ravi channavajhala wrote:
To my understanding, Windows treats principal names as case insensitive.
Kerberos treats them as case sensitive. MIT Kerberos version 1.7 is
supposed to have fixed this.

The way to get around this is to add uppercase SPN names into the Kerberos
keytab.

Not exactly. Windows AD will accept any case and return the principal in the
ticket using the case requested by the caller.

A service principal usually consists of three parts: service, hostname and
realm. The service should be entered in the correct case, for example: host,
ldap or HTTP. The hostname should be the FQDN in lower case, and the realm
should be the AD domain name in uppercase.

Case becomes an issue to a unix service if the case of the principal in the
ticket does not match the case in the keytab. It is also an issue when creating
a keytab file using DES or AES, as the key is derived from a password and a
salt. The salt is the concatenation of
"host"||lowercase(samAccountName)||uppercase(AD domain name)
(Arcfour does not use a salt.)


Regards,
/rkc

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org]
On Behalf Of Bober, Mark
Sent: Wednesday, October 14, 2009 12:17 AM
To: samba@lists.samba.org
Subject: Re: [Samba] Authenticating Samba 3.4.2 vs WinServer 2008R2

DNS, /etc/hosts, all that is correct, on the Samba box, the client, and the
2008 AD server.

It still works perfectly if you use \\128.252.x.x in the URI instead of the
name.

What is the functional difference between accessing a URI via IP rather than
the hostname or FQDN?

Mark


-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org]
On Behalf Of Dirk Jakobsmeier
Sent: Tuesday, October 13, 2009 12:04 AM
To: samba@lists.samba.org
Subject: Re: [Samba] Authenticating Samba 3.4.2 vs WinServer 2008R2

Hello Mark,

On Monday 12 October 2009 16:56:35, Bober, Mark wrote:
Here's some things from log level 99:

[2009/10/12 09:43:53, 10] lib/util.c:2626(name_to_fqdn)
  name_to_fqdn: lookup for HOSTNAME -> hostname.domain.wustl.edu.
[2009/10/12 09:43:53, 10]
libads/kerberos_verify.c:220(ads_keytab_verify_ticket)
  ads_keytab_verify_ticket:
krb5_rd_req_return_keyblock_from_keytab(host/hostname.domain.wustl....@d
OMAIN.WUSTL.EDU) failed: Wrong principal in request
 [2009/10/12 09:43:53, 10]
libads/kerberos_verify.c:220(ads_keytab_verify_ticket)
  ads_keytab_verify_ticket:
krb5_rd_req_return_keyblock_from_keytab(host/hostn...@domain.wustl.edu)
failed: Wrong principal in request
 [2009/10/12 09:43:53,  3]
libads/kerberos_verify.c:266(ads_keytab_verify_ticket)
  ads_keytab_verify_ticket: krb5_rd_req failed for all 12 matched keytab
principals
[2009/10/12 09:43:53,  3]
libads/kerberos_verify.c:567(ads_verify_ticket)
  ads_verify_ticket: krb5_rd_req with auth failed (Wrong principal in
request)
[2009/10/12 09:43:53, 10]
libads/kerberos_verify.c:576(ads_verify_ticket)
  ads_verify_ticket: returning error NT_STATUS_LOGON_FAILURE

I've found several pieces of information about "wrong principal in request" errors pointing to a name resolution problem. Can you check DNS, /etc/hosts ...?

I cut some of that out - it tried each name 6 times, hence the 12?
Looking at the system keytab, and the computer account in AD, everything
seems to match. FWIW, if I leave the domain and come back specifying the
remaining 2003 server as the password server, this all looks the same
and seems to work....

How much does capitalization matter? ADSIEDIT shows the
ServicePrincipalNames as

HOST/hostname.domain.wustl.edu
HOST/HOSTNAME

Where the keytab is:

host/hostname.domain.wustl.edu
host/hostname


-----Original Message-----
From: samba-boun...@lists.samba.org
[mailto:samba-boun...@lists.samba.org] On Behalf Of Dirk Jakobsmeier
Sent: Thursday, October 08, 2009 10:57 PM
To: samba@lists.samba.org
Subject: Re: [Samba] Authenticating Samba 3.4.2 vs WinServer 2008R2

Hello Mark,

On Thursday 08 October 2009 16:03:13, Bober, Mark wrote:
Hello! I'm having an odd issue between Samba and Win2k8R2. We updated
one of our domain controllers to 2k8R2, and as such are working in a
2003-level AD environment. If I force the 'password server' to the 2003
DC, then everything works fine, only working against the 2008 box has
issues.
We have several issues here depending on one of our servers (2008). E.g.
domain names (usern...@domainname) have to be written in capital letters
when connecting to shares...

\\128.252.123.123\sharename

And it works as expected - my clients are in the same domain, no
password is asked for, etc.

Using any form of the hostname in the URI, either \\hostname\sharename
or \\hostname.domain.name\sharename in the URI will continually

prompt for a password.  Using 'smbclient' with the names in the URI on
the Samba box itself works fine.


log level = 1
Did you try to set this to a higher level (and restart Samba)? I always
use 99 so I get large logfiles with nearly all the information I need. The
client log (log.clienthostname or log.clientip) could be interesting.



--

 Douglas E. Engert  <deeng...@anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439
 (630) 252-5444
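The case rules given in the reply above (AD copies the caller's spelling into the ticket, MIT Kerberos then matches the ticket principal against the keytab exactly), as an added illustration that is not Samba or MIT Kerberos code; all principal, SPN and keytab strings in it are constructed sample values, and the helper names are my own:

```python
# Added illustration for the case rules in the reply above, not Samba or MIT
# Kerberos code. Models two statements from the thread: MIT Kerberos matches the
# ticket principal against the keytab case-sensitively, and AD puts the caller's
# spelling of the principal into the ticket. All strings are constructed samples.
from typing import List, NamedTuple, Tuple


class Principal(NamedTuple):
    service: str
    host: str
    realm: str

def parse_principal(text: str) -> Principal:
    """Split 'service/hostname@REALM' into its parts, preserving case."""
    name, sep, realm = text.partition("@")
    if not sep or not realm:
        raise ValueError(f"missing realm: {text!r}")
    service, sep, host = name.partition("/")
    if not sep or not host:
        raise ValueError(f"missing hostname: {text!r}")
    return Principal(service, host, realm)

def ad_ticket_principal(requested: str) -> Principal:
    """AD accepts any case and copies the caller's spelling into the ticket."""
    return parse_principal(requested)

def keytab_accepts(ticket: Principal, keytab: List[str]) -> bool:
    """MIT Kerberos: the ticket principal must equal a keytab entry exactly."""
    return any(parse_principal(entry) == ticket for entry in keytab)

def case_problems(principal: str) -> List[str]:
    """Deviations from the reply's convention: lowercase FQDN, uppercase realm."""
    p = parse_principal(principal)
    problems = []
    if p.host != p.host.lower():
        problems.append("hostname not lowercase")
    if p.realm != p.realm.upper():
        problems.append("realm not uppercase")
    return problems

def case_only_mismatches(spns: List[str], keytab: List[str]) -> List[Tuple[str, str]]:
    """AD SPN / keytab pairs that agree only when case is ignored.
    SPNs carry no realm, so keytab entries are compared without theirs."""
    found = []
    for spn in spns:
        for entry in keytab:
            name = entry.split("@", 1)[0]
            if spn != name and spn.lower() == name.lower():
                found.append((spn, name))
    return found
```

Running `case_only_mismatches` over the SPN list from ADSIEDIT and the output of `klist -k` reproduces the HOST/ versus host/ pairs Mark saw, which is exactly the situation in which a ticket requested with uppercase HOST fails `keytab_accepts`.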