[Samba] Identity change between pkinit and TGS
etienne.bagnoud at irovision.ch
Fri Oct 18 04:44:56 MDT 2013
I'm trying to set up the following configuration but encounter a problem.
I'm not sure if it's a normal behavior for samba 4.
I have a smartcard provided with a user principal name looking like
serial_number at domain. The serial number is in the form of
0000-0000-0000-0000. The domain, let's say "upn.example.com", doesn't
match my Samba Realm, that would be "realm.com". What's happening here
is during Kerberos pre-auth, it checks for 0000-0000-0000-0000
\@upn.example.com at REALM.COM which works fine. But during the TGS phase,
it checks only for 0000-0000-0000-0000 at REALM.COM and this entry is
missing in Kerberos. Log file shows this:
Kerberos: PKINIT pre-authentication succeeded -- 0000-0000-0000-0000
\@upn.example.com at REALM.COM using XXXX
Kerberos: TGS-REQ 0000-0000-0000-0000 at REALM.COM from
ipv4:10.0.0.5:62591 for host/XXX [canonicalize, renewable, forwardable]
gendb_search_v: DC=realm,DC=com NULL -> 1
Kerberos: Client no longer in database: 0000-0000-0000-0000 at REALM.COM
In order to have the pre-auth succeed I had to set an alternative UPN
suffix with Domain and Trust management tool and then change the user
name to the serial number and this suffix. I didn't do any specific
configuration; it's almost the same as the default one. Tests were done
on Samba 4.0.8 and 4.10.
Am I doing something wrong or is it something that must be corrected?
But to me it feels wrong to identify a given identity in pre-auth and a
different one for the ticket.
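The identity switch described in the post can be spotted in the KDC log itself. The following script is an added example, not code from the original post or from Samba: it correlates each "PKINIT pre-authentication succeeded" line with the TGS-REQ that follows and flags the case where the client principal presented at TGS time differs from the one the certificate authenticated. The log lines, realm, host and certificate name are constructed placeholders modelled on the thread (with the archive's " at " written back as "@").

```python
import re
from typing import Dict, List, Optional

# Constructed sample of Samba KDC log lines modelled on the thread. Heimdal
# escapes the inner '@' of an enterprise principal as '\@'.
SAMPLE_LOG = """\
Kerberos: PKINIT pre-authentication succeeded -- 0000-0000-0000-0000\\@upn.example.com@REALM.COM using CERT
Kerberos: TGS-REQ 0000-0000-0000-0000@REALM.COM from ipv4:10.0.0.5:62591 for host/XXX [canonicalize, renewable, forwardable]
Kerberos: Client no longer in database: 0000-0000-0000-0000@REALM.COM
"""

PKINIT_RE = re.compile(r"PKINIT pre-authentication succeeded -- (\S+)")
TGS_RE = re.compile(r"TGS-REQ (\S+) from (\S+)")
MISSING_RE = re.compile(r"Client no longer in database: (\S+)")


def split_principal(principal: str):
    """Split 'name@REALM' into (name, realm); a '\\@' inside name is not a separator."""
    parts = re.split(r"(?<!\\)@", principal)
    return "@".join(parts[:-1]), parts[-1]


def audit_kdc_log(log_text: str) -> List[Dict[str, object]]:
    """Return one finding per TGS-REQ whose client principal is not the
    principal that PKINIT just authenticated; mark it if the KDC then
    reported that client as missing from its database."""
    findings: List[Dict[str, object]] = []
    last_pkinit: Optional[str] = None
    for line in log_text.splitlines():
        m = PKINIT_RE.search(line)
        if m:
            last_pkinit = m.group(1)
            continue
        m = TGS_RE.search(line)
        if m and last_pkinit is not None:
            pk_name, pk_realm = split_principal(last_pkinit)
            tgs_name, tgs_realm = split_principal(m.group(1))
            if (pk_name, pk_realm) != (tgs_name, tgs_realm):
                findings.append({
                    "pkinit_identity": pk_name.replace("\\@", "@"),  # UPN from the cert
                    "tgs_client": m.group(1),                         # what the KDC looked up
                    "source": m.group(2),
                    "lookup_failed": False,
                })
            continue
        m = MISSING_RE.search(line)
        if m and findings and findings[-1]["tgs_client"] == m.group(1):
            findings[-1]["lookup_failed"] = True
    return findings
```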