[PATCH] spnego SPN fix when contacting trusted domains

Steven Danneman steven.danneman at isilon.com
Thu May 8 21:12:49 GMT 2008


Doing some testing with W2K8 I found there are still a few more bugs using
proper Kerberos credentials when we're joined to a W2K3 domain, but
attempting to connect to a W2K8 domain which has a forest transitive
trust with our domain.

There are two patches against v3-0-test attached.  The first one is a
quick and dirty hack to get 3.0 head behaving like our in-house modified
3.0.24, against which I originally wrote the second patch.

0001:

Changes were made in winbindd_cm.c:cm_prepare_connection() to use
get_trust_creds() to fill in machine_krb5_principal and
machine_password.  Unfortunately, they're filled in incorrectly in the
case where we're trying to connect to a trusted domain.

Say our machine is called MACHINE, we're joined to a domain
W2K3.DOMAIN.COM, which has a transitive trust to W2K8.DOMAIN.COM.  The
first time we try to connect to W2K8, get_trust_creds() incorrectly
tells us to use the machine_password from W2K8, and a
machine_krb5_principal of MACHINE$@W2K8.DOMAIN.COM.  These should be the
machine_password from W2K3 and MACHINE$@W2K3.DOMAIN.COM.

So the first patch is a quick hack to fill in those values like they
were in 3.0.24.  These changes probably need to be put somewhere else,
and I haven't audited any other callers of the functions in that patch
to make sure they still work.

0002:

This is what I was trying to submit initially, and the patch explains
the changes and why they're necessary.  There are many ways to implement
this fix; I chose to change the function signature and pass in a real
REALM so we could eventually stop relying on the negHint in
NegTokenInit2 altogether.

Steven Danneman | Software Development Engineer

Isilon Systems    P +1-206-315-7500    F  +1-206-315-7501

www.isilon.com

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Use-machine-account-and-machine-password-from-our-do.patch
Type: application/octet-stream
Size: 1702 bytes
Desc: 0001-Use-machine-account-and-machine-password-from-our-do.patch
Url : http://lists.samba.org/archive/samba-technical/attachments/20080508/a2cc2b13/0001-Use-machine-account-and-machine-password-from-our-do.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-spnego-SPN-fix-when-contacting-trusted-domains.patch
Type: application/octet-stream
Size: 6977 bytes
Desc: 0002-spnego-SPN-fix-when-contacting-trusted-domains.patch
Url : http://lists.samba.org/archive/samba-technical/attachments/20080508/a2cc2b13/0002-spnego-SPN-fix-when-contacting-trusted-domains.obj
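The credential mix-up described in the message, modelled as an added example (this is illustration code, not Samba's winbindd_cm.c, and it does not reproduce the real get_trust_creds() signature). It contrasts the reported behaviour, where both the principal and the password are taken from the target domain, with the intended one, where the client identity always comes from the domain the machine is joined to and only the realm of the service being contacted comes from the target. The domain names follow the post; the machine passwords and the DC host name are constructed placeholders.

```python
"""Cross-realm machine credential selection, modelled after the post above.

Added illustration, not code from Samba. Domain names follow the post; the
machine passwords and DC host name are constructed placeholders for the
example, and get_trust_creds()'s real signature is not reproduced.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Domain:
    netbios: str            # short name, e.g. "W2K3"
    realm: str              # Kerberos realm, e.g. "W2K3.DOMAIN.COM"
    machine_password: str   # constructed placeholder, not a real secret


@dataclass(frozen=True)
class Creds:
    machine_krb5_principal: str   # whom we authenticate as (client principal)
    machine_password: str         # which secret proves that identity
    target_realm: str             # realm the service ticket must be for


MACHINE = "MACHINE"
OUR_DOMAIN = Domain("W2K3", "W2K3.DOMAIN.COM", "w2k3-machine-secret")
# Domains reachable from OUR_DOMAIN through a forest transitive trust.
TRUSTED_DOMAINS = {
    "W2K8": Domain("W2K8", "W2K8.DOMAIN.COM", "w2k8-trust-secret"),
}


def lookup_domain(name: str) -> Domain:
    """Resolve a NetBIOS domain name to our own domain or a trusted one."""
    if name == OUR_DOMAIN.netbios:
        return OUR_DOMAIN
    return TRUSTED_DOMAINS[name]


def creds_buggy(target: str) -> Creds:
    """Behaviour reported for 3.0 head: principal and password both come
    from the *target* domain, so contacting W2K8 yields MACHINE$@W2K8..."""
    d = lookup_domain(target)
    return Creds(f"{MACHINE}$@{d.realm}", d.machine_password, d.realm)


def creds_fixed(target: str) -> Creds:
    """Intended behaviour: the client identity is always our own machine
    account in the realm we are joined to; only the realm of the service we
    are about to contact is taken from the target domain."""
    d = lookup_domain(target)
    return Creds(f"{MACHINE}$@{OUR_DOMAIN.realm}",
                 OUR_DOMAIN.machine_password, d.realm)


def cifs_spn(dc_fqdn: str, target: str) -> str:
    """Service principal name for the DC we connect to, in the target's
    realm. Client principal and service principal live in different realms
    in the cross-realm case, which is exactly why they must not be derived
    from the same Domain record."""
    return f"cifs/{dc_fqdn}@{lookup_domain(target).realm}"


def creds_consistent(c: Creds) -> bool:
    """Sanity check: the realm of the client principal must be the realm
    whose machine password we actually hold, i.e. our own. The buggy values
    fail this because the W2K8 KDC knows no MACHINE$ of ours and we hold no
    key for that realm anyway."""
    realm = c.machine_krb5_principal.rsplit("@", 1)[1]
    return (realm == OUR_DOMAIN.realm
            and c.machine_password == OUR_DOMAIN.machine_password)


if __name__ == "__main__":
    for fn in (creds_buggy, creds_fixed):
        c = fn("W2K8")
        print(fn.__name__, c.machine_krb5_principal, creds_consistent(c))
    print(cifs_spn("dc1.w2k8.domain.com", "W2K8"))
```

Note that for the home domain both functions agree, which is why the bug only shows up when a trusted domain is contacted for the first time.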


More information about the samba-technical mailing list