[PATCH] Improve krb5 KDC tests, kdc behaviour

Andrew Bartlett abartlet at samba.org
Mon Feb 2 20:17:42 MST 2015

On Fri, 2015-01-30 at 17:44 +1300, Andrew Bartlett wrote:
> Metze,
> Attached is some improvements to our KDC test script, and a fix for our
> KDC.  
> I still need to cover the canonicalize case for TGS-REQ, but this needs
> further work (I have to rework the code to use krb5_get_creds).
> Garming has reviewed it, but I wanted to see what you thought about it. 

I've now covered the TGS-REQ case with canonicalize set, which you made
a change to in 51b94ab3fd4d13ee38813eb7d20db11edaa667a8 with:

 s4:kdc: canonicalize the principal if HDB_F_FOR_TGS_REQ is given
 Windows seems to always canonicalize the principal in TGS replies.

I can't reproduce this behaviour against Windows 2012R2 with some now
quite extensive tests, and so the patches I attach revert this, in

Let me know what you think.  We plan on pushing this soon, but if you
have any thoughts before or after it hits master, I'll be very glad to
look into them. 

Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

-------------- next part --------------
A non-text attachment was scrubbed...
Name: upn-and-tests.patch
Type: text/x-patch
Size: 140386 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20150203/17f3a8f1/attachment-0001.bin>

More information about the samba-technical mailing list