The Samba-Bugzilla – Bug 9699
"net ads keytab add" makes the service uppercase
Last modified: 2013-04-15 07:01:24 UTC
Forgive me if I'm going about this the wrong way - this is my first time filing a bug report on Samba and I could be way off base.
This is a re-hash of https://bugzilla.samba.org/show_bug.cgi?id=3671, but I don't know how to request a re-open, or to link a new report to an old one.
Now for the bug:
'net ads keytab add "nfs" -U some_ADadmin' yields an uppercase NFS/fqdn principal which I understand to cause problems with Kerberized NFS using AD as the KDC.
Other people have encountered this issue before, an example is the ancient bugzilla I posted above, but more recently they have hacked around this problem via specifying 'nfs/fqdn' during the join as a UPN. This doesn't seem to be a good solution as I can demonstrate that only one UPN is possible and 'old' ones are lopped off during the addition of a new one (try a join specifying many createupn="" statements, only the last will show).
One recent example in the wild is: http://ubuntuforums.org/showthread.php?t=1924660
Also of note is that klist -k shows the intended name 'nfs/fqdn', but the actual SPN in Active Directory shows 'NFS/fqdn'.
As I have been given some minimal privs temporarily by the Windows admins, I can also demonstrate that I can create the correct SPN in ADUC directly on the DC ('nfs/fqdn'), but this doesn't help as we'd have to have a Windows domain admin help us out each time we wanted to deploy a host. Note that creating the SPN in ADUC doesn't let the SPN filter down to the local keytab anyhow.
Am I missing some switch or other way to 'invoke net ads keytab add' that would allow me to emplace an SPN both into AD and the local keytab which is of the correct (lower)case for the widely needed nfs servicePrincipalName?
Steps to reproduce
Windows Server 2008r2 Domain Controller
RHEL 6.4 client host
-> Clear current system:
---> net ads leave
---> rm /etc/krb5.keytab
-> Join AD
---> net ads joint createcomputer=Some/OU createupn=host/SOME.SERVER@SOME.AD.DOMAIN
-> Add the "nfs" keytab spn
---> net ads keytab add "nfs" (all reasonable iterations of this have been tried, eg: nfs, 'nfs, "nfs", nfs/fqdn, etc)
---> klist -k (looks great, we see lowercase spns for nfs!)
---> net ads status (full of woe, we see: servicePrincipalName: NFS/fqdn)
Thanks in advance for any help or advice that can be provided!
Here's guidance from Microsoft on case-sensitivity of SPNs in AD:
"Service Principal Names (SPNs) are not case sensitive when used by Microsoft Windows-based computers. However, an SPN can be used by any type of computer system. Many of these computer systems, especially UNIX-based systems, are case-sensitive and require the proper case to function properly. Care should be taken to use the proper case particularly when an SPN can be used by a non-Windows-based computer."
Created attachment 8718 [details]
Jeremy, please take a look at this patch. You uppercased them a long time ago in e948458a79462bd99ef7c02b4d7ec22c6554a163. I think we should pass the spn in the right case here!
Comment on attachment 8718 [details]
LGTM. Pushed to autobuild. Re-assign to Karolin if you want this in 4.0.next.
Created attachment 8724 [details]
Created attachment 8725 [details]
Comment on attachment 8724 [details]
Comment on attachment 8725 [details]
NAK on this patch. In 3.6.x, strlower_m() is defined as:
lib/util_str.c:void strlower_m(char *s)
so you can't do an if (!strlower_m()) statement.
Needs to be just the strlower_m() on its own.
Created attachment 8732 [details]
Comment on attachment 8732 [details]
NAK again (sorry Andreas).
Looks like a cut-and-paste error.
First hunk has:
+ strlower_m(&psp2[strlen(spn) + 1]);
servicePrincipalName = psp1;
I think the + line should be:
+ strlower_m(&psp1[strlen(spn) + 1]);
(note the change from psp2 -> psp1).
libads/ldap.c:1923:12: warning: ‘psp2’ may be used uninitialized in this function [-Wuninitialized]
Created attachment 8748 [details]
/me slaps Andreas
Comment on attachment 8748 [details]
That's it :-). LGTM, thanks.
Now if you could return the favour by reviewing my patchset for Bug 9777..
Re-assigning to Karolin for inclusion in 4.0.next and 3.6.next.
Pushed to v3-6-test and autobuild-v4-0-test.
Pushed to v4-0-test.
Closing out bug report.