[cifs-protocol] 114121712176508 MS-KILE Behaviour for client principal name in service tickets
Sreekanth Nadendla
srenaden at microsoft.com
Fri Jan 16 13:47:28 MST 2015
Hello Andrew,
In my new test environment, I have Ubuntu 14.10 server added to MS Windows domain with heimdal client installed.
My default realm is 379135DOM.LAB
sAMAccountName is Administrator
userPrinciplaName is admin at 379135DOM.lab
Test Results are as follows
1) kinit administrator
klist shows administrator at 379135DOM.LAB
2) kinit --enterprise admin at 379135DOM.LAB
klist shows Administrator at 379135DOM.LAB
3) kinit Administrator
klist shows Administrator at 379135DOM.LAB
4) kinit ADMINISTRATOR
klist shows ADMINISTRATOR at 379135DOM.LAB
5) kinit --enterprise administrator
klist shows Administrator
6) kinit --enterprise ADMINISTRATOR
klist shows Administrator at 379135DOM.LAB
So far these results are identical to what you've seen in your environment.
= = === ==================
Now as for your test case 7 below, you've mentioned that you've set the userPrinciplaName to admin at win2012r2.abartlet.wgtn.cat-it.co.nz .
So the realm was win2k12.abartlet.wgtn.cat-it.co.nz before this change.
And you saw
7) kinit admin at WIN2012R2.ABARTLET.WGTN.CAT-IT.CO.NZ
admin at WIN2012R2.ABARTLET.WGTN.CAT-IT.CO.NZ
OR was it
admin at WIN2K12.ABARTLET.WGTN.CAT-IT.CO.NZ ?
In my case when I've changed the UPN from admin at 379135DOM.lab to admin at 5579135DOM.lab
So after this, I ran kinit admin at 5579135DOM.LAB. Here I got the error "Unable to reach any kdc in realm 5579135DOM.LAB".
So I wonder why you didn't get the same error. Is it because you actually have both realms WIN2012R2.ABARTLET.WGTN.CAT-IT.CO.NZ and WIN2K12.ABARTLET.WGTN.CAT-IT.CO.NZ setup ?
If yes, then why is this a surprising result for you ? Because when we are not doing canonicalization, we keep the name identical to what was supplied in the command i.e. admin.
Regards,
Sreekanth Nadendla
Microsoft Windows Open Specifications
-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org]
Sent: Tuesday, January 13, 2015 4:05 PM
To: Sreekanth Nadendla
Cc: cifs-protocol at samba.org; MSSolve Case Email
Subject: Re: 114121712176508 MS-KILE Behaviour for client principal name in service tickets
On Tue, 2015-01-13 at 20:39 +0000, Sreekanth Nadendla wrote:
> Hello Andrew,
>
> I have not heard from you regarding my e-mail
> below. Perhaps you are busy working on other issues. My attempts to
> reproduce the issue using the versions of kinit, klist from latest
> "kerberos for windows build"
> http://web.mit.edu/kerberos/dist/kfw/4.0/kfw-4.0.1-amd64.msi] always
> results in user name matching with what is in samAccountName if we
> ignore the case.
Sorry, I've been busy at and preparing for linux.conf.au, which I'm at this week. You may need to run on linux, install ubuntu or debian, and then install heimdal-clients (sudo apt-get install heimdal-clients).
That should help you reproduce what I'm doing.
In the meantime, I'm also writing some specific smbtorture tests, which will still need linux to run, but will fix the exact requests into a testsuite that can be easily run and re-run.
Thanks,
> Also by design, one can actually create a user having non matching
> samAccountname, userPrincipalName as I've indicated in my repro few
> weeks ago. See the picture below. In case you are unable to revisit
> this i.e. test this at your end and confirm which tools you are using,
> I will archive this issue for a while until you could work on it
> again. Please let me know.
Yes, I'm well aware these can be different.
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
More information about the cifs-protocol
mailing list