'[cifs-protocol] 114121712176508 MS-KILE Behaviour for client principal name in service tickets'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       cifs-protocol
Subject:    [cifs-protocol] 114121712176508 MS-KILE Behaviour for client principal name in service tickets
From:       Sreekanth Nadendla <srenaden () microsoft ! com>
Date:       2014-12-19 20:25:20
Message-ID: BY2PR03MB127C940DA3E47D4C88B0C9BC56B0 () BY2PR03MB127 ! namprd03 ! prod ! outlook ! com
[Download RAW message or body]

Hello Andrew,
                          I will be assisting you with this issue. I have couple of \
questions to ensure that we both are reproducing the same issue.

On the Windows domain controller, you could open "Active Directory Users and \
Computers" and view the properties for account Administrator. By default, the field \
"User logon name" is empty. So when you say you have set the  userPrinciplaName to \
admin@win2012r2.abartlet.wgtn.cat-it.co.nz, you have specified "admin" in the field \
"User logon name" and chose the FQDN win2012r2.abartlet.wgtn.cat-it.co.nz from the \
dropdown for domain. Correct ?

I am using kinit.exe from Java Development kit which does not support -enterprise \
option. I will look for an alternative that works on windows and supports the \
-enterprise option. 

I've created a user as following on my test win2k12 R2 AD. Note that the letter J is \
capital letter and UPN is Jenny2 while sAMAccountName is Jenny3.

Property                         Value
------------		--------------------
name			Jennifer Klick
sAMAccountName	Jenny3
userPrincipalName	Jenny2@379135DOM.lab

C:\Program Files\Java\jdk1.8.0_25\jre\bin>kinit.exe jenny2 ( here j is lower case)
New ticket is stored in cache file. 

C:\Program Files\Java\jdk1.8.0_25\jre\bin>klist.exe

Default principal: jenny2@379135DOM.LAB    (Just like you found, the supplied name is \
kept as is).

I would like to know what you will see in your environment if you were to create the \
same account Jennifer as described and execute the following and check the output of \
klist.exe. Assuming you use klist.exe to verify, if not can you use it to see if your \
method yields the same results seen from klist.exe ? Please let me know. Also note \
the case of letter J in each of the commands below  
kinit -enterprise jenny2@yourdomain
kinit -enterprise Jenny2@yourdomain
kinit -enterprise jenny3@yourdomain
kinit -enterprise Jenny3@yourdomain   

kinit -enterprise jenny2
kinit -enterprise Jenny3

kinit -enterprise Jenny2
kinit -enterprise Jenny3

Regards,
Sreekanth Nadendla
Microsoft Windows Open Specifications

-----Original Message-----
From: Andrew Bartlett [mailto:abartlet@samba.org] 
Sent: Tuesday, December 16, 2014 10:21 PM
To: Interoperability Documentation Help
Cc: cifs-protocol@samba.org
Subject: MS-KILE Behaviour for client principal name in service tickets

G'Day,

I'm trying to pin down a behaviour of the Windows 2012R2 (and probably
all) AD DC, with regard to the client principal name that is encrypted into the \
service tickets issued to services. 

While AD uses the PAC exclusivly as it's measure of identity, unix-based services \
typcially use the result of gss_display_name() on the client name returned from \
gss_accept_sec_context().

This is the client principal name encrypted into the Kerberos service ticket by the \
KDC, and decrypted with the service keytab entry.

I've noticed a curious number of variations in the principal name that is returned \
here.  This concerns me, because ideally this should have consistently matched \
samAccountName, to allow a stable identity to be matched on the service side.  With a \
krb5.conf having: [libdefaults]
default_realm = WIN2012R2.ABARTLET.WGTN.CAT-IT.CO.NZ

The administrator user has userPrincipalname of \
admin@w2k12.abartlet.wgtn.cat-it.co.nz

Then here are the names (cut off before the realm, which is always \
@WIN2012R2.ABARTLET.WGTN.CAT-IT.CO.NZ as far as I observe) the server decrypts out of \
the ticket, after each of these kinit commands:

kinit administrator
administrator

kinit --enterprise admin@w2k12.abartlet.wgtn.cat-it.co.nz
Administrator

kinit Administrator
Administrator

kinit ADMINISTRATOR
ADMINISTRATOR

kinit --enterprise administrator
Administrator

kinit --enterprise ADMINISTRATOR
Administrator

The point is, when a NT-Principal name is supplied by kinit, it is kept identically, \
however when a enterprise name is supplied, it is always overwritten with the \
samAccountName.

Additionally, I checked what happens if I set the userPrinciplaName to \
admin@win2012r2.abartlet.wgtn.cat-it.co.nz

kinit admin@WIN2012R2.ABARTLET.WGTN.CAT-IT.CO.NZ
admin

This is a surprising result. It means that, apparently, we can not rely on the \
username returned from Kerberos to either case sensitivly or insensitively match the \
samAccountName

Can you please confirm if my understanding is correct, and where this is documented \
in MS-KILE, as I can't find any reference to this behaviour at all.

Thanks,

--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

_______________________________________________
cifs-protocol mailing list
cifs-protocol@samba.org
https://lists.samba.org/mailman/listinfo/cifs-protocol

[prev in list] [next in list] [prev in thread] [next in thread] 