[cifs-protocol] 114121712176508 MS-KILE Behaviour for client principal name in service tickets

Sreekanth Nadendla srenaden at microsoft.com
Wed Feb 18 13:05:08 MST 2015


Hello Andrew,
In your response below, you said "No, it isn't". I take it that you are saying kinit.exe user@SHORTDOMAIN could result in a principal that has a different REALM than what was specified in the request and this leads to name mismatch. If I am correct in my understanding of the problem description here, all I am saying is the request over the wire never sent SHORTDOMAIN as Crealm which you can see from the trace.

It is just that the kinit.exe output is misleading you into thinking that the short-form domain got changed by Windows AD to a different DNS-based realm. Let me know your thoughts on this. Note that the explanation offered is based on the trace you gave us and we don't have a local repro identical to yours. Also want to add that we can set up test cases for all scenarios except the custom one which uses Enterprise names without Canonicalization.

At this time it is my understanding that you are NOT blocked with your implementation but only trying to bring more clarity to the specs. Let me know otherwise. 
Regards,
Sreekanth Nadendla
Microsoft Windows Open Specifications
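As an added example (not part of this thread, and not Samba or Microsoft code), the Python below encodes and decodes the cname [1] and realm [2] fields of a Kerberos KDC-REQ-BODY as RFC 4120 defines them, so a capture can be checked for what the name-string and the realm field each carry. The sample values are constructed: the kinit argument is kept verbatim as a single KRB5_NT_PRINCIPAL component and the realm is the DNS realm named in the thread; only those two fields of the body are modelled.

```python
# Constructed example, not from the thread: encode and decode the cname [1] and
# realm [2] fields of a Kerberos KDC-REQ-BODY (RFC 4120) to see what each carries.
NT_PRINCIPAL, NT_ENTERPRISE = 1, 10    # KRB5_NT_PRINCIPAL / KRB5_NT_ENTERPRISE

def der_len(n):                        # DER length, short or long form
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def ctx(n, body):                      # explicit context tag [n]
    return tlv(0xA0 | n, body)

def kerberos_string(s):                # KerberosString is a GeneralString
    return tlv(0x1B, s.encode("ascii"))

def principal_name(name_type, components):
    names = b"".join(kerberos_string(c) for c in components)
    return tlv(0x30, ctx(0, tlv(0x02, bytes([name_type]))) + ctx(1, tlv(0x30, names)))

def req_body_fragment(cname_der, realm):   # only cname [1] and realm [2] modelled
    return tlv(0x30, ctx(1, cname_der) + ctx(2, kerberos_string(realm)))

def parse_tlv(buf, pos=0):             # -> (tag, value, next position)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def parse_sequence(body):              # -> list of (tag, value) pairs
    items, pos = [], 0
    while pos < len(body):
        tag, val, pos = parse_tlv(body, pos)
        items.append((tag, val))
    return items

def decode_fragment(der):
    fields = dict(parse_sequence(parse_tlv(der)[1]))
    pn = dict(parse_sequence(parse_tlv(fields[0xA1])[1]))
    comps = [v.decode("ascii") for _, v in parse_sequence(parse_tlv(pn[0xA1])[1])]
    return {"name_type": parse_tlv(pn[0xA0])[1][0], "name_string": comps,
            "realm": parse_tlv(fields[0xA2])[1].decode("ascii")}

# The case the message describes: the kinit argument kept verbatim as one
# NT-PRINCIPAL component, with the realm field carrying the DNS realm separately.
SAMPLE = req_body_fragment(principal_name(NT_PRINCIPAL, ["user@SHORTDOMAIN"]),
                           "WIN2012R2.ABARTLET.WGTN.CAT-IT.CO.NZ")
```

Running `decode_fragment` over the cname/realm bytes of a real AS-REQ from a trace separates the two questions the thread is about: what string sits in name-string, and what realm was sent alongside it.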

-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org] 
Sent: Tuesday, February 17, 2015 11:31 PM
To: Sreekanth Nadendla
Cc: MSSolve Case Email; cifs-protocol at samba.org
Subject: Re: [cifs-protocol] 114121712176508 MS-KILE Behaviour for client principal name in service tickets

On Wed, 2015-02-18 at 04:19 +0000, Sreekanth Nadendla wrote:
> Andrew, when you execute kinit user@SHORTDOMAIN, the outgoing AS
> request uses string user@SHORTDOMAIN as Cname but still would be sent
> with proper realm name i.e. Crealm is still
> WIN2012R2.ABARTLET.WGTN.CAT-IT.CO.NZ.

No, it isn't.  I'm not talking about enterprise here, these are normal KRB5_NT_PRINCIPAL names.

Andrew Bartlett

--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba