[Samba] Kerberos authentication on standalone server in MIT realm breaks after 4.11.6 -> 4.13.14 update

Ralph Boehme slow at samba.org
Fri Nov 26 10:16:52 UTC 2021

Hello Sebastien,

On 11/26/21 10:12, Chapiron Sebastien via samba wrote:
>    get_user_from_kerberos_info: Username MY.REALM\myuser is invalid on this system
> [2021/11/25 16:41:47.275194,  3, pid=162160, effective(0, 0), real(0, 0)] ../../source3/auth/auth_generic.c:222(auth3_generate_session_info_pac)

This looks like a regression introduced by the recent security fixes.
The attached patch should hopefully fix it.

Can you please give it a whirl and report back whether it fixes the 
issue for you?

As a quick solution it might be possible to use the username map script 
based on the example in


We're not sure this behaves identically, but it might work in the
standalone server case.


Ralph Boehme, Samba Team                 https://samba.org/
SerNet Samba Team Lead      https://sernet.de/en/team-samba
-------------- next part --------------
A non-text attachment was scrubbed...
Name: CVE-2020-25717-MIT-regression.patch
Type: text/x-patch
Size: 1828 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba/attachments/20211126/bcabd388/CVE-2020-25717-MIT-regression.bin>