[PATCH] Fix kerberos authentication with Vista

Andreas Schneider anschneider at suse.de
Wed Dec 12 18:29:02 GMT 2007

Gerald (Jerry) Carter wrote:
> Andreas Schneider wrote:
>> Hi List,
>> attached is a patch against v3-0-test to fix smbclient's 
>> kerberos authentication against a Vista client. It depends
>> on 'realm =' to be set in smb.conf. I didn't find a way to
>> get the realm another way and I think we shouldn't do a clap
>> or dns request here.
> Sorry.  That's a broken implementation then.  You can't
> assume that every client you connect to will be in the same
> domain.

Two trusted domains MARVIN and ARTHUR, a user MARVIN\anschneider and a share
on the machine barteldan:

        Vista Client                               Vista Client
  +-----------------------+                      +---------------+
  | m: antares            | u tries to access s  | m: barteldan  |
  | d: MARVIN             |--------------------->| d: ARTHUR     |
  | u: MARVIN\anschneider |                      | s: Share      |
  +-----------------------+                      +---------------+

m = machine
d = domain
u = user
s = share

If you try to access the share on barteldan with Vista, it tries to get a
ticket for BARTELDAN$@MARVIN.REALM.COM. Then it falls back to user/password

I think Vista uses the REALM from the TGT, cause it works if you login to
barteldan and access a share on antares.

I have two tcpdump's showing this behavior. So my implementation bahaves like
Vista, it doesn't read the realm from the kerberos cache atm.

So, what should I do now?

Best regards,

	-- andreas

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 254 bytes
Desc: OpenPGP digital signature
Url : http://lists.samba.org/archive/samba-technical/attachments/20071212/af45fbf8/signature.bin

More information about the samba-technical mailing list