[cifs-protocol] 114121712176508 MS-KILE Behaviour for client principal name in service tickets
abartlet at samba.org
Tue Feb 17 11:24:13 MST 2015
On Tue, 2015-02-17 at 17:10 +0000, Sreekanth Nadendla wrote:
> Andrew, from the capture you have provided us (no-canon.enterprise.lc-realm.uc-user.krb5-realm.win2k.upn.pcap),
> Client sent Cname = TESTALLOWED_UPN at w2k12.abartlet.wgtn.cat-it.co.nz and the actual submitted Realm from the network capture is WIN2012R2.ABARTLET.WGTN.CAT-IT.CO.NZ. (It is not w2k12.abartlet.wgtn.cat-it.co.nz)
> The client did not ask for canonicalization.
> The KDC returned Cname TESTALLOWED_UPN at w2k12.abartlet.wgtn.cat-it.co.nz which is exactly what is sent
> The KDC returned Crealm WIN2012R2.ABARTLET.WGTN.CAT-IT.CO.NZ as expected.
> The realm is always normalized per RFC. It's just that if windows AD receives a mixed case realm name, then it will do a case insensitive comparision per MS-KILE 220.127.116.11 Internationalization and Case Sensitivity.
> I do not see short-form domain being changed to a DNS-based realm. Please let me know if I am missing something.
I'm sorry, I didn't raise that particular sub-case, because I thought
that it would follow out of a clearer explanation of the general case.
As you continue to insist that this area is all perfectly unusual, and
fits into an un-indented (in my view) reading of the
non-canonicalisation case (that an infinite variety of principals would
be generated on the KDC, that all happen to share the same underlying
identity/username/password), I'm trying to make clear that the Windows
behaviour is special, under-documented and unique.
As demonstration please examine that, along with the case transformation
for the realm, canonicalisation or not, if you kinit for
user at SHORTDOMAIN, the ticket returned is for user at REALM.COM.
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
More information about the cifs-protocol