[PATCH] spnego SPN fix when contacting trusted domains
Gerald (Jerry) Carter
jerry at samba.org
Fri May 9 20:34:24 GMT 2008
I think the change to secrets.c may break winbindd running
on a PDC. The change to winbindd_cm.c is ok since we only
do krb5 logins on a domain member server anyways.
I'd agree with the logic here after a quick review. No testing.
If no one has a Windows 2008 forest (other than Steven), I'll
add some trusts to mine and finish up testing on Monday.
Steven Danneman wrote:
> Doing some testing with W2K8 I found there are still a few more bugs using
> proper Kerberos credentials when we're joined to a W2K3 domain, but
> attempting to connect to a W2K8 domain which has a forest transitive
> trust with our domain.
>
> There are two patches against v3-0-test attached. The first one is a
> quick and dirty hack to get 3.0 head behaving like our in-house modified
> 3.0.24, which I originally wrote the second patch against.
>
> Changes were made in winbindd_cm.c:cm_prepare_connection() to use
> get_trust_creds() to fill in machine_krb5_principal and
> machine_password. Unfortunately, they're filled in incorrectly in the
> case where we're trying to connect to a trusted domain.
>
> Say our machine is called MACHINE, we're joined to a domain
> W2K3.DOMAIN.COM, which has a transitive trust to W2K8.DOMAIN.COM. The
> first time we try to connect to W2K8, get_trust_creds() incorrectly
> tells us to use the machine_password from W2K8, and a
> machine_krb5_principal of MACHINE$@W2K8.DOMAIN.COM. These should be the
> machine_password from W2K3 and MACHINE$@W2K3.DOMAIN.COM.
>
> So the first patch is a quick hack to fill in those values like they
> were in 3.0.24. These changes probably need to be put somewhere else,
> and I haven't audited any other callers of the functions in that patch
> to make sure they still work.
>
> This is what I was trying to submit initially, and the patch explains
> the changes and why they're necessary. There are many ways to implement
> this fix; I chose to change the function signature and pass in a real
> REALM so we could eventually stop relying on the negHint in
> NegTokenInit2 altogether.
> Steven Danneman | Software Development Engineer
> Isilon Systems P +1-206-315-7500 F +1-206-315-7501
Samba ------- http://www.samba.org
Likewise Software --------- http://www.likewisesoftware.com
"What man is a man who does not make the world better?" --Balian