Trying the "net ads keytab add nfs" command to add a SPN for "nfs/hostname@REALM" it seems that the SPN added is "NFS/hostname@REALM"
This makes rpc.gssd fails (from binutils) as the SPN is case dependant, and I asked to add nfs and not NFS.
Note that adding a SPN lower-case directly on a DC from windows 2000 works, with ktutil.
This seems to be fixed. I cannot reproduce it in 3.0.23pre1.
I'm not sure this is fixed , I had a look at svn and the creation of SPN doesn't seems to be fixed (ldap.c and kerberos_keytab.c)
(log from net command whow the SPN in lower and upper case, the keytab entry is make with a lowerwase, but the creation on the server is made in uppercase:
[2006/04/20 15:18:00, 5] libads/ldap.c:ads_add_service_principal_name(1320)
ads_add_service_principal_name: INFO: Adding NFS/ibis.u-strasbg.fr to host IBIS
[2006/04/20 15:18:00, 3] libads/kerberos_keytab.c:ads_keytab_add_entry(268)
ads_keytab_add_entry: adding keytab entry for (nfs/ibis.u-strasbg.fr@DPTINFO.URS.LOCAL) with encryption type (18) and version (0)
Here the patch I used to fix this problem:
Created attachment 1868 [details]
Let the user decide the case of the SPN
Let the user decide the case of the SPN, and create CIFS and HOST in uppercase
I don't think this was actually fixed. The bug was labelled as such due to 'could not reproduce', but I can demonstrate how to reproduce, and can make cautious speculation as to how it appeared to be un-reproduceable by Jerry, because the same thing happened to me at first:
From 'klist -k /etc/krb5.keytab', the SPN 'nfs/fqdn@DOMAIN' appears to really be 'nfs/fqdn@DOMAIN', but if you do a 'net ads status', you'll see it ended up on the domain controller as 'NFS/fqdn@DOMAIN', which breaks kerberized NFS.
One of the senior engineers at my org was able to verify in the current source that the patch submitted in this bug was not actually applied and likely this bug has persisted all this time.
I wasn't sure how to proceed so I created a new bug and linked this one to it.