krb auth weirdness found out
Sam Liddicott
sam at liddicott.com
Thu Apr 2 16:26:36 GMT 2009
* Sam Liddicott wrote, On 02/04/09 15:11:
> And I'll try to get to the
> bottom of the ASN.1 error.
>
Hmmm, wireshark says it is a kerberos error:

    error_code: KRB5KRB_AP_ERR_MODIFIED (41)
    Realm: GALAXY.TEST.DBAMSYSTEMS.LOCAL
    Server Name (Service and Host): host/star.galaxy.test.dbamsystems.local

where star is the original domain controller and mail server but doesn't
hold mail boxes any more, but I note that openchange dumps:

    mapiproxy::mapiproxy_op_dispatch: RfrGetNewDSA(0x0): 28 bytes
        RfrGetNewDSA: struct RfrGetNewDSA
            in: struct RfrGetNewDSA
                ulFlags : 0x00000000 (0)
                pUserDN : *
                    pUserDN : ''
                ppszUnused : NULL
                ppszServer : *
                    ppszServer : NULL
        RfrGetNewDSA: struct RfrGetNewDSA
            out: struct RfrGetNewDSA
                ppszUnused : NULL
                ppszServer : *
                    ppszServer : *
                        ppszServer : 'star.galaxy.test.dbamsystems.local'
                result : MAPI_E_SUCCESS (0x0)
    mapiproxy::mapiproxy_op_reply

However when I try a different username (that was created after the
mailbox move) I no longer get the ASN.1 error and I can specify the full
realm in smb.conf (with a patch as I suggested Julien, so that the
specified creds have the realm in), but I still get ppszServer set to
star, so it can't be the ppszServer that was causing mapiproxy to
connect get creds for the wrong machine causing the kerberos error.

HOWEVER I note that with this different username, when I click "Check
Name" in the control panel, it keeps changing back the exchange server
to the REAL exchange server and not the proxy!

aggh

Sam