Jonathan Turner 7 лет назад
Родитель
Сommit
f5dd6dff87

+ 10 - 0
client/client_ad_integration_test.go

@@ -46,6 +46,16 @@ func TestClient_GetServiceTicket_AD(t *testing.T) {
 	}
 	assert.Equal(t, spn, tkt.SName.GetPrincipalNameString())
 	assert.Equal(t, int32(18), key.KeyType)
+
+	b, _ = hex.DecodeString(testdata.SYSHTTP_KEYTAB)
+	skt, _ := keytab.Parse(b)
+	err = tkt.DecryptEncPart(skt, "sysHTTP")
+	if err != nil {
+		t.Errorf("could not decrypt service ticket: %v", err)
+	}
+	isPAC, pac, err := tkt.GetPACType(skt, "sysHTTP")
+	assert.True(t, isPAC, "should have PAC")
+	assert.Equal(t, "TEST.GOKRB5", pac.KerbValidationInfo.LogonDomainName.String(), "domain name in PAC not correct")
 }
 
 func TestClient_SuccessfulLogin_AD_TRUST_USER_DOMAIN(t *testing.T) {
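Review bot: The error returned on the line `isPAC, pac, err := tkt.GetPACType(skt, "sysHTTP")` is never checked, so a failed PAC extraction reaches `pac.KerbValidationInfo.LogonDomainName.String()` with a zero or nil `pac` and would likely panic rather than report a test failure. Add `if err != nil { t.Fatalf("error getting PAC from service ticket: %v", err) }` before the `assert.True` line; for the same reason the decrypt failure two lines earlier should use `t.Fatalf` instead of `t.Errorf`, since the PAC cannot be read from a ticket whose encrypted part was not decrypted. The `hex.DecodeString` and `keytab.Parse` results are also dropped with `_`, so a wrong keytab constant would only surface later as an opaque decryption error. TestClient_GetServiceTicket_AD begins outside the hunk.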

+ 0 - 3
credentials/credentials.go

@@ -127,9 +127,6 @@ func (c *Credentials) SetADCredentials(a ADCredentials) {
 	if a.EffectiveName != "" {
 		c.SetUserName(a.EffectiveName)
 	}
-	if a.LogonDomainName != "" {
-		c.SetDomain(a.LogonDomainName)
-	}
 	for i := range a.GroupMembershipSIDs {
 		c.AddAuthzAttribute(a.GroupMembershipSIDs[i])
 	}

+ 5 - 3
examples/example-AD.go

@@ -23,18 +23,20 @@ func main() {
 	s := httpServer()
 	defer s.Close()
 
-	b, _ := hex.DecodeString(testdata.TESTUSER1_KEYTAB)
+	b, _ := hex.DecodeString(testdata.TESTUSER1_USERKRB5_AD_KEYTAB)
 	kt, _ := keytab.Parse(b)
 	c, _ := config.NewConfigFromString(testdata.TEST_KRB5CONF)
 	cl := client.NewClientWithKeytab("testuser1", "USER.GOKRB5", kt)
 	cl.WithConfig(c)
+	cl.GoKrb5Conf.DisablePAFXFast = true
 	httpRequest(s.URL, cl)
 
-	b, _ = hex.DecodeString(testdata.TESTUSER2_KEYTAB)
+	b, _ = hex.DecodeString(testdata.TESTUSER2_USERKRB5_AD_KEYTAB)
 	kt, _ = keytab.Parse(b)
 	c, _ = config.NewConfigFromString(testdata.TEST_KRB5CONF)
 	cl = client.NewClientWithKeytab("testuser2", "USER.GOKRB5", kt)
 	cl.WithConfig(c)
+	cl.GoKrb5Conf.DisablePAFXFast = true
 	httpRequest(s.URL, cl)
 
 	//httpRequest("http://host.test.gokrb5/index.html")
@@ -63,7 +65,7 @@ func httpRequest(url string, cl client.Client) {
 
 func httpServer() *httptest.Server {
 	l := log.New(os.Stderr, "GOKRB5 Service: ", log.Ldate|log.Ltime|log.Lshortfile)
-	b, _ := hex.DecodeString(testdata.SYSHTTP_KEYTAB)
+	b, _ := hex.DecodeString(testdata.SYSHTTP_RESGOKRB5_AD_KEYTAB)
 	kt, _ := keytab.Parse(b)
 	th := http.HandlerFunc(testAppHandler)
 	c := service.NewConfig(kt)
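Review bot: `cl.GoKrb5Conf.DisablePAFXFast = true` is set twice in the first hunk (after each `cl.WithConfig(c)`) with no explanation, and because this is example code that users copy, a one-line comment stating why FAST pre-authentication is switched off here is needed — presumably the Active Directory test environment does not negotiate it, but that is not visible on the page; something like `// FAST pre-auth armoring disabled for this AD environment: TODO state the reason` would do. Without it, readers may carry the setting into their own clients where the library default should be kept. The errors from `hex.DecodeString`, `keytab.Parse` and `config.NewConfigFromString` are also discarded in both hunks, so a wrong keytab constant (the very thing this commit renames) would surface as a nil keytab rather than a clear failure. main begins outside the first hunk.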

+ 12 - 4
testenv/ActiveDirectory.md

@@ -17,11 +17,19 @@
 | Display name | Attribute | Type |
 | -------------|-----------|------|
 | username | sAMAccountName | string |
-| msTSAllowLogon | msTSAllowLogon | boolean |
-| sAMAccountType | sAMAccountType | Integer |
+| otherIpPhone | otherIpPhone | multi-valued string |
 | objectClass | objectClass | multi-valued unsigned integer |
-| ou | ou | multi-valued string |
-| postalAddress | postalAddress | multi-valued string |
+| msDS-SupportedEncryptionTypes | msDS-SupportedEncryptionTypes | Integer |
+
+### Add Attributes to User
+* Edit testuser1 in Active Directory Users and Computers
+* Go to Telephones tab
+* Click the "Other" button next to IP Phone
+* Add these strings:
+  * str1
+  * str2
+  * str3
+  * str4
 
 ### Inspect Values
 ```