Bug 3671 - "net ads keytab add" makes the service uppercase
Summary: "net ads keytab add" makes the service uppercase
Status: RESOLVED FIXED
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: net utility
Version: 3.0.21a
Hardware: x86 Linux
Importance: P3 normal
Target Milestone: none
Assignee: Jim McDonough
QA Contact: Samba QA Contact
Reported: 2006-04-10 09:52 UTC by Blindauer Emmanuel (dead mail address)
Modified: 2013-03-06 14:46 UTC

Attachments
Let the user decide the case of the SPN (2.13 KB, patch)
2006-04-20 08:25 UTC, Blindauer Emmanuel (dead mail address)

Description Blindauer Emmanuel (dead mail address) 2006-04-10 09:52:26 UTC
Trying the "net ads keytab add nfs" command to add a SPN for "nfs/hostname@REALM", it seems that the SPN added is "NFS/hostname@REALM".
This makes rpc.gssd (from binutils) fail, as the SPN is case-dependent, and I asked to add nfs and not NFS.
Note that adding a lower-case SPN directly on a DC from Windows 2000 works, with ktutil.
Comment 1 Gerald (Jerry) Carter (dead mail address) 2006-04-20 07:39:45 UTC
This seems to be fixed.  I cannot reproduce it in 3.0.23pre1.
Comment 2 Blindauer Emmanuel (dead mail address) 2006-04-20 08:23:40 UTC
I'm not sure this is fixed; I had a look at svn and the creation of the SPN doesn't seem to be fixed (ldap.c and kerberos_keytab.c).

The log from the net command shows the SPN in lower and upper case: the keytab entry is made in lowercase, but the creation on the server is made in uppercase:
[2006/04/20 15:18:00, 5] libads/ldap.c:ads_add_service_principal_name(1320)
  ads_add_service_principal_name: INFO: Adding NFS/ibis.u-strasbg.fr to host IBIS
...
[2006/04/20 15:18:00, 3] libads/kerberos_keytab.c:ads_keytab_add_entry(268)
  ads_keytab_add_entry: adding keytab entry for (nfs/ibis.u-strasbg.fr@DPTINFO.URS.LOCAL) with encryption type (18) and version (0)


Here is the patch I used to fix this problem:

Comment 3 Blindauer Emmanuel (dead mail address) 2006-04-20 08:25:23 UTC
Created attachment 1868
Let the user decide the case of the SPN

Let the user decide the case of the SPN, and create CIFS and HOST in uppercase
Comment 4 Kodiak Firesmith 2013-03-06 14:46:24 UTC
I don't think this was actually fixed.  The bug was labelled as such due to 'could not reproduce', but I can demonstrate how to reproduce, and can make cautious speculation as to how it appeared to be unreproducible by Jerry, because the same thing happened to me at first:

From 'klist -k /etc/krb5.keytab', the SPN 'nfs/fqdn@DOMAIN' appears to really be 'nfs/fqdn@DOMAIN', but if you do a 'net ads status', you'll see it ended up on the domain controller as 'NFS/fqdn@DOMAIN', which breaks kerberized NFS.

One of the senior engineers at my org was able to verify in the current source that the patch submitted in this bug was not actually applied and likely this bug has persisted all this time.  

I wasn't sure how to proceed so I created a new bug and linked this one to it.

https://bugzilla.samba.org/show_bug.cgi?id=9699
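
The comparison described in Comment 4, as an added example (not part of the bug report or of Samba's code): it takes the principals listed by `klist -k` and the servicePrincipalName values shown by `net ads status`, and reports names that differ only by letter case. Both sample outputs are constructed, and the "attribute: value" layout of the `net ads status` output is an assumption.

```python
# Added example: compare keytab principals with the SPNs registered in AD.
# Both sample outputs below are constructed, not taken from the bug report.
KLIST_SAMPLE = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------
   2 HOST/client1.example.com@EXAMPLE.COM
   2 nfs/client1.example.com@EXAMPLE.COM
"""
# Assumption: `net ads status` prints the machine account as "attribute: value".
ADS_STATUS_SAMPLE = """\
dNSHostName: client1.example.com
servicePrincipalName: HOST/client1.example.com
servicePrincipalName: HOST/CLIENT1
servicePrincipalName: NFS/client1.example.com
"""

def keytab_spns(klist_text):
    """Principals from plain `klist -k` output, with the @REALM suffix removed."""
    spns = set()
    for line in klist_text.splitlines():
        parts = line.split()
        # Entry lines start with the numeric KVNO; header lines do not.
        if len(parts) >= 2 and parts[0].isdigit() and "/" in parts[1]:
            spns.add(parts[1].rsplit("@", 1)[0])
    return spns

def directory_spns(status_text):
    """servicePrincipalName values from the directory dump."""
    spns = set()
    for line in status_text.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "serviceprincipalname":
            spns.add(value.strip())
    return spns

def case_mismatches(keytab, directory):
    """Keytab SPNs whose only directory counterpart differs in letter case."""
    folded = {}
    for spn in directory:
        folded.setdefault(spn.lower(), []).append(spn)
    return [(spn, sorted(folded[spn.lower()]))
            for spn in sorted(keytab)
            if spn.lower() in folded and spn not in folded[spn.lower()]]

if __name__ == "__main__":
    found = case_mismatches(keytab_spns(KLIST_SAMPLE), directory_spns(ADS_STATUS_SAMPLE))
    for kt, ad in found:
        print(f"case mismatch: keytab has {kt}, directory has {', '.join(ad)}")
```

On a real host, feed the functions the captured output of `klist -k /etc/krb5.keytab` and `net ads status` instead of the embedded samples.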