Hello,

Does samba support the use of S4U?

What do we need to configure in SAMBA or krb5 to support getting a ticket obtained by S4U. We are using 3.0.25 and krb5-1.4.1

We are getting the following error:

decode_pac_data: Name in PAC [username@something1.something2.realmname] does not match principal name in ticket

The ticket could be different than the PAC name because the ticket was obtained using S4U extension.

Any help will be really appreciated.

Cheers,
Ephi

Background: http://searchwindowssecurity.techtarget.com/news/article/0,289142,sid45_gci1013484,00.html

Kerberos' ability to support delegation is a consequence of its unique ticketing mechanism. When sending a ticket to a server, the Kerberos client can add additional information to it so the server can reuse it to request other tickets on the user's behalf to the Kerberos KDC

Andrew Bartlett
2008-Feb-20 20:49 UTC
[Samba] RE: Delegation of authentication (S4U) and SAMBA

On Tue, 2008-02-12 at 12:15 -0800, Ephi Dror wrote:
> Hello,
>
> Does samba support the use of S4U?
>
> What do we need to configure in SAMBA or krb5 to support getting a
> ticket obtained by S4U. We are using 3.0.25 and krb5-1.4.1
>
> We are getting the following error:
>
> decode_pac_data: Name in PAC [username@something1.something2.realmname]
> does not match principal name in ticket
>
> The ticket could be different than the PAC name because the ticket was
> obtained using S4U extension.

As you have found out, the code does not currently allow this.

Now that we are using the PAC, it shouldn't be too hard for you to change things so that instead of requiring the two strings to match, it takes the PAC in precedence (if available).

I suggest raising this on samba-technical.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc.