eUPN and Kerberos PAC issues

Andrew Bartlett abartlet at samba.org
Tue Mar 10 19:01:37 MDT 2015


On Wed, 2015-03-11 at 00:43 +0100, Stefan (metze) Metzmacher wrote:
> Am 10.03.2015 um 23:28 schrieb Andrew Bartlett:
> > On Tue, 2015-03-10 at 16:23 +0100, Stefan (metze) Metzmacher wrote:
> > 
> >> But while testing I found some additional problems with enterprise
> >> principals,
> >> see the attached patches.
> > 
> > Thanks.  What did you do to trigger these?  Did it happen on the server,
> > or (as I'm assuming) on the client?  Does it trigger against Windows as
> > the server, or Samba?  Unless canonicalise was forced off (like I do in
> > the krb5.kdc tests), how do we get an enterprise principal in the PAC?  
> 
> I did the following:
> 
> kinit -E administrator@W2012R2-L4.BASE
> kvno cifs/ub1204-161.s4xdom.base
> 
> => that generated an error "realm found in 'short' principal"
> Because the windows kdc added administrator@W2012R2-L4.BASE in the PAC.
> 
> While
> 
> kinit administrator@W2012R2-L4.BASE
> kvno cifs/ub1204-161.s4xdom.base
> 
> worked fine, as there's only "administrator" in the PAC.
> 
> I also had another bug.
> 
> kinit -E administrator@S4XDOM.BASE
> kvno cifs/w2012r2-183.w2012r2-l4.base
> failed with message altered.
> 
> While it worked with
> kinit -C -E administrator@S4XDOM.BASE
> kvno cifs/w2012r2-183.w2012r2-l4.base
> 
> and
> kinit administrator@S4XDOM.BASE
> kvno cifs/w2012r2-183.w2012r2-l4.base
> 
> Maybe this is also fixed, but I need to retest that.
> 
> > In the meantime, I'll follow through and finish the tests by making our
> > code validate the tickets being obtained. 
> 

Thanks for the detailed explanation metze, that gives me the right
information to build the test with. 

One question:  How did the patch help, as it was against Heimdal and
kvno is only in MIT?

Or did you fix it in your local MIT and port that to Heimdal, or
something else?

Thanks!

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
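The "realm found in 'short' principal" failure metze quotes above comes from a client parsing the PAC logon name as a realm-less (short) principal and finding an unescaped '@' in it. The following is an added illustration, not Samba, Heimdal or MIT code: a small principal-string parser following the usual Kerberos string form (components separated by '/', the realm after an unescaped '@', backslash escapes), a helper that builds the escaped enterprise form kinit -E sends, and a check that mirrors the short-principal rule on the two PAC names from the thread. The names used are the ones quoted in the message; the function names are my own.

```python
"""Kerberos principal-string handling around the eUPN-in-PAC case.

Added example, not code from the Samba project.  Parsing rules assumed
here: '/' separates name components, an unescaped '@' starts the realm,
and a backslash escapes the following character (so '\\@' is a literal
'@' inside a component, which is how an enterprise principal such as
administrator\\@W2012R2-L4.BASE@W2012R2-L4.BASE carries the UPN).
"""


def parse_principal(text):
    """Split a principal string into (components, realm).

    realm is None when the string contains no unescaped '@', i.e. when it
    is a 'short' principal like 'administrator' or 'cifs/host.example'.
    """
    components = []
    current = []
    in_realm = False
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            # escaped character: keep it literally, never as a separator
            current.append(text[i + 1])
            i += 2
            continue
        if not in_realm and ch == "/":
            components.append("".join(current))
            current = []
        elif not in_realm and ch == "@":
            components.append("".join(current))
            current = []
            in_realm = True
        else:
            current.append(ch)
        i += 1
    if in_realm:
        return components, "".join(current)
    components.append("".join(current))
    return components, None


def parse_short_principal(text):
    """Parse a name that must NOT carry a realm (the PAC logon-name case).

    Raises ValueError with the message quoted in the thread when the KDC
    has placed a full user@REALM string where a bare account name was
    expected.
    """
    components, realm = parse_principal(text)
    if realm is not None:
        raise ValueError("realm found in 'short' principal")
    return components


def enterprise_principal_string(upn, realm):
    """Build the string form of an enterprise principal (kinit -E style).

    The UPN becomes a single component with its '@' escaped, and the
    ticket realm is appended after an unescaped '@'.
    """
    return upn.replace("@", "\\@") + "@" + realm


def check_pac_logon_name(name):
    """Emulate a client validating the PAC logon name as a short principal.

    Returns (True, components) when the name is acceptable, or
    (False, error_message) when it would be rejected.
    """
    try:
        return True, parse_short_principal(name)
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Constructed inputs taken from the names quoted in the thread.
    for pac_name in ("administrator", "administrator@W2012R2-L4.BASE"):
        ok, detail = check_pac_logon_name(pac_name)
        print(f"PAC logon name {pac_name!r}: {'ok' if ok else 'REJECTED'} ({detail})")
    eupn = enterprise_principal_string("administrator@W2012R2-L4.BASE", "W2012R2-L4.BASE")
    print("enterprise principal sent to the KDC:", eupn)
    print("parsed back as:", parse_principal(eupn))
```

Run directly, the script reports the plain name as accepted and the user@REALM name as rejected with the quoted error, then shows that the escaped enterprise form round-trips to a single UPN component plus the ticket realm; the contrast is exactly the difference between the two kinit invocations in the message.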


