AS-REQ using SPN

Garming Sam garming at
Tue Nov 14 22:34:18 UTC 2017


I noticed that this behaviour of AS-REQ with a SPN was introduced a 
little while ago. It asserted that this is in line with Windows, but I 
have been making some attempts and have yet to see any Windows KDC 
manage to accept such a request (so something is not quite right, or I'm 
missing something). I've tried it against a 2008R2 and 2012R2 machine.

I have also seen a Kerberos client attempt such a connection, but it 
fails to do any useful work as the TGS request will fail due to 
HDB_F_GET_ANY not being supplied (currently still HDB_F_GET_CLIENT) in 
subsequent database fetch calls. Is there a particular use case I don't 
really understand here? The client seemed to work previously, so I can 
only assume that when it used to fail, it triggered a fallback instead. 
The only way to make it proceed is adding an additional host/XXXX at REALM in 
the userPrincipalName, which refuses to be set across LDAP in the 
Windows versions I've tried (but works on Samba).

Patch made to Heimdal to allow this behaviour:

Commit ID: 20dc68050df7b1b0c9d06f8251183a0a6283fcaf

     s4/heimdal: allow SPNs in AS-REQ

     This allows testing keytabs with service tickets. Windows KDCs allow
     this as well.

     Signed-off-by: Ralph Boehme <slow at>
     Reviewed-by: Andreas Schneider <asn at>
