[PATCH] Fix spnego with machine$@DOMAIN
Andreas Schneider
asn at samba.org
Thu Dec 1 14:40:07 UTC 2016
On Thursday, 1 December 2016 13:11:02 CET Andreas Schneider wrote:
> Hello,
>
> If you join a domain with Kerberos (MIT) you get the following error:
>
> samba-cli01:~ # net ads join -k
> Kinit for SAMBA-CLI01$@EARTH to access WINSRV-DC02.earth.milkyway.site
> failed: KDC reply did not match expectations
>
> The reason is that after the latest changes to libsmb we use:
>
> SAMBA-CLI01$@EARTH
>
> as the principal for kinit. Windows allows using the domain name (NetBIOS
> name) in the principal, but for that you need to turn on canonicalization
> support. We do not do that if Samba is compiled with MIT Kerberos.
>
>
> The attached patch is part of my MIT KDC working branch since last year, I
> think it is time to push it to master :)
>
>
> Please review and push!

Metze asked me to create a bug so we also backport this.

https://bugzilla.samba.org/show_bug.cgi?id=12457

Patch has been updated with the BUG URL added.

Andreas

--
Andreas Schneider GPG-ID: CC014E3D
Samba Team asn at samba.org
www.samba.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-s3-libads-Fix-canonicalization-support-with-MIT-Kerb.patch
Type: text/x-patch
Size: 1739 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20161201/f9aba697/0001-s3-libads-Fix-canonicalization-support-with-MIT-Kerb.bin>