Bug 12907 - pam_winbind with krb5_auth or wbinfo -K doesn't work for users of trusted domains with more than 1 hop between server and user realm when using heimdal
Status: NEW
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Winbind
Version: 4.7.0rc2
Hardware: All
OS: All
Importance: P5 normal
Target Milestone: ---
Assigned To: Stefan Metzmacher
QA Contact: Samba QA Contact
Depends on:
Blocks: 14125 14124
Reported: 2017-07-14 12:45 UTC by Stefan Metzmacher
Modified: 2019-09-26 06:04 UTC

See Also:


Attachments
Work in progress for master (33.32 KB, patch), 2019-09-26 06:04 UTC, Stefan Metzmacher, no flags

Description Stefan Metzmacher 2017-07-14 12:45:09 UTC
I have the following setup:

Member in W4EDOM-L4.BASE
user in S2-W2012-L4.S1-W2012-L4.W2012R2-L4.BASE
chain:
W4EDOM-L4.BASE
<=Forest-Trust=>
W2012R2-L4.BASE
<=Parent-Child-Trust=>
S1-W2012-L4.W2012R2-L4.BASE
<=Parent-Child-Trust=>
S2-W2012-L4.S1-W2012-L4.W2012R2-L4.BASE

The ticket for administrator@S2-W2012-L4.S1-W2012-L4.W2012R2-L4.BASE
arrives on the member with transited = S1-W2012-L4.W2012R2-L4.BASE,
which was added by the DC of W2012R2-L4.BASE.

The function krb5_check_transited() is called via gss_accept_sec_context()
and fails with KRB5KRB_AP_ERR_ILL_CR_TKT, which causes krb5_decrypt_ticket()
to fail; in the log file it seems that the provided keytab didn't
have the correct key to decrypt.
Comment 1 Stefan Metzmacher 2019-09-13 12:26:04 UTC
The same problem happens with MIT Kerberos.
Comment 2 Stefan Metzmacher 2019-09-23 22:39:36 UTC
There was a discussion about this in August 2017:
https://lists.samba.org/archive/samba-technical/2017-August/thread.html#122422
Comment 3 Stefan Metzmacher 2019-09-26 06:04:37 UTC
Created attachment 15491
Work in progress for master