krb auth weirdness found out
Sam Liddicott
sam at liddicott.com
Thu Apr 2 16:29:26 GMT 2009
I DID get the ASN.1 krb error with the other user and this looks like
the cause of it changing the mail server back to the real mail server in
the control panel.
* Sam Liddicott wrote, On 02/04/09 17:26:
> * Sam Liddicott wrote, On 02/04/09 15:11:
>
>> And I'll try to get to the
>> bottom of the ASN.1 error.
>>
>>
> Hmmm, wireshark says it is a kerberos error:
>
> error_code: KRB5KRB_AP_ERR_MODIFIED (41)
> Realm: GALAXY.TEST.DBAMSYSTEMS.LOCAL
> Server Name (Service and Host): host/star.galaxy.test.dbamsystems.local
>
>
> where star is the original domain controller and mail server but doesn't
> hold mail boxes any more, but I note that openchange dumps:
>
>
> mapiproxy::mapiproxy_op_dispatch: RfrGetNewDSA(0x0): 28 bytes
> RfrGetNewDSA: struct RfrGetNewDSA
> in: struct RfrGetNewDSA
> ulFlags : 0x00000000 (0)
> pUserDN : *
> pUserDN : ''
> ppszUnused : NULL
> ppszServer : *
> ppszServer : NULL
> RfrGetNewDSA: struct RfrGetNewDSA
> out: struct RfrGetNewDSA
> ppszUnused : NULL
> ppszServer : *
> ppszServer : *
> ppszServer :
> 'star.galaxy.test.dbamsystems.local'
> result : MAPI_E_SUCCESS (0x0)
> mapiproxy::mapiproxy_op_reply
>
>
> However when I try a different username (that was created after the
> mailbox move) I no longer get the ASN.1 error and I can specify the full
> realm in smb.conf (with a patch as I suggested Julien, so that the
> specified creds have the realm in), but I still get ppszServer set to
> star, so it can't be the ppszServer that was causing mapiproxy to
> connect get creds for the wrong machine causing the kerberos error.
>
> HOWEVER I note that with this different username, when I click "Check
> Name" in the control panel, it keeps changing back the exchange server
> to the REAL exchange server and not the proxy!
>
> aggh
>
> Sam
>
More information about the samba-technical
mailing list