[cifs-protocol] 114121712176508 MS-KILE Behaviour for client principal name in service tickets
srenaden at microsoft.com
Wed Feb 18 13:05:08 MST 2015
In your response below, you said "No, it isn't". I take it that you are saying kinit.exe user@SHORTDOMAIN could result in a principal that has a different REALM than what was specified in the request and this leads to name mismatch. If I am correct in my understanding of the problem description here, all I am saying is the request over the wire never sent SHORTDOMAIN as Crealm which you can see from the trace.
It is just that the kinit.exe output is misleading you into thinking that the short-form domain got changed by Windows AD to a different DNS-based realm. Let me know your thoughts on this. Note that the explanation offered is based on the trace you gave us and we don't have a local repro identical to yours. Also want to add that we can set up test cases for all scenarios except the custom one which uses Enterprise names without Canonicalization.
At this time it is my understanding that you are NOT blocked with your implementation but only trying to bring more clarity to the specs. Let me know otherwise.
Microsoft Windows Open Specifications
From: Andrew Bartlett [mailto:abartlet at samba.org]
Sent: Tuesday, February 17, 2015 11:31 PM
To: Sreekanth Nadendla
Cc: MSSolve Case Email; cifs-protocol at samba.org
Subject: Re: [cifs-protocol] 114121712176508 MS-KILE Behaviour for client principal name in service tickets
On Wed, 2015-02-18 at 04:19 +0000, Sreekanth Nadendla wrote:
> Andrew, when you execute kinit user@SHORTDOMAIN, the outgoing AS
> request uses string user@SHORTDOMAIN as Cname but still would be sent
> with proper realm name i.e. Crealm is still
No, it isn't. I'm not talking about enterprise here, these are normal KRB5_NT_PRINCIPAL names.
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba