Bug to allow backport to Samba 4.2 of patches in master supporting enterprise UPNs in a realm not equal to the primary realm.
Created attachment 10829: 4.2 patch cherry-picked from master

The attached patch brings this change, and the patches on which it depends, into 4.2. The one thing I'm not totally comfortable about is that we bring in the KDC trusted domain patches from master. These look like they fix things (which is great), but don't currently have tests.
We also need the patches from my mail on samba-technical: [PATCH] Improved eUPN support in S4U2Self
Created attachment 10836: 4.2 patch cherry-picked from master

This version of the patch includes the S4U2Self validation and fix patches that recently hit master. The remaining issue is that metze's trusted domain patches are not tested. I've been looking at a way of doing that in rpc.lsa.trusted.domains using the technology from the krb5.kdc tests.
Created attachment 10851: additional patches pending commit in master

Metze found a number of other issues with the eUPN code. These patches fix an issue that happens with the MIT krb5 client, but not with Windows clients. These will be in master shortly, I hope, and then I'll cherry-pick them into the main patch.
Created attachment 10870: 4.2 patch cherry-picked from master

This is the patch series Garming reviewed, minus the trusted domain test changes (pointless), and plus all the changes that just got into master, and one more that allows the tests to work in 4.2. BUG references have been added to all the extra patches, to aid tracking. It passes krb5.kdc and local.pac tests.
Comment on attachment 10870: 4.2 patch cherry-picked from master

You missed the --stdout argument...
Created attachment 10874: 4.2 patch cherry-picked from master

Sorry about that. See attached correct patch. Also, do you see this as a feature, or a bug-fix, in terms of it belonging in Samba 4.2 and (to a lesser extent) 4.1? I see it as quite a bit of both, but either way what is really important, even more than the eUPN feature, is the extra tests. Thanks,
Comment on attachment 10874: 4.2 patch cherry-picked from master

Please also include 8421c403e206a8eb1b55ce512e6d2d4174bed0ac, then I'm fine.
(In reply to Stefan (metze) Metzmacher from comment #8)

And maybe 85827c5292fca0eef565b0361948405aa662c59b if possible without conflicts.
Fixed in Samba 4.3.