[cifs-protocol] 114121712176508 MS-KILE Behaviour for client principal name in service tickets

Sreekanth Nadendla srenaden at microsoft.com
Fri Jan 16 13:47:28 MST 2015

Hello Andrew,
In my new test environment, I have Ubuntu 14.10 server added to MS Windows domain with heimdal client installed.

My default realm is 379135DOM.LAB
sAMAccountName  is Administrator
userPrinciplaName is  admin at 379135DOM.lab

Test Results are as follows

1) kinit administrator
klist shows administrator at 379135DOM.LAB

2) kinit --enterprise admin at 379135DOM.LAB
klist shows Administrator at 379135DOM.LAB

3) kinit Administrator
klist shows Administrator at 379135DOM.LAB

klist shows ADMINISTRATOR at 379135DOM.LAB

5) kinit --enterprise administrator
klist shows Administrator

6) kinit --enterprise ADMINISTRATOR
klist shows Administrator at 379135DOM.LAB

So far these results are identical to what you've seen in your environment.

= = === ==================

Now as for your test case 7 below, you've mentioned that you've set the userPrinciplaName to admin at win2012r2.abartlet.wgtn.cat-it.co.nz . 
So the realm was win2k12.abartlet.wgtn.cat-it.co.nz before this change.

And you saw 

7) kinit admin at WIN2012R2.ABARTLET.WGTN.CAT-IT.CO.NZ
    admin at WIN2012R2.ABARTLET.WGTN.CAT-IT.CO.NZ 
OR was it 

In my case when I've changed the UPN from admin at 379135DOM.lab to admin at 5579135DOM.lab
So after this, I ran kinit admin at 5579135DOM.LAB. Here I got the error   "Unable to reach any kdc in realm 5579135DOM.LAB".

So I wonder why you didn't get the same error. Is it because you actually have both realms WIN2012R2.ABARTLET.WGTN.CAT-IT.CO.NZ  and WIN2K12.ABARTLET.WGTN.CAT-IT.CO.NZ setup ? 

If yes, then why is this a surprising result for you ? Because when we are not doing canonicalization, we keep the name identical to what was supplied in the command i.e. admin. 

Sreekanth Nadendla
Microsoft Windows Open Specifications

-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org] 
Sent: Tuesday, January 13, 2015 4:05 PM
To: Sreekanth Nadendla
Cc: cifs-protocol at samba.org; MSSolve Case Email
Subject: Re: 114121712176508 MS-KILE Behaviour for client principal name in service tickets

On Tue, 2015-01-13 at 20:39 +0000, Sreekanth Nadendla wrote:
> Hello Andrew,
>                          I have not heard from you regarding my e-mail 
> below. Perhaps you are busy working on other issues. My attempts to 
> reproduce the issue using the versions of kinit, klist from latest 
> "kerberos for windows build"
> http://web.mit.edu/kerberos/dist/kfw/4.0/kfw-4.0.1-amd64.msi] always 
> results in user name matching with what is in samAccountName if we 
> ignore the case.

Sorry, I've been busy at and preparing for linux.conf.au, which I'm at this week.  You may need to run on linux, install ubuntu or debian, and then install heimdal-clients (sudo apt-get install heimdal-clients).
That should help you reproduce what I'm doing. 

In the meantime, I'm also writing some specific smbtorture tests, which will still need linux to run, but will fix the exact requests into a testsuite that can be easily run and re-run.


> Also by design, one can actually create a user having non matching 
> samAccountname, userPrincipalName  as I've indicated in my repro few 
> weeks ago. See the picture below. In case you are unable to revisit 
> this i.e. test this at your end and confirm which tools you are using, 
> I will archive this issue for a while until you could work on it 
> again. Please let me know.

Yes, I'm well aware these can be different.

Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

More information about the cifs-protocol mailing list