[Samba] Identity change between pkinit and TGS

Etienne Bagnoud etienne.bagnoud at irovision.ch
Fri Oct 18 04:44:56 MDT 2013


Hi,

I'm trying to set up the following configuration but encounter a problem.
I'm not sure if it's a normal behavior for Samba 4.

I have a smartcard provided with a user principal name looking like
serial_number@domain. The serial number is in the form of
0000-0000-0000-0000. The domain, let's say "upn.example.com", doesn't
match my Samba Realm, that would be "realm.com". What's happening here
is during Kerberos pre-auth, it checks for
0000-0000-0000-0000\@upn.example.com@REALM.COM which works fine. But during the TGS phase,
it checks only for 0000-0000-0000-0000@REALM.COM and this entry is
missing in Kerberos. Log file shows this:

[...] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: PKINIT pre-authentication succeeded -- 0000-0000-0000-0000\@upn.example.com@REALM.COM using XXXX

[...] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: TGS-REQ 0000-0000-0000-0000@REALM.COM from
ipv4:10.0.0.5:62591 for host/XXX [canonicalize, renewable, forwardable]

[...] ../lib/util/util_ldb.c:60(gendb_search_v)
  gendb_search_v: DC=realm,DC=com NULL -> 1
[...] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Client no longer in database: 0000-0000-0000-0000@REALM.COM

In order to have the pre-auth succeed I had to set an alternative UPN
suffix with Domain and Trust management tool and then change the user
name to the serial number and this suffix. I didn't do any specific
configuration, it's almost the same as the default one, tests were done
on Samba 4.0.8 and 4.10.

Am I doing something wrong or is it something that must be corrected?
But to me it feels wrong to identify a given identity in pre-auth and a
different one for the ticket.

Thanks,
Etienne.
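A small check over KDC log lines like the ones quoted above, added here as an example that is not part of the original post or of Samba itself: it parses Heimdal-style escaped principals (a backslash protects the `@` inside an enterprise-style name) and flags a TGS-REQ whose client name is not the identity that PKINIT pre-authentication actually succeeded for. The sample log text is constructed in the shape of the post's lines, with the mailing-list archive's " at " munging undone.

```python
import re

# Constructed sample in the shape of the post's KDC debug output (not a real capture).
SAMPLE_LOG = """\
Kerberos: PKINIT pre-authentication succeeded -- 0000-0000-0000-0000\\@upn.example.com@REALM.COM using XXXX
Kerberos: TGS-REQ 0000-0000-0000-0000@REALM.COM from ipv4:10.0.0.5:62591 for host/XXX [canonicalize, renewable, forwardable]
Kerberos: Client no longer in database: 0000-0000-0000-0000@REALM.COM
"""

PKINIT_RE = re.compile(r"PKINIT pre-authentication succeeded -- (\S+) using")
TGS_RE = re.compile(r"TGS-REQ (\S+) from ")


def parse_principal(text):
    """Split a Heimdal-style principal string into (name, realm).

    A backslash escapes the following character, so '\\@' inside the
    name does not terminate it; the first unescaped '@' starts the realm.
    """
    name, i = [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            name.append(text[i + 1])
            i += 2
            continue
        if ch == "@":
            return "".join(name), text[i + 1:]
        name.append(ch)
        i += 1
    return "".join(name), ""


def find_identity_changes(log_text):
    """Return (pkinit_identity, tgs_client) pairs where the client named in a
    TGS-REQ differs from the identity PKINIT authenticated for the same user."""
    authenticated = {}  # name with any enterprise suffix stripped -> (name, realm)
    findings = []
    for line in log_text.splitlines():
        m = PKINIT_RE.search(line)
        if m:
            name, realm = parse_principal(m.group(1))
            # Key on the part before the enterprise '@' so a truncated TGS client still matches up.
            authenticated[name.split("@")[0]] = (name, realm)
            continue
        m = TGS_RE.search(line)
        if m:
            name, realm = parse_principal(m.group(1))
            key = name.split("@")[0]
            if key in authenticated and authenticated[key] != (name, realm):
                findings.append((authenticated[key], (name, realm)))
    return findings
```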