AS-REQ using SPN
garming at catalyst.net.nz
Tue Nov 14 22:34:18 UTC 2017
I noticed that this behaviour of AS-REQ with a SPN was introduced a
little while ago. It asserted that this is in line with Windows, but I
have been making some attempts and have yet to see any Windows KDC
manage to accept such a request (so something is not quite right, or I'm
missing something). I've tried it against a 2008R2 and 2012R2 machine.
I have also seen a Kerberos client attempt such a connection, but it
fails to do any useful work as the TGS request will fail due to
HDB_F_GET_ANY not being supplied (currently still HDB_F_GET_CLIENT) in
subsequent database fetch calls. Is there a particular use case I don't
really understand here? The client seemed to work previously, so I can
only assume that when it used to fail, it triggered a fallback instead.
The only way to make it proceed is adding an additional host/XXXX@REALM in
the userPrincipalName, which refuses to be set across LDAP in the
Windows versions I've tried (but works on Samba).
Patch made to Heimdal to allow this behaviour:
Commit ID: 20dc68050df7b1b0c9d06f8251183a0a6283fcaf
s4/heimdal: allow SPNs in AS-REQ
This allows testing keytabs with service tickets. Windows KDCs allow
this as well.
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
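The lookup behaviour described in the post, as an added toy model (not Samba or Heimdal code): a simplified HDB fetch where the attribute that matched decides whether an entry may act as client, server or krbtgt; the flag values are assumed from Heimdal's hdb.h, only the flag names come from the post, and the directory contents are constructed.

```python
from dataclasses import dataclass, field

# Flag values are an assumption modeled on Heimdal's hdb.h; the names are from the post.
HDB_F_GET_CLIENT = 0x04
HDB_F_GET_SERVER = 0x08
HDB_F_GET_KRBTGT = 0x10
HDB_F_GET_ANY = HDB_F_GET_CLIENT | HDB_F_GET_SERVER | HDB_F_GET_KRBTGT

REALM = "EXAMPLE.COM"
HOST_SPN = f"host/srv1.example.com@{REALM}"

@dataclass
class Account:
    sam: str                                   # sAMAccountName-style client identity
    spns: list = field(default_factory=list)   # servicePrincipalName values
    upns: list = field(default_factory=list)   # userPrincipalName values

# Constructed sample directory: a user, a machine account with a host SPN, and krbtgt.
SAMPLE_DB = [
    Account("alice", upns=[f"alice@{REALM}"]),
    Account("srv1$", spns=[HOST_SPN]),
    Account("krbtgt", spns=[f"krbtgt/{REALM}@{REALM}"]),
]

class HdbError(Exception):
    pass

def hdb_fetch(db, principal, flags):
    """Model of a KDC database fetch: the matching attribute decides the allowed role."""
    for acct in db:
        if flags & HDB_F_GET_KRBTGT and principal.startswith("krbtgt/") and principal in acct.spns:
            return acct
        if flags & HDB_F_GET_CLIENT and (principal == f"{acct.sam}@{REALM}" or principal in acct.upns):
            return acct
        if flags & HDB_F_GET_SERVER and principal in acct.spns:
            return acct
    raise HdbError(f"{principal} not found with flags {flags:#04x}")

def add_upn(db, sam, upn):
    """Return a copy of db where account `sam` also carries `upn` in userPrincipalName."""
    return [Account(a.sam, list(a.spns), list(a.upns) + ([upn] if a.sam == sam else [])) for a in db]

def exchange(db, cname, sname, as_client_flags=HDB_F_GET_ANY):
    """Run the AS exchange, then the TGS exchange, and report which lookup rejects it."""
    try:
        hdb_fetch(db, cname, as_client_flags)          # AS-REQ: client lookup
    except HdbError:
        return "AS-REQ rejected"
    try:
        hdb_fetch(db, cname, HDB_F_GET_CLIENT)         # TGS-REQ: client re-fetched as client only
        hdb_fetch(db, sname, HDB_F_GET_SERVER)         # TGS-REQ: requested service
    except HdbError:
        return "TGS-REQ rejected"
    return "ok"
```

With the AS path opened to any entry, the SPN gets a TGT but the later TGS fetch still rejects it; only listing the SPN as a userPrincipalName, as the post describes, lets the model proceed.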