Andrew, when you execute kinit user@SHORTDOMAIN, the outgoing AS request uses the string user@SHORTDOMAIN as Cname but would still be sent with the proper realm name, i.e. Crealm is still WIN2012R2.ABARTLET.WGTN.CAT-IT.CO.NZ. Perhaps this is making you think that the Windows AD switched the realm part from SHORTDOMAIN to REALM.COM. Also note that the AS response would also have the same Crealm and not SHORTDOMAIN.

If you think I am missing something here, can you point me to the fields in the network trace or any other supporting data?

Regards,
Sreekanth Nadendla
Microsoft Windows Open Specifications

-----Original Message-----
From: Andrew Bartlett [mailto:[email protected]]
Sent: Tuesday, February 17, 2015 1:24 PM
To: Sreekanth Nadendla
Cc: MSSolve Case Email; [email protected]
Subject: Re: [cifs-protocol] 114121712176508 MS-KILE Behaviour for client principal name in service tickets

On Tue, 2015-02-17 at 17:10 +0000, Sreekanth Nadendla wrote:
> Andrew, from the capture you have provided us
> (no-canon.enterprise.lc-realm.uc-user.krb5-realm.win2k.upn.pcap),
>
> Client sent Cname = [email protected]
> and the actual submitted Realm from the network capture is
> WIN2012R2.ABARTLET.WGTN.CAT-IT.CO.NZ. (It is not
> w2k12.abartlet.wgtn.cat-it.co.nz)
>
> The client did not ask for canonicalization.
> The KDC returned Cname [email protected], which is exactly what is sent.
> The KDC returned Crealm WIN2012R2.ABARTLET.WGTN.CAT-IT.CO.NZ as expected.
>
> The realm is always normalized per RFC. It's just that if Windows AD receives
> a mixed-case realm name, then it will do a case-insensitive comparison per
> MS-KILE 3.1.5.7 Internationalization and Case Sensitivity.
>
> I do not see the short-form domain being changed to a DNS-based realm. Please let
> me know if I am missing something.

I'm sorry, I didn't raise that particular sub-case, because I thought that it would follow out of a clearer explanation of the general case.

As you continue to insist that this area is all perfectly unusual, and fits into an unintended (in my view) reading of the non-canonicalisation case (that an infinite variety of principals would be generated on the KDC, that all happen to share the same underlying identity/username/password), I'm trying to make clear that the Windows behaviour is special, under-documented and unique.

As a demonstration, please examine that, along with the case transformation for the realm, canonicalisation or not, if you kinit for user@SHORTDOMAIN, the ticket returned is for [email protected].

Thanks,

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba

_______________________________________________
cifs-protocol mailing list
[email protected]
https://lists.samba.org/mailman/listinfo/cifs-protocol
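The thread turns on which DER fields of the AS-REQ carry "user@SHORTDOMAIN" (the cname name-string) versus the realm actually submitted. The following is an added example, not code from either correspondent or from Samba: it encodes a constructed KDC-REQ-BODY fragment the way an enterprise-name kinit would (cname name-type 10, NT-ENTERPRISE, realm set to the thread's full realm), decodes it back, and applies the case-insensitive realm comparison the thread cites from MS-KILE 3.1.5.7. The kdc-options bit string is an arbitrary placeholder.

```python
# Added example (not from the thread): encode the cname/realm part of an AS-REQ
# the way an enterprise-name kinit does, then decode it to show which DER fields
# carry "user@SHORTDOMAIN" (cname) and the full realm (realm). RFC 4120 layout.

NT_ENTERPRISE = 10  # PrincipalName name-type for "user@suffix" (UPN-style) names

def tlv(tag, body):
    return bytes([tag, len(body)]) + body  # short-form DER length only (< 128)

def kstring(s): return tlv(0x1B, s.encode("ascii"))  # KerberosString = GeneralString
def ctx(n, body): return tlv(0xA0 | n, body)          # context-specific [n] EXPLICIT tag

def principal_name(name_type, parts):
    return tlv(0x30, ctx(0, tlv(0x02, bytes([name_type])))
               + ctx(1, tlv(0x30, b"".join(kstring(p) for p in parts))))

def kdc_req_body_fragment(cname, realm, name_type=NT_ENTERPRISE):
    # Constructed fragment: only kdc-options [0], cname [1], realm [2]; a real
    # KDC-REQ-BODY continues with sname, till, nonce, etype (omitted here).
    options = ctx(0, tlv(0x03, b"\x00\x40\x81\x00\x10"))  # BIT STRING, arbitrary
    return tlv(0x30, options + ctx(1, principal_name(name_type, [cname]))
               + ctx(2, kstring(realm)))

def parse_tlv(buf, off):
    tag, ln, off = buf[off], buf[off + 1], off + 2
    if ln & 0x80:  # long-form length, as real captures use
        n = ln & 0x7F
        ln, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + ln], off + ln

def children(buf):
    off, out = 0, []
    while off < len(buf):
        tag, body, off = parse_tlv(buf, off)
        out.append((tag, body))
    return out

def extract_cname_realm(req_body):
    # Returns ((name-type, [name-string components]), realm) from a KDC-REQ-BODY.
    cname = realm = None
    for tag, inner in children(parse_tlv(req_body, 0)[1]):
        if tag == 0xA1:  # cname [1] PrincipalName
            (_, nt), (_, ns) = children(parse_tlv(inner, 0)[1])
            strings = [b.decode() for _, b in children(parse_tlv(ns, 0)[1])]
            cname = (parse_tlv(nt, 0)[1][0], strings)
        elif tag == 0xA2:  # realm [2] Realm
            realm = parse_tlv(inner, 0)[1].decode()
    return cname, realm

def realm_matches(requested, returned):
    return requested.upper() == returned.upper()  # case-insensitive per MS-KILE 3.1.5.7
```

Running extract_cname_realm over the fragment shows the "@SHORTDOMAIN" suffix living entirely inside the cname name-string while the realm field carries the full realm, which is the distinction the reply above is drawing.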
