eUPN and Kerberos PAC issues

Stefan (metze) Metzmacher metze at
Thu Mar 12 04:06:00 MDT 2015

Am 12.03.2015 um 10:28 schrieb Andrew Bartlett:
> On Thu, 2015-03-12 at 09:05 +0100, Stefan (metze) Metzmacher wrote:
>> Hi Andrew,
>>>>> I noticed it only because the PAC in the AS-REP and referral ticket where
>>>>> generated by a Windows 2012R2 KDC and the samba/heimdal kdc
>>>>> fails to verify the PAC in the TGS-REQ.
>>>>> I'll have a look at the patches later, thanks!
>>>>> metze
>>>> Thanks.  It seems I broke samba4.local.pac, so I'll investigate that
>>>> tomorrow if it isn't obvious to you.
>>> This showed up that we got things wrong in our old PAC-creation code,
>>> and made me think about UPN and samAccountName values with spaces in
>>> them.  The attached patches fixes these cases as well.
>>> Attached is the whole series.  Please review/push when you are able.
>> Pushed with minor whitespace fixes
>> and splitting/reordering some patches.
> I don't see the additional tests in your autobuild.  Are you planning on
> pushing those later?

There was a problem with the s4member env.

I've fixed the bug, see;a=commitdiff;h=272ab25b540f8e2a718fbdff5acc6e73798fc415
and pushed everything.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: OpenPGP digital signature
URL: <>

More information about the samba-technical mailing list