KRB_AP_ERR_MODIFIED in session setup to trusted domain ?

Volker Lendecke Volker.Lendecke at SerNet.DE
Sun Oct 23 16:42:00 GMT 2005

On Sun, Oct 23, 2005 at 10:12:49PM +1000, Andrew Bartlett wrote:
> It looks to me like Samba is asking for the right principal, but the
> win2k DC is canonicalising the response into a ticket for the krbtgt on
> the trusted realm.  

Trying to understand what's going on, so please forgive me if I'm wrong: Isn't
sending the krbtgt for W2KAD.W2K3AD.ORG exactly the right thing to do? Our
domain, W2K3AD.ORG is the parent domain of W2KAD.W2K3AD.ORG, and I'm trying to
connect to w2kpdc at W2KAD.W2K3AD.ORG. w2k3dc at W2K3AD.ORG simply can not give us a
service ticket for w2kpdc at W2KAD.W2K3AD.ORG, because it does not know about that
principal. All it can do is refer us to krbtgt at W2KAD.W2K3AD.ORG to ask for the
proper ticket there. 

> Basically, we need to get proper and/or win2k3 compatible
> canonicalisation support into Heimdal.

To me it seems that Samba4 is missing the step to take the service ticket for
krbtgt at W2KAD.W2K3AD.ORG to convert that into the real service ticket for
w2kpdc at W2KAD.W2K3AD.ORG. Is it that what  you mean with "canonicalisation"?


-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url :

More information about the samba-technical mailing list