AS-REQ using SPN
Ralph Böhme
slow at samba.org
Wed Nov 15 09:53:36 UTC 2017
Hi Garming,
On Wed, Nov 15, 2017 at 11:34:18AM +1300, Garming Sam wrote:
> I noticed that this behaviour of AS-REQ with a SPN was introduced a little
> while ago. It asserted that this is in line with Windows, but I have been
> making some attempts and have yet to see any Windows KDC manage to accept
> such a request (so something is not quite right, or I'm missing something).
> I've tried it against a 2008R2 and 2012R2 machine.
works here against Windows 2016:
[slow at kazak scratch]$ cat /etc/krb5.conf
[libdefaults]
        default_realm = RIVERSIDE.SITE
        dns_lookup_realm = false
        dns_lookup_kdc = false
[realms]
        RIVERSIDE.SITE = {
                kdc = 10.10.11.14
        }
[slow at kazak scratch]$ bin/samba4ktutil foo.keytab
foo/win2016.riverside.site@RIVERSIDE.SITE (des-cbc-crc)
foo/win2016.riverside.site@RIVERSIDE.SITE (des-cbc-md5)
foo/win2016.riverside.site@RIVERSIDE.SITE (arcfour-hmac-md5)
foo/win2016.riverside.site@RIVERSIDE.SITE (aes256-cts-hmac-sha1-96)
foo/win2016.riverside.site@RIVERSIDE.SITE (aes128-cts-hmac-sha1-96)
[slow at kazak scratch]$ bin/samba4kinit -k -t foo.keytab foo/win2016.riverside.site
[slow at kazak scratch]$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: foo/win2016.riverside.site@RIVERSIDE.SITE

Valid starting       Expires              Service principal
11/15/2017 10:51:12  11/15/2017 20:48:38  krbtgt/RIVERSIDE.SITE@RIVERSIDE.SITE
> I have also seen a Kerberos client attempt such a connection, but it fails
> to do any useful work as the TGS request will fail due to HDB_F_GET_ANY not
> being supplied (currently still HDB_F_GET_CLIENT) in subsequent database
> fetch calls. Is there a particular use case I don't really understand here?
IIRC I somehow noticed the difference in behaviour.
-slow
--
Ralph Boehme, Samba Team https://samba.org/
Samba Developer, SerNet GmbH https://sernet.de/en/samba/
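The kinit above only works because the keytab holds keys for the service principal that is being used as the *client* name in the AS-REQ; the ktutil listing is how you confirm that before trying it. The following is an added example, not code from the mail or from Samba: a minimal parser for the MIT/Heimdal keytab file format (version 0x0502) that lists each entry the way samba4ktutil does and reports which enctypes a given principal can be used with. The keytab bytes are constructed in the block itself (the principal and enctypes mirror the listing in the mail, the keys are dummy bytes and the timestamp is made up); the function names are this example's own. It also flags the single-DES entries, which modern KDCs and clients reject by default, so a kinit that negotiates down to them will fail even though the keytab "has" a key.

```python
"""Parse an MIT/Heimdal keytab (format 0x0502) and report per-principal enctypes.

Added example, not Samba code. The sample keytab below is constructed here:
same principal and enctypes as the ktutil listing in the mail, dummy keys.
"""
import struct

# RFC 3961 / RFC 4757 enctype numbers for the entries shown in the mail.
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac-md5",
}
WEAK_ENCTYPES = {1, 3}  # single DES: disabled by default on current KDCs and clients


def _counted(buf, off):
    """Read a counted octet string (uint16 length + bytes) at `off`."""
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    return buf[off:off + n], off + n


def _enc_counted(b):
    return struct.pack(">H", len(b)) + b


def build_keytab(entries):
    """Serialise (principal, enctype, kvno, key) tuples as a 0x0502 keytab.

    Only used to construct test data; name-type 1 is NT-PRINCIPAL and the
    timestamp is an arbitrary value from November 2017.
    """
    out = b"\x05\x02"
    for principal, enctype, kvno, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _enc_counted(realm.encode())
        body += b"".join(_enc_counted(c.encode()) for c in comps)
        body += struct.pack(">IIB", 1, 1510739472, kvno & 0xFF)
        body += struct.pack(">H", enctype) + _enc_counted(key)
        body += struct.pack(">I", kvno)  # optional 32-bit kvno, overrides the 8-bit one
        out += struct.pack(">i", len(body)) + body
    return out


def parse_keytab(data):
    """Return a list of dicts, one per entry, in file order."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    off, entries = 2, []
    while off < len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:            # negative size marks a hole left by a deleted entry
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(data, off)
            comps.append(c.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        (enctype,) = struct.unpack_from(">H", data, off)
        off += 2
        key, off = _counted(data, off)
        kvno = vno8
        if end - off >= 4:      # 32-bit kvno present; non-zero value wins
            (vno32,) = struct.unpack_from(">I", data, off)
            if vno32:
                kvno = vno32
        off = end
        entries.append({
            "principal": "/".join(comps) + "@" + realm.decode(),
            "name_type": name_type, "timestamp": timestamp,
            "kvno": kvno, "enctype": enctype, "key": key,
        })
    return entries


def format_entries(entries):
    """One line per entry, in the same shape as the samba4ktutil output."""
    return ["%s (%s)" % (e["principal"], ENCTYPE_NAMES.get(e["enctype"], str(e["enctype"])))
            for e in entries]


def enctypes_for(entries, principal):
    """Sorted enctypes a `kinit -k -t keytab principal` could use for its AS-REQ."""
    return sorted(e["enctype"] for e in entries if e["principal"] == principal)


def weak_entries(entries):
    """Entries whose enctype is single DES and so unusable against a default-config KDC."""
    return [e for e in entries if e["enctype"] in WEAK_ENCTYPES]


SPN = "foo/win2016.riverside.site@RIVERSIDE.SITE"
SAMPLE_KEYTAB = build_keytab([   # constructed: dummy key material, real key sizes
    (SPN, 1, 2, b"\x11" * 8),
    (SPN, 3, 2, b"\x22" * 8),
    (SPN, 23, 2, b"\x33" * 16),
    (SPN, 18, 2, b"\x44" * 32),
    (SPN, 17, 2, b"\x55" * 16),
])

if __name__ == "__main__":
    parsed = parse_keytab(SAMPLE_KEYTAB)
    print("\n".join(format_entries(parsed)))
    print("usable enctypes for %s: %s" % (SPN, enctypes_for(parsed, SPN)))
    print("single-DES entries: %d" % len(weak_entries(parsed)))
```

Point the parser at a real keytab with `parse_keytab(open("foo.keytab", "rb").read())`; if `enctypes_for` returns nothing but DES types for the SPN you intend to kinit as, the AS-REQ will not succeed regardless of the name-type question discussed above.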