AS-REQ using SPN

Andrew Bartlett abartlet at samba.org
Wed Nov 15 17:54:01 UTC 2017


On Wed, 2017-11-15 at 10:03 +0000, Rowland Penny via samba-technical
wrote:
> On Wed, 15 Nov 2017 10:53:36 +0100
> Ralph Böhme via samba-technical <samba-technical at lists.samba.org> wrote:
> 
> > Hi Garming,
> > 
> > On Wed, Nov 15, 2017 at 11:34:18AM +1300, Garming Sam wrote:
> > > I noticed that this behaviour of AS-REQ with a SPN was introduced a
> > > little while ago. It asserted that this is in line with Windows,
> > > but I have been making some attempts and have yet to see any
> > > Windows KDC manage to accept such a request (so something is not
> > > quite right, or I'm missing something). I've tried it against a
> > > 2008R2 and 2012R2 machine.
> > 
> > works here against Windows 2016:
> > 
> > [slow at kazak scratch]$ cat /etc/krb5.conf
> > [libdefaults]
> >         default_realm = RIVERSIDE.SITE
> >         dns_lookup_realm = false
> >         dns_lookup_kdc = false
> > 
> > [realms]
> >         RIVERSIDE.SITE = {
> >                  kdc = 10.10.11.14
> >         }
> > 
> 
> Hi Ralph, would you like to try that again with the Samba recommended
> krb5.conf ?
> 
> Which is:
> 
> [libdefaults]
>         default_realm = RIVERSIDE.SITE
>         dns_lookup_realm = false
>         dns_lookup_kdc = true
> 

Rowland,

For Ralph's purposes his krb5.conf is perfectly OK, and is typical for
most developer configurations.  It is very similar to what I'm using
and has no impact on the tests he is doing for me. 

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba



