eUPN and Kerberos PAC issues (was: Re: [PATCH] s4:kdc: add aes key support for trusted domains)

Andrew Bartlett abartlet at
Tue Mar 10 16:28:43 MDT 2015

On Tue, 2015-03-10 at 16:23 +0100, Stefan (metze) Metzmacher wrote:

> But while testing I found some additional problems with enterprise
> principals,
> see the attached patches.

Thanks.  What did you do to trigger these?  Did it happen on the server,
or (as I'm assuming) on the client?  Does it trigger against Windows as
the server, or Samba?  Unless canonicalise was forced off (like I do in
the krb5.kdc tests), how do we get an enterprise principal in the PAC?  

In the meantime, I'll follow though and finish the tests by making our
code validate the tickets being obtained. 


Andrew Bartlett
Andrew Bartlett
Authentication Developer, Samba Team
Samba Developer, Catalyst IT

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: This is a digitally signed message part
URL: <>

More information about the samba-technical mailing list