[Samba] smartcard login - multiple UPN suffixes

Marcelo Andrade mrrandrade at gmail.com
Mon Aug 31 22:35:02 UTC 2015

Hey folks!

I need to allow smartcard authentication of a third-party certificate
generated with a UPN that has a suffix that is not my domain name. From AD
literature, it's possible.

I followed these guidelines to make an additional UPN available for login:

But I'm missing something. Kerberos does a part of the job, but then fails
to find the user.

Kerberos: found MS UPN SAN: marcelo.rabelo-andrade at notmydomain
Kerberos: Found matching MS UPN SAN in certificate
Kerberos: PKINIT pre-authentication succeeded --
marcelo.rabelo-andrade\@notmydomain at MY.DOMAIN using CN=MARCELO ROCHA RABELO
DE ANDRADE,OU=Emissor of my certificate,C=BR

Up to this part, everything seems fine (note the login at notmydomain followed
by the @MY.DOMAIN).

But then, it derails:

Kerberos: TGS-REQ marcelo.rabelo-andrade at MY.DOMAIN from
ipv4: <> for
host/serpro1560071v1.receita.intranet at MY.DOMAIN [canonicalize, renewable,
[2015/08/31 18:46:49.021827,  3]
  Kerberos: Client no longer in database: marcelo.rabelo-andrade at MY.DOMAIN

If I run a kinit -E marcelo.rabelo-andrade at notmydomain, it works.

Any hints on the subject so I can pull it off? Am I missing something?
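The failure pattern in the quoted KDC log (PKINIT accepts the enterprise name `user\@suffix@REALM`, but the later lookup is for the bare `user@REALM` and fails) can be spotted automatically. The following is an added example, not code from the post or from Samba; the sample log text is constructed from the lines quoted above with the mailing list's "at" rendering restored to "@", and the service host name is a placeholder.

```python
import re

# Constructed sample modelled on the KDC log quoted in the post; not real output.
SAMPLE_LOG = """\
Kerberos: found MS UPN SAN: marcelo.rabelo-andrade@notmydomain
Kerberos: Found matching MS UPN SAN in certificate
Kerberos: PKINIT pre-authentication succeeded -- marcelo.rabelo-andrade\\@notmydomain@MY.DOMAIN using CN=...
Kerberos: TGS-REQ marcelo.rabelo-andrade@MY.DOMAIN from ipv4: <> for host/PLACEHOLDER-HOST@MY.DOMAIN [canonicalize, renewable,
Kerberos: Client no longer in database: marcelo.rabelo-andrade@MY.DOMAIN
"""

PKINIT_RE = re.compile(r"PKINIT pre-authentication succeeded -- (\S+)")
MISSING_RE = re.compile(r"Client no longer in database: (\S+)")


def split_enterprise(principal):
    """Split 'user\\@suffix@REALM' into (user, suffix, realm).

    A plain 'user@REALM' yields suffix None.  The KDC escapes the '@'
    inside an enterprise (alternate-UPN) name as '\\@', so the realm is
    everything after the last unescaped '@'."""
    realm_sep = principal.rfind("@")
    name, realm = principal[:realm_sep], principal[realm_sep + 1:]
    if "\\@" in name:
        user, suffix = name.split("\\@", 1)
        return user, suffix, realm
    return name, None, realm


def diagnose(log_text):
    """Return findings where PKINIT succeeded for an enterprise principal
    but the KDC afterwards looked up only the bare user@REALM and failed,
    i.e. the alternate UPN suffix was dropped instead of being mapped to
    an account."""
    accepted = {}  # (user, realm) -> UPN suffix PKINIT matched
    for m in PKINIT_RE.finditer(log_text):
        user, suffix, realm = split_enterprise(m.group(1))
        accepted[(user, realm)] = suffix
    findings = []
    for m in MISSING_RE.finditer(log_text):
        user, suffix, realm = split_enterprise(m.group(1))
        alt = accepted.get((user, realm))
        if alt and suffix is None:
            findings.append({"user": user, "upn_suffix": alt, "realm": realm,
                             "lookup_failed_for": m.group(1)})
    return findings
```

Running `diagnose(SAMPLE_LOG)` on the sample reports one finding for `marcelo.rabelo-andrade` with UPN suffix `notmydomain`, which is exactly the mismatch the post describes.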

