krb auth weirdness found out

Sam Liddicott sam at
Thu Apr 2 16:26:36 GMT 2009

* Sam Liddicott wrote, On 02/04/09 15:11:
> And I'll try to get to the
> bottom of the ASN.1 error.
Hmmm, wireshark says it is a kerberos error:
error_code: KRB5KRB_AP_ERR_MODIFIED (41)
Server Name (Service and Host): host/star.galaxy.test.dbamsystems.local

where star is the original domain controller and mail server but doesn't
hold mail boxes any more, but I note that openchange dumps:

mapiproxy::mapiproxy_op_dispatch: RfrGetNewDSA(0x0): 28 bytes
     RfrGetNewDSA: struct RfrGetNewDSA
        in: struct RfrGetNewDSA
            ulFlags                  : 0x00000000 (0)
            pUserDN                  : *
                pUserDN                  : ''
            ppszUnused               : NULL
            ppszServer               : *
                ppszServer               : NULL
     RfrGetNewDSA: struct RfrGetNewDSA
        out: struct RfrGetNewDSA
            ppszUnused               : NULL
            ppszServer               : *
                ppszServer               : *
                    ppszServer               :
            result                   : MAPI_E_SUCCESS (0x0)

However when I try a different username (that was created after the
mailbox move) I no longer get the ASN.1 error and I can specify the full
realm in smb.conf (with a patch as I suggested Julien, so that the
specified creds have the realm in), but I still get ppszServer set to
star, so it can't be the ppszServer that was causing mapiproxy to
connect get creds for the wrong machine causing the kerberos error.

HOWEVER I note that with this different username, when I click "Check
Name" in the control panel, it keeps changing back the exchange server
to the REAL exchange server and not the proxy!



More information about the samba-technical mailing list