First thing - I'd like to say a big "THANK YOU" to the developers. I just upgraded to samba-3.0.23 and I've noticed an alarming issue with respect to my configuration. I've been using the built-in keytab management and it looks like the updated code no longer creates the userPrincipal in Active Directory. Whether this is an issue for others or not, it would be nice to have seen a reference to it in the release notes. Since having the user principal in the keytab and a cron job to renew the ticket are critical for me to use pam_krb5, I'm going to attempt to figure out what code needs to be added back from 3.0.22. In the defense of the authors, examining a Win2k3 server does not show the userPrincipal value being set, although I sort of considered this functionality to be the primary aim in using Samba for the keytab management. While I'm on my soap box, would it be possible to hear some clarification on the value of some of the principals created in the keytab (MIT Kerberos)? When I look at Active Directory using ADSI Edit, I see 4 servicePrincipal values created as a result of "net ads join" - host/host, host/fqdn, cifs/host, cifs/fqdn. When I use ktutil to view the keys in the table, I'm confronted with output that doesn't make any sense to me. Note that I've substituted generic host/domain/realm info and I've forcibly constrained the encryption types to rc4-hmac and des-cbc-md5 slot KVNO Principal ---- ---- --------------------------------------------------------------------- 1 2 host/[EMAIL PROTECTED] 2 2 host/[EMAIL PROTECTED] 3 2 cifs/[EMAIL PROTECTED] 4 2 cifs/[EMAIL PROTECTED] 5 2 [EMAIL PROTECTED] 6 2 [EMAIL PROTECTED] 7 2 [EMAIL PROTECTED] 8 2 [EMAIL PROTECTED] 9 2 host/[EMAIL PROTECTED] 10 2 host/[EMAIL PROTECTED] 11 2 host/[EMAIL PROTECTED] 12 2 host/[EMAIL PROTECTED] 13 2 host/[EMAIL PROTECTED] 14 2 host/[EMAIL PROTECTED] 15 2 HOST/[EMAIL PROTECTED] 16 2 HOST/[EMAIL PROTECTED] 17 2 HOST/[EMAIL PROTECTED] 18 2 HOST/[EMAIL PROTECTED] 19 2 HOST/[EMAIL PROTECTED] 20 2 HOST/[EMAIL PROTECTED] 21 2 HOST/[EMAIL PROTECTED] 22 2 HOST/[EMAIL PROTECTED] 23 2 cifs/[EMAIL PROTECTED] 24 2 cifs/[EMAIL PROTECTED] 25 2 cifs/[EMAIL PROTECTED] 26 2 cifs/[EMAIL PROTECTED] 27 2 cifs/[EMAIL PROTECTED] 28 2 cifs/[EMAIL PROTECTED] 29 2 CIFS/[EMAIL PROTECTED] 30 2 CIFS/[EMAIL PROTECTED] 31 2 CIFS/[EMAIL PROTECTED] 32 2 CIFS/[EMAIL PROTECTED] 33 2 CIFS/[EMAIL PROTECTED] 34 2 CIFS/[EMAIL PROTECTED] 35 2 CIFS/[EMAIL PROTECTED] 36 2 CIFS/[EMAIL PROTECTED] 37 2 cifs/[EMAIL PROTECTED] 38 2 cifs/[EMAIL PROTECTED] 39 2 CIFS/[EMAIL PROTECTED] 40 2 CIFS/[EMAIL PROTECTED] 41 2 host/[EMAIL PROTECTED] 42 2 host/[EMAIL PROTECTED] 43 2 HOST/[EMAIL PROTECTED] 44 2 HOST/[EMAIL PROTECTED] No offense intended, but what is the purpose of adding the variations of case especially with respect to the FQDN? When I look at the tickets that are the result of making connections from one Win2K3 server to another, the principals simply reflect the form of the requests - ie \\FOO yields principal cifs/[EMAIL PROTECTED], \\foo.bar.com yields principal cifs/[EMAIL PROTECTED] What am I missing? Thank you, Scott
-- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
