[PATCH] Fix regression in samba-tool domain exportkeytab

Ralph Boehme slow at samba.org
Sat Apr 30 20:51:20 UTC 2016


On Sat, Apr 30, 2016 at 05:46:47PM +1200, Andrew Bartlett wrote:
> I'm surprised by the kinit with SPN bit, but I can't find an existing
> test that contradicts what you found.

I also tested authenticating as KRBTGT; Windows returns
KRB5KDC_ERR_CLIENT_REVOKED in this case. We do as well, albeit
returning a misleading error string. A WIP fix is here:

<https://git.samba.org/?p=slow/samba.git;a=commitdiff;h=4bc7c812bf7ec05165d15fc03110139795b1df41>

Additionally, the Windows KDC allows a TGS-REQ with a TGT acquired as SPN
as well. Test and fix:

<https://git.samba.org/?p=slow/samba.git;a=commitdiff;h=80d5a654409490419bf2f1b02a39f4503102912e>
<https://git.samba.org/?p=slow/samba.git;a=commitdiff;h=8cd5cb5ca1e8011fc6891d93e7b59a615d62d11f>

> ...
>
> For the first 6 patches:
> 
> Reviewed-by: Andrew Bartlett <abartlet at samba.org>

The whole patchset has meanwhile been pushed. Shall I revert the last
two that allow the AS-REQ as SPN? I think they are correct and metze
and Andreas both ACKed the change.

Cheerio!
-slow


