[PATCH] Fix kerberos authentication with Vista
Jeremy Allison
jra at samba.org
Sat Dec 15 06:30:23 GMT 2007
On Thu, Dec 13, 2007 at 03:27:30PM +0100, Andreas Schneider wrote:
> Andreas Schneider wrote:
> >
> > Gerald (Jerry) Carter wrote:
> >> Andreas Schneider wrote:
> >>> Hi List,
> >>> attached is a patch against v3-0-test to fix smbclient's
> >>> kerberos authentication against a Vista client. It depends
> >>> on 'realm =' to be set in smb.conf. I didn't find a way to
> >>> get the realm another way and I think we shouldn't do a cldap
> >>> or dns request here.
> >> Sorry. That's a broken implementation then. You can't
> >> assume that every client you connect to will be in the same
> >> domain.
> >>
> >
> > Two trusted domains MARVIN and ARTHUR, a user MARVIN\anschneider and a share
> > on the machine barteldan:
> >
> >       Vista Client                                Vista Client
> > +-----------------------+                      +---------------+
> > | m: antares            | u tries to access s  | m: barteldan  |
> > | d: MARVIN             |--------------------->| d: ARTHUR     |
> > | u: MARVIN\anschneider |                      | s: Share      |
> > +-----------------------+                      +---------------+
> >
> > m = machine
> > d = domain
> > u = user
> > s = share
> >
> > If you try to access the share on barteldan with Vista, it tries to get a
> > ticket for BARTELDAN$@MARVIN.REALM.COM. Then it falls back to user/password
> > authentication.
> >
> > I think Vista uses the REALM from the TGT, because it works if you log in to
> > barteldan and access a share on antares.
>
> Next try. This patch behaves the same as Vista now. Bug by bug, feature by
> feature.

Ok - Jerry - I think this is an improvement on what we
currently have (which is using the incorrect principal),
yes?

I'm going to merge a variant of this (fixing the asprintf
error) - please let me know if you object.

Jeremy.