Foreign Principal Mapping

Eric Horst erich at cac.washington.edu
Thu Oct 23 21:01:57 GMT 2003


>    This is a patch which will allow a samba system acting as a Win2k
> domain member to use the kerberos user mappings in AD.
>
>    So, say you have a samba box as a member of the Win2k domain 'MS'.
> That domain trusts the kerberos realm 'MIT'. If you present a tkt as
> joe at MIT to the samba system, it will lookup a matching
> altSecurityIdentities attribute in AD for the MS domain, and if found
> you are now joe.schmoe at MS or whatever account it got matched to.

I was working on the same issue and have it working without your big
patch.  Let me describe what I saw and how I changed the behaviour.

I have a Samba box as member of the Windows domain 'NDOM'.  That domain
trusts the kerberos realm 'UREL'.  A client computer is member of Windows
domain 'NDOM'.  Log in to client computer as user at UREL.  Accessing Windows
shares works.  Accessing Samba shares don't.  Error log:

smbd/sesssetup.c:reply_spnego_kerberos(178)  Ticket name is [user at UREL]
smbd/sesssetup.c:reply_spnego_kerberos(190)  Ticket for foreign realm
user at UREL smbd/sesssetup.c:reply_spnego_kerberos(218)  Username UREL\user is invalid on this system
smbd/error.c:error_packet(94) error string = No such file or directory

Now, to test (using brute force) I simply went into sesssetup.c and
changed line 196 to read 'foreign = False;' to force it to never consider
the ticket foreign.  Now I can access Samba shares using the UREL ticket.

So what is happening?  It appears that if I force Samba to not consider
the ticket foreign then it will forward the ticket along to the NDOM DC.
The NDOM DC must look at the foreign ticket, the altSecurityIdentity, and
decide that it looks OK and issues the cifs ticket.

My problem is solved.  However, is modifying Samba to not refuse foreign
realm tickets the right solution?  Is your mapping solution better?  In
some ways it seems that your patch is simply duplicating what the NDOM DC
is doing automatically.

Does any of this make any sense?  I'm slowly getting up to speed on this
Kerberos stuff.

--Eric




More information about the samba-technical mailing list