Bug 3671 - "net ads keytab add" makes the service uppercase
"net ads keytab add" makes the service uppercase
Status: RESOLVED FIXED
Product: Samba 3.0
Classification: Unclassified
Component: net utility
3.0.21a
x86 Linux
: P3 normal
: none
Assigned To: Jim McDonough
Samba QA Contact
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2006-04-10 09:52 UTC by Blindauer Emmanuel
Modified: 2013-03-06 14:46 UTC (History)
0 users

See Also:


Attachments
Let the user decide the case of the SPN (2.13 KB, patch)
2006-04-20 08:25 UTC, Blindauer Emmanuel
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Blindauer Emmanuel 2006-04-10 09:52:26 UTC
Trying the "net ads keytab add nfs" command to add a SPN for "nfs/hostname@REALM" it seems that the SPN added is "NFS/hostname@REALM"
This makes rpc.gssd fails (from binutils) as the SPN is case dependant, and I asked to add nfs and not NFS. 
Note that adding a SPN lower-case directly on a DC from windows 2000  works, with ktutil.
Comment 1 Gerald (Jerry) Carter 2006-04-20 07:39:45 UTC
This seems to be fixed.  I cannot reproduce it in 3.0.23pre1.
Comment 2 Blindauer Emmanuel 2006-04-20 08:23:40 UTC
I'm not sure this is fixed , I had a look at svn and the creation of SPN doesn't seems to be fixed (ldap.c and kerberos_keytab.c)

(log from net command whow the SPN in lower and upper case, the keytab entry is make with a lowerwase, but the creation on the server is made in uppercase:
[2006/04/20 15:18:00, 5] libads/ldap.c:ads_add_service_principal_name(1320)
  ads_add_service_principal_name: INFO: Adding NFS/ibis.u-strasbg.fr to host IBIS
...
[2006/04/20 15:18:00, 3] libads/kerberos_keytab.c:ads_keytab_add_entry(268)
  ads_keytab_add_entry: adding keytab entry for (nfs/ibis.u-strasbg.fr@DPTINFO.URS.LOCAL) with encryption type (18) and version (0)


Here the patch I used to fix this problem:

Comment 3 Blindauer Emmanuel 2006-04-20 08:25:23 UTC
Created attachment 1868 [details]
Let the user decide the case of the SPN

Let the user decide the case of the SPN, and create CIFS and HOST in uppercase
Comment 4 Kodiak Firesmith 2013-03-06 14:46:24 UTC
I don't think this was actually fixed.  The bug was labelled as such due to 'could not reproduce', but I can demonstrate how to reproduce, and can make cautious speculation as to how it appeared to be un-reproduceable by Jerry, because the same thing happened to me at first:

From 'klist -k /etc/krb5.keytab', the SPN 'nfs/fqdn@DOMAIN' appears to really be 'nfs/fqdn@DOMAIN', but if you do a 'net ads status', you'll see it ended up on the domain controller as 'NFS/fqdn@DOMAIN', which breaks kerberized NFS.

One of the senior engineers at my org was able to verify in the current source that the patch submitted in this bug was not actually applied and likely this bug has persisted all this time.  

I wasn't sure how to proceed so I created a new bug and linked this one to it.

https://bugzilla.samba.org/show_bug.cgi?id=9699