eUPN and Kerberos PAC issues

Stefan (metze) Metzmacher metze at
Thu Mar 12 02:05:03 MDT 2015

Hi Andrew,

>>> I noticed it only because the PAC in the AS-REP and referral ticket where
>>> generated by a Windows 2012R2 KDC and the samba/heimdal kdc
>>> fails to verify the PAC in the TGS-REQ.
>>> I'll have a look at the patches later, thanks!
>>> metze
>> Thanks.  It seems I broke samba4.local.pac, so I'll investigate that
>> tomorrow if it isn't obvious to you.
> This showed up that we got things wrong in our old PAC-creation code,
> and made me think about UPN and samAccountName values with spaces in
> them.  The attached patches fixes these cases as well.
> Attached is the whole series.  Please review/push when you are able.

Pushed with minor whitespace fixes
and splitting/reordering some patches.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: OpenPGP digital signature
URL: <>

More information about the samba-technical mailing list