KRB_AP_ERR_MODIFIED in session setup to trusted domain ?
Andrew Bartlett
abartlet at samba.org
Mon Oct 24 05:37:34 GMT 2005
On Mon, 2005-10-24 at 05:48 +0200, Volker Lendecke wrote:
> On Mon, Oct 24, 2005 at 06:56:39AM +1000, Andrew Bartlett wrote:
> > Traditionally, it should send us back 'unknown', and stop us dead, but
> > this is one of the areas where Microsoft changed behaviour.
>
> Drop us dead? I know I could read the RFCs myself, but how is cross-realm
> operation supposed to work?

It should return 'no such server' as a Kerberos error traditionally.
We just need to implement the canonicalisation stuff.

> > Before I broke Heimdal, as a client we would do a DNS lookup, and in
> > theory then find the full DNS name of the target, and therefore talk to
> > the right KDC. But I didn't want to rely on DNS (given the name was a
> > NetBIOS name), have timeouts or the like, so we ended up here.
>
> Where should I look to fix that? (I need it to make winbind work, and winbind3
> does it right .... :-))

Ahh, that reminds me: For the insecure (but functional) behaviour that
Samba3 uses, and which we are currently discussing on the Heimdal list,
set: 'client use spnego principal = yes'. It should also work
cross-realm, because it is a full principal name.

Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Samba Developer, SuSE Labs, Novell Inc. http://suse.de
Authentication Developer, Samba Team http://samba.org
Student Network Administrator, Hawker College http://hawkerc.net