Bug 14124 - pam_winbind with krb5_auth or wbinfo -K doesn't work for users of trusted domains/forests
pam_winbind with krb5_auth or wbinfo -K doesn't work for users of trusted dom...
Status: RESOLVED FIXED
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Winbind
4.11.0rc4
All All
: P5 normal
: ---
Assigned To: Karolin Seeger
Samba QA Contact
:
Depends on: 12907
Blocks:
  Show dependency treegraph
 
Reported: 2019-09-13 12:46 UTC by Stefan Metzmacher
Modified: 2019-10-16 11:05 UTC (History)
2 users (show)

See Also:


Attachments
Patches for v4-11-test (64.42 KB, patch)
2019-09-25 09:39 UTC, Stefan Metzmacher
gd: review+
Details
Patches for v4-10-test (52.94 KB, patch)
2019-09-25 09:39 UTC, Stefan Metzmacher
gd: review+
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Stefan Metzmacher 2019-09-13 12:46:08 UTC
pam_winbind with krb5_auth or wbinfo -K relies on
winbindd (on a domain member) having a complete picture of the trust topology
(which is managed by the DCs).

This is just not possible for a domain member!
There might be uPNSuffixes and msDS-SPNSuffixes values,
which don't belong to any AD domain at all.

With "winbind scan trusted domains = no" we don't even get an incomplete
picture of the topology.

Instead we should just rely on the [K]DCs of our primary domain
(e.g. PRIMARY.A.EXAMPLE.COM) and use enterprise principals e.g. upnfromB@B.EXAMPLE.COM@PRIMARY.A.EXAMPLE.COM and follow
the WRONG_REALM referrals in order to find the correct DC.

The final principal might be 
userfromB@INTERNALB.EXAMPLE.PRIVATE.
Comment 1 Stefan Metzmacher 2019-09-25 09:39:14 UTC
Created attachment 15489 [details]
Patches for v4-11-test
Comment 2 Stefan Metzmacher 2019-09-25 09:39:57 UTC
Created attachment 15490 [details]
Patches for v4-10-test
Comment 3 Guenther Deschner 2019-09-25 16:50:53 UTC
Comment on attachment 15489 [details]
Patches for v4-11-test

LGTM
Comment 4 Guenther Deschner 2019-09-25 16:51:25 UTC
Comment on attachment 15490 [details]
Patches for v4-10-test

LGTM
Comment 5 Guenther Deschner 2019-09-25 16:52:24 UTC
Karolin, please add to v4-10 and v4-11, Thanks!
Comment 6 Karolin Seeger 2019-09-25 18:20:52 UTC
(In reply to Guenther Deschner from comment #5)
Pushed to both branches.
Closing out bug report.

Thanks!
Comment 7 Karolin Seeger 2019-09-25 18:26:40 UTC
Pushed to autobuild.