3671 – "net ads keytab add" makes the service uppercase

Bug 3671 - "net ads keytab add" makes the service uppercase

Summary: "net ads keytab add" makes the service uppercase

Status:	RESOLVED FIXED

Alias:	None

Product:	Samba 3.0
Classification:	Unclassified
Component:	net utility (show other bugs)
Version:	3.0.21a
Hardware:	x86 Linux

Importance:	P3 normal
Target Milestone:	none
Assignee:	Jim McDonough
QA Contact:	Samba QA Contact

URL:
Keywords:

Depends on:
Blocks:

Reported:	2006-04-10 09:52 UTC by Blindauer Emmanuel (dead mail address)
Modified:	2013-03-06 14:46 UTC (History)
CC List:	0 users

See Also:

Attachments
Let the user decide the case of the SPN (2.13 KB, patch) 2006-04-20 08:25 UTC, Blindauer Emmanuel (dead mail address)	no flags	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Blindauer Emmanuel (dead mail address) 2006-04-10 09:52:26 UTC

Trying the "net ads keytab add nfs" command to add a SPN for "nfs/hostname@REALM" it seems that the SPN added is "NFS/hostname@REALM"
This makes rpc.gssd fails (from binutils) as the SPN is case dependant, and I asked to add nfs and not NFS. 
Note that adding a SPN lower-case directly on a DC from windows 2000  works, with ktutil.

Comment 1 Gerald (Jerry) Carter (dead mail address) 2006-04-20 07:39:45 UTC

This seems to be fixed.  I cannot reproduce it in 3.0.23pre1.

Comment 2 Blindauer Emmanuel (dead mail address) 2006-04-20 08:23:40 UTC

I'm not sure this is fixed , I had a look at svn and the creation of SPN doesn't seems to be fixed (ldap.c and kerberos_keytab.c)

(log from net command whow the SPN in lower and upper case, the keytab entry is make with a lowerwase, but the creation on the server is made in uppercase:
[2006/04/20 15:18:00, 5] libads/ldap.c:ads_add_service_principal_name(1320)
  ads_add_service_principal_name: INFO: Adding NFS/ibis.u-strasbg.fr to host IBIS
...
[2006/04/20 15:18:00, 3] libads/kerberos_keytab.c:ads_keytab_add_entry(268)
  ads_keytab_add_entry: adding keytab entry for (nfs/ibis.u-strasbg.fr@DPTINFO.URS.LOCAL) with encryption type (18) and version (0)


Here the patch I used to fix this problem:

Comment 3 Blindauer Emmanuel (dead mail address) 2006-04-20 08:25:23 UTC

Created attachment 1868 [details]
Let the user decide the case of the SPN

Let the user decide the case of the SPN, and create CIFS and HOST in uppercase

Comment 4 Kodiak Firesmith 2013-03-06 14:46:24 UTC

I don't think this was actually fixed.  The bug was labelled as such due to 'could not reproduce', but I can demonstrate how to reproduce, and can make cautious speculation as to how it appeared to be un-reproduceable by Jerry, because the same thing happened to me at first:

From 'klist -k /etc/krb5.keytab', the SPN 'nfs/fqdn@DOMAIN' appears to really be 'nfs/fqdn@DOMAIN', but if you do a 'net ads status', you'll see it ended up on the domain controller as 'NFS/fqdn@DOMAIN', which breaks kerberized NFS.

One of the senior engineers at my org was able to verify in the current source that the patch submitted in this bug was not actually applied and likely this bug has persisted all this time.  

I wasn't sure how to proceed so I created a new bug and linked this one to it.

https://bugzilla.samba.org/show_bug.cgi?id=9699