Isaac Boukris
I think I figured out the TGS failure, I suspect it is a bug that we sign protocol-transition tickets with the impersonator principal inside KRB5SignedPath, I think we should sign...
I think I figured out the AS failure too, now both tests pass for me but it needs more thinking.
Hi Luke, I addressed your comments, but I moved the KRB5SignedPath changes to a separate PR as I need to think about these changes some more and this PR got too...
@jaltman @lhoward, I'm having second thoughts on this change - sorry. CC: @greghudson I think the logic in MS-SFU in the first comment above makes a wrong assumption about Kerberos...
> Are you saying the MIT KDC might change the names in TGS responses, or the MIT TGS client might allow changes to names?

I was referring to MIT TGS...
@greghudson I did some tests using the Heimdal test suite and the KDC won't canonicalize the client name. The client code would only allow client name to be canonicalized if EXTRACT_TICKET_ALLOW_CNAME_MISMATCH...
This one is tricky, I suspect it's going to get me into trouble with the Samba test suite, I need to think about it more, so I'll change the status of this PR and...
I think it would be nice if we expose our basic-auth API as an authentication provider by implementing a check_password() function and registering it via ap_register_auth_provider(AUTHN_PROVIDER_GROUP). This will allow it...
@akallabeth a wild guess; perhaps your user can't get an AES ticket and fails on Windows due to use of the RC4 enctype in Kerberos, klist or Wireshark would show it...
On the other hand, I can't reproduce the original issue as it works for me on Linux as well, so it may be just due to the usual Kerberos failure such...