KRB_AP_ERR_MODIFIED in session setup to trusted domain ?

Andrew Bartlett abartlet at
Mon Oct 24 05:37:34 GMT 2005

On Mon, 2005-10-24 at 05:48 +0200, Volker Lendecke wrote:
> On Mon, Oct 24, 2005 at 06:56:39AM +1000, Andrew Bartlett wrote:
> > Traditionally, it should send us back 'unknown', and stop us dead, but
> > this is one of the areas where Microsoft changed behaviour.
> Drop us dead? I know I could read the RFC's myself, but how is cross-realm
> operation supposed to work?

It should return 'no such server' as a kerberos error traditionally. 

We just need to implement the canonicalisation stuff.

> > Before I broke Heimdal, as a client we would do a DNS lookup, and in
> > theory then find the full DNS name of the target, and therefore talk to
> > the right KDC.  But I didn't want to rely on DNS (given the name was a
> > netbios name), have timeouts or the like, so we ended up here.
> Where should I look to fix that? (I need it to make winbind work, and winbind3
> does it right .... :-))

Ahh, that reminds me:  For the insecure (but functional) behaviour that
Samba3 uses, and which we are currently discussing on the Heimdal list,
set:  'client use spnego principal = yes'.  It should also work
cross-realm, because it is a full principal name.

Andrew Bartlett

Andrew Bartlett                      
Samba Developer, SuSE Labs, Novell Inc.
Authentication Developer, Samba Team 
Student Network Administrator, Hawker College
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url :

More information about the samba-technical mailing list