Case insensitive names (was Re: Turning off hostnamecanonicalisation)

Markus Moeller huaraz at moeller.plus.com
Tue Sep 13 19:28:29 EDT 2005


"Andrew Bartlett" <abartlet at samba.org> wrote in message 
news:1126651724.9663.113.camel at localhost.localdomain...

>On Tue, 2005-09-13 at 14:59 -0400, Sam Hartman wrote:
>> >>>>> "Nicolas" == Nicolas Williams <Nicolas.Williams at sun.com> writes:
>>
>>     Nicolas> The proposed set/change password version 2 protocol deals
>>     Nicolas> with principal aliasing...
>>
>>
>> It requires that the KDC be able to enumerate all the principals that
>> a particular service can be known as.  That is not compatible with
>> case insensitive keytabs in an interoperable manner.
>
>I don't get this.  If the KDC knows that it is case insensitive, then why
>can't it just include an extra boolean to the effect of 'and all case
>variations of the above'?  The set/change password isn't RFC yet, right?
>And why can't we have a similar flag in a keytab entry?
>
>It seems to me that current sites using unix kerberos are jumping through
>some very high hoops to avoid this kind of extension.  Likewise, it is
>forcing applications (such as Samba3) to manually enumerate all entries
>in a keytab to implement such a behaviour.
>

I would think you could do the same as MS. Have only one RC4 key (e.g. 
host/fqdn) and dynamically create the others you need (assuming they all 
belong to the same AD entry). If you look at ktutil, which has the add_entry 
function (e.g. add_entry -key -p CIFS/HOSTname -k 1 -e RC4, and then use the 
host/fqdn key you get from klist -ekK as input), you create a CIFS/HOSTname 
keytab entry. You only need to add this code into Samba3.


>
>Now, for Samba4 I can just hack more stuff into a custom kerberos lib,
>and pretend these problems don't exist in a broader world.  However, I
>know this isn't popular, and I've promised to at least try and
>transition to system libs eventually.  Even if Samba4 never does, I
>would really like other services to be able to provide kerberos logins
>to windows clients, without major pain, or rewriting the apps, or
>telling users 'just recompile and statically link against
>lorikeet-heimdal'...
>
>(I already have this issue coming up to my plate soon, as I try to
>understand how GSS-TSIG and BIND 9 will fit into Samba4's AD-like
>environment.  Given advice on these lists before, I don't want to
>include a custom BIND if I don't have to...).
>
>Andrew Bartlett
>
>-- 
>Andrew Bartlett                                http://samba.org/~abartlet/
>Samba Developer, SuSE Labs, Novell Inc.        http://suse.de
>Authentication Developer, Samba Team           http://samba.org
>Student Network Administrator, Hawker College  http://hawkerc.net
> _______________________________________________
> krbdev mailing list             krbdev at mit.edu
> https://mailman.mit.edu/mailman/listinfo/krbdev
>

Regards
Markus 
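The one-key trick above works because of how arcfour-hmac keys are derived. As an added example (not code from this post, Samba or MIT Kerberos), the script below shows that the RFC 4757 string-to-key for RC4-HMAC is just MD4 of the UTF-16LE password and ignores the salt, so every spelling of the service principal gets the identical key, whereas the RFC 3961 default salt used by the AES enctypes contains the principal name and therefore changes with its case. The password, realm and alias names are constructed sample values.

```python
import struct

MASK = 0xFFFFFFFF


def md4(msg: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 needs OpenSSL's legacy provider."""
    rol = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    bitlen = len(msg) * 8
    msg += b"\x80" + b"\x00" * ((55 - len(msg)) % 64) + struct.pack("<Q", bitlen)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (  # (mixing function, additive constant, word order, shift amounts)
        (f, 0x00000000, list(range(16)), (3, 7, 11, 19)),
        (g, 0x5A827999, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for fn, k, order, shifts in rounds:
            for i, w in enumerate(order):
                a = rol((a + fn(b, c, d) + x[w] + k) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate the working variables
        state = [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def rc4_hmac_string_to_key(password: str, salt: str = "") -> bytes:
    """RFC 4757: key = MD4(UTF-16LE(password)). The salt parameter is accepted only
    to mirror the string-to-key interface; it is ignored, which is why one AD
    account's host/, CIFS/ and any case variant all share the same RC4 key."""
    return md4(password.encode("utf-16-le"))


def aes_default_salt(realm: str, principal: str) -> str:
    """RFC 3961 default salt: realm then the principal components, no separators.
    Any case change in the name changes the salt, hence the derived AES key."""
    return realm + "".join(principal.split("/"))


def alias_keys(password: str, realm: str, aliases):
    """Map each spelling of the service to (rc4 key hex, aes salt) for comparison."""
    return {p: (rc4_hmac_string_to_key(password, aes_default_salt(realm, p)).hex(),
                aes_default_salt(realm, p)) for p in aliases}


if __name__ == "__main__":
    # Constructed sample: one machine account known under several spellings.
    names = ["host/fqdn.example.com", "CIFS/HOSTname", "cifs/hostname"]
    for alias, (rc4, salt) in alias_keys("password", "EXAMPLE.COM", names).items():
        print(f"{alias:24} rc4={rc4} aes_salt={salt}")
```

Because the RC4 key is the account's NT hash, a keytab built this way carries one secret for every alias; the AES salts show why the same shortcut cannot populate AES entries for case variants.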