[PATCH] Fix kerberos authentication with Vista

Jeremy Allison jra at samba.org
Sat Dec 15 06:30:23 GMT 2007


On Thu, Dec 13, 2007 at 03:27:30PM +0100, Andreas Schneider wrote:
> Andreas Schneider wrote:
> > 
> > Gerald (Jerry) Carter wrote:
> >> Andreas Schneider wrote:
> >>> Hi List,
> >>> attached is a patch against v3-0-test to fix smbclient's 
> >>> kerberos authentication against a Vista client. It depends
> >>> on 'realm =' to be set in smb.conf. I didn't find a way to
> >>> get the realm another way and I think we shouldn't do a cldap
> >>> or dns request here.
> >> Sorry.  That's a broken implementation then.  You can't
> >> assume that every client you connect to will be in the same
> >> domain.
> >>
> > 
> > Two trusted domains MARVIN and ARTHUR, a user MARVIN\anschneider and a share
> > on the machine barteldan:
> > 
> >         Vista Client                               Vista Client
> >   +-----------------------+                      +---------------+
> >   | m: antares            | u tries to access s  | m: barteldan  |
> >   | d: MARVIN             |--------------------->| d: ARTHUR     |
> >   | u: MARVIN\anschneider |                      | s: Share      |
> >   +-----------------------+                      +---------------+
> > 
> > m = machine
> > d = domain
> > u = user
> > s = share
> > 
> > If you try to access the share on barteldan with Vista, it tries to get a
> > ticket for BARTELDAN$@MARVIN.REALM.COM. Then it falls back to user/password
> > authentication.
> > 
> > I think Vista uses the REALM from the TGT, because it works if you log in to
> > barteldan and access a share on antares.
> 
> Next try. This patch behaves the same as Vista now. Bug by bug, feature by
> feature.

Ok - Jerry - I think this is an improvement on what we
currently have (which is using the incorrect principal),
yes?

I'm going to merge a variant of this (fixing the asprintf
error) - please let me know if you object.

Jeremy.

