Bug 12553 - Automatic cross realm tickets based on (cross)forest/domain routing table should only be done based on the msDS-TrustForestTrustInfo values
Status: NEW
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.6.0rc1
Hardware: All
OS: All
Importance: P5 normal
Target Milestone: ---
Assigned To: Andrew Bartlett
QA Contact: Samba QA Contact
Reported: 2017-02-01 15:57 UTC by Stefan Metzmacher
Modified: 2017-03-09 13:33 UTC (History)
Description Stefan Metzmacher 2017-02-01 15:57:21 UTC
Automatic cross realm tickets based on (cross)forest/domain routing table e.g. for cifs/dc.otherdomain.com@MYDOMAIN.COM should only be done based on the msDS-TrustForestTrustInfo values.

Without msDS-TrustForestTrustInfo or for external trusts the KDC
should return PRINCIPAL_UNKNOWN.
The client can still explicitly ask for the cross-realm TGT,
e.g. krbtgt/OTHERDOMAIN.COM@MYDOMAIN.COM.

Windows clients seem to use the trust information they got from
netr_LogonGetDomainInfo if and how they should construct a possible
initial target principal name.

This also affects our client side code, I'll open a separate bug for that.
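The routing rule described in this report, written out as an added Python model (not Samba code): automatic referral only when a forest trust's msDS-TrustForestTrustInfo records cover the target host's DNS suffix, PRINCIPAL_UNKNOWN for external trusts or unmatched names, and an explicit krbtgt/REALM request still honoured. The `Trust` class, the record lists and the sample trusts are constructed for illustration.

```python
# Added model of the KDC routing decision discussed in this bug. It is not
# Samba's implementation; trust records and hostnames are constructed samples.
from dataclasses import dataclass, field

@dataclass
class Trust:
    realm: str                 # trusted realm, e.g. "OTHERDOMAIN.COM"
    forest: bool               # True for a forest trust, False for an external trust
    top_level_names: list = field(default_factory=list)   # ForestTrustTopLevelName records
    excluded_names: list = field(default_factory=list)    # ForestTrustTopLevelNameEx records
    domain_dns_names: list = field(default_factory=list)  # ForestTrustDomainInfo DNS names

def _under_suffix(host: str, suffix: str) -> bool:
    host, suffix = host.lower(), suffix.lower()
    return host == suffix or host.endswith("." + suffix)

def route_principal(principal: str, local_realm: str, trusts: list):
    """Return ("LOCAL", None), ("REFERRAL", krbtgt principal) or ("PRINCIPAL_UNKNOWN", None)."""
    name, _, realm = principal.rpartition("@")
    if realm.upper() != local_realm.upper():
        return ("PRINCIPAL_UNKNOWN", None)      # request is not for our realm
    parts = name.split("/")
    # Explicit cross-realm TGT request: allowed for forest and external trusts alike.
    if parts[0] == "krbtgt" and len(parts) == 2:
        if parts[1].upper() == local_realm.upper():
            return ("LOCAL", None)
        for t in trusts:
            if t.realm.upper() == parts[1].upper():
                return ("REFERRAL", f"krbtgt/{t.realm}@{local_realm}")
        return ("PRINCIPAL_UNKNOWN", None)
    if len(parts) != 2:
        return ("LOCAL", None)                  # not a host-based service name
    host = parts[1]
    if _under_suffix(host, local_realm):
        return ("LOCAL", None)
    # Automatic routing: only forest trusts whose routing records match qualify.
    # A trust without msDS-TrustForestTrustInfo has empty lists and never matches.
    for t in trusts:
        if not t.forest:
            continue
        if any(_under_suffix(host, ex) for ex in t.excluded_names):
            continue                            # suffix explicitly excluded from routing
        if any(_under_suffix(host, s) for s in t.top_level_names + t.domain_dns_names):
            return ("REFERRAL", f"krbtgt/{t.realm}@{local_realm}")
    return ("PRINCIPAL_UNKNOWN", None)

# Constructed sample trusts: one forest trust with routing records, one external trust.
SAMPLE_TRUSTS = [
    Trust("OTHERDOMAIN.COM", True, ["otherdomain.com"], ["lab.otherdomain.com"], ["child.otherdomain.com"]),
    Trust("EXT.EXAMPLE", False),
]
```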