[16410] in Kerberos_V5_Development


RE: 2008 R2

daemon@ATHENA.MIT.EDU (Bill Fellows)
Wed Sep 29 16:21:27 2010

Message-ID: <471772.15807.qm@web30408.mail.mud.yahoo.com>
Date: Thu, 23 Sep 2010 10:51:44 -0700 (PDT)
From: Bill Fellows <wrfellows@yahoo.com>
To: Mike Patnode <mike.patnode@centrify.com>, krbdev@mit.edu
Errors-To: krbdev-bounces@mit.edu


Mike,

Thanks for your reply.

According to the information I've gotten from Microsoft, the 2008 SP2 does not apply to 2008 R2. Also the hotfix you mentioned doesn't apply to 2008 R2.

We got this response from Microsoft technical support:

"I have received an update from my SME on the data which has been provided to us. The problem is the name-type used for the TGT request is set to Unknown:

133        2010-08-26 17:15:17.284157        x.x.x.x
x.x.x.x    KRB5       AS-REQ
Server Name (Unknown): krbtgt/EXAMPLE.COM
Name-type: Unknown (0)
Name: krbtgt
Name: EXAMPLE.COM

The name-type needs to be Service and Instance. The reason why it works against the Writable DCs is because those DCs don't need to proxy the authentication, RODCs do. In W2K8R2 there were additional checks in the Kerberos decryption code path which now exposes this problem."

I've attached a network capture displaying this problem.

Thanks again,
Bill Fellows



--- On Wed, 9/22/10, Mike Patnode <mike.patnode@centrify.com> wrote:

> From: Mike Patnode <mike.patnode@centrify.com>
> Subject: RE: 2008 R2
> To: "Bill Fellows" <wrfellows@yahoo.com>, "krbdev@mit.edu" <krbdev@mit.edu>
> Date: Wednesday, September 22, 2010, 2:52 PM
> Have you installed SP2 or this hotfix?
>
> http://support.microsoft.com/kb/951191
>
> -----Original Message-----
> From: krbdev-bounces@mit.edu
> [mailto:krbdev-bounces@mit.edu]
> On Behalf Of Bill Fellows
> Sent: Wednesday, September 22, 2010 2:13 PM
> To: krbdev@mit.edu
> Subject: 2008 R2
>
> Hi,
>
> I'm unable to authenticate through Kerberos to a 2008 R2
> read only domain controller (RODC) with Samba 3.5.5. I
> changed the krb5_princ_type field in bld_pr_ext.c
> krb5_build_principal_ext() to KRB5_NT_SRV_INST from
> KRB5_NT_UNKNOWN and this solved the problem. Is there a
> better / safer fix for this bug?
>
> Thanks,
> Bill Fellows
>
>
> _______________________________________________
> krbdev mailing list             krbdev@mit.edu
> https://mailman.mit.edu/mailman/listinfo/krbdev
>

_______________________________________________
krbdev mailing list             krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev

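The name-type distinction in the Microsoft response above can be checked mechanically over decoded AS-REQ records. The following is an added example, not code from this thread, from Samba or from MIT krb5: it takes AS-REQ records (constructed here to mirror the dissector fields quoted in the reply, with placeholder addresses) and flags TGT requests whose sname name-type is not Service and Instance. The name-type codes are the ones assigned in RFC 4120 section 6.2; build_krbtgt_sname is a hypothetical Python stand-in for the principal-building change Bill describes, not the bld_pr_ext.c code itself.

```python
from typing import Dict, List, Optional

# Principal name-type codes from RFC 4120 section 6.2.
KRB5_NT_UNKNOWN = 0        # name type not known
KRB5_NT_PRINCIPAL = 1      # just the name of the principal, as in DCE or for users
KRB5_NT_SRV_INST = 2       # service and other unique instance (krbtgt)
KRB5_NT_SRV_HST = 3        # service with host name as instance (telnet, rcommands)

NAME_TYPE_LABELS = {
    KRB5_NT_UNKNOWN: "Unknown",
    KRB5_NT_PRINCIPAL: "Principal",
    KRB5_NT_SRV_INST: "Service and Instance",
    KRB5_NT_SRV_HST: "Service and Host",
}

# Constructed sample records (not the thread's capture): each mirrors the fields
# shown in the quoted dissector output. Addresses are documentation placeholders.
SAMPLE_AS_REQS: List[Dict] = [
    {"frame": 133, "src": "192.0.2.10", "dst": "192.0.2.1",
     "sname_type": KRB5_NT_UNKNOWN, "sname": ["krbtgt", "EXAMPLE.COM"]},
    {"frame": 134, "src": "192.0.2.11", "dst": "192.0.2.1",
     "sname_type": KRB5_NT_SRV_INST, "sname": ["krbtgt", "EXAMPLE.COM"]},
    {"frame": 135, "src": "192.0.2.12", "dst": "192.0.2.1",
     "sname_type": KRB5_NT_PRINCIPAL, "sname": ["krbtgt", "EXAMPLE.COM"]},
    {"frame": 136, "src": "192.0.2.13", "dst": "192.0.2.1",
     "sname_type": KRB5_NT_UNKNOWN, "sname": ["host", "web01.example.com"]},
]


def is_tgt_request(rec: Dict) -> bool:
    """True when the requested service principal is krbtgt/<REALM>."""
    sname = rec["sname"]
    return len(sname) == 2 and sname[0] == "krbtgt"


def check_tgt_name_type(rec: Dict) -> Optional[str]:
    """Return a finding for a TGT request whose sname name-type is not
    Service and Instance; None when the record is fine or not a TGT request."""
    if not is_tgt_request(rec):
        return None
    nt = rec["sname_type"]
    if nt == KRB5_NT_SRV_INST:
        return None
    label = NAME_TYPE_LABELS.get(nt, "unassigned")
    return (f"frame {rec['frame']}: AS-REQ for {'/'.join(rec['sname'])} "
            f"uses name-type {label} ({nt}); expected Service and Instance "
            f"({KRB5_NT_SRV_INST}), which an RODC that must proxy the "
            f"authentication may reject")


def find_mistyped_tgt_requests(records: List[Dict]) -> List[int]:
    """Frame numbers of TGT requests that fail the name-type expectation."""
    return [rec["frame"] for rec in records
            if check_tgt_name_type(rec) is not None]


def build_krbtgt_sname(realm: str) -> Dict:
    """Hypothetical stand-in for building the TGS principal with the correct
    name-type: the analogue of using KRB5_NT_SRV_INST rather than
    KRB5_NT_UNKNOWN, as described in the thread."""
    return {"sname_type": KRB5_NT_SRV_INST, "sname": ["krbtgt", realm]}


if __name__ == "__main__":
    for rec in SAMPLE_AS_REQS:
        print(check_tgt_name_type(rec) or f"frame {rec['frame']}: ok")
```

Only the krbtgt requests are judged against KRB5_NT_SRV_INST; a request for another service (frame 136) is left alone, since the response quoted above only states the expectation for the TGT request.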
