eUPN and Kerberos PAC issues
Stefan (metze) Metzmacher
metze at samba.org
Tue Mar 10 17:43:28 MDT 2015
On 10.03.2015 at 23:28, Andrew Bartlett wrote:
> On Tue, 2015-03-10 at 16:23 +0100, Stefan (metze) Metzmacher wrote:
>
>> But while testing I found some additional problems with enterprise
>> principals,
>> see the attached patches.
>
> Thanks. What did you do to trigger these? Did it happen on the server,
> or (as I'm assuming) on the client? Does it trigger against Windows as
> the server, or Samba? Unless canonicalise was forced off (like I do in
> the krb5.kdc tests), how do we get an enterprise principal in the PAC?
I did the following:

  kinit -E administrator@W2012R2-L4.BASE
  kvno cifs/ub1204-161.s4xdom.base

=> that generated an error "realm found in 'short' principal",
because the Windows KDC added administrator@W2012R2-L4.BASE in the PAC.

While

  kinit administrator@W2012R2-L4.BASE
  kvno cifs/ub1204-161.s4xdom.base

worked fine, as there's only "administrator" in the PAC.

I also had another bug.

  kinit -E administrator@S4XDOM.BASE
  kvno cifs/w2012r2-183.w2012r2-l4.base

failed with message altered.

While it worked with

  kinit -C -E administrator@S4XDOM.BASE
  kvno cifs/w2012r2-183.w2012r2-l4.base

and

  kinit administrator@S4XDOM.BASE
  kvno cifs/w2012r2-183.w2012r2-l4.base

Maybe this is also fixed, but I need to retest that.

> In the meantime, I'll follow through and finish the tests by making our
> code validate the tickets being obtained.
Thanks!
metze