Bug 12907 - pam_winbind with krb5_auth or wbinfo -K doesn't work for users of trusted domains with more than 1 hop between server and user realm when using heimdal
Status: NEW
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Winbind
Version: 4.7.0rc2
Hardware: All
OS: All
Importance: P5 normal
Target Milestone: ---
Assigned To: Stefan Metzmacher
QA Contact: Samba QA Contact
Depends on:
Blocks:
Reported: 2017-07-14 12:45 UTC by Stefan Metzmacher
Modified: 2017-07-14 13:52 UTC (History)

See Also:

Description Stefan Metzmacher 2017-07-14 12:45:09 UTC
I have the following setup:

Member in W4EDOM-L4.BASE
user in S2-W2012-L4.S1-W2012-L4.W2012R2-L4.BASE
chain:
W4EDOM-L4.BASE
<=Forest-Trust=>
W2012R2-L4.BASE
<=Parent-Child-Trust=>
S1-W2012-L4.W2012R2-L4.BASE
<=Parent-Child-Trust=>
S2-W2012-L4.S1-W2012-L4.W2012R2-L4.BASE

The ticket for administrator@S2-W2012-L4.S1-W2012-L4.W2012R2-L4.BASE
arrives on the member with transited = S1-W2012-L4.W2012R2-L4.BASE,
which was added by the DC of W2012R2-L4.BASE.

The function krb5_check_transited() is called via gss_accept_sec_context()
and fails with KRB5KRB_AP_ERR_ILL_CR_TKT, which causes krb5_decrypt_ticket()
to fail; in the log file it seems that the provided keytab didn't
have the correct key to decrypt.
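To make the failing check concrete, here is an added Python model of what krb5_check_transited() verifies for the trust chain above; it is not Samba or Heimdal code, handles only domain-style transited compression, and assumes no [capaths] configuration so the hierarchical rule of RFC 4120 applies.

```python
# Added example (not Samba or Heimdal code): a simplified model of what
# krb5_check_transited() verifies, using the realm names from the report.
# Assumptions: domain-style compression only (RFC 4120 3.3.3.2 trailing-'.'
# rule) and no [capaths] configuration, so the hierarchical rule decides.

def expand_transited(encoded):
    """Expand a DOMAIN-X500-COMPRESS transited list (domain-style only).
    A component ending in '.' is a prefix of the previous expanded realm,
    e.g. 'EDU,MIT.,ATHENA.' -> ['EDU', 'MIT.EDU', 'ATHENA.MIT.EDU'];
    empty components (leading/trailing commas) are skipped."""
    realms, prev = [], ""
    for comp in encoded.split(","):
        if not comp:
            continue
        if comp.endswith("."):
            comp += prev
        realms.append(comp)
        prev = comp
    return realms

def hierarchical_path(client_realm, server_realm):
    """Intermediate realms the hierarchical rule of RFC 4120 expects: strip
    labels from the client realm up to the common suffix, then add labels
    down toward the server realm. The endpoints themselves are excluded."""
    client, server = client_realm.split("."), server_realm.split(".")
    common = 0
    while (common < min(len(client), len(server))
           and client[-1 - common] == server[-1 - common]):
        common += 1
    if common:
        up_last, down_first = len(client) - common, len(server) - common - 1
    else:  # no shared root: climb to each top-level realm instead
        up_last, down_first = len(client) - 1, len(server) - 1
    path = [".".join(client[i:]) for i in range(1, up_last + 1)]
    path += [".".join(server[i:]) for i in range(down_first, 0, -1)]
    return [r for r in path if r not in (client_realm, server_realm)]

def check_transited(client_realm, server_realm, encoded_transited):
    """(True, None) if every transited realm lies on the expected path,
    else (False, realm): the case reported as KRB5KRB_AP_ERR_ILL_CR_TKT."""
    allowed = set(hierarchical_path(client_realm, server_realm))
    for realm in expand_transited(encoded_transited):
        if realm not in allowed:
            return False, realm
    return True, None

CLIENT_REALM = "S2-W2012-L4.S1-W2012-L4.W2012R2-L4.BASE"
SERVER_REALM = "W4EDOM-L4.BASE"
TRANSITED = "S1-W2012-L4.W2012R2-L4.BASE"  # value seen on the member
RESULT = check_transited(CLIENT_REALM, SERVER_REALM, TRANSITED)  # (True, None)
```

With the report's transited value this simplified rule accepts the ticket, so the block shows the shape of the check rather than the exact rejection; the report does not say which realm Heimdal flagged as bad.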