12457 – Fix spnego with machine$@DOMAIN using MIT Kerberos

Bug 12457 - Fix spnego with machine$@DOMAIN using MIT Kerberos

Summary: Fix spnego with machine$@DOMAIN using MIT Kerberos

Status:	CLOSED FIXED

Alias:	None

Product:	Samba 4.1 and newer
Classification:	Unclassified
Component:	Winbind (show other bugs)
Version:	4.4.4
Hardware:	All All

Importance:	P5 normal (vote)
Target Milestone:	---
Assignee:	Andreas Schneider
QA Contact:	Samba QA Contact

URL:
Keywords:

Depends on:
Blocks:

Reported:	2016-12-01 14:38 UTC by Andreas Schneider
Modified:	2017-02-27 14:29 UTC (History)
CC List:	1 user (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Andreas Schneider 2016-12-01 14:38:00 UTC

If you join a domain with Kerberos (MIT) you might get the following error:

samba-cli01:~ # net ads join -k
Kinit for SAMBA-CLI01$@EARTH to access WINSRV-DC02.earth.milkyway.site failed: 
KDC reply did not match expectations

The reason is that after the latest changes to libsmb we use:

	SAMBA-CLI01$@EARTH

as the principal for kinit. Windows allows to use the domain name (netbios 
name) in the principal but for that you need to turn on canonicalization 
support. We do not do that if Samba is compiled with MIT Kerberos.

Comment 1 Stefan Metzmacher 2017-02-22 19:24:44 UTC

Is this still broken?

Comment 2 Andreas Schneider 2017-02-27 14:29:06 UTC

samba-cli01:~ # net ads join -k
Using short domain name -- EARTH
Joined 'SAMBA-CLI01' to dns domain 'earth.milkyway.site'