On Tue, 2015-02-17 at 17:10 +0000, Sreekanth Nadendla wrote:
> Andrew, from the capture you have provided us
> (no-canon.enterprise.lc-realm.uc-user.krb5-realm.win2k.upn.pcap),
>
> Client sent Cname = [email protected] and the
> actual submitted Realm from the network capture is
> WIN2012R2.ABARTLET.WGTN.CAT-IT.CO.NZ. (It is not
> w2k12.abartlet.wgtn.cat-it.co.nz)
>
> The client did not ask for canonicalization.
> The KDC returned Cname [email protected] which
> is exactly what is sent
> The KDC returned Crealm WIN2012R2.ABARTLET.WGTN.CAT-IT.CO.NZ as expected.
>
> The realm is always normalized per RFC. It's just that if windows AD receives
> a mixed case realm name, then it will do a case insensitive comparison per
> MS-KILE 3.1.5.7 Internationalization and Case Sensitivity.
>
> I do not see short-form domain being changed to a DNS-based realm. Please let
> me know if I am missing something.

I'm sorry, I didn't raise that particular sub-case, because I thought
that it would follow out of a clearer explanation of the general case.

As you continue to insist that this area is all perfectly unusual, and
fits into an unintended (in my view) reading of the
non-canonicalisation case (that an infinite variety of principals would
be generated on the KDC, that all happen to share the same underlying
identity/username/password), I'm trying to make clear that the Windows
behaviour is special, under-documented and unique.

As demonstration please examine that, along with the case
transformation for the realm, canonicalisation or not, if you kinit for
user@SHORTDOMAIN, the ticket returned is for [email protected].

Thanks,

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

_______________________________________________
cifs-protocol mailing list
[email protected]
https://lists.samba.org/mailman/listinfo/cifs-protocol
