eUPN and Kerberos PAC issues

Stefan (metze) Metzmacher metze at
Mon Mar 16 03:35:08 MDT 2015

Am 16.03.2015 um 01:48 schrieb Andrew Bartlett:
> On Sun, 2015-03-15 at 22:55 +0100, Stefan (metze) Metzmacher wrote:
>> Hi Andrew,
>>>>> I don't see the additional tests in your autobuild.  Are you planning on
>>>>> pushing those later?
>>>> There was a problem with the s4member env.
>>>> I've fixed the bug, see
>>>> and pushed everything.
>>> Thank you so much for looking into this, and sorry for the bother!
>>> I'm really pleased with how the KDC and our AD support is improving, and
>>> being validated.  Thanks for all your efforts in this area.
>> What about the following two patches.
> The gensec_gssapi patch looks reasonable, pushed.
> The second I would still really like a test for, because of how fragile
> this area is.

What happens currently is the following:

The given principal by the caller of samba_kdc_trust_message2entry() is
"krbtgt/S4XDOM.BASE at W2012R2-L4.BASE"
and we set entry_ex->entry.principal to "krbtgt/S4XDOM.BASE at S4XDOM.BASE".

The main _kdc_tgs_rep() uses krbtgt->entry->principal in tgs_build_reply(),
like this:

1763        /* Now refetch the primary krbtgt, and get the current kvno (the
1764         * sign check may have been on an old kvno, and the server may
1765         * have been an incoming trust) */
1766        ret = krb5_make_principal(context, &krbtgt_principal,
1769                                                                 1),
1770                                  KRB5_TGS_NAME,
(gdb) l
1773                                                                 1),
1774        if(ret) {
1775            kdc_log(context, config, 0,
1776                        "Failed to generate krbtgt principal");
1777            goto out;
1778        }
1780        ret = _kdc_db_fetch(context, config, krbtgt_principal,
HDB_F_GET_KRBTGT, NULL, NULL, &krbtgt_out);

krbtgt_principal is "krbtgt/S4XDOM.BASE at S4XDOM.BASE",
the realm of krbtgt->entry->principal doesn't matter.

krbtgt_out->entry.principal is also "krbtgt/S4XDOM.BASE at S4XDOM.BASE",
which is used to sign the PAC. While krbtgt->entry was used to validate
the PAC.

The only thing that differs seem to be confusing log messages and
confusing values seen within a debugger.
I don't know how we could test this automatically.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: OpenPGP digital signature
URL: <>

More information about the samba-technical mailing list