AS-REQ using SPN

Rowland Penny rpenny at samba.org
Wed Nov 15 18:04:26 UTC 2017


On Thu, 16 Nov 2017 06:54:01 +1300
Andrew Bartlett <abartlet at samba.org> wrote:

> On Wed, 2017-11-15 at 10:03 +0000, Rowland Penny via samba-technical
> wrote:
> > On Wed, 15 Nov 2017 10:53:36 +0100
> > Ralph Böhme via samba-technical <samba-technical at lists.samba.org>
> > wrote:
> > 
> > > Hi Garming,
> > > 
> > > On Wed, Nov 15, 2017 at 11:34:18AM +1300, Garming Sam wrote:
> > > > I noticed that this behaviour of AS-REQ with a SPN was
> > > > introduced a little while ago. It asserted that this is in line
> > > > with Windows, but I have been making some attempts and have yet
> > > > to see any Windows KDC manage to accept such a request (so
> > > > something is not quite right, or I'm missing something). I've
> > > > tried it against a 2008R2 and 2012R2 machine.
> > > 
> > > works here against Windows 2016:
> > > 
> > > [slow at kazak scratch]$ cat /etc/krb5.conf
> > > [libdefaults]
> > >         default_realm = RIVERSIDE.SITE
> > >         dns_lookup_realm = false
> > >         dns_lookup_kdc = false
> > > 
> > > [realms]
> > >         RIVERSIDE.SITE = {
> > >                  kdc = 10.10.11.14
> > >         }
> > > 
> > 
> > Hi Ralph, would you like to try that again with the Samba
> > recommended krb5.conf?
> > 
> > Which is:
> > 
> > [libdefaults]
> >         default_realm = RIVERSIDE.SITE
> >         dns_lookup_realm = false
> >         dns_lookup_kdc = true
> > 
> 
> Rowland,
> 
> For Ralph's purposes his krb5.conf is perfectly OK, and is typical for
> most developer configurations.  It is very similar to what I'm using
> and has no impact on the tests he is doing for me. 
> 
> Thanks,
> 
> Andrew Bartlett
> 

Excuse me, but aren't you the person that bangs on about tests for
Samba?
If so, shouldn't you be testing and using Samba in the way that Samba
recommends?
That includes what your krb5.conf contains. If, as you say, developers
are using a different krb5.conf, then shouldn't the default krb5.conf
be the same as the developers'?

Rowland
 


