Bug 15653 - idmap_ad creates an incorrect local krb5.conf in case of trusted domain lookups
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Winbind
Version: 4.20.1
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Jule Anger
QA Contact: Samba QA Contact
Reported: 2024-05-29 17:29 UTC by Andreas Schneider
Modified: 2024-06-19 14:35 UTC

Attachments
patch for 4.20 (4.57 KB, patch)
2024-06-05 12:10 UTC, Andreas Schneider
pfilipensky: review+
Description Andreas Schneider 2024-05-29 17:29:42 UTC
idmap_ad creates an incorrect local krb5.conf in case of trusted domain lookups. 

In case we have idmap_ad and a trusted domain and connect to a trusted domain, we create a krb5.conf for our realm but with the IP of the trusted domain KDC. Thus we try to get a krbtgt from the trusted domain for our machine account and fail. The trusted domain KDC doesn't know about our machine account.

We need to look up the KDC IP in this case instead of providing one.


Patch will follow.
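
A check for the symptom described in the report above, as an added example that is not part of the original bug report or of Samba's code: it parses a krb5.conf and flags any realm pinned to a KDC address that an inventory attributes to a different realm. The realm names, addresses, sample file and the KNOWN_KDCS inventory are constructed for illustration.

```python
import re

# Constructed sample: our own realm pinned to the trusted domain's KDC address.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = OWN.EXAMPLE.COM
[realms]
    OWN.EXAMPLE.COM = {
        kdc = 192.0.2.50
    }
"""
# Assumed inventory of which KDC addresses serve which realm (constructed).
KNOWN_KDCS = {
    "OWN.EXAMPLE.COM": {"192.0.2.10"},
    "TRUSTED.EXAMPLE.NET": {"192.0.2.50"},
}

def parse_realm_kdcs(text):
    """Return {realm: [kdc value, ...]} from the [realms] section."""
    realms, section, current, depth = {}, None, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or whole-line comment
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section, current, depth = header.group(1), None, 0
        elif section == "realms" and line.endswith("{"):
            depth += 1
            if depth == 1:  # a realm stanza, not a nested sub-block
                current = line.split("=", 1)[0].strip()
                realms[current] = []
        elif section == "realms" and line.startswith("}"):
            depth -= 1
            if depth == 0:
                current = None
        elif current and depth == 1 and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key == "kdc":
                realms[current].append(value)
    return realms

def kdc_host(value):
    """Strip an optional port from a kdc value ('host', 'host:88', '[v6]:88')."""
    if value.startswith("["):
        return value[1:value.index("]")]
    return value.rsplit(":", 1)[0] if value.count(":") == 1 else value

def misplaced_kdcs(conf_text, known):
    """List (realm, kdc, owning realm or None) for KDCs not known for that realm."""
    findings = []
    for realm, kdcs in parse_realm_kdcs(conf_text).items():
        for host in map(kdc_host, kdcs):
            if host not in known.get(realm, set()):
                owner = next((r for r, a in known.items() if host in a), None)
                findings.append((realm, host, owner))
    return findings
```

On the sample, `misplaced_kdcs(SAMPLE_KRB5_CONF, KNOWN_KDCS)` reports the own realm pinned to the address listed for the trusted realm; a file with no `kdc` line for the realm produces no findings.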
Comment 1 Samba QA Contact 2024-06-04 20:53:06 UTC
This bug was referenced in samba master:

28aa0b815baf4668e3df01d52597c40fd430e2fb
9dcc52d2a57314ec9ddaae82b3c49da051d1f1d2
8989aa47b7493e6b7978c2efc4a40c781e9a2aee
Comment 2 Andreas Schneider 2024-06-05 12:10:11 UTC
Created attachment 18326
patch for 4.20
Comment 3 Andreas Schneider 2024-06-05 13:53:06 UTC
Jule, could you please apply the patch to 4.20? Thanks a lot!
Comment 4 Samba QA Contact 2024-06-05 15:02:11 UTC
This bug was referenced in samba v4-20-test:

069729202c3b287642e36c777e2b0863f593bca4
fb4c338f03034ef47231e1fb7ec1056ac5d3aa4f
65e781a30b247ab1056405322a8c9cbfb4bae03a
Comment 5 Jule Anger 2024-06-10 13:21:21 UTC
Closing out bug report.

Thanks!
Comment 6 Samba QA Contact 2024-06-19 14:35:28 UTC
This bug was referenced in samba v4-20-stable (Release samba-4.20.2):

069729202c3b287642e36c777e2b0863f593bca4
fb4c338f03034ef47231e1fb7ec1056ac5d3aa4f
65e781a30b247ab1056405322a8c9cbfb4bae03a