Reason for removing sname check?
Tomas Kuthan
tomas.kuthan at oracle.com
Wed Oct 10 11:27:46 EDT 2012
Hi,
in MIT krb there used to be a check making sure that the principal name
of a keytab entry used to decode the enc-part of a ticket equals the sname from
that ticket. But this check went away with the following commit:
http://anonsvn.mit.edu/viewvc/krb5/trunk/src/lib/krb5/krb/rd_req_dec.c?r1=21179&r2=21690
(line 224).
Please, does anybody recall why?
Background:
this check seems to break interoperability between AD and Samba, at
least in our particular case:
DC: MS Windows Server 2008 AD
Samba server: Solaris 10
client: MS Windows XP
AD issues a KRB_APP_REQ ticket with sname 'cifs/<fqdn>'. But there is no
'cifs/*' principal in the Samba server keytab, and more importantly no
'cifs/*' principal can be seen on AD in the properties of the Samba
server computer entry.
If the check is in place, it fails and so does decoding of the ticket.
If the check is bypassed, the ticket gets decoded alright (using a
keytab entry for 'host/<fqdn>').
Thanks,
Tomas
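The two behaviours discussed in this post (strict sname-to-keytab-principal matching versus trying any keytab entry) can be modelled in a few lines. The following is an added example and not MIT krb5 code or Samba code: it replaces Kerberos ticket encryption with a toy HMAC tag so the "does this key decode the ticket" step is cheap, and every principal name, key, kvno and the 'cifs' to 'host' alias table are constructed for the example. It also goes a little beyond the post by adding an explicit alias table, so a service can accept a small, configured set of names rather than every key in the keytab.

```python
import hmac
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass(frozen=True)
class KeytabEntry:
    principal: str   # e.g. "host/samba.example.com@EXAMPLE.COM" (constructed)
    kvno: int
    key: bytes

@dataclass(frozen=True)
class ApReq:
    sname: str       # service principal named in the ticket
    kvno: int
    body: bytes      # toy stand-in for the ticket's plaintext
    enc_part: bytes  # toy stand-in for the encrypted part: HMAC(key, body)

def make_ticket(sname: str, kvno: int, key: bytes, body: bytes) -> ApReq:
    """Toy KDC: 'encrypt' the ticket by tagging the body under the service key."""
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return ApReq(sname, kvno, body, tag)

def key_decodes(entry: KeytabEntry, req: ApReq) -> bool:
    """Toy decrypt: the key 'decodes' the ticket iff its tag verifies."""
    expected = hmac.new(entry.key, req.body, hashlib.sha256).digest()
    return hmac.compare_digest(expected, req.enc_part)

def decode_ap_req(keytab: List[KeytabEntry], req: ApReq,
                  strict_sname: bool = True,
                  aliases: Optional[Dict[str, str]] = None) -> Optional[str]:
    """Return the keytab principal whose key decoded the ticket, or None.

    strict_sname=True  models the old check: the keytab entry's principal must
                       equal the ticket's sname (or a configured alias of it).
    strict_sname=False models the check being bypassed: any entry with the
                       right kvno is tried, whatever its principal name.
    """
    aliases = aliases or {}
    for entry in keytab:
        if entry.kvno != req.kvno:
            continue
        name_ok = (entry.principal == req.sname
                   or aliases.get(req.sname) == entry.principal)
        if strict_sname and not name_ok:
            continue
        if key_decodes(entry, req):
            return entry.principal
    return None

# Constructed sample data mirroring the post: the Samba keytab holds only
# 'host/<fqdn>', while AD issues a ticket for 'cifs/<fqdn>' encrypted under
# the same key (the observation the post makes, not a claim about AD internals).
HOST_KEY = b"\x11" * 32
OTHER_KEY = b"\x22" * 32
KEYTAB = [
    KeytabEntry("host/samba.example.com@EXAMPLE.COM", 2, HOST_KEY),
    KeytabEntry("nfs/samba.example.com@EXAMPLE.COM", 5, OTHER_KEY),
]
CIFS_TICKET = make_ticket("cifs/samba.example.com@EXAMPLE.COM", 2, HOST_KEY, b"client=alice")
ALIASES = {"cifs/samba.example.com@EXAMPLE.COM": "host/samba.example.com@EXAMPLE.COM"}

def scenario_strict() -> Optional[str]:
    """Old check in place: sname 'cifs/...' has no matching keytab entry."""
    return decode_ap_req(KEYTAB, CIFS_TICKET, strict_sname=True)

def scenario_bypassed() -> Optional[str]:
    """Check bypassed: the 'host/...' key happens to decode the ticket."""
    return decode_ap_req(KEYTAB, CIFS_TICKET, strict_sname=False)

def scenario_aliased() -> Optional[str]:
    """Strict check kept, but 'cifs/...' is explicitly allowed to use 'host/...'."""
    return decode_ap_req(KEYTAB, CIFS_TICKET, strict_sname=True, aliases=ALIASES)

if __name__ == "__main__":
    print("strict  :", scenario_strict())    # None: decoding fails
    print("bypassed:", scenario_bypassed())  # host/samba.example.com@EXAMPLE.COM
    print("aliased :", scenario_aliased())   # host/samba.example.com@EXAMPLE.COM
```

The alias table is the defender's middle ground: a keytab that holds keys for several unrelated services (here a constructed 'nfs/...' entry) would, with the check fully bypassed, let a ticket addressed to one service be decoded by another service's key, so naming the permitted equivalences explicitly keeps the acceptance surface visible and auditable.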