The Samba-Bugzilla – Bug 12554
The kerberos client should not only rely on automatic cross-realm referrals
Last modified: 2017-03-23 11:15:08 UTC
This is the client side of bug #12553.
We may need to fallback to
our KDC returns PRINCIPAL_UNKNOWN for
In winbindd we should use the trust information of
It seems that the users of source3/librpc/crypto/gse.c handle this fine,
if heimdal is used. In that case smb_krb5_get_principal_from_service_hostname()
selects the target realm based on the host's dnsname by removing the hostname
Internally _krb5_get_cred_kdc_any() tries get_cred_kdc_referral()
first, which replaces the realm with the realm of the client principal
in order to get automatic forest trust referrals. If that fails
(typically with S_PRINCIPAL_UNKNOWN, if it's an external trust)
it falls back to get_cred_kdc_capath() which tries the original
dnshostname based realm and asks for an explicit referral ticket
from the client's KDC.
With MIT smb_krb5_get_principal_from_service_hostname() uses
the passed default realm (the one from the client principal)
unless a [domain_realm] is explicitly configured in krb5.conf.
Internally MIT only tries the given target principal and returns
without a possible fallback. For all cases except the winbindd use case
this behavior hasn't changed since 4.5, but for the winbindd case
we now fall back to NTLMSSP when accessing a DC of an external trust.
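The Heimdal-vs-MIT behaviour described in comment #1, as an added toy model (not Samba, Heimdal or MIT code; the realm names, hostnames, trust table and the toy KDC are constructed): Heimdal's referral-then-capath sequence still obtains a ticket for a DC behind an external trust, while MIT's single attempt with the default realm fails unless [domain_realm] maps the host's domain.

```python
# Added toy model (not Samba, Heimdal or MIT code) of the two realm-selection
# strategies from comment #1. Realm names, hostnames and the trust table are
# constructed for illustration.
PRINCIPAL_UNKNOWN = "KDC_ERR_S_PRINCIPAL_UNKNOWN"

# Trusts known to the client's KDC (constructed): realm -> trust type.
TRUSTS = {"CHILD.EXAMPLE.COM": "forest", "PARTNER.NET": "external"}


def realm_from_dnshostname(dnshostname):
    """Heimdal-style guess: drop the hostname label and uppercase the rest."""
    return dnshostname.split(".", 1)[1].upper()


def kdc_request(client_realm, target_realm, hostname):
    """Toy KDC answering a TGS-REQ for cifs/<hostname>@<target_realm>."""
    if target_realm == client_realm:
        # Referral-style request: automatic referrals only across forest trusts.
        host_realm = realm_from_dnshostname(hostname)
        if TRUSTS.get(host_realm) == "forest":
            return ("ticket", host_realm)
        return ("error", PRINCIPAL_UNKNOWN)
    if target_realm in TRUSTS:
        # Explicit cross-realm request for a realm the KDC has a trust with.
        return ("ticket", target_realm)
    return ("error", PRINCIPAL_UNKNOWN)


def get_cred_heimdal(client_realm, hostname):
    """get_cred_kdc_referral() first, then get_cred_kdc_capath() as fallback."""
    result = kdc_request(client_realm, client_realm, hostname)
    if result[0] == "ticket":
        return result
    return kdc_request(client_realm, realm_from_dnshostname(hostname), hostname)


def get_cred_mit(client_realm, hostname, domain_realm=None):
    """Single attempt: default realm unless [domain_realm] maps the host's domain."""
    domain = "." + hostname.split(".", 1)[1]
    target = (domain_realm or {}).get(domain, client_realm)
    return kdc_request(client_realm, target, hostname)


if __name__ == "__main__":
    for host in ("dc1.child.example.com", "dc1.partner.net"):
        print(host, "heimdal:", get_cred_heimdal("EXAMPLE.COM", host))
        print(host, "mit:", get_cred_mit("EXAMPLE.COM", host))
        print(host, "mit+domain_realm:",
              get_cred_mit("EXAMPLE.COM", host, {".partner.net": "PARTNER.NET"}))
```

The MIT path returning PRINCIPAL_UNKNOWN for dc1.partner.net is the point where winbindd, as described above, drops to NTLMSSP.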
(In reply to Stefan Metzmacher from comment #1)
I guess the best approach would be to get the credentials with
raw krb5 functions before calling gss_init_sec_context(),
so that we can control possible fallbacks in our code.
Is this a blocker for 4.6.0?
Ask metze, patches for master are here (including tests): https://git.samba.org/?p=asn/samba.git;a=shortlog;h=refs/heads/master-trusts
(In reply to Karolin Seeger from comment #3)
As the behavior change only happens if all of the following statements are true:
- use within winbindd
- only external (non-forest) trusts to AD domain
- only with MIT krb5
and we do a proper fallback to NTLMSSP in that case.
I don't think it's still a blocker.
We can think about a possible fix for the first
4.6 maintenance release.
Created attachment 13052 [details]
patch for 4.6
I need the first patch to be able to compile source3/lib/system.c ...
Comment on attachment 13052 [details]
patch for 4.6
I think we should have a separate bug report for the libreplace patch,
so people can find the bug report.
Created attachment 13054 [details]
patch for 4.6 v2
#12686 is the bug for the build issue.
Pushed to autobuild-v4-6-test.
Pushed to v4-6-test.
Closing out bug report.