Bug 9699 - "net ads keytab add" makes the service uppercase
Status: RESOLVED FIXED
Product: Samba 3.6
Classification: Unclassified
Component: Client Tools
Version: 3.6.9
Hardware: x64 Linux
Importance: P5 normal
Target Milestone: ---
Assigned To: Karolin Seeger
QA Contact: Samba QA Contact
Depends on:
Blocks:
Reported: 2013-03-05 23:19 UTC by Kodiak Firesmith
Modified: 2013-04-15 07:01 UTC
CC List: 1 user

See Also:


Attachments
master patch (1.41 KB, patch)
2013-04-03 13:51 UTC, Andreas Schneider
jra: review+
Details
v4-0-test patch (1.58 KB, patch)
2013-04-04 07:39 UTC, Andreas Schneider
jra: review+
Details
v3-6-test patch (1.54 KB, patch)
2013-04-04 07:42 UTC, Andreas Schneider
jra: review-
Details
v3-6-test patch (1.41 KB, patch)
2013-04-05 08:21 UTC, Andreas Schneider
jra: review-
Details
v3-6-test patch (1.41 KB, patch)
2013-04-10 08:03 UTC, Andreas Schneider
jra: review+
Details

Description Kodiak Firesmith 2013-03-05 23:19:15 UTC
Forgive me if I'm going about this the wrong way - this is my first time filing a bug report on Samba and I could be way off base.

This is a re-hash of https://bugzilla.samba.org/show_bug.cgi?id=3671, but I don't know how to request a re-open, or to link a new report to an old one.


Now for the bug:

'net ads keytab add "nfs" -U some_ADadmin' yields an uppercase NFS/fqdn principal which I understand to cause problems with Kerberized NFS using AD as the KDC.

Other people have encountered this issue before, an example is the ancient bugzilla I posted above, but more recently they have hacked around this problem via specifying 'nfs/fqdn' during the join as a UPN.  This doesn't seem to be a good solution as I can demonstrate that only one UPN is possible and 'old' ones are lopped off during the addition of a new one (try a join specifying many createupn="" statements, only the last will show).
One recent example in the wild is: http://ubuntuforums.org/showthread.php?t=1924660


Also of note is that klist -k shows the intended name 'nfs/fqdn', but the actual SPN in Active Directory shows 'NFS/fqdn'.

As I have been given some minimal privs temporarily by the Windows admins, I can also demonstrate that I can create the correct SPN in ADUC directly on the DC ('nfs/fqdn'), but this doesn't help as we'd have to have a Windows domain admin help us out each time we wanted to deploy a host.  Note that creating the SPN in ADUC doesn't let the SPN filter down to the local keytab anyhow.

Am I missing some switch or other way to 'invoke net ads keytab add' that would allow me to emplace an SPN both into AD and the local keytab which is of the correct (lower)case for the widely needed nfs servicePrincipalName?

==================
Steps to reproduce
==================

Required Infra:
Windows Server 2008r2 Domain Controller
RHEL 6.4 client host

Steps:

-> Clear current system:
---> net ads leave
---> rm /etc/krb5.keytab

-> Join AD
---> net ads join createcomputer=Some/OU createupn=host/SOME.SERVER@SOME.AD.DOMAIN

-> Add the "nfs" keytab spn
---> net ads keytab add "nfs" (all reasonable variations of this have been tried, e.g. nfs, 'nfs', "nfs", nfs/fqdn, etc.)
---> klist -k (looks great, we see lowercase spns for nfs!)
---> net ads status (full of woe, we see: servicePrincipalName: NFS/fqdn)

Thanks in advance for any help or advice that can be provided!
Comment 1 Kodiak Firesmith 2013-03-06 14:52:39 UTC
Here's guidance from Microsoft on case-sensitivity of SPNs in AD:
http://technet.microsoft.com/en-us/library/cc731241.aspx

"Service Principal Names (SPNs) are not case sensitive when used by Microsoft Windows-based computers. However, an SPN can be used by any type of computer system. Many of these computer systems, especially UNIX-based systems, are case-sensitive and require the proper case to function properly. Care should be taken to use the proper case particularly when an SPN can be used by a non-Windows-based computer."
Comment 2 Andreas Schneider 2013-04-03 13:51:32 UTC
Created attachment 8718 [details]
master patch

Jeremy, please take a look at this patch. You uppercased them a long time ago in e948458a79462bd99ef7c02b4d7ec22c6554a163. I think we should pass the spn in the right case here!
Comment 3 Jeremy Allison 2013-04-03 20:10:42 UTC
Comment on attachment 8718 [details]
master patch

LGTM. Pushed to autobuild. Re-assign to Karolin if you want this in 4.0.next.
Comment 4 Andreas Schneider 2013-04-04 07:39:57 UTC
Created attachment 8724 [details]
v4-0-test patch
Comment 5 Andreas Schneider 2013-04-04 07:42:29 UTC
Created attachment 8725 [details]
v3-6-test patch
Comment 6 Jeremy Allison 2013-04-04 19:48:12 UTC
Comment on attachment 8724 [details]
v4-0-test patch

LGTM.
Comment 7 Jeremy Allison 2013-04-04 20:12:46 UTC
Comment on attachment 8725 [details]
v3-6-test patch

NAK on this patch. In 3.6.x, strlower_m() is defined as:

lib/util_str.c:void strlower_m(char *s)

so you can't do an if (!strlower_m()) statement.

Needs to be just the strlower_m() on its own.

Jeremy.
Comment 8 Andreas Schneider 2013-04-05 08:21:08 UTC
Created attachment 8732 [details]
v3-6-test patch
Comment 9 Jeremy Allison 2013-04-09 19:07:01 UTC
Comment on attachment 8732 [details]
v3-6-test patch

NAK again (sorry Andreas).

Looks like a cut-and-paste error.

First hunk has:

-	strupper_m(psp1);
-	strlower_m(&psp1[strlen(spn)]);
+	strlower_m(&psp2[strlen(spn) + 1]);
 	servicePrincipalName[0] = psp1;
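Review bot: the added line lowercases psp2, but the unchanged context line right below it stores psp1 in servicePrincipalName[0], so psp1 keeps whatever case the host name was supplied in and psp2 is modified before anything in this hunk has assigned it; the + line should read `strlower_m(&psp1[strlen(spn) + 1]);` to match the two removed lines it replaces.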

I think the + line should be:

+	strlower_m(&psp1[strlen(spn) + 1]);

(note the change from psp2 -> psp1).

gcc says:

libads/ldap.c:1923:12: warning: ‘psp2’ may be used uninitialized in this function [-Wuninitialized]

Please confirm.

Jeremy.
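The following is an added example, not Samba code from this bug or its patches. It reconstructs in plain C what the description observes (klist -k showing nfs/fqdn while net ads status shows NFS/fqdn) and what the hunk above changes: the pre-fix code upper-cased the whole "service/host" string and then lower-cased only from the end of the service part, whereas the fixed code leaves the service in the caller's case and lower-cases only the host after the '/'. Samba's strupper_m()/strlower_m() are replaced here by small local helpers, and the buffer size, host name and the spn_matches_exactly() check are assumptions made for the demo.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed example, not Samba's libads/ldap.c. Buffer size is an
 * assumption for the demo. */
#define SPN_MAX 256

/* Lower-case a string in place; stands in for Samba's strlower_m(). */
static void lower_in_place(char *s)
{
    for (; *s; s++)
        *s = (char)tolower((unsigned char)*s);
}

/* Upper-case a string in place; stands in for Samba's strupper_m(). */
static void upper_in_place(char *s)
{
    for (; *s; s++)
        *s = (char)toupper((unsigned char)*s);
}

/* Pre-fix behaviour: upper-case the whole principal, then lower-case from
 * the end of the service part. The service name itself stays upper-cased,
 * which is what produced "NFS/fqdn" in Active Directory.
 * Returns 0 on success, -1 if the principal does not fit in out. */
int build_spn_legacy(const char *service, const char *host,
                     char *out, size_t outlen)
{
    if (snprintf(out, outlen, "%s/%s", service, host) >= (int)outlen)
        return -1;
    upper_in_place(out);
    lower_in_place(&out[strlen(service)]);
    return 0;
}

/* Post-fix behaviour: keep the service in the case the caller gave and
 * lower-case only the host part after the '/'. */
int build_spn_fixed(const char *service, const char *host,
                    char *out, size_t outlen)
{
    if (snprintf(out, outlen, "%s/%s", service, host) >= (int)outlen)
        return -1;
    lower_in_place(&out[strlen(service) + 1]);
    return 0;
}

/* Case-sensitive check (assumed helper): 1 when the principal a Kerberized
 * UNIX service looks up in its keytab is byte-identical to the SPN
 * registered in AD, 0 otherwise. Windows would match either; UNIX will not. */
int spn_matches_exactly(const char *keytab_spn, const char *ad_spn)
{
    return strcmp(keytab_spn, ad_spn) == 0;
}

int main(void)
{
    char legacy[SPN_MAX], fixed[SPN_MAX];
    const char *service = "nfs";
    const char *host = "Some.Server.Some.AD.Domain"; /* constructed FQDN */
    const char *keytab = "nfs/some.server.some.ad.domain"; /* as klist -k shows it */

    build_spn_legacy(service, host, legacy, sizeof(legacy));
    build_spn_fixed(service, host, fixed, sizeof(fixed));

    printf("legacy SPN: %s\n", legacy);
    printf("fixed  SPN: %s\n", fixed);
    printf("keytab principal matches AD? legacy=%d fixed=%d\n",
           spn_matches_exactly(keytab, legacy),
           spn_matches_exactly(keytab, fixed));
    return 0;
}
```

Running the program prints NFS/some.server.some.ad.domain for the legacy path and nfs/some.server.some.ad.domain for the fixed path, and only the fixed one compares equal to the keytab principal. The same byte-for-byte comparison is the check to run after "net ads keytab add": the principal listed by klist -k must equal the servicePrincipalName reported by net ads status, since a UNIX NFS server will not treat NFS/ and nfs/ as the same name.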
Comment 10 Andreas Schneider 2013-04-10 08:03:53 UTC
Created attachment 8748 [details]
v3-6-test patch

/me slaps Andreas
Comment 11 Jeremy Allison 2013-04-10 22:05:22 UTC
Comment on attachment 8748 [details]
v3-6-test patch

That's it :-). LGTM, thanks.

Now if you could return the favour by reviewing my patchset for Bug 9777..

:-).

Cheers,

Jeremy.
Comment 12 Jeremy Allison 2013-04-10 22:05:52 UTC
Re-assigning to Karolin for inclusion in 4.0.next and 3.6.next.

Jeremy.
Comment 13 Karolin Seeger 2013-04-11 07:48:02 UTC
Pushed to v3-6-test and autobuild-v4-0-test.
Comment 14 Karolin Seeger 2013-04-11 10:17:12 UTC
Pushed to v4-0-test.
Closing out bug report.

Thanks!