Bug 6700 - Samba incorrectly guesses AD DC SPN
Status: RESOLVED FIXED
Alias: None
Product: Samba 3.4
Classification: Unclassified
Component: Winbind
Version: 3.4.0
Hardware: x64 Linux
Importance: P3 normal
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
Reported: 2009-09-08 19:03 UTC by Robert LeBlanc
Modified: 2020-12-11 11:18 UTC

Attachments
git format-patch version (984 bytes, patch)
2009-09-08 19:34 UTC, Guenther Deschner
gd: review+

Description Robert LeBlanc 2009-09-08 19:03:42 UTC
I believe that it only affects Active Directory membership and when using Kerberos. I also believe it was an oversight as a few lines before, the debug output says it is going to do one thing, but in the actual function call, it uses a different variable. By changing the variable to what the debug output specifies, Samba correctly guesses the SPN for the DCs and there seems to be a large speed-up in reconnection after the DCs close the connections. The change is as follows:

--- winbindd/winbindd_cm.c.orig    2009-08-30 07:56:54.000000000 -0600
+++ winbindd/winbindd_cm.c    2009-08-28 12:01:44.000000000 -0600
@@ -836,7 +836,7 @@
                                   machine_krb5_principal,
                                   machine_password,
                                   lp_workgroup(),
-                                  domain->name);
+                                  domain->alt_name);
 
             if (!ADS_ERR_OK(ads_status)) {
                 DEBUG(4,("failed kerberos session setup with %s\n",
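
Review bot: domain->alt_name is now passed as the last argument with no check in the visible context that it is populated. Per the description this value is used to construct the DC's SPN, so if a domain entry can carry an empty or NULL alt_name, the call would be handed an unusable realm and drop into the "failed kerberos session setup" branch; consider testing alt_name before the call and either falling back to domain->name or skipping the Kerberos attempt. A short comment at that argument stating that it must be the DNS (realm) name rather than the short domain name would also help keep it from being changed back.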

Very small change, 7 lines above is the debug message outputting domain->alt_name instead of domain->name. This sends DOMAIN.LOCAL to cli_session_setup_spnego instead of DOMAIN which is used to construct the SPN of DC1$@DOMAIN.LOCAL (which is valid) instead of DC1$@DOMAIN (which is invalid).

Again, I'm not sure what change that would have on anything else, but it seems important for Kerberos to work correctly.

The patch seems to work for Samba 3.2.x and 3.3.x, but hasn't been extensively tested on all versions.
Comment 1 Guenther Deschner 2009-09-08 19:33:28 UTC
Great catch! Applied your patch to master, thanks!
Comment 2 Guenther Deschner 2009-09-08 19:34:26 UTC
Created attachment 4666
git format-patch version

Jeremy, I think we should have this one also in 3.4 (and 3.3)
Comment 3 Jeremy Allison 2009-09-08 19:39:05 UTC
+1. This is an obvious typo with a large effect. Karolin, I think this one should be in 3.4.1 (and 3.3.x as well - probably the 3.2.x tree if you're feeling generous :-).

Jeremy.
Comment 4 Karolin Seeger 2009-09-09 05:26:30 UTC
Pushed to v3-3-test and v3-4-test.
3.2 is security fixes only.
Closing out bug report.

Thanks!