Bug 8156 - net ads join fails to use the user's kerberos ticket
Status: RESOLVED FIXED
Alias: None
Product: Samba 3.6
Classification: Unclassified
Component: Client Tools
Version: 3.6.0rc1
Hardware: All Linux
Importance: P5 major
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
Reported: 2011-05-20 13:44 UTC by Kai Blin
Modified: 2011-09-30 19:08 UTC
Attachments
net ads join -k -d10 output (23.06 KB, text/plain)
2011-05-20 17:28 UTC, Kai Blin
git-am fix for 3.6.0 (2.27 KB, patch)
2011-05-20 23:11 UTC, Jeremy Allison
kai: review+

Description Kai Blin 2011-05-20 13:44:59 UTC
When trying to join a 3.6.0rc1 Samba to a Win2k8r2 AD DC using an existing kerberos ticket, net fails to pick up the user's kerberos credentials.

The following related settings and commands reproduce this for me reliably:

krb5.conf:
[libdefaults]
  default_realm = DEMO.HOME.KBLIN.ORG

smb.conf:
[global]
    realm = DEMO.HOME.KBLIN.ORG
    workgroup = DEMO
    security = ADS
    idmap config * : backend = tdb

As root, I ran:

# export KRB5CCNAME=/tmp/ticket
# kinit Administrator
<enter password>
# net ads join -k
Failed to join domain: failed to lookup DC info for domain 'DEMO.HOME.KBLIN.ORG' over rpc: Logon failure

Looking at the attached debuglevel 10 log, it seems like the client just tries to negotiate NTLMSSP as "root", instead of using the "Administrator" kerberos ticket.

Joining using net ads join -Uadministrator%password works just fine.
Comment 1 Jeremy Allison 2011-05-20 14:16:04 UTC
Important to fix, but not (IMHO) a blocker :-).

Jeremy.
Comment 2 Kai Blin 2011-05-20 17:19:02 UTC
Fair enough. gd asked me to file a block bug. :) Let's try to get it fixed, then this distinction doesn't matter.
Comment 3 Kai Blin 2011-05-20 17:28:05 UTC
Created attachment 6461
net ads join -k -d10 output

Hm, somehow the attachment didn't work on the first try. Here it is again.
Comment 4 Jeremy Allison 2011-05-20 23:11:58 UTC
Created attachment 6466
git-am fix for 3.6.0

Allow us to use a fallback when the krb5.conf can't map dns names to realms.
Jeremy.
Comment 5 Kai Blin 2011-05-21 21:57:19 UTC
Comment on attachment 6466
git-am fix for 3.6.0

Fixes the realm lookup for me.
Comment 6 Kai Blin 2011-05-21 21:57:43 UTC
Reassigning to Karolin.
Comment 7 Karolin Seeger 2011-05-23 18:42:55 UTC
Pushed to v3-6-test.
Closing out bug report.

Thanks!
Comment 8 Guenther Deschner 2011-09-30 08:57:32 UTC
This needs to be in v3-5-test as well.

Patch was fully acked and the patch can be easily cherrypicked.

Karolin, please add to 3.5.x.
Comment 9 Karolin Seeger 2011-09-30 19:08:29 UTC
(In reply to comment #8)
> This needs to be in v3-5-test as well.
> 
> Patch was fully acked and the patch can be easily cherrypicked.
> 
> Karolin, please add to 3.5.x.

Pushed to v3-5-test also.
Closing out bug report.

Thanks!