[PATCH] Fix kerberos authentication with Vista
Andreas Schneider
anschneider at suse.de
Wed Dec 12 18:29:02 GMT 2007
Gerald (Jerry) Carter wrote:
> Andreas Schneider wrote:
>> Hi List,
>
>> attached is a patch against v3-0-test to fix smbclient's
>> kerberos authentication against a Vista client. It depends
>> on 'realm =' to be set in smb.conf. I didn't find a way to
>> get the realm another way and I think we shouldn't do a cldap
>> or dns request here.
>
> Sorry. That's a broken implementation then. You can't
> assume that every client you connect to will be in the same
> domain.
>
Two trusted domains MARVIN and ARTHUR, a user MARVIN\anschneider and a share
on the machine barteldan:

      Vista Client                                  Vista Client
+-----------------------+                      +---------------+
| m: antares            | u tries to access s  | m: barteldan  |
| d: MARVIN             |--------------------->| d: ARTHUR     |
| u: MARVIN\anschneider |                      | s: Share      |
+-----------------------+                      +---------------+

m = machine
d = domain
u = user
s = share

If you try to access the share on barteldan with Vista, it tries to get a
ticket for BARTELDAN$@MARVIN.REALM.COM. Then it falls back to user/password
authentication.
I think Vista uses the REALM from the TGT, because it works if you log in to
barteldan and access a share on antares.
I have two tcpdumps showing this behavior. So my implementation behaves like
Vista; it doesn't read the realm from the Kerberos cache atm.
So, what should I do now?
Best regards,
-- andreas