[Samba] RE: Delegation of authentication (S4U) and SAMBA

Andrew Bartlett abartlet at samba.org
Wed Feb 20 20:49:37 GMT 2008


On Tue, 2008-02-12 at 12:15 -0800, Ephi Dror wrote:
> Hello,
> 
> Does samba support the use of S4U?
> 
> What do we need to configure in SAMBA or krb5 to support getting a
> ticket obtained by S4U?  We are using 3.0.25 and krb5-1.4.1.
> 
> We are getting the following error:
> 
> decode_pac_data: Name in PAC [username at something1.something2.realmname]
> does not match principal name in ticket
> 
> The ticket could be different than the PAC name because the ticket was
> obtained using S4U extension.

As you have found out, the code does not currently allow this.  

Now that we are using the PAC, it shouldn't be too hard for you to
change things so that instead of requiring the two strings to
match, it takes the PAC in precedence (if available).

I suggest raising this on samba-technical.

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.
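
The change suggested in the reply above, sketched as an added example that is not part of the original message and is not Samba's code: the strict name comparison beside a PAC-precedence policy. The names `select_identity`, `struct auth_names` and `enum name_policy` are hypothetical, the sample principals are constructed, and the code assumes the caller has already verified the PAC signatures before setting `pac_verified`.

```c
#include <stdbool.h>
#include <stdio.h>
#include <strings.h>   /* strcasecmp (POSIX) */

/* Hypothetical names for illustration; these are not Samba's structures. */
enum name_policy { REQUIRE_MATCH, PAC_PRECEDENCE };

struct auth_names {
    const char *ticket_principal; /* client principal taken from the ticket */
    const char *pac_name;         /* user@realm built from the PAC; NULL if no PAC */
    bool pac_verified;            /* assumption: PAC signatures already checked */
};

/* Constructed sample: the two names differ, as in the error from the thread. */
static const struct auth_names SAMPLE_S4U = {
    "alice@EXAMPLE.COM", "alice@corp.example.com", true
};

/* Returns the name to authorize as, or NULL to reject the logon. */
const char *select_identity(const struct auth_names *n, enum name_policy policy)
{
    if (n == NULL || n->ticket_principal == NULL)
        return NULL;
    if (n->pac_name == NULL)            /* no PAC: fall back to the ticket */
        return n->ticket_principal;
    if (!n->pac_verified)               /* unverified PAC never supplies identity */
        return NULL;
    if (strcasecmp(n->pac_name, n->ticket_principal) == 0)
        return n->pac_name;             /* names agree under either policy */
    /* Names differ: the strict check rejects, PAC precedence accepts the PAC. */
    return policy == PAC_PRECEDENCE ? n->pac_name : NULL;
}

int main(void)
{
    const char *strict = select_identity(&SAMPLE_S4U, REQUIRE_MATCH);
    const char *pac = select_identity(&SAMPLE_S4U, PAC_PRECEDENCE);
    printf("require match : %s\n", strict ? strict : "(rejected)");
    printf("PAC precedence: %s\n", pac ? pac : "(rejected)");
    return 0;
}
```

Rejecting when `pac_verified` is false is a design choice of this sketch: once the PAC name overrides the ticket principal, the PAC becomes the sole source of identity, so an unchecked PAC cannot be allowed to supply it.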