domain controller browsing to stor's shares.


PS: I asked our Apache guy (at Centeris) who is working
with mod_auth_kerb and he claims that krb5 authentication
to http://SerVer.ExaMple.COM still gets a ticket for
HTTP/server.example.com which supports my theory about
tickets based on SPN values.

Yes, it works with rc4-hmac.  But it's been coming back to me.
It didn't work with des-cbc-md5 until the permutations were
added.  How soon we forget.  It's really difficult to test
des-only now.  Have to join with rc4, then hand edit with
adsi.exe in the AD, then remove the rc4 from krb5.conf
and reboot the machine to purge the caches, because samba
sets the des-only on a compile-time flag.

For information, here's the list of tickets on the domain
controller after browsing an older, running samba server
joined years ago, and a win2000 workstation:
Cached Tickets: (6)

   Server: krbtgt/[EMAIL PROTECTED]
  KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
  End Time: 7/18/2006 18:53:02
  Renew Time: 7/25/2006 8:53:02


(win2000 workstation)
   Server: cifs/[EMAIL PROTECTED]
  KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
  End Time: 7/18/2006 18:53:02
  Renew Time: 7/25/2006 8:53:02


(FC3 - krb5 1.3.6)
   Server: cifs/[EMAIL PROTECTED]
  KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
  End Time: 7/18/2006 18:53:02
  Renew Time: 7/25/2006 8:53:02


(Domain controller)
   Server: ldap/ranger1.nt.ldxnet.com/[EMAIL PROTECTED]
  KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
  End Time: 7/18/2006 18:53:02
  Renew Time: 7/25/2006 8:53:02

(FC4 - long running samba currently at 3.0.23pre2-SVN-build-15985)
   Server: cifs/[EMAIL PROTECTED]
  KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
  End Time: 7/18/2006 18:53:02
  Renew Time: 7/25/2006 8:53:02

(Domain controller)
   Server: host/[EMAIL PROTECTED]
  KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
  End Time: 7/18/2006 18:53:02
  Renew Time: 7/25/2006 8:53:02



Regards, Doug


RE: [Samba] Kerberos Keytab Code Update in 3.0.23

2006-07-14 Thread Scott Armstrong
Jerry,
I'll have to check on the semantic checking for
the UPN attribute. I'd rather (for safety's sake)
just give it a value:  host/${dNSHostName} attribute.
That way we know we are consistent.
The previous behavior was: host/[EMAIL PROTECTED] although I disagreed with
that format. I believe you've got the right value: host/[EMAIL PROTECTED]

Yeah but the previous default required you to have more
rights than the Windows client required so we got slammed for
that.

Unfortunately there are many cases where DC Group Policies are cranked down
such that only Domain Admins can add/remove machines anyway.

Here's a thought; why not split the two functions?
Adding the machine to the domain (net ads join) handles just what is
necessary for that.
Creating the keytab (net ads keytab create) handles those specific
functions.
Adding additional service principals (net ads keytab add princ1 princ2 ...)
places these principals in other keytabs so the admin can move them to the
appropriate location and set permissions. An example of how this might work
would be that the service principal for http is placed in apache's home with
appropriate permissions so mod_auth_kerb functions using client auth.
Another might be to create a service principal for ldap and place it in /etc
with ownership ldap:nscd so nss_ldap can be configured with sasl gssapi and
proxy auth while maintaining nscd functionality.
If Samba needs some off-the-wall formats for its Kerberos principals in
order to respond to requests for \\HoStNaMe.DOMAIN\Share then create them in
memory on-the-fly as before the keytab management functions were added.
The only other issue that you may have addressed before - why waste the
effort of creating principals using all the encryption types that the client
supports when the only ones that will succeed are those that the server
supports?
Of course it would be nice if all the distributions of Linux, Solaris, AIX,
etc. had versions of kerberos that support rc4-hmac...
Thanks,
Scott

-Original Message-
From: Gerald (Jerry) Carter [mailto:[EMAIL PROTECTED] 
Sent: Thursday, July 13, 2006 5:35 PM
To: Scott Armstrong
Cc: 'Doug VanLeuven'; samba@lists.samba.org
Subject: Re: [Samba] Kerberos Keytab Code Update in 3.0.23


Scott Armstrong wrote:

 Or I could add a switch to 'net ads join' that said 
 create the UPN.  I don't really want to make it
 default behavior.  Would that be acceptable?

 That would be fine although if you can allow the format 
 of the hostname to be controllable that would be a bonus. I
 think allowing as much as possible to be done at the
 time the machine account is created is best.

I'll have to check on the semantic checking for
the UPN attribute. I'd rather (for safety's sake)
just give it a value:  host/${dNSHostName} attribute.
That way we know we are consistent.

 It's pretty labor intensive to have to log onto the
 Windows DC afterward and run ADSIEdit in order to achieve
 the same result that was the default before the code rewrite.

Yeah but the previous default required you to have more
rights than the Windows client required so we got slammed for
that.





cheers, jerry


Re: [Samba] Kerberos Keytab Code Update in 3.0.23

2006-07-13 Thread Doug VanLeuven

Scott Armstrong wrote:

First thing - I'd like to say a big THANK YOU to the developers.
I just upgraded to samba-3.0.23 and I've noticed an alarming issue with
respect to my configuration.
I've been using the built-in keytab management and it looks like the updated
code no longer creates the userPrincipal in Active Directory.
Whether this is an issue for others or not, it would be nice to have seen a
reference to it in the release notes. Since having the user principal in the
keytab and a cron job to renew the ticket are critical for me to use
pam_krb5, I'm going to attempt to figure out what code needs to be added
back from 3.0.22. In the defense of the authors, examining a Win2k3 server
does not show the userPrincipal value being set, although I sort of
considered this functionality to be the primary aim in using Samba for the
keytab management.


File a bug report if you believe this to be true.  I'm not at 3.0.23 right now
and don't have the time to try it here.  I wouldn't want to lose this.
I did see a mention they dropped support of joins from machines where
the domain differs from the realm, but haven't had time to check this.
There has been a rewrite of the ads join code since 3.0.22.


While I'm on my soap box, would it be possible to hear some clarification on
the value of some of the principals created in the keytab (MIT Kerberos)?
When I look at Active Directory using ADSI Edit, I see 4 servicePrincipal
values created as a result of net ads join -
host/host, host/fqdn, cifs/host, cifs/fqdn.
When I use ktutil to view the keys in the table, I'm confronted with output
that doesn't make any sense to me.
Note that I've substituted generic host/domain/realm info and I've forcibly
constrained the encryption types to rc4-hmac and des-cbc-md5
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    2 host/[EMAIL PROTECTED]
   2    2 host/[EMAIL PROTECTED]
   3    2 cifs/[EMAIL PROTECTED]
   4    2 cifs/[EMAIL PROTECTED]
   5    2 [EMAIL PROTECTED]
   6    2 [EMAIL PROTECTED]
   7    2 [EMAIL PROTECTED]
   8    2 [EMAIL PROTECTED]
   9    2 host/[EMAIL PROTECTED]
  10    2 host/[EMAIL PROTECTED]
  11    2 host/[EMAIL PROTECTED]
  12    2 host/[EMAIL PROTECTED]
  13    2 host/[EMAIL PROTECTED]
  14    2 host/[EMAIL PROTECTED]
  15    2 HOST/[EMAIL PROTECTED]
  16    2 HOST/[EMAIL PROTECTED]
  17    2 HOST/[EMAIL PROTECTED]
  18    2 HOST/[EMAIL PROTECTED]
  19    2 HOST/[EMAIL PROTECTED]
  20    2 HOST/[EMAIL PROTECTED]
  21    2 HOST/[EMAIL PROTECTED]
  22    2 HOST/[EMAIL PROTECTED]
  23    2 cifs/[EMAIL PROTECTED]
  24    2 cifs/[EMAIL PROTECTED]
  25    2 cifs/[EMAIL PROTECTED]
  26    2 cifs/[EMAIL PROTECTED]
  27    2 cifs/[EMAIL PROTECTED]
  28    2 cifs/[EMAIL PROTECTED]
  29    2 CIFS/[EMAIL PROTECTED]
  30    2 CIFS/[EMAIL PROTECTED]
  31    2 CIFS/[EMAIL PROTECTED]
  32    2 CIFS/[EMAIL PROTECTED]
  33    2 CIFS/[EMAIL PROTECTED]
  34    2 CIFS/[EMAIL PROTECTED]
  35    2 CIFS/[EMAIL PROTECTED]
  36    2 CIFS/[EMAIL PROTECTED]
  37    2 cifs/[EMAIL PROTECTED]
  38    2 cifs/[EMAIL PROTECTED]
  39    2 CIFS/[EMAIL PROTECTED]
  40    2 CIFS/[EMAIL PROTECTED]
  41    2 host/[EMAIL PROTECTED]
  42    2 host/[EMAIL PROTECTED]
  43    2 HOST/[EMAIL PROTECTED]
  44    2 HOST/[EMAIL PROTECTED]
No offense intended, but what is the purpose of adding the variations of
case especially with respect to the FQDN?
When I look at the tickets that are the result of making connections from
one Win2K3 server to another, the principals simply reflect the form of the
requests - ie \\FOO yields principal cifs/[EMAIL PROTECTED], \\foo.bar.com 
yields
principal cifs/[EMAIL PROTECTED]
What am I missing?


Just that windows doesn't guarantee case in names.

For example, on my login, the current tickets show up as
HOST/[EMAIL PROTECTED]
host/[EMAIL PROTECTED]
HOST/[EMAIL PROTECTED]
HOST/[EMAIL PROTECTED]

I rarely see any cifs tickets.  Notice the uppercase machine name and
lower case domain name combo.  One ticket has the lowercase host and the
rest are uppercase HOST.

I'm also seeing Foo (first letter uppercase) generated by a 2003 enterprise
server for a samba A/D member.  I have a personally patched version of samba
to help accommodate this machine.
Consider yourself lucky to only have the two variations.

When samba manages the keytab, it has to generate enough combinations
to cover the majority of known variations for a worldwide installed base
of windows machines.

Regards, Doug




Re: [Samba] Kerberos Keytab Code Update in 3.0.23

2006-07-13 Thread Gerald (Jerry) Carter

Doug,

 File a bug report if you believe this to be true.  I'm 
 not at 3.0.23 right now and don't have the time to try it
 here.  I wouldn't want to lose this. I did see a mention
 they dropped support of joins from machines where
 the domain differs from the realm, but haven't had 
 time to check this. There has been a rewrite of the
 ads join code since 3.0.22.

Doug,

You should probably review my comments to Scott. Keytab
support is being rewritten, not dropped.

 Just that windows doesn't guarantee case in names.
 
 For example, on my login, the current tickets show up as
 HOST/[EMAIL PROTECTED]
 host/[EMAIL PROTECTED]
 HOST/[EMAIL PROTECTED]
 HOST/[EMAIL PROTECTED]

Your tickets where?  From kerbtray.exe?  Or on a Unix box?
I am just not seeing this case permutation you claim.
What is the list of SPNs for that Samba account in AD?
Can you tell what applications are generating these requests
so I can reproduce it?

PS: I asked our Apache guy (at Centeris) who is working
with mod_auth_kerb and he claims that krb5 authentication
to http://SerVer.ExaMple.COM still gets a ticket for
HTTP/server.example.com which supports my theory about
tickets based on SPN values.





cheers, jerry


Re: [Samba] Kerberos Keytab Code Update in 3.0.23

2006-07-13 Thread Gerald (Jerry) Carter

Scott Armstrong wrote:

 I've been using the built-in keytab management and it looks
 like the updated code no longer creates the userPrincipal
 in Active Directory.

I'm still working on the keytab code.  There will be more
updates.  Sorry I couldn't get everything done for 3.0.23.

You are correct.  I'm going to see if we can slip my keytab
fixes into 3.0.23a.

Here's what has happened.  'net ads join' was rewritten to
be like WinXP using ms-rpc rather than doing ldap
modify requests.  The end result is that non-admins
can now join Samba boxes to a domain just like they can
a Windows client (if the admin has granted the normal
privileges).

But now we are no longer guaranteed to be able to create
the UPN.  You can however always run 'kinit -k machine$'.
In Windows 2000 domains the UPN affects the DES salting
principal.

I can add code to attempt to add the UPN if you like
but since 'kinit -k machine$' always works, that seems
like a better solution.

 Whether this is an issue for others or not, it would be nice
 to have seen a reference to it in the release notes.
 Since having the user principal in the keytab and
 a cron job to renew the ticket are critical for me to use
 pam_krb5, I'm going to attempt to figure out what code
 needs to be added back from 3.0.22. In the defense
 of the authors, examining a Win2k3 server
 does not show the userPrincipal value being set, although I
 sort of considered this functionality to be the primary
 aim in using Samba for the keytab management.

I'm attaching a patch against 3.0.23.  It does two
things:

* Removes the guesswork from deriving the DES salting
  principal
* Cleans up the keytab generation and restricts keys
  to  the single DES and RC4-HMAC keys.

The resulting keytab looks like (i've removed the
realm names in the message for better formatting):

ktutil:  list -e
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    6 host/suse10.plainjoe.org (DES cbc mode with CRC-32)
   2    6 host/suse10.plainjoe.org (DES cbc mode with RSA-MD5)
   3    6 host/suse10.plainjoe.org (ArcFour with HMAC/md5)
   4    6 host/suse10 (DES cbc mode with CRC-32)
   5    6 host/suse10 (DES cbc mode with RSA-MD5)
   6    6 host/suse10 (ArcFour with HMAC/md5)
   7    6 suse10$ (DES cbc mode with CRC-32)
   8    6 suse10$ (DES cbc mode with RSA-MD5)
   9    6 suse10$ (ArcFour with HMAC/md5)

If the machine has a UPN, that will be added as well.
So if you precreate the machine account with a UPN and join
the domain you would see it in the list above.

 While I'm on my soap box, would it be possible to hear
 some clarification on the value of some of the principals
 created in the keytab (MIT Kerberos)?
 When I look at Active Directory using ADSI Edit, I see 4
 servicePrincipal values created as a result of net ads join -
 host/host, host/fqdn, cifs/host, cifs/fqdn.

I had the same reaction when I started looking at the
code.  There should only be two.  There are now (with
my latest changes).

Here's the deal.  Windows will think principals such as
cifs/ to the  host/... SPN.  See this URL:
http://support.microsoft.com/kb/326985/en-us

Now Windows doesn't actually store a keytab per se.
It just generates the keys on the fly.  See this URL:
http://mailman.mit.edu/pipermail/kerberos/2005-July/008167.html

I feel that the current keytab generation is broken.
It is trying to add entries to handle multiple case
permutations.

 No offense intended, but what is the purpose of
 adding the variations of case especially with respect to
 the FQDN?

Too much guessing IMO.

 When I look at the tickets that are the result of
 making connections from one Win2K3 server to another,
 the principals simply reflect the form of the
 requests - ie \\FOO yields principal cifs/[EMAIL PROTECTED],
 \\foo.bar.com yields principal cifs/[EMAIL PROTECTED]
 What am I missing?

My experience has been that the principals in the
service ticket match the SPN values in AD.  I don't
see all of this case permutation people are claiming.

The patch is a work in progress so any feedback would
be appreciated.

cheers, jerry
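The keytab layout Jerry describes above (host/fqdn, host/short name, machine$ and the UPN only when AD has one, each restricted to the DES-CRC, DES-MD5 and RC4-HMAC keys) can be turned into a check that an administrator runs against a joined host. The following is an added example written for this archive; it is not code from the thread, from the attached patch or from Samba. It parses a `ktutil: list -e` or `klist -ke` listing and reports entries that are missing, that differ from an AD value only by case (the guesswork entries the old code generated), that match nothing in AD, or that carry a key type outside the intended set. The `MachineAccount` class, the `audit_keytab` function and the sample account and listing are all constructed here; the message stripped realm names, so the `PLAINJOE.ORG` realm in the sample is an assumption.

```python
"""Keytab hygiene check for an AD-joined Samba host (added example, not Samba code).

Encodes the keytab layout described in the thread: host/<fqdn>, host/<short>,
<machine>$ and the UPN only when AD carries one, each with DES-CRC, DES-MD5
and RC4-HMAC keys.  Parses 'ktutil: list -e' / 'klist -ke' output and reports
what does not fit that layout or the SPNs stored in AD.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Key types the rewritten keytab code writes, as ktutil/klist print them.
ENCTYPES = (
    "DES cbc mode with CRC-32",
    "DES cbc mode with RSA-MD5",
    "ArcFour with HMAC/md5",
)


@dataclass
class MachineAccount:
    """Computer-object attributes the check needs (constructed, not read from AD)."""
    sam_account_name: str                      # sAMAccountName, e.g. "SUSE10$"
    dns_host_name: str                         # dNSHostName
    realm: str
    service_principal_names: List[str]         # servicePrincipalName values
    user_principal_name: Optional[str] = None  # userPrincipalName, if pre-created


def expected_principals(acct: MachineAccount) -> List[str]:
    """Principals (realm stripped) the keytab should carry after the rewrite."""
    short = acct.sam_account_name.rstrip("$").lower()
    names = [f"host/{acct.dns_host_name.lower()}", f"host/{short}",
             acct.sam_account_name]
    if acct.user_principal_name:
        upn = acct.user_principal_name.split("@", 1)[0]
        if upn not in names:
            names.append(upn)
    return names


# One key row: optional ktutil slot number, KVNO, principal, "(enctype)".
ROW_RE = re.compile(r"^\s*(?:\d+\s+)?(\d+)\s+(\S+)\s+\(([^)]+)\)\s*$")


def parse_listing(text: str) -> Dict[str, Set[str]]:
    """Map each principal (realm stripped) to the enctypes it has keys for."""
    keys: Dict[str, Set[str]] = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:                                   # headers and separators do not match
            keys.setdefault(m.group(2).split("@", 1)[0], set()).add(m.group(3))
    return keys


def audit_keytab(text: str, acct: MachineAccount) -> Dict[str, List[str]]:
    """Compare a keytab listing with what AD says the host should have."""
    keys = parse_listing(text)
    expected = expected_principals(acct)
    spns = set(acct.service_principal_names)
    known_lower = {p.lower() for p in expected} | {s.lower() for s in spns}
    report: Dict[str, List[str]] = {
        "missing": [], "case_variant": [], "not_in_ad": [], "wrong_enctype": []}
    for p in expected:
        for et in ENCTYPES:
            if et not in keys.get(p, set()):
                report["missing"].append(f"{p} ({et})")
    for p, etypes in keys.items():
        if p in expected or p in spns:
            # Service tickets carry the SPN as stored in AD, so only an exact
            # match is useful; extra key types on it are still flagged.
            report["wrong_enctype"] += [f"{p} ({et})" for et in sorted(etypes - set(ENCTYPES))]
        elif p.lower() in known_lower:
            report["case_variant"].append(p)     # case permutation of an AD value
        else:
            report["not_in_ad"].append(p)
    return report


# Constructed account and listing modelled on the thread's suse10 example.
SAMPLE_ACCOUNT = MachineAccount(
    sam_account_name="SUSE10$",
    dns_host_name="suse10.plainjoe.org",
    realm="PLAINJOE.ORG",
    service_principal_names=["host/suse10.plainjoe.org", "host/suse10"],
)

SAMPLE_LISTING = """\
ktutil:  list -e
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    6 host/suse10.plainjoe.org@PLAINJOE.ORG (DES cbc mode with CRC-32)
   2    6 host/suse10.plainjoe.org@PLAINJOE.ORG (DES cbc mode with RSA-MD5)
   3    6 host/suse10.plainjoe.org@PLAINJOE.ORG (ArcFour with HMAC/md5)
   4    6 host/suse10@PLAINJOE.ORG (DES cbc mode with CRC-32)
   5    6 host/suse10@PLAINJOE.ORG (DES cbc mode with RSA-MD5)
   6    6 host/suse10@PLAINJOE.ORG (ArcFour with HMAC/md5)
   7    6 SUSE10$@PLAINJOE.ORG (DES cbc mode with CRC-32)
   8    6 SUSE10$@PLAINJOE.ORG (DES cbc mode with RSA-MD5)
   9    6 host/suse10@PLAINJOE.ORG (Triple DES cbc mode with HMAC/sha1)
  10    5 HOST/Suse10.plainjoe.org@PLAINJOE.ORG (DES cbc mode with CRC-32)
  11    5 cifs/suse10@PLAINJOE.ORG (ArcFour with HMAC/md5)
"""

if __name__ == "__main__":
    for category, entries in audit_keytab(SAMPLE_LISTING, SAMPLE_ACCOUNT).items():
        print(f"{category}: {entries or 'none'}")
```

Feed it the real `ktutil` output and the SPN list from ADSI Edit for the machine object; `case_variant` and `not_in_ad` entries are the ones worth pruning, and `missing` entries show where a `kinit -k` against that principal would fail before the KDC is even asked.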
=== modified file 'source/include/rpc_ds.h'
--- source/include/rpc_ds.h 
+++ source/include/rpc_ds.h 
@@ -48,6 +48,13 @@
 #define DSROLE_DOMAIN_MEMBER_SRV   3
 #define DSROLE_BDC

Re: [Samba] Kerberos Keytab Code Update in 3.0.23

2006-07-13 Thread Gerald (Jerry) Carter

Scott Armstrong wrote:

 Things still worked fine for existing domain members. 
 I only noticed it because I added a new system to
 the domain. Lines 962-964 of utils/net_ads.c have
 comments about the upn but it's never being added.
 I rarely program in C so this may not be the best
 way to do it but I modified line 977 to
 if (!(host_upn = talloc_asprintf(ctx, "host/%s@%s", my_fqdn, ads_s->config.realm)))
 and added the following
 ads_mod_str(ctx, &mods, "userPrincipalName", host_upn);
 following line 988.

Yeah.  That would achieve what you want.

 I used the convention which I'm accustomed to which 
 is that the host should be added in fqdn form
 since I was modifying the code myself.
 i.e. host/[EMAIL PROTECTED]

Help me understand how you use 'kinit -k'.  What kind
of cron jobs are these?  And why can't you use 'kinit
-k machine$'?

ciao, jerry


Re: [Samba] Kerberos Keytab Code Update in 3.0.23

2006-07-13 Thread Gerald (Jerry) Carter

Scott Armstrong wrote:

 And why can't you use 'kinit -k machine$'?
 
 I probably could do that but I had been trying to keep 
 things as close to the way I had been creating machine
 principals when using an MIT KDC - host/[EMAIL PROTECTED]
 The kinit command I'm using is
 kinit -p -k host/[EMAIL PROTECTED]
 I also have a weekly cron job to automatically change 
 the machine trust password since I believe I read in
 one of the mailings that it wasn't handled automatically
 yet.

If the only reason for the UPN is so it's more like MIT,
then I'm inclined to push back and say just precreate the
machine account with a UPN before joining the domain.
Or I could add a switch to 'net ads join' that said
create the UPN.  I don't really want to make it default
behavior.  Would that be acceptable?

cheers, jerry


Re: [Samba] Kerberos Keytab Code Update in 3.0.23

2006-07-13 Thread Gerald (Jerry) Carter

Scott Armstrong wrote:

 Or I could add a switch to 'net ads join' that said 
 create the UPN.  I don't really want to make it
 default behavior.  Would that be acceptable?

 That would be fine although if you can allow the format 
 of the hostname to be controllable that would be a bonus. I
 think allowing as much as possible to be done at the
 time the machine account is created is best.

I'll have to check on the semantic checking for
the UPN attribute. I'd rather (for safety's sake)
just give it a value:  host/${dNSHostName} attribute.
That way we know we are consistent.

 It's pretty labor intensive to have to log onto the
 Windows DC afterward and run ADSIEdit in order to achieve
 the same result that was the default before the code rewrite.

Yeah but the previous default required you to have more
rights than a Windows client required so we got slammed for
that.

cheers, jerry


Re: [Samba] Kerberos Keytab Code Update in 3.0.23

2006-07-13 Thread Doug VanLeuven

No offense intended, but what is the purpose of
adding the variations of case especially with respect to
the FQDN?


Too much guessing IMO.


True.  Very true.  But I'll chime in with we got there after
numerous authentication failures at different sites.
It always seemed there had to be a different way, because the
MS writeup of creating a user account, generating a keytab,
and exporting to the target system prior to the join worked
with only 1 entry.  A UPN.  I tried real hard, but was unable
to ever generate a keytab UPN on a machine account.

I argued it was overkill at the time, but Redhat's
enterprise issues went away.  It was one of their people
who did the basic patch with Jeremy heavily editing.

When I look at the tickets that are the result of
making connections from one Win2K3 server to another,
the principals simply reflect the form of the
requests - ie \\FOO yields principal cifs/[EMAIL PROTECTED],
\\foo.bar.com yields principal cifs/[EMAIL PROTECTED]
What am I missing?


My experience has been that the principals in the
service ticket match the SPN values in AD.  I don't
see all of this case permutation people are claiming.

The patch is a work in progress so any feedback would
be appreciated.


Jerry,
Give me a couple days to get samba current across multiple
servers, then I'll remove and re-add one of the old problem
servers and diagnose what I get.  I may even go so far
as to create a brand new server in vm and join it and
access it from various unix and windows A/D platforms.

Am I right in understanding the rewrite will require the
in-addr.arpa to resolve to the same dns domain as
the realm?

Ticket case variations are what show up when clients access
the samba servers using klist or kerbtray.  It could be a case
of because they exist, they get used.  Except for the first
letter upcase, all others downcase.  I traced that using ethereal,
patched samba to generate it in the keytab, and things
started working.  I remember distinctly.  Unless Jeremy
did something behind the scenes at the same time that I
downloaded using svn.  As in private/secrets.tdb.  Magic there.

FWIW - my experience with windows is that it was written
with a certain amount of heuristics, in that a learned behavior
will continue to be used until it fails at which time the
code falls into a different procedure that, if successful,
will be used until it fails, etc.  This is why users document
different behaviors in what appears on the surface the
same environment.

Regards, Doug


RE: [Samba] Kerberos Keytab Code Update in 3.0.23

2006-07-13 Thread Scott Armstrong
Jerry,
Things still worked fine for existing domain members. I only noticed it
because I added a new system to the domain. Lines 962-964 of utils/net_ads.c
have comments about the upn but it's never being added. I rarely program in
C so this may not be the best way to do it but I modified line 977 to
if (!(host_upn = talloc_asprintf(ctx, "host/%s@%s", my_fqdn,
ads_s->config.realm)))
and added the following
ads_mod_str(ctx, &mods, "userPrincipalName", host_upn);
following line 988.
I used the convention which I'm accustomed to which is that the host should
be added in fqdn form since I was modifying the code myself.
i.e. host/[EMAIL PROTECTED]
If you want to mimic the previous behavior you would use the short,
lowercase host name instead of the fqdn.
I've also been adding permitted_enctypes = rc4-hmac des-cbc-md5 to
/etc/krb5.conf because it makes no sense to me to add encryption types to
the keytab that the server doesn't support.
I've also performed a little pruning of the service principals in
libads/kerberos_keytab.c to eliminate all the case variations as I believe
this should be handled dynamically if it's needed.
Thanks,
Scott

-Original Message-
From: Gerald (Jerry) Carter [mailto:[EMAIL PROTECTED] 
Sent: Thursday, July 13, 2006 1:47 PM
To: Doug VanLeuven
Cc: Scott Armstrong; samba@lists.samba.org
Subject: Re: [Samba] Kerberos Keytab Code Update in 3.0.23


Doug,

 File a bug report if you believe this to be true.  I'm 
 not at 3.0.23 right now and don't have the time to try it
 here.  I wouldn't want to lose this. I did see a mention
 they dropped support of joins from machines where
 the domain differs from the realm, but haven't had 
 time to check this. There has been a rewrite of the
 ads join code since 3.0.22.

Doug,

You should probably review my comments to Scott. Keytab
support is being rewritten, not dropped.

 Just that windows doesn't guarantee case in names.
 
 For example, on my login, the current tickets show up as
 HOST/[EMAIL PROTECTED]
 host/[EMAIL PROTECTED]
 HOST/[EMAIL PROTECTED]
 HOST/[EMAIL PROTECTED]

Your tickets where?  From kerbtray.exe?  Or on a Unix box?
I am just not seeing this case permutation you claim.
What is the list of SPNs for that Samba account in AD?
Can you tell what applications are generating these requests
so I can reproduce it?

PS: I asked our Apache guy (at Centeris) who is working
with mod_auth_kerb and he claims that krb5 authentication
to http://SerVer.ExaMple.COM still gets a ticket for
HTTP/server.example.com which supports my theory about
tickets based on SPN values.

cheers, jerry


RE: [Samba] Kerberos Keytab Code Update in 3.0.23

2006-07-13 Thread Scott Armstrong
Jerry, 

 I used the convention which I'm accustomed to which is that the host 
 should be added in fqdn form since I was modifying the code myself.
 i.e. host/[EMAIL PROTECTED]

Help me understand how you use 'kinit -k' What kind of cron jobs are these?

And why can't you use 'kinit -k machine$'?

I probably could do that but I had been trying to keep things as close to
the way I had been creating machine principals when using an MIT KDC -
host/[EMAIL PROTECTED]
The kinit command I'm using is
kinit -p -k host/[EMAIL PROTECTED]
I also have a weekly cron job to automatically change the machine trust
password since I believe I read in one of the mailings that it wasn't
handled automatically yet.

Thanks,
Scott



RE: [Samba] Kerberos Keytab Code Update in 3.0.23

2006-07-13 Thread Scott Armstrong
If the only reason for the UPN is so it's more like MIT, then I'm inclined
to push back and say just precreate the machine account with a UPN before
joining the domain.  Or I could add a switch to 'net ads join' that said
create the UPN.  I don't really want to make it default behavior.  Would
that be acceptable?

That would be fine although if you can allow the format of the hostname to
be controllable that would be a bonus. I think allowing as much as possible
to be done at the time the machine account is created is best. It's pretty
labor intensive to have to log onto the Windows DC afterward and run
ADSIEdit in order to achieve the same result that was the default before the
code rewrite.
Thanks,
Scott 