eUPN and Kerberos PAC issues

Stefan (metze) Metzmacher metze at samba.org
Tue Mar 10 17:43:28 MDT 2015


On 10.03.2015 at 23:28, Andrew Bartlett wrote:
> On Tue, 2015-03-10 at 16:23 +0100, Stefan (metze) Metzmacher wrote:
> 
>> But while testing I found some additional problems with enterprise
>> principals,
>> see the attached patches.
> 
> Thanks.  What did you do to trigger these?  Did it happen on the server,
> or (as I'm assuming) on the client?  Does it trigger against Windows as
> the server, or Samba?  Unless canonicalise was forced off (like I do in
> the krb5.kdc tests), how do we get an enterprise principal in the PAC?  

I did the following:

kinit -E administrator@W2012R2-L4.BASE
kvno cifs/ub1204-161.s4xdom.base

=> that generated the error "realm found in 'short' principal",
because the Windows KDC added administrator@W2012R2-L4.BASE to the PAC.

While

kinit administrator@W2012R2-L4.BASE
kvno cifs/ub1204-161.s4xdom.base

worked fine, as there's only "administrator" in the PAC.

I also had another bug.

kinit -E administrator@S4XDOM.BASE
kvno cifs/w2012r2-183.w2012r2-l4.base
failed with "message altered".

While it worked with
kinit -C -E administrator@S4XDOM.BASE
kvno cifs/w2012r2-183.w2012r2-l4.base

and
kinit administrator@S4XDOM.BASE
kvno cifs/w2012r2-183.w2012r2-l4.base

Maybe this is also fixed, but I need to retest that.

> In the meantime, I'll follow through and finish the tests by making our
> code validate the tickets being obtained.

Thanks!

metze
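To make the first symptom above concrete, here is an added example (not Samba's code, and not part of the thread) that parses Kerberos principal strings and applies the kind of "short name" check that produced the "realm found in 'short' principal" error. It assumes the MIT/Heimdal string syntax (components separated by `/`, the realm after the last unescaped `@`, backslash escaping), and it assumes that an enterprise principal obtained with `kinit -E` is printed as a single component containing an escaped `@`, e.g. `administrator\@W2012R2-L4.BASE@W2012R2-L4.BASE`; the `pac_logon_name` and `check_short_name` helpers are hypothetical reconstructions of the behaviour described, not Samba's or Windows' actual PAC handling.

```python
"""Parse Kerberos principal strings and flag a PAC account name that still
carries a realm (the enterprise-principal case from the thread).

Assumptions (not taken from the thread): MIT/Heimdal string syntax, where
components are separated by '/', the realm follows the last unescaped '@',
and a backslash escapes the next character. An NT-ENTERPRISE principal as
printed by `kinit -E` keeps the user's "user@realm" text as ONE component,
with the inner '@' escaped.
"""

from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Principal:
    components: List[str]   # unescaped name components
    realm: Optional[str]    # None when the string had no realm part


def parse_principal(text: str) -> Principal:
    """Split 'comp1/comp2@REALM' into components and realm, honouring
    backslash escapes so an escaped '@' stays inside a component."""
    components: List[str] = []
    cur: List[str] = []
    in_realm = False
    i = 0
    while i < len(text):
        c = text[i]
        if c == "\\" and i + 1 < len(text):
            # escaped character: take it literally, skip the backslash
            cur.append(text[i + 1])
            i += 2
            continue
        if not in_realm and c == "/":
            components.append("".join(cur))
            cur = []
        elif not in_realm and c == "@":
            components.append("".join(cur))
            cur = []
            in_realm = True
        else:
            cur.append(c)
        i += 1
    if in_realm:
        return Principal(components, "".join(cur))
    components.append("".join(cur))
    return Principal(components, None)


def pac_logon_name(p: Principal) -> str:
    """Hypothetical model of what a KDC puts into the PAC logon name for a
    single-component client principal: the first component, unescaped.
    For an enterprise principal that is the whole 'user@realm' text."""
    return p.components[0]


def check_short_name(account_name: str) -> Optional[str]:
    """Validation a ticket consumer might run on the PAC account name.
    Returns an error string when the name is not a realm-less 'short'
    name; mirrors the error text quoted in the thread, not Samba's logic."""
    if "@" in account_name:
        return "realm found in 'short' principal"
    return None


def split_enterprise_name(account_name: str) -> Tuple[str, Optional[str]]:
    """Separate 'user@realm' into (user, realm) so a consumer can fall back
    to the short name; returns (name, None) for an already-short name."""
    user, sep, realm = account_name.rpartition("@")
    if not sep:
        return account_name, None
    return user, realm


if __name__ == "__main__":
    # Constructed sample strings modelled on the thread's two kinit forms.
    for s in ("administrator@W2012R2-L4.BASE",
              "administrator\\@W2012R2-L4.BASE@W2012R2-L4.BASE"):
        name = pac_logon_name(parse_principal(s))
        print(f"{s!r:55} PAC name={name!r:40} "
              f"check={check_short_name(name)!r}")
```

Run as a script it prints one line per sample: the plain `kinit` form yields the short PAC name `administrator` and passes, while the `kinit -E` form yields `administrator@W2012R2-L4.BASE` and fails the short-name check, which is the mismatch the thread reports.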
