[PATCH] Fix spnego with machine$@DOMAIN
Andreas Schneider
asn at samba.org
Thu Dec 1 12:11:02 UTC 2016
Hello,
if you join a domain with Kerberos (MIT) you get the following error:
samba-cli01:~ # net ads join -k
Kinit for SAMBA-CLI01$@EARTH to access WINSRV-DC02.earth.milkyway.site failed:
KDC reply did not match expectations
The reason is that after the latest changes to libsmb we use:
SAMBA-CLI01$@EARTH
as the principal for kinit. Windows allows to use the domain name (netbios
name) in the principal but for that you need to turn on canonicalization
support. We do not do that if Samba is compiled with MIT Kerberos.
The attached patch is part of my MIT KDC working branch since last year, I
think it is time to push it to master :)
Please review and push!
Thanks,
Andreas
--
Andreas Schneider GPG-ID: CC014E3D
Samba Team asn at samba.org
www.samba.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-s3-libads-Fix-canonicalization-support-with-MIT-Kerb.patch
Type: text/x-patch
Size: 1623 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20161201/e5ecf0a5/0001-s3-libads-Fix-canonicalization-support-with-MIT-Kerb.bin>
More information about the samba-technical
mailing list