Bug 12553 - Automatic cross realm tickets based on (cross)forest/domain routing table should only be done based on the msDS-TrustForestTrustInfo values
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.6.0rc1
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:

Reported: 2017-02-01 15:57 UTC by Stefan Metzmacher
Modified: 2017-03-09 13:33 UTC
CC: 5 users

See Also:

Attachments
Description Stefan Metzmacher 2017-02-01 15:57:21 UTC
Automatic cross realm tickets based on (cross)forest/domain routing table e.g. for cifs/dc.otherdomain.com@MYDOMAIN.COM should only be done based on the msDS-TrustForestTrustInfo values.

Without msDS-TrustForestTrustInfo or for external trusts the KDC
should return PRINCIPAL_UNKNOWN.
The client can still explicitly ask for the cross-realm TGT,
e.g. krbtgt/OTHERDOMAIN.COM@MYDOMAIN.COM.

Windows clients seem to use the trust information they got from
netr_LogonGetDomainInfo to decide if and how they should construct a
possible initial target principal name.

This also affects our client side code, I'll open a separate bug for that.
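To make the requested KDC behaviour concrete, here is an added example (not Samba code, and not part of the bug report) that models the routing decision the report asks for. It assumes a simplified view of msDS-TrustForestTrustInfo as a list of top-level-name (TLN) records plus TLN exclusion records per forest trust, and that a realm's own DNS domain is its lower-cased realm name; the `Trust` class, `route_principal` and the sample trust list are all constructed for this illustration.

```python
"""Model of the KDC routing rule from the bug report: a service principal
such as cifs/dc.otherdomain.com@MYDOMAIN.COM is referred to another realm
only when a forest trust's msDS-TrustForestTrustInfo claims that DNS
suffix.  External trusts (no forest trust info) yield PRINCIPAL_UNKNOWN,
unless the client explicitly asks for the cross-realm TGT
(krbtgt/OTHERDOMAIN.COM@MYDOMAIN.COM).  Example code, not Samba's."""

from dataclasses import dataclass, field

KDC_ERR_S_PRINCIPAL_UNKNOWN = "KDC_ERR_S_PRINCIPAL_UNKNOWN"


@dataclass
class Trust:
    """Simplified trust object (assumption: only the fields needed here)."""
    realm: str                 # Kerberos realm of the trusted domain/forest
    forest_trust: bool         # True for forest trusts, False for external trusts
    top_level_names: list = field(default_factory=list)  # TLN records
    tln_exclusions: list = field(default_factory=list)   # TLN exclusion records


def _suffix_matches(dns_name: str, suffix: str) -> bool:
    """True if dns_name equals suffix or lies below it in DNS."""
    n, s = dns_name.lower(), suffix.lower()
    return n == s or n.endswith("." + s)


def route_principal(sname: str, my_realm: str, trusts: list) -> str:
    """Return the realm the KDC should refer the requested service principal
    to (our own realm if it is local), or KDC_ERR_S_PRINCIPAL_UNKNOWN."""
    principal = sname.partition("@")[0]           # drop the "@MYDOMAIN.COM" part
    service, _, host = principal.partition("/")

    # An explicit cross-realm TGT request is honoured for any known trust,
    # forest or external: the client chose the target realm itself.
    if service == "krbtgt":
        for t in trusts:
            if t.realm.upper() == host.upper():
                return t.realm
        return KDC_ERR_S_PRINCIPAL_UNKNOWN

    # Hosts under our own DNS domain are served locally.
    if _suffix_matches(host, my_realm):
        return my_realm

    # Otherwise route purely by forest trust info: the longest TLN that
    # claims the host wins, and a matching TLN exclusion blocks the trust.
    # Routing by arbitrary DNS suffix instead would hand out referrals for
    # names no trust actually claims, which is the problem the bug describes.
    best = None
    for t in trusts:
        if not t.forest_trust:
            continue                             # external trust: no TLN records
        if any(_suffix_matches(host, ex) for ex in t.tln_exclusions):
            continue
        for tln in t.top_level_names:
            if _suffix_matches(host, tln) and (best is None or len(tln) > len(best[0])):
                best = (tln, t.realm)
    return best[1] if best else KDC_ERR_S_PRINCIPAL_UNKNOWN


# Constructed sample trust table for MYDOMAIN.COM.
SAMPLE_TRUSTS = [
    Trust("OTHERDOMAIN.COM", True,
          top_level_names=["otherdomain.com"],
          tln_exclusions=["legacy.otherdomain.com"]),
    Trust("EXTERNAL.NET", False),                # external trust, no forest info
]

if __name__ == "__main__":
    for name in ("cifs/dc.otherdomain.com@MYDOMAIN.COM",
                 "cifs/dc.external.net@MYDOMAIN.COM",
                 "krbtgt/EXTERNAL.NET@MYDOMAIN.COM"):
        print(name, "->", route_principal(name, "MYDOMAIN.COM", SAMPLE_TRUSTS))
```

The split between the `krbtgt` branch and the suffix branch is the point of the report: an explicit cross-realm TGT request names its target realm and can be answered for an external trust, whereas an ordinary service principal is only redirected when forest trust records vouch for its DNS suffix.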