Hello Andrew,
In your response below, you said "No, it isn't". I
take it that you are saying kinit.exe user@SHORTDOMAIN could result in a
principal that has a different REALM than what was specified in the request and 
this leads to name mismatch.  If I am correct in my understanding of the 
problem description here, all I am saying is the request over the wire never 
sent SHORTDOMAIN as Crealm which you can see from the trace.  

It is just that the kinit.exe output is misleading you into thinking that the 
short-form domain got changed by Windows AD to a different DNS-based realm.  
Let me know your thoughts on this. Note that the explanation offered is based 
on the trace you gave us and we don't have a local repro identical to yours. 
Also want to add that we can set up test cases for all scenarios except the
custom one which uses Enterprise names without Canonicalization. 

At this time it is my understanding that you are NOT blocked with your 
implementation but only trying to bring more clarity to the specs. Let me know 
otherwise. 



Regards,
Sreekanth Nadendla
Microsoft Windows Open Specifications

-----Original Message-----
From: Andrew Bartlett [mailto:[email protected]] 
Sent: Tuesday, February 17, 2015 11:31 PM
To: Sreekanth Nadendla
Cc: MSSolve Case Email; [email protected]
Subject: Re: [cifs-protocol] 114121712176508 MS-KILE Behaviour for client 
principal name in service tickets

On Wed, 2015-02-18 at 04:19 +0000, Sreekanth Nadendla wrote:
> Andrew,  when you execute kinit user@SHORTDOMAIN, the outgoing AS 
> request uses string user@SHORTDOMAIN as Cname but still would be sent 
> with proper realm name i.e. Crealm is still 
> WIN2012R2.ABARTLET.WGTN.CAT-IT.CO.NZ.

No, it isn't.  I'm not talking about enterprise here, these are normal 
KRB5_NT_PRINCIPAL names.

Andrew Bartlett

--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba



