This is the client side of bug #12553. We may need to fall back to cifs/dc.otherdomain.com@OTHERDOMAIN.COM if our KDC returns PRINCIPAL_UNKNOWN for cifs/dc.otherdomain.com@MYDOMAIN.COM. In winbindd we should use the trust information of netr_LogonGetDomainInfo().
It seems that the users of source3/librpc/crypto/gse.c handle this fine if Heimdal is used. In that case smb_krb5_get_principal_from_service_hostname() selects the target realm based on the host's DNS name by removing the hostname part. Internally _krb5_get_cred_kdc_any() tries get_cred_kdc_referral() first, which replaces the realm with the realm of the client principal in order to get automatic forest trust referrals. If that fails (typically with S_PRINCIPAL_UNKNOWN, if it's an external trust) it falls back to get_cred_kdc_capath(), which tries the original dnshostname-based realm and asks for an explicit referral ticket from the client's KDC.

With MIT, smb_krb5_get_principal_from_service_hostname() uses the passed default realm (the one from the client principal) unless a [domain_realm] entry is explicitly configured in krb5.conf. Internally MIT only tries the given target principal and returns without a possible fallback.

For all cases except the winbindd use case this behavior hasn't changed since 4.5, but for the winbindd case we now fall back to NTLMSSP when accessing a DC of an external trust.
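The [domain_realm] mapping mentioned in the comment above, written out as an added example (it is not part of the bug report or of Samba's own configuration). The realm and host names are the ones used in this thread; everything else is assumed for illustration.

```ini
# Added example krb5.conf fragment, not from the bug report.
# Host and realm names are taken from the thread; the rest is assumed.
[libdefaults]
    default_realm = MYDOMAIN.COM

# Without an entry here, MIT krb5 builds the service principal for
# dc.otherdomain.com in the client principal's realm, i.e.
# cifs/dc.otherdomain.com@MYDOMAIN.COM, and a PRINCIPAL_UNKNOWN answer
# from the KDC is returned without any fallback.
# With the explicit mapping below the principal is requested as
# cifs/dc.otherdomain.com@OTHERDOMAIN.COM instead.
[domain_realm]
    .otherdomain.com = OTHERDOMAIN.COM
    otherdomain.com = OTHERDOMAIN.COM
```

The mapping only changes realm selection on the MIT path; on the Heimdal path the library already derives the realm from the DNS name and tries the referral before the capath fallback, as the comment describes.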
(In reply to Stefan Metzmacher from comment #1) I guess the best approach would be to get the credentials with raw krb5 functions before calling gss_init_sec_context(), so that we can control possible fallbacks in our code.
Is this a blocker for 4.6.0?
Ask metze, patches for master are here (including tests): https://git.samba.org/?p=asn/samba.git;a=shortlog;h=refs/heads/master-trusts
(In reply to Karolin Seeger from comment #3) As the behavior change only happens if all of the following statements are true:
- use within winbindd
- only external (non-forest) trusts to an AD domain
- only with MIT krb5

and we do a proper fallback to NTLMSSP in that case, I don't think it's still a blocker. We can think about a possible fix for the first 4.6 maintenance release.
Created attachment 13052: patch for 4.6
I need the first patch to be able to compile source3/lib/system.c ...
Comment on attachment 13052 (patch for 4.6): I think we should have a separate bug report for the libreplace patch, so people can find the bug report.
Created attachment 13054: patch for 4.6 v2
#12686 is the bug for the build issue.
Pushed to autobuild-v4-6-test.
Pushed to v4-6-test. Closing out bug report. Thanks!