On Sun, Jun 21, 2009 at 08:37:25PM +1000, Malcolm Gibbs wrote:
> Hi,
>
> Ok got this fixed... seems I may have broken a fundamental Kerberos
> rule and had a hostname with uppercase in it.
>
> The original fault was that my SS7000 virtualised appliance
> (OpenSolaris and CIFS under the covers) was joining a Windows 2008 SP1
> AD Domain ok but idmap was failing with 'No AD Servers found' as the
> idmapd LDAP SASL bind was never successful to the AD Server.
>
> My original SS7000 host name was fw02-2009Q2 and I noticed in the
> Kerberos network traffic it was switching it to fw02-2009q2.
>
> So playing with the hostnames I found:
>
>   fw02-2009Q2   NOT WORK
>   fw02          DOES WORK
>   fw02Q2        NOT WORK
>   fw02q2        DOES WORK
>   FW02-2009Q2   NOT WORK
>   fw02-2009q2   DOES WORK
>
> Why does Kerberos not like uppercase client-names?
The KDC (AD in this case) is supposed to match the principal names as found in either the AS_REQ or TGS_REQ messages sent by the client exactly as is (the principal name sent by the client is expected to be in the canonical form). In other words, it's a case-sensitive match. This goes for any principal name, including service principals (host/[email protected] is one type of service principal). Read RFC 4120 for more info on this. Note that it also states:

    6.2.1. Name of Server Principals

    The principal identifier for a server on a host will generally be
    composed of two parts: (1) the realm of the KDC with which the server
    is registered, and (2) a two-component name of type NT-SRV-HST, if the
    host name is an Internet domain name, or a multi-component name of
    type NT-SRV-XHST, if the name of the host is of a form (such as X.500)
    that allows slash (/) separators. The first component of the two- or
    multi-component name will identify the service, and the latter
    components will identify the host. Where the name of the host is not
    case sensitive (for example, with Internet domain names) the name of
    the host MUST be lowercase. If specified by the application protocol
    for services such as telnet and the Berkeley R commands that run with
    system privileges, the first component MAY be the string 'host'
    instead of a service-specific identifier.

Given this, I'm guessing there is a problem with the way the host service principal is being created on the AD. How are you doing this? After joining the AD domain, what does the principal name found in the AD record look like? The FQDN part of the principal name should be all lower case. If not, the tool used to create this entry should be examined to determine why the hostname isn't all lowercase.

--
Will Fiveash
Sun Microsystems Inc.
http://opensolaris.org/os/project/kerberos/

_______________________________________________
cifs-discuss mailing list
http://mail.opensolaris.org/mailman/listinfo/cifs-discuss
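An added example (not from the thread or from Solaris/AD code) of the matching rule Will describes: a small checker that parses a service principal, applies the RFC 4120 6.2.1 lowercase-host rule, and reports when a registered entry would not match what a client actually sends. The realm EXAMPLE.COM and the hostnames are constructed to mirror the thread; backslash escapes in principal names are not handled.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Principal:
    components: Tuple[str, ...]  # e.g. ("host", "fw02-2009q2.example.com")
    realm: str

    def __str__(self) -> str:
        return "/".join(self.components) + "@" + self.realm


def parse_principal(text: str) -> Principal:
    """Split 'svc/host@REALM' into components and realm (no backslash-escape handling)."""
    if "@" not in text:
        raise ValueError(f"missing realm in {text!r}")
    name, realm = text.rsplit("@", 1)
    comps = tuple(name.split("/"))
    if not realm or "" in comps:
        raise ValueError(f"malformed principal {text!r}")
    return Principal(comps, realm)


def canonical_form(p: Principal) -> Principal:
    """RFC 4120 6.2.1: for NT-SRV-HST names the host component MUST be lowercase.
    Single-component (user) principals are returned unchanged."""
    if len(p.components) < 2:
        return p
    service, *hosts = p.components
    return Principal((service, *(h.lower() for h in hosts)), p.realm)


def kdc_match(a: Principal, b: Principal) -> bool:
    """Exact, case-sensitive comparison, as a KDC does on AS_REQ/TGS_REQ names."""
    return a.components == b.components and a.realm == b.realm


def check_host_principal(text: str) -> Optional[str]:
    """Return a diagnostic when the registered name differs from the canonical
    name a client sends; None when the entry is already canonical."""
    registered = parse_principal(text)
    sent = canonical_form(registered)
    if kdc_match(registered, sent):
        return None
    return f"{registered} registered, but clients send {sent}: KDC lookup fails"


if __name__ == "__main__":
    # Constructed entries mirroring the hostnames from the thread (realm is made up).
    for name in ("host/fw02-2009Q2@EXAMPLE.COM", "host/fw02-2009q2@EXAMPLE.COM",
                 "cifs/FW02-2009Q2@EXAMPLE.COM", "malcolm@EXAMPLE.COM"):
        print(check_host_principal(name) or f"{name}: OK")
```

Running it against the entries AD holds after a join (e.g. the servicePrincipalName values of the computer object) shows which ones a lowercase-canonicalizing client can never match.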
