[Samba] smartcard login - multiple UPN suffixes

Marcelo Andrade mrrandrade at gmail.com
Mon Aug 31 22:35:02 UTC 2015


Hey folks!

I need to allow smartcard authentication of a third party certificate
generated with a UPN that has a suffix that is not my domain name. From AD
literature, it's possible.

I followed these guidelines to make an additional UPN available for login:
https://technet.microsoft.com/en-us/library/cc772007.aspx

But I'm missing something. Kerberos does a part of the job, but then fails
to find the user.

Kerberos: found MS UPN SAN: marcelo.rabelo-andrade at notmydomain
Kerberos: Found matching MS UPN SAN in certificate
Kerberos: PKINIT pre-authentication succeeded -- marcelo.rabelo-andrade\@notmydomain at MY.DOMAIN using CN=MARCELO ROCHA RABELO DE ANDRADE,OU=Emissor of my certificate,C=BR


Up to this part, everything seems fine (note the login at notmydomain followed
by the @MY.DOMAIN).

But then, it derails:

Kerberos: TGS-REQ marcelo.rabelo-andrade at MY.DOMAIN from ipv4:10.35.64.59:50639 for host/serpro1560071v1.receita.intranet at MY.DOMAIN [canonicalize, renewable, forwardable]
[2015/08/31 18:46:49.021827,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Client no longer in database: marcelo.rabelo-andrade at MY.DOMAIN


If I run a kinit -E marcelo.rabelo-andrade at notmydomain, it works
flawlessly.

Any hints on the subject so I can pull it off? Am I missing something?
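A small log check for the failure pattern quoted in this post, added here as an example; it is not part of the original message or of Samba. It scans Samba's Kerberos debug output for a PKINIT logon whose UPN suffix differs from the realm and then flags the follow-up "Client no longer in database" lookup for the same user under the bare realm name, which is the symptom described above. The sample log lines are constructed from the ones in the post (the list archive prints " at " where real logs print "@").

```python
import re

# Constructed sample of Samba AD DC Kerberos debug output, modelled on the lines
# quoted in the post. Real logs use "@"; the archive shows " at " instead.
SAMPLE_LOG = """\
[2015/08/31 18:46:48.900000,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: found MS UPN SAN: marcelo.rabelo-andrade@notmydomain
  Kerberos: Found matching MS UPN SAN in certificate
  Kerberos: PKINIT pre-authentication succeeded -- marcelo.rabelo-andrade\\@notmydomain@MY.DOMAIN using CN=MARCELO ROCHA RABELO DE ANDRADE,OU=Emissor of my certificate,C=BR
  Kerberos: TGS-REQ marcelo.rabelo-andrade@MY.DOMAIN from ipv4:10.35.64.59:50639 for host/serpro1560071v1.receita.intranet@MY.DOMAIN [canonicalize, renewable, forwardable]
[2015/08/31 18:46:49.021827,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Client no longer in database: marcelo.rabelo-andrade@MY.DOMAIN
  Kerberos: PKINIT pre-authentication succeeded -- alice@MY.DOMAIN using CN=ALICE,C=BR
"""

PKINIT_OK_RE = re.compile(r"Kerberos: PKINIT pre-authentication succeeded -- (\S+) using ")
NOT_IN_DB_RE = re.compile(r"Kerberos: Client no longer in database: (\S+)")


def split_principal(principal):
    """Split 'user\\@suffix@REALM' into ('user@suffix', 'REALM'), honouring the \\@ escape."""
    name, _, realm = principal.rpartition("@")
    return name.replace("\\@", "@"), realm


def find_lost_upn_suffixes(log_text, realm):
    """Return one finding per PKINIT logon with an alternate UPN suffix whose
    principal later fails the KDC database lookup as bare user@REALM."""
    pending = {}   # bare user name -> full UPN seen in a successful PKINIT
    findings = []
    for line in log_text.splitlines():
        m = PKINIT_OK_RE.search(line)
        if m:
            upn, princ_realm = split_principal(m.group(1))
            user, sep, suffix = upn.rpartition("@")
            if not sep:            # plain realm principal, no alternate UPN suffix
                continue
            if princ_realm.upper() == realm.upper() and suffix.upper() != realm.upper():
                pending[user] = upn
            continue
        m = NOT_IN_DB_RE.search(line)
        if m:
            name, princ_realm = split_principal(m.group(1))
            if princ_realm.upper() == realm.upper() and name in pending:
                findings.append({"upn": pending.pop(name), "lookup": m.group(1)})
    return findings


if __name__ == "__main__":
    for f in find_lost_upn_suffixes(SAMPLE_LOG, "MY.DOMAIN"):
        print("UPN suffix dropped before TGS lookup:", f["upn"], "->", f["lookup"])
```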

