[PATCH] spnego SPN fix when contacting trusted domains

Gerald (Jerry) Carter jerry at samba.org
Fri May 9 20:34:24 GMT 2008



Steven,


0001-Use-machine....
  I think the change to secrets.c may break winbindd running
  on a PDC.  The change to winbindd_cm.c is ok since we only
  do krb5 logins on a domain member server anyways.

0002-spnego-SPN-fix.....
  I'd agree with the logic here after a quick review.  No testing.
  If no one has a Windows 2008 forest (other than Steven), I'll
  add some trusts to mine and finish up testing on Monday.
cheers, jerry

Steven Danneman wrote:
> Doing some testing with W2K8 I found there's still a few more bugs using
> proper Kerberos credentials when we're joined to a W2K3 domain, but
> attempting to connect to a W2K8 domain which has a forest transitive
> trust with our domain.
>
> There are two patches against v3-0-test attached.  The first one is a
> quick and dirty hack to get 3.0 head behaving like our in-house modified
> 3.0.24 which I originally wrote the second patch against.
>
> 0001:
>
> Changes were made in winbindd_cm.c:cm_prepare_connection() to use
> get_trust_creds() to fill in machine_krb5_principal and
> machine_password.  Unfortunately, they're filled in incorrectly in the
> case where we're trying to connect to a trusted domain.
>
> Say our machine is called MACHINE, we're joined to a domain
> W2K3.DOMAIN.COM, which has a transitive trust to W2K8.DOMAIN.COM.  The
> first time we try to connect to W2K8, get_trust_creds() incorrectly
> tells us to use the machine_password from W2K8, and a
> machine_krb5_principal of MACHINE$@W2K8.DOMAIN.COM.  These should be the
> machine_password from W2K3 and MACHINE$@W2K3.DOMAIN.COM.
>
> So the first patch is a quick hack to fill in those values like they
> were in 3.0.24.  These changes probably need to be put somewhere else,
> and I haven't audited any other callers of the functions in that patch
> to make sure they still work.
>
> 0002:
>
> This is what I was trying to submit initially, and the patch explains
> the changes and why they're necessary.  There are many ways to implement
> this fix, I chose to change the function signature, and pass in a real
> REALM so we could eventually stop relying on the negHint in
> NegTokenInit2 altogether.
>
> Steven Danneman | Software Development Engineer
> 
> Isilon Systems    P +1-206-315-7500    F  +1-206-315-7501
> 
> www.isilon.com
>


--
=====================================================================
Samba                                    ------- http://www.samba.org
Likewise Software          ---------  http://www.likewisesoftware.com
"What man is a man who does not make the world better?"      --Balian


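The credential mix-up Steven describes (MACHINE$@W2K8.DOMAIN.COM with W2K8's password instead of MACHINE$@W2K3.DOMAIN.COM with W2K3's) can be modelled with a toy KDC; this is an added example, not Samba code or code from the thread. The passwords, the DC hostname dc1.w2k8.domain.com, and the functions creds_buggy/creds_fixed/build_spn are constructed stand-ins for the behaviour attributed to get_trust_creds() and the SPN-building change in the second patch.

```python
# Toy model (added here, not Samba code) of the credential bug in the thread:
# a member of W2K3.DOMAIN.COM must authenticate to the trusted W2K8.DOMAIN.COM
# as its own machine account.  Passwords, the DC hostname and the function
# names creds_buggy/creds_fixed are constructed stand-ins, not Samba's.
from dataclasses import dataclass, field

OUR_REALM = "W2K3.DOMAIN.COM"
TRUSTED_REALM = "W2K8.DOMAIN.COM"
SECRETS = {OUR_REALM: "pw-w2k3"}   # winbindd only knows its own domain's password

@dataclass
class Realm:
    name: str
    accounts: dict                              # principal -> machine password
    trusts: set = field(default_factory=set)    # realms reachable by cross-realm TGT

def make_forest():
    w2k3 = Realm(OUR_REALM, {f"MACHINE$@{OUR_REALM}": "pw-w2k3"}, {TRUSTED_REALM})
    w2k8 = Realm(TRUSTED_REALM, {}, {OUR_REALM})   # no MACHINE$ account here
    return {r.name: r for r in (w2k3, w2k8)}

def creds_buggy(our_realm, target_realm, secrets=SECRETS):
    # Behaviour described in the thread: principal and password from the target domain.
    return f"MACHINE$@{target_realm}", secrets.get(target_realm)

def creds_fixed(our_realm, target_realm, secrets=SECRETS):
    # Fix: always use the machine account of the domain we are joined to.
    return f"MACHINE$@{our_realm}", secrets[our_realm]

def build_spn(dc_host, realm):
    # Second patch's idea: derive the SPN from a real realm, not the NegTokenInit2 negHint.
    return f"cifs/{dc_host}@{realm}"

def get_service_ticket(forest, principal, password, spn):
    """Toy KDC: AS exchange in the client's realm, then a cross-realm referral."""
    client_realm = principal.split("@", 1)[1]
    service_realm = spn.split("@", 1)[1]
    home = forest.get(client_realm)
    if home is None or password is None or home.accounts.get(principal) != password:
        return None   # real KDC: C_PRINCIPAL_UNKNOWN or PREAUTH_FAILED
    if service_realm != client_realm and service_realm not in home.trusts:
        return None   # no trust path, so no cross-realm TGT
    return {"client": principal, "service": spn}

def try_connect(creds_fn, dc_host="dc1.w2k8.domain.com"):
    principal, password = creds_fn(OUR_REALM, TRUSTED_REALM)
    spn = build_spn(dc_host, TRUSTED_REALM)
    return get_service_ticket(make_forest(), principal, password, spn)
```

Running try_connect(creds_buggy) yields no ticket because MACHINE$ is not an account in the W2K8 realm and winbindd has no W2K8 machine password, while try_connect(creds_fixed) obtains a service ticket for the W2K8 DC as MACHINE$@W2K3.DOMAIN.COM.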