KRB_AP_ERR_MODIFIED in session setup to trusted domain ?
Andrew Bartlett
abartlet at samba.org
Sun Oct 23 12:12:49 GMT 2005
On Sun, 2005-10-23 at 13:31 +0200, Volker Lendecke wrote:
> Hi Andrew!
>
> When I apply
>
> Index: winbind/wb_sid2domain.c
> ===================================================================
> --- winbind/wb_sid2domain.c (Revision 11245)
> +++ winbind/wb_sid2domain.c (Arbeitskopie)
> @@ -186,7 +186,7 @@
> state->result->schannel_creds = cli_credentials_init(state->result);
> if (composite_nomem(state->result->schannel_creds, state->ctx)) return;
> cli_credentials_set_conf(state->result->schannel_creds);
> - cli_credentials_set_anonymous(state->result->schannel_creds);
> + cli_credentials_set_machine_account(state->result->schannel_creds);
>
> talloc_steal(state->service, state->result);
> DLIST_ADD(state->service->domains, state->result);
>
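Review bot: the added cli_credentials_set_machine_account() call on the + line discards its result, whereas the allocation two lines above it is checked with composite_nomem(). If loading the machine account can fail, state->result is still handed to talloc_steal() and DLIST_ADD() with credentials that were never filled in, so check the result and fail the composite request at that point. A one-line comment saying why the machine account replaces anonymous credentials would also help, since the swap changes how the connection to the trusted domain authenticates.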
> current winbind4 starts to connect to trusted domains using a Kerberos session
> setup. I'm getting the attached sniff, the target machine complains that I have
> messed with something.
>
> What am I doing wrong?
Nothing, as far as I can tell.
It looks to me like Samba is asking for the right principal, but the
win2k DC is canonicalising the response into a ticket for the krbtgt on
the trusted realm.
Basically, we need to get proper and/or win2k3 compatible
canonicalisation support into Heimdal.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Samba Developer, SuSE Labs, Novell Inc. http://suse.de
Authentication Developer, Samba Team http://samba.org
Student Network Administrator, Hawker College http://hawkerc.net