AS-REQ using SPN

Andrew Bartlett abartlet at samba.org
Wed Nov 15 17:51:54 UTC 2017


On Wed, 2017-11-15 at 10:53 +0100, Ralph Böhme via samba-technical
wrote:
> Hi Garming,
> 
> On Wed, Nov 15, 2017 at 11:34:18AM +1300, Garming Sam wrote:
> > I noticed that this behaviour of AS-REQ with a SPN was introduced a little
> > while ago. It asserted that this is in line with Windows, but I have been
> > making some attempts and have yet to see any Windows KDC manage to accept
> > such a request (so something is not quite right, or I'm missing something).
> > I've tried it against a 2008R2 and 2012R2 machine.
> 
> works here against Windows 2016:
> 
> [slow at kazak scratch]$ cat /etc/krb5.conf
> [libdefaults]
>         default_realm = RIVERSIDE.SITE
>         dns_lookup_realm = false
>         dns_lookup_kdc = false
> 
> [realms]
>         RIVERSIDE.SITE = {
>                  kdc = 10.10.11.14
>         }
> 
> [slow at kazak scratch]$ bin/samba4ktutil foo.keytab 
> foo/win2016.riverside.site at RIVERSIDE.SITE (des-cbc-crc)
> foo/win2016.riverside.site at RIVERSIDE.SITE (des-cbc-md5)
> foo/win2016.riverside.site at RIVERSIDE.SITE (arcfour-hmac-md5)
> foo/win2016.riverside.site at RIVERSIDE.SITE (aes256-cts-hmac-sha1-96)
> foo/win2016.riverside.site at RIVERSIDE.SITE (aes128-cts-hmac-sha1-96)
> 
> [slow at kazak scratch]$ bin/samba4kinit -k -t foo.keytab foo/win2016.riverside.site
> 
> [slow at kazak scratch]$ klist
> Ticket cache: FILE:/tmp/krb5cc_1000
> Default principal: foo/win2016.riverside.site at RIVERSIDE.SITE
> 
> Valid starting       Expires              Service principal
> 11/15/2017 10:51:12  11/15/2017 20:48:38  krbtgt/RIVERSIDE.SITE at RIVERSIDE.SITE
> 
> > I have also seen a Kerberos client attempt such a connection, but it fails
> > to do any useful work as the TGS request will fail due to HDB_F_GET_ANY not
> > being supplied (currently still HDB_F_GET_CLIENT) in subsequent database
> > fetch calls. Is there a particular use case I don't really understand here?
> 
> Iirc I somehow noticed the difference in behaviour.

Can you show me the full LDIF for that account, and if at all possible
a network capture?  

I know this seems overkill for something that 'just works', but I'm
writing tests to lock this down and am also having trouble reproducing
this.  (I'm aiming at Windows 2012R2 so far). 

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
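Andrew mentions writing tests to lock this behaviour down. A small helper in that spirit, added here and not part of Samba's code or of the thread, is a parser for the klist output quoted above that checks the two things the report turns on: that the default principal is a service principal (at least two name components, i.e. an SPN rather than a plain user) and that the cache holds a krbtgt ticket for that principal's realm, which is what a successful AS-REQ leaves behind. The sample output is constructed from the thread's klist listing with the archive's " at " rewritten back to the "@" that klist really prints; the function and field names are my own.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the klist output quoted in the thread.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: foo/win2016.riverside.site@RIVERSIDE.SITE

Valid starting       Expires              Service principal
11/15/2017 10:51:12  11/15/2017 20:48:38  krbtgt/RIVERSIDE.SITE@RIVERSIDE.SITE
"""

TIME_FMT = "%m/%d/%Y %H:%M:%S"  # klist's default timestamp layout in the sample


def parse_klist(text):
    """Parse klist output into {'principal': str|None, 'tickets': [dict]}."""
    principal = None
    tickets = []
    in_table = False
    for line in text.splitlines():
        m = re.match(r"Default principal:\s*(\S+)", line)
        if m:
            principal = m.group(1)
            continue
        if line.startswith("Valid starting"):
            in_table = True  # ticket rows follow this header
            continue
        if in_table and line.strip():
            m = re.match(r"(\S+ \S+)\s+(\S+ \S+)\s+(\S+)", line)
            if m:
                tickets.append({
                    "start": datetime.strptime(m.group(1), TIME_FMT),
                    "expires": datetime.strptime(m.group(2), TIME_FMT),
                    "service": m.group(3),
                })
    return {"principal": principal, "tickets": tickets}


def split_principal(name):
    """'foo/host@REALM' -> (['foo', 'host'], 'REALM'); realm is None if absent."""
    if "@" in name:
        local, realm = name.rsplit("@", 1)
    else:
        local, realm = name, None
    return local.split("/"), realm


def is_service_principal(name):
    """An SPN has a service component and an instance, e.g. foo/host."""
    comps, _ = split_principal(name)
    return len(comps) >= 2


def has_tgt(parsed):
    """True if the cache holds krbtgt/<realm>@<realm> for the default principal's realm."""
    if parsed["principal"] is None:
        return False
    _, realm = split_principal(parsed["principal"])
    for t in parsed["tickets"]:
        scomps, srealm = split_principal(t["service"])
        if scomps[0] == "krbtgt" and scomps[1:] == [realm] and srealm == realm:
            return True
    return False


def ticket_lifetime_seconds(ticket):
    """Lifetime of one parsed ticket row, in seconds."""
    return int((ticket["expires"] - ticket["start"]).total_seconds())


def spn_as_req_succeeded(text):
    """The check a test would make: an SPN as client principal, and a TGT obtained for it."""
    parsed = parse_klist(text)
    return (parsed["principal"] is not None
            and is_service_principal(parsed["principal"])
            and has_tgt(parsed))


if __name__ == "__main__":
    print(parse_klist(SAMPLE_KLIST))
    print("SPN AS-REQ succeeded:", spn_as_req_succeeded(SAMPLE_KLIST))
```

In a test harness the text would come from running klist against the cache that samba4kinit just filled; a cache whose default principal has no "/" component, or which holds only service tickets and no krbtgt entry, makes the check return False.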