Return
-
Title
Differences with NETBIOS and sAMAccountName machine names with GSSAPI -
Description
FQDN names can always perform GSSAPI sessions, while shorter names fail randomly and may ask for a password twice. -
Cause
For GSSAPI, there is a difference between machine names equal to or shorter than 15 characters (NETBIOS) and machines between 16 and 20 characters (sAMAccountName)
-
Resolution
When using vastool join, Safeguard Authentication Services (if needed) will truncate the machine's hostname to the first 15 characters. This is the NetBIOS limitation (15 + $) and not a product limitation.
The vastool join command has a ( -n ) option that allows you to specify a different name for the computer object than the vastool would usually generate from your hostname. The computer name specified with the ( -n ) option should be either the fully qualified DNS name or the sAMAccountName name for the computer object.
You can specify the ( -n ) option at join time, allowing a maximum of 19 characters. This is the maximum length allowed in Active Directory (19 + $), and it is not a limitation imposed by our product.
Example first-time join (no -n ):$ hostnameNote the hostname has been trimmed to 15 chars per NETBIOS rules (sas002iamtwenty + $), but the FQDN remains correct.
sas002iamtwentychars
$ /opt/quest/bin/vastool -u sysadm join -f domain.com$ sudo vastool ktutil list
/etc/opt/quest/vas/host.keytab:
Vno Type Principal Aliases
2 aes128-cts-hmac-sha1-96 host/sas002iamtwentychars.domain.com@domain.com
2 aes128-cts-hmac-sha1-96 SAS002IAMTWENTY$@domain.com
2 aes128-cts-hmac-sha1-96 host/SAS002IAMTWENTY@domain.com
2 aes128-cts-hmac-sha1-96 cifs/sas002iamtwentychars.domain.com@domain.com
2 aes128-cts-hmac-sha1-96 cifs/SAS002IAMTWENTYCHARS@domain.com
2 aes256-cts-hmac-sha1-96 host/sas002iamtwentychars.domain.com@domain.com
2 aes256-cts-hmac-sha1-96 SAS002IAMTWENTY$@domain.com
2 aes256-cts-hmac-sha1-96 host/SAS002IAMTWENTY@domain.com
2 aes256-cts-hmac-sha1-96 cifs/sas002iamtwentychars.domain.com@domain.com
2 aes256-cts-hmac-sha1-96 cifs/SAS002IAMTWENTYCHARS@domain.com
2 arcfour-hmac-md5 host/sas002iamtwentychars.domain.com@domain.com
2 arcfour-hmac-md5 SAS002IAMTWENTY$@domain.com
2 arcfour-hmac-md5 host/SAS002IAMTWENTY@domain.com
2 arcfour-hmac-md5 cifs/sas002iamtwentychars.domain.com@domain.com
2 arcfour-hmac-md5 cifs/SAS002IAMTWENTYCHARS@domain.com
If you query AD for the SPNs created, they also comply with NETBIOS rules. The FQDN SPN entry remains correct.$ sudo vastool -u host/ attrs host/ ServicePrincipalName
servicePrincipalName: as/SAS002IAMTWENTY
servicePrincipalName: host/SAS002IAMTWENTY
servicePrincipalName: host/sas002iamtwentychars.domain.com
What this means for GSSAPI operations is that you can do GSSAPI to the FQDN name but not to the short name. The short name will likely not exist on DNS, so it will not be resolvable, and there is no SPN for the actual hostname so GSSAPI will fail. This is expected, and it is not a bug.
Example first time join USING -n$ /opt/quest/bin/vastool -u sysadm join -f -n sas002iamtwentychars domain.com
Note the hostname has been trimmed to 19 chars per sAMAccountName rules (sas002iamtwentychar + $), but the FQDN remains correct.$ sudo vastool ktutil list
/etc/opt/quest/vas/host.keytab:
Vno Type Principal Aliases
2 aes128-cts-hmac-sha1-96 host/sas002iamtwentychars.domain.com@domain.com
2 aes128-cts-hmac-sha1-96 SAS002IAMTWENTYCHAR$@domain.com
2 aes128-cts-hmac-sha1-96 host/SAS002IAMTWENTYCHAR@domain.com
2 aes128-cts-hmac-sha1-96 cifs/sas002iamtwentychars.domain.com@domain.com
2 aes128-cts-hmac-sha1-96 cifs/SAS002IAMTWENTYCHARS@domain.com
2 aes256-cts-hmac-sha1-96 host/sas002iamtwentychars.domain.com@domain.com
2 aes256-cts-hmac-sha1-96 SAS002IAMTWENTYCHAR$@domain.com
2 aes256-cts-hmac-sha1-96 host/SAS002IAMTWENTYCHAR@domain.com
2 aes256-cts-hmac-sha1-96 cifs/sas002iamtwentychars.domain.com@domain.com
2 aes256-cts-hmac-sha1-96 cifs/SAS002IAMTWENTYCHARS@domain.com
2 arcfour-hmac-md5 host/sas002iamtwentychars.domain.com@domain.com
2 arcfour-hmac-md5 SAS002IAMTWENTYCHAR$@domain.com
2 arcfour-hmac-md5 host/SAS002IAMTWENTYCHAR@domain.com
2 arcfour-hmac-md5 cifs/sas002iamtwentychars.domain.com@domain.com
2 arcfour-hmac-md5 cifs/SAS002IAMTWENTYCHARS@domain.com
Same query to AD$ sudo vastool -u host/ attrs host/ ServicePrincipalName
servicePrincipalName: as/SAS002IAMTWENTYCHAR
servicePrincipalName: host/SAS002IAMTWENTYCHAR
servicePrincipalName: host/sas002iamtwentychars.domain.com
General guidelines while using GSSAPI.- GSSAPI sessions are usually performed against FQDN names instead of shorter names. So if your implementations are always FQDN, then no issues are expected.
- If you have hostnames with a max length of 15 (NETBIOS) or 19 (sAMAccountName with the corresponding SPN), then you can do GSSAPI with the short name.
- If you have hostnames with a machine name equal to 20 or more, then only FQDN will work, and short names will never work.
- Note that if you have “GSSAPIStrictAcceptorCheck yes” in /etc/ssh/sshd_config this will make ssh user@FQDN the ONLY way to do GSSAPI.
Important:
If you plan to modify the machine name, please unjoin, modify the machine name if needed and then join the system again to the domain (with or without -n ). This way, you ensure the Active directory and vastool keytab SPN entries are created correctly.
Also, an AD admin can always add any SPNs they need/want to the AD SPNs list and the vastool keytab.