[PATCH] Fix regression in samba-tool domain exportkeytab

Andrew Bartlett abartlet at samba.org
Sat Apr 30 21:01:35 UTC 2016


On Sat, 2016-04-30 at 22:51 +0200, Ralph Boehme wrote:
> On Sat, Apr 30, 2016 at 05:46:47PM +1200, Andrew Bartlett wrote:
> > I'm surprised by the kinit with SPN bit, but I can't find an
> > existing test that contradicts what you found.
> 
> I also tested authenticating as KRBTGT, Windows returns
> KRB5KDC_ERR_CLIENT_REVOKED in this case. We do as well, albeit
> returning a misleading error string, WIP fix is here:
> 
> <https://git.samba.org/?p=slow/samba.git;a=commitdiff;h=4bc7c812bf7ec05165d15fc03110139795b1df41>
> 
> Additionally, Windows KDC allows TGS-REQ with a TGT acquired as SPN
> as well, test and fix:
> 
> <https://git.samba.org/?p=slow/samba.git;a=commitdiff;h=80d5a654409490419bf2f1b02a39f4503102912e>
> <https://git.samba.org/?p=slow/samba.git;a=commitdiff;h=8cd5cb5ca1e8011fc6891d93e7b59a615d62d11f>
> 
> > ...
> > 
> > For the first 6 patches:
> > 
> > Reviewed-by: Andrew Bartlett <abartlet at samba.org>
> 
> the whole patchset has meanwhile been pushed, shall I revert the last
> two that allow the AS-REQ as SPN? I think they are correct and metze
> and Andreas both ACKed the change.

No need to do anything hasty, I just spent quite some time down an
adjacent rathole, and my experience is just that nothing is ever as it
seems.  It would be great if this can be probed a bit more with the
krb5.kdc tests.

The background is that about a year ago I was working on adding eUPN
support.  The patch given by another developer was just as simple.
However, in trying to prove it was correct we ended up not only with
many many more changes to actually get it right (matching Windows), but
also a quite complex testsuite to prove it.

So having done that, I'm just a bit sceptical that this is the whole
story.

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
