KRB_AP_ERR_MODIFIED in session setup to trusted domain ?

Andrew Bartlett abartlet at samba.org
Sun Oct 23 20:56:39 GMT 2005


On Sun, 2005-10-23 at 18:42 +0200, Volker Lendecke wrote:
> On Sun, Oct 23, 2005 at 10:12:49PM +1000, Andrew Bartlett wrote:
> > It looks to me like Samba is asking for the right principal, but the
> > win2k DC is canonicalising the response into a ticket for the krbtgt on
> > the trusted realm.  
> 
> Trying to understand what's going on, so please forgive me if I'm wrong: Isn't
> sending the krbtgt for W2KAD.W2K3AD.ORG exactly the right thing to do? Our
> domain, W2K3AD.ORG is the parent domain of W2KAD.W2K3AD.ORG, and I'm trying to
> connect to w2kpdc at W2KAD.W2K3AD.ORG. w2k3dc at W2K3AD.ORG simply cannot give us a
> service ticket for w2kpdc at W2KAD.W2K3AD.ORG, because it does not know about that
> principal. All it can do is refer us to krbtgt at W2KAD.W2K3AD.ORG to ask for the
> proper ticket there. 

Traditionally, it should send us back 'unknown', and stop us dead, but
this is one of the areas where Microsoft changed behaviour.

Before I broke Heimdal, as a client we would do a DNS lookup, and in
theory then find the full DNS name of the target, and therefore talk to
the right KDC.  But I didn't want to rely on DNS (given the name was a
netbios name), have timeouts or the like, so we ended up here.

> > Basically, we need to get proper and/or win2k3 compatible
> > canonicalisation support into Heimdal.
> 
> To me it seems that Samba4 is missing the step to take the service ticket for
> krbtgt at W2KAD.W2K3AD.ORG to convert that into the real service ticket for
> w2kpdc at W2KAD.W2K3AD.ORG. Is that what you mean with "canonicalisation"?

Yep.  There are flags we get back we need to deal with which say that
funny business is going on, and we can chase things from there.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Samba Developer, SuSE Labs, Novell Inc.        http://suse.de
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
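An added example (not from this mail, nor Samba or Heimdal code): a toy model of the referral chase discussed above. Realm and host names are the ones in the thread; the KDCs, tickets and keys are constructed stand-ins (a key identifier takes the place of encryption), and the service principal name cifs/w2kpdc is an assumption. It shows why handing the krbtgt referral ticket straight to w2kpdc surfaces as KRB_AP_ERR_MODIFIED, and how following the referral to the child realm's KDC yields the real service ticket.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Ticket:
    sname: str    # principal named in the ticket
    srealm: str   # realm whose KDC issued it
    key_id: str   # stands in for the key the ticket is encrypted under

class KDC:
    def __init__(self, realm, services, referrals):
        self.realm = realm
        self.services = set(services)     # principals this KDC holds keys for
        self.referrals = dict(referrals)  # principal -> realm that holds it

    def tgs_req(self, sname):
        if sname in self.services:
            return Ticket(sname, self.realm, f"{sname}@{self.realm}")
        if sname in self.referrals:
            # Win2k-style referral (as described in the mail): a cross-realm
            # TGT for the realm that can issue the real ticket, not 'unknown'.
            target = self.referrals[sname]
            return Ticket(f"krbtgt/{target}", self.realm, f"krbtgt/{target}@{self.realm}")
        raise LookupError("KDC_ERR_S_PRINCIPAL_UNKNOWN")

def ap_req(service_key_id, ticket):
    # Service side: a ticket under some other key cannot be decrypted/verified.
    return "OK" if ticket.key_id == service_key_id else "KRB_AP_ERR_MODIFIED"

def get_service_ticket(kdcs, realm, sname, max_hops=4):
    # Client side: follow krbtgt referrals until the ticket names sname.
    for _ in range(max_hops):
        ticket = kdcs[realm].tgs_req(sname)
        if ticket.sname == sname:
            return ticket
        if not ticket.sname.startswith("krbtgt/"):
            raise ValueError(f"unexpected ticket for {ticket.sname}")
        realm = ticket.sname.split("/", 1)[1]   # realm named in the referral
    raise RuntimeError("too many referral hops")

# Constructed forest from the mail: W2K3AD.ORG is the parent of W2KAD.W2K3AD.ORG.
SERVICE = "cifs/w2kpdc"   # assumed service principal for the w2kpdc host
KDCS = {
    "W2K3AD.ORG": KDC("W2K3AD.ORG", ["cifs/w2k3dc"], {SERVICE: "W2KAD.W2K3AD.ORG"}),
    "W2KAD.W2K3AD.ORG": KDC("W2KAD.W2K3AD.ORG", [SERVICE], {}),
}
W2KPDC_KEY = f"{SERVICE}@W2KAD.W2K3AD.ORG"

def naive_client():    # presents whatever the home KDC handed back
    return ap_req(W2KPDC_KEY, KDCS["W2K3AD.ORG"].tgs_req(SERVICE))
def chasing_client():  # follows the referral to the child realm first
    return ap_req(W2KPDC_KEY, get_service_ticket(KDCS, "W2K3AD.ORG", SERVICE))
```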