Hi,
I'm trying to set up the following configuration but have run into a problem.
I'm not sure if it's normal behavior for Samba 4.
I have a smartcard provided with a user principal name that looks like
serial_number@domain. The serial number is of the form
0000-0000-0000-0000. The domain, let's say "upn.example.com", doesn't
match my Samba realm, which would be "realm.com". What's happening here
is that during Kerberos pre-auth it checks for
0000-0000-0000-0000\@upn.example.com@REALM.COM, which works fine. But
during the TGS phase it checks only for 0000-0000-0000-0000@REALM.COM,
and this entry is missing in Kerberos. The log file shows this:
[...] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: PKINIT pre-authentication succeeded -- 0000-0000-0000-0000\@upn.example.com@REALM.COM using XXXX
[...] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: TGS-REQ 0000-0000-0000-0000@REALM.COM from ipv4:10.0.0.5:62591 for host/XXX [canonicalize, renewable, forwardable]
[...] ../lib/util/util_ldb.c:60(gendb_search_v)
gendb_search_v: DC=realm,DC=com NULL -> 1
[...] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Client no longer in database: 0000-0000-0000-0000@REALM.COM
In order to have the pre-auth succeed, I had to set an alternative UPN
suffix with the Domain and Trust management tool and then change the user
name to the serial number and this suffix. I didn't do any specific
configuration; it's almost the same as the default one. Tests were done
on Samba 4.0.8 and 4.10.
Am I doing something wrong, or is it something that must be corrected?
But to me it feels wrong to identify a given identity in pre-auth and a
different one for the ticket.
Thanks,
Etienne.
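The symptom in the log above is that the AS exchange names the client by its
enterprise principal (the UPN as a single, backslash-escaped component, realm
appended), while the TGS-REQ names it by a plain one-component principal in
the KDC realm, so the second lookup is for a different identity. The following
is an added example, not code from the original post or from Samba: it parses
principal strings in the escaped form Heimdal prints them in, classifies them
as enterprise or plain, and scans log lines for a PKINIT success followed by a
TGS-REQ for the same bare account name under a different identity. The log
lines, the `alice` account and all function names are constructed for the
example.

```python
"""Added example (not from the original post or from Samba): parse
Heimdal-style principal strings from the Samba KDC log and flag AS/TGS
client-name mismatches.  The sample log lines are constructed."""
import re


def parse_principal(text):
    """Split 'comp1/comp2@REALM' into (components, realm).

    Heimdal's unparse escapes '@', '/' and '\\' inside a component with
    a backslash, so an enterprise name (a UPN used as the single
    component) prints as 'user\\@upn.example.com@REALM'.  The first
    unescaped '@' is therefore the realm separator.
    """
    comps, cur, realm = [], [], None
    i = 0
    while i < len(text):
        c = text[i]
        if realm is not None:
            realm.append(c)
        elif c == "\\" and i + 1 < len(text):
            i += 1                      # keep the escaped character literally
            cur.append(text[i])
        elif c == "/":
            comps.append("".join(cur))
            cur = []
        elif c == "@":
            comps.append("".join(cur))
            cur = []
            realm = []
        else:
            cur.append(c)
        i += 1
    if realm is None:
        raise ValueError("no realm in principal %r" % text)
    return comps, "".join(realm)


def is_enterprise(comps):
    """An enterprise name is a single component that itself contains '@'."""
    return len(comps) == 1 and "@" in comps[0]


def client_identity(text):
    """The name a KDC would look the client up under: the embedded UPN for
    an enterprise name, otherwise 'components@REALM' (case-folded)."""
    comps, realm = parse_principal(text)
    if is_enterprise(comps):
        return comps[0].lower()
    return "/".join(comps).lower() + "@" + realm.lower()


# Constructed regexes for the two Heimdal log messages seen in the post.
AS_RE = re.compile(r"PKINIT pre-authentication succeeded -- (\S+) using")
TGS_RE = re.compile(r"TGS-REQ (\S+) from \S+ for (\S+)")


def find_mismatches(log_lines):
    """Pair each TGS-REQ with the latest PKINIT success for the same bare
    account name and return (as_name, tgs_name) pairs whose identities
    differ, i.e. the 'Client no longer in database' pattern."""
    last_as = {}          # bare account name -> AS-REQ client principal
    mismatches = []
    for line in log_lines:
        m = AS_RE.search(line)
        if m:
            comps, _ = parse_principal(m.group(1))
            last_as[comps[0].split("@")[0].lower()] = m.group(1)
            continue
        m = TGS_RE.search(line)
        if m:
            comps, _ = parse_principal(m.group(1))
            key = comps[0].split("@")[0].lower()
            if key in last_as and client_identity(last_as[key]) != client_identity(m.group(1)):
                mismatches.append((last_as[key], m.group(1)))
    return mismatches


# Constructed sample log: the post's two lines plus a control account that
# authenticates with a plain principal and is therefore consistent.
SAMPLE_LOG = [
    r"Kerberos: PKINIT pre-authentication succeeded -- 0000-0000-0000-0000\@upn.example.com@REALM.COM using XXXX",
    r"Kerberos: TGS-REQ 0000-0000-0000-0000@REALM.COM from ipv4:10.0.0.5:62591 for host/XXX [canonicalize, renewable, forwardable]",
    r"Kerberos: Client no longer in database: 0000-0000-0000-0000@REALM.COM",
    r"Kerberos: PKINIT pre-authentication succeeded -- alice@REALM.COM using XXXX",
    r"Kerberos: TGS-REQ alice@REALM.COM from ipv4:10.0.0.6:50001 for cifs/fs1.realm.com@REALM.COM [renewable]",
]

if __name__ == "__main__":
    for as_name, tgs_name in find_mismatches(SAMPLE_LOG):
        print("AS client %s -> TGS client %s" % (as_name, tgs_name))
```

Run stand-alone it reports only the smartcard account: its AS identity is
`0000-0000-0000-0000@upn.example.com` and its TGS identity is
`0000-0000-0000-0000@realm.com`, which is exactly why the second lookup can
fail when no account is reachable under the latter name.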