List: cifs-protocol
Subject: [cifs-protocol] 114121712176508 MS-KILE Behaviour for client principal name in service tickets
From: Sreekanth Nadendla <srenaden () microsoft ! com>
Date: 2014-12-19 20:25:20
Message-ID: BY2PR03MB127C940DA3E47D4C88B0C9BC56B0 () BY2PR03MB127 ! namprd03 ! prod ! outlook ! com
Hello Andrew,
I will be assisting you with this issue. I have a couple of questions to ensure that we both are reproducing the same issue.
On the Windows domain controller, you could open "Active Directory Users and Computers" and view the properties for the account Administrator. By default, the field "User logon name" is empty. So when you say you have set the userPrincipalName to admin@win2012r2.abartlet.wgtn.cat-it.co.nz, you have specified "admin" in the field "User logon name" and chose the FQDN win2012r2.abartlet.wgtn.cat-it.co.nz from the dropdown for domain. Correct?
I am using kinit.exe from the Java Development Kit, which does not support the -enterprise option. I will look for an alternative that works on Windows and supports the -enterprise option.
I've created a user as follows on my test win2k12 R2 AD. Note that the letter J is a capital letter, and the UPN is Jenny2 while the sAMAccountName is Jenny3.

Property            Value
------------------  --------------------
name                Jennifer Klick
sAMAccountName      Jenny3
userPrincipalName   Jenny2@379135DOM.lab
C:\Program Files\Java\jdk1.8.0_25\jre\bin>kinit.exe jenny2   (here j is lower case)
New ticket is stored in cache file.
C:\Program Files\Java\jdk1.8.0_25\jre\bin>klist.exe
Default principal: jenny2@379135DOM.LAB   (Just like you found, the supplied name is kept as is.)
I would like to know what you will see in your environment if you were to create the same account Jennifer as described, execute the following, and check the output of klist.exe. I am assuming you use klist.exe to verify; if not, can you use it to see if your method yields the same results seen from klist.exe? Please let me know. Also note the case of the letter J in each of the commands below:
kinit -enterprise jenny2@yourdomain
kinit -enterprise Jenny2@yourdomain
kinit -enterprise jenny3@yourdomain
kinit -enterprise Jenny3@yourdomain
kinit -enterprise jenny2
kinit -enterprise Jenny3
kinit -enterprise Jenny2
kinit -enterprise Jenny3
Regards,
Sreekanth Nadendla
Microsoft Windows Open Specifications
-----Original Message-----
From: Andrew Bartlett [mailto:abartlet@samba.org]
Sent: Tuesday, December 16, 2014 10:21 PM
To: Interoperability Documentation Help
Cc: cifs-protocol@samba.org
Subject: MS-KILE Behaviour for client principal name in service tickets
G'Day,
I'm trying to pin down a behaviour of the Windows 2012R2 (and probably all) AD DC, with regard to the client principal name that is encrypted into the service tickets issued to services.
While AD uses the PAC exclusively as its measure of identity, unix-based services typically use the result of gss_display_name() on the client name returned from gss_accept_sec_context().
This is the client principal name encrypted into the Kerberos service ticket by the KDC, and decrypted with the service keytab entry.
I've noticed a curious number of variations in the principal name that is returned here. This concerns me, because ideally this should have consistently matched samAccountName, to allow a stable identity to be matched on the service side. With a krb5.conf having:

[libdefaults]
default_realm = WIN2012R2.ABARTLET.WGTN.CAT-IT.CO.NZ
The administrator user has a userPrincipalName of admin@w2k12.abartlet.wgtn.cat-it.co.nz
Then here are the names (cut off before the realm, which is always @WIN2012R2.ABARTLET.WGTN.CAT-IT.CO.NZ as far as I observe) the server decrypts out of the ticket, after each of these kinit commands:
kinit administrator
administrator
kinit --enterprise admin@w2k12.abartlet.wgtn.cat-it.co.nz
Administrator
kinit Administrator
Administrator
kinit ADMINISTRATOR
ADMINISTRATOR
kinit --enterprise administrator
Administrator
kinit --enterprise ADMINISTRATOR
Administrator
The point is, when an NT-Principal name is supplied by kinit, it is kept identically; however, when an enterprise name is supplied, it is always overwritten with the samAccountName.
Additionally, I checked what happens if I set the userPrincipalName to admin@win2012r2.abartlet.wgtn.cat-it.co.nz
kinit admin@WIN2012R2.ABARTLET.WGTN.CAT-IT.CO.NZ
admin
This is a surprising result. It means that, apparently, we cannot rely on the username returned from Kerberos to either case sensitively or insensitively match the samAccountName.
Can you please confirm if my understanding is correct, and where this is documented in MS-KILE, as I can't find any reference to this behaviour at all.
Thanks,
--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
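Added example (Python, not code from this thread, from Samba, or from Microsoft): a service-side resolver that maps the client name decrypted from a service ticket onto a directory account, given the behaviour Andrew reports above (NT-PRINCIPAL names kept as typed in any case, or as a UPN prefix; enterprise names canonicalised to sAMAccountName). The directory contents are constructed to mirror the thread, and the case-insensitive matching, the UPN-local-part fallback, the realm check and the ambiguity rule are assumptions about how a robust service might behave, not anything the thread prescribes.

```python
"""Map a Kerberos client principal (as gss_display_name() would print it) to an account.

Added example, not from the thread. It shows why a plain string compare against
sAMAccountName fails for the names observed above: 'administrator', 'ADMINISTRATOR'
and 'admin' all denote the Administrator account.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

REALM = "WIN2012R2.ABARTLET.WGTN.CAT-IT.CO.NZ"  # realm seen in the thread


@dataclass(frozen=True)
class Account:
    sam_account_name: str
    user_principal_name: str  # UPN; its suffix may differ from the realm


# Constructed directory mirroring the two accounts discussed in the thread.
DIRECTORY: List[Account] = [
    Account("Administrator", "admin@win2012r2.abartlet.wgtn.cat-it.co.nz"),
    Account("Jenny3", "Jenny2@379135DOM.lab"),
]


def split_principal(principal: str) -> Tuple[str, str]:
    """Split 'name@REALM' on the last '@'; the realm part may be absent."""
    name, sep, realm = principal.rpartition("@")
    return (name, realm) if sep else (principal, "")


def resolve_account(client_principal: str,
                    directory: List[Account] = DIRECTORY) -> Optional[str]:
    """Return the sAMAccountName the ticket's client name denotes, or None.

    Assumptions (not from the thread): match case-insensitively against both the
    sAMAccountName and the UPN local part, accept only our own realm, and treat a
    name that matches more than one account as unresolvable.
    """
    name, realm = split_principal(client_principal)
    if realm and realm.upper() != REALM:
        return None  # foreign realm: never map onto a local account
    wanted = name.lower()
    candidates = set()
    for acct in directory:
        upn_local = acct.user_principal_name.rpartition("@")[0]
        if wanted in (acct.sam_account_name.lower(), upn_local.lower()):
            candidates.add(acct.sam_account_name)
    if len(candidates) != 1:
        return None  # unknown, or one account's UPN prefix collides with another's name
    return candidates.pop()
```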