eUPN and Kerberos PAC issues
Stefan (metze) Metzmacher
metze at samba.org
Tue Mar 10 17:43:28 MDT 2015
On 10.03.2015 at 23:28, Andrew Bartlett wrote:
> On Tue, 2015-03-10 at 16:23 +0100, Stefan (metze) Metzmacher wrote:
>> But while testing I found some additional problems with enterprise
>> see the attached patches.
> Thanks. What did you do to trigger these? Did it happen on the server,
> or (as I'm assuming) on the client? Does it trigger against Windows as
> the server, or Samba? Unless canonicalise was forced off (like I do in
> the krb5.kdc tests), how do we get an enterprise principal in the PAC?
I did the following:
kinit -E administrator@W2012R2-L4.BASE
=> that generated an error "realm found in 'short' principal"
Because the Windows KDC added administrator@W2012R2-L4.BASE in the PAC.
kinit administrator@W2012R2-L4.BASE
worked fine, as there's only "administrator" in the PAC.
I also had another bug.
kinit -E administrator@S4XDOM.BASE
failed with message altered.
While it worked with
kinit -C -E administrator@S4XDOM.BASE
kinit administrator@S4XDOM.BASE
Maybe this is also fixed, but I need to retest that.
> In the meantime, I'll follow through and finish the tests by making our
> code validate the tickets being obtained.