Changing password with kpasswd (e.g. net ads changetrustpw) fails when built with MIT Kerberos. This is because upstream MIT has a bug when requesting canonicalization for non-krbtgt requests. For example: `kinit -C aDmInIsTrAtOr@ACME.COM -S kadmin/changepw@ACME.COM` We need to revert the MIT part of commit 03b7e59a286896888ee2473995fc50bb2b5ce5e.
MR: https://gitlab.com/samba-team/samba/merge_requests/840
(In reply to Andreas Schneider from comment #0) This is about commit 303b7e59a286896888ee2473995fc50bb2b5ce5e and not 03b7e59a286896888ee2473995fc50bb2b5ce5e...
Can you be more specific on what is wrong? Does that only happen if the service is kadmin/changepw@* ? Is there an MIT bug report?
As discussed in MR 840, the MIT client won't allow name canonicalization in the AS exchange if the service is anything but krbtgt, see: https://github.com/krb5/krb5/blob/154551ad22e90d2e5f60103059fbaaadac017420/src/lib/krb5/krb/get_in_tkt.c#L231 Per RFC 6806 it should be okay, especially since it's the client name that changed, not the server, and especially if we check PA-REQ-ENC-PA-REP in the returned encrypted padata, which MIT does (as does Heimdal upstream). So I want to add a check so that, in case we verified the returned PA-REQ-ENC-PA-REP, canonicalization is allowed even for non-krbtgt servers. I'll update once I submit a PR upstream.
Upstream PR: https://github.com/krb5/krb5/pull/986
Created attachment 15532 [details] patch for 4.11
Created attachment 15533 [details] patch for 4.10
Created attachment 15534 [details] patch for 4.10
Both patches do not apply on current test branches. Re-assigning to Andreas.
Karolin, they are already applied on both branches ... Metze pushed them.

commit 3ad42536f873f21cc2db774ca3ea694ca7142253 (HEAD -> v4-10-test, origin/v4-10-test)
Author: Andreas Schneider <asn@samba.org>
AuthorDate: Wed Oct 9 16:32:47 2019 +0200
Commit: Stefan Metzmacher <metze@samba.org>
CommitDate: Wed Oct 16 16:43:59 2019 +0000

Closing :-)
FYI, the upstream MIT PR 986 has landed, so the fix will be in v1.18 once released.