[Samba] forest trust

ACR ACR acrsofter at gmail.com
Fri Jul 7 08:29:06 UTC 2017


samba-4.6.5

After setting up a transitive forest trust with win2008R2,
there are problems with processing GPO.
Some logs in Samba show problems with Kerberos constrained delegation:

Kerberos: TGS-REQ W7-WRK1$@SFB.TEST.SIP.OFFICE.GL from ipv4:192.168.100.22:50515 for w7-wrk1$\@SFB.TEST.SIP.OFFICE.GL at SFB.TEST.SIP.OFFICE.GL [canonicalize, request-anonymous, renewable, forwardable]
Kerberos: Bad request for constrained delegation
Kerberos: constrained delegation from W7-WRK1$@SFB.TEST.SIP.OFFICE.GL (w7-wrk1$\@SFB.TEST.SIP.OFFICE.GL at SFB.TEST.SIP.OFFICE.GL) as W7-WRK1$@SFB.TEST.SIP.OFFICE.GL to w7-wrk1$\@SFB.TEST.SIP.OFFICE.GL at SFB.TEST.SIP.OFFICE.GL not allowed
Kerberos: Failed building TGS-REP to ipv4:192.168.100.22:50515


The problem is with the constrained delegation check
in /kdc/krb5tgs.c,
function check_constrained_delegation:

    if (!krb5_realm_compare(context, client->entry.principal,
                            server->entry.principal)) {
        ret = KRB5KDC_ERR_BADOPTION;
        kdc_log(context, config, 0,
                "Bad request for constrained delegation");
        return ret;
    }

This function just does a strcmp of the realms (char*).

No idea why it failed.
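
A byte-wise realm comparison of the kind described above, applied to names shaped like those in the log. This is an added example, not part of the original post and not Samba or Heimdal code. The helper names principal_realm and same_realm are hypothetical, and the sample names are constructed on the assumption that the archive's " at " stands for "@".

```c
#include <stdio.h>
#include <string.h>

/* Return the realm of an unparsed principal name: the text after the
 * single '@' that is not escaped with a backslash. Returns NULL when
 * there is no realm or when a second unescaped '@' makes it malformed. */
static const char *principal_realm(const char *name)
{
    const char *realm = NULL;
    for (const char *p = name; *p != '\0'; p++) {
        if (*p == '\\' && p[1] != '\0') {
            p++;                    /* skip escaped character, e.g. "\@" */
        } else if (*p == '@') {
            if (realm != NULL)
                return NULL;        /* second unescaped '@' */
            realm = p + 1;
        }
    }
    return realm;
}

/* 1 if both names carry a realm and the realms are byte-for-byte equal
 * (case-sensitive, as with strcmp); 0 otherwise. */
static int same_realm(const char *a, const char *b)
{
    const char *ra = principal_realm(a);
    const char *rb = principal_realm(b);
    return ra != NULL && rb != NULL && strcmp(ra, rb) == 0;
}

int main(void)
{
    /* Constructed sample names modelled on the log lines in the post. */
    const char *client = "W7-WRK1$@SFB.TEST.SIP.OFFICE.GL";
    const char *server =
        "w7-wrk1$\\@SFB.TEST.SIP.OFFICE.GL@SFB.TEST.SIP.OFFICE.GL";
    /* Constructed variant: same realm written in lower case. */
    const char *lower = "w7-wrk1$@sfb.test.sip.office.gl";

    printf("client vs server: %d\n", same_realm(client, server));
    printf("client vs lower:  %d\n", same_realm(client, lower));
    return 0;
}
```

The escaped "\@" in the server name belongs to the name component, so the realm is taken after the final separator. A realm that differs only in case does not match.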

