Bug 11142 - KDC does not support enterprise UPNs properly
Summary: KDC does not support enterprise UPNs properly
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.2.0rc4
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks: 11145
Reported: 2015-03-09 03:45 UTC by Andrew Bartlett
Modified: 2016-07-29 00:21 UTC

See Also:


Attachments
attachment 10829: 4.2 patch cherry-picked from master (337.67 KB, patch) - 2015-03-09 04:14 UTC, Andrew Bartlett - no flags
attachment 10836: 4.2 patch cherry-picked from master (346.01 KB, patch) - 2015-03-10 03:35 UTC, Andrew Bartlett - garming: review+
attachment 10851: additional patches pending commit in master (11.69 KB, patch) - 2015-03-11 03:47 UTC, Andrew Bartlett - no flags
attachment 10870: 4.2 patch cherry-picked from master (3.65 KB, patch) - 2015-03-12 21:25 UTC, Andrew Bartlett - metze: review-
attachment 10874: 4.2 patch cherry-picked from master (369.94 KB, patch) - 2015-03-15 20:46 UTC, Andrew Bartlett - abartlet: review? (metze)

Description Andrew Bartlett 2015-03-09 03:45:11 UTC
Bug to allow backport to Samba 4.2 of patches in master supporting enterprise UPNs in a realm not equal to the primary realm.
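The bug is about enterprise principal names (eUPNs): an AS-REQ whose client name has name-type KRB5_NT_ENTERPRISE_PRINCIPAL carries the whole UPN ("user@suffix") as a single component, and the realm field is only the client's guess about which KDC to ask. The KDC has to look the UPN up as an opaque string and canonicalize to the account's real principal, not split on "@" and treat the suffix as a realm, because the suffix may be an alternate UPN suffix that is not a realm at all. The following is an added, illustrative example of that resolution step written for this page; it is not Samba's KDC code, does not describe what was wrong in Samba, and uses a constructed in-memory directory (realm PRIMARY.EXAMPLE, alternate suffix corp.example). The implicit-UPN fallback (samAccountName@realm for accounts without an explicit userPrincipalName) is an assumption about behaviour this example chooses to model.

```python
"""Enterprise-principal (eUPN) resolution at a KDC, illustrative only.

Added example, not Samba code. Name-type values are from RFC 4120 and
RFC 6806 (KRB5_NT_PRINCIPAL = 1, KRB5_NT_ENTERPRISE_PRINCIPAL = 10).
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

KRB5_NT_PRINCIPAL = 1
KRB5_NT_ENTERPRISE_PRINCIPAL = 10


@dataclass(frozen=True)
class Account:
    sam_account_name: str
    realm: str            # Kerberos realm of the domain holding the account
    upn: Optional[str]    # explicit userPrincipalName, may use an alternate suffix


# Constructed sample directory: one realm, one alternate UPN suffix.
DIRECTORY: List[Account] = [
    Account("alice", "PRIMARY.EXAMPLE", "alice@primary.example"),
    Account("bob",   "PRIMARY.EXAMPLE", "bob@corp.example"),   # corp.example is NOT a realm
    Account("carol", "PRIMARY.EXAMPLE", None),                 # no explicit UPN set
]


class UnknownPrincipal(LookupError):
    """Raised when no account matches; a KDC would answer KDC_ERR_C_PRINCIPAL_UNKNOWN."""


def resolve(name_type: int, components: List[str], realm: str,
            directory: List[Account] = DIRECTORY) -> Tuple[str, str]:
    """Return the canonical (sam_account_name, realm) for a client name.

    For KRB5_NT_PRINCIPAL the single component is a plain account name and
    the request realm must match the account's realm.  For
    KRB5_NT_ENTERPRISE_PRINCIPAL the single component is the whole UPN; the
    request realm is only a routing hint and is deliberately not consulted.
    """
    if len(components) != 1:
        raise ValueError("this example only handles single-component client names")
    name = components[0]

    if name_type == KRB5_NT_PRINCIPAL:
        # An '@' inside an NT_PRINCIPAL component is just a character, not a separator.
        for acct in directory:
            if (acct.sam_account_name.lower() == name.lower()
                    and acct.realm.upper() == realm.upper()):
                return acct.sam_account_name, acct.realm
        raise UnknownPrincipal(f"{name}@{realm}")

    if name_type == KRB5_NT_ENTERPRISE_PRINCIPAL:
        if "@" not in name:
            raise UnknownPrincipal(name)
        # Exact, case-insensitive match on the whole UPN string (RFC 6806 section 5).
        for acct in directory:
            if acct.upn is not None and acct.upn.lower() == name.lower():
                return acct.sam_account_name, acct.realm
        # Assumption modelled here: accounts without an explicit UPN are reachable
        # by the implicit UPN sam@<realm>, compared case-insensitively.
        sam, _, suffix = name.rpartition("@")
        for acct in directory:
            if (acct.upn is None and acct.sam_account_name.lower() == sam.lower()
                    and acct.realm.lower() == suffix.lower()):
                return acct.sam_account_name, acct.realm
        raise UnknownPrincipal(name)

    raise ValueError(f"unsupported name type {name_type}")


def naive_split_resolve(components: List[str],
                        directory: List[Account] = DIRECTORY) -> Tuple[str, str]:
    """The failure class to avoid: treat the UPN suffix as if it were a realm.

    Works for alice@primary.example but cannot find bob@corp.example, because
    corp.example is an alternate UPN suffix, not a realm.  Shown for contrast;
    this is not a description of Samba's defect.
    """
    sam, _, suffix = components[0].rpartition("@")
    return resolve(KRB5_NT_PRINCIPAL, [sam], suffix.upper(), directory)


if __name__ == "__main__":
    print(resolve(KRB5_NT_ENTERPRISE_PRINCIPAL, ["bob@corp.example"], "CORP.EXAMPLE"))
    try:
        naive_split_resolve(["bob@corp.example"])
    except UnknownPrincipal as e:
        print("naive split fails for", e)
```

The canonical (account, realm) pair that `resolve` returns is what a KDC would put in the ticket's cname/crealm when the client asks for canonicalization, and it is also the identity any later S4U2Self check should be made against, rather than the raw string the client supplied.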
Comment 1 Andrew Bartlett 2015-03-09 04:14:40 UTC
Created attachment 10829
4.2 patch cherry-picked from master

The attached patch brings this change, and the patches on which it depends, into 4.2.

The one thing I'm not totally comfortable about is that we bring in the KDC trusted domain patches from master.  These look like they fix things (which is great), but don't currently have tests.
Comment 2 Andrew Bartlett 2015-03-09 04:17:27 UTC
We also need the patches from my mail on samba-technical: 
 [PATCH] Improved eUPN support in S4U2Self
Comment 3 Andrew Bartlett 2015-03-10 03:35:46 UTC
Created attachment 10836
4.2 patch cherry-picked from master

This version of the patch includes the S4U2Self validation and fix patches that recently hit master.

The remaining issue is that metze's trusted domain patches are not tested.  I've been looking at a way of doing that in rpc.lsa.trusted.domains using the technology from the krb5.kdc tests
Comment 4 Andrew Bartlett 2015-03-11 03:47:05 UTC
Created attachment 10851
additional patches pending commit in master

Metze found a number of other issues with the eUPN code.  These patches fix an issue that happens with the MIT krb5 client, but not with Windows clients. 

These will be in master shortly, I hope, and then I'll cherry-pick them into the main patch.
Comment 5 Andrew Bartlett 2015-03-12 21:25:28 UTC
Created attachment 10870
4.2 patch cherry-picked from master

This is the patch series Garming reviewed, minus the trusted domain test changes (pointless), and plus all the changes that just got into master, and one more that allows the tests to work in 4.2.

BUG references have been added to all the extra patches, to aid tracking.

It passes krb5.kdc and local.pac tests.
Comment 6 Stefan Metzmacher 2015-03-13 10:15:26 UTC
Comment on attachment 10870
4.2 patch cherry-picked from master

You missed the --stdout argument...
Comment 7 Andrew Bartlett 2015-03-15 20:46:44 UTC
Created attachment 10874
4.2 patch cherry-picked from master

Sorry about that.  See attached correct patch.

Also, do you see this as a feature, or a bug-fix, in terms of it belonging in Samba 4.2 and (to a lesser extent) 4.1?  I see it as quite a bit of both, but either way what is really important, even more than the eUPN feature, is the extra tests.

Thanks,
Comment 8 Stefan Metzmacher 2015-04-13 10:13:22 UTC
Comment on attachment 10874
4.2 patch cherry-picked from master

Please also include 8421c403e206a8eb1b55ce512e6d2d4174bed0ac then I'm fine.
Comment 9 Stefan Metzmacher 2015-04-13 10:14:02 UTC
(In reply to Stefan (metze) Metzmacher from comment #8)

And maybe 85827c5292fca0eef565b0361948405aa662c59b if possible without conflicts.
Comment 10 Andrew Bartlett 2016-07-29 00:21:31 UTC
Fixed in Samba 4.3.