gss_import_name() called with GSS_C_NT_USER_NAME

Andrew Bartlett abartlet at samba.org
Sun Nov 1 18:23:04 UTC 2015


> On Tue, 2015-10-27 at 15:54 -0400, Roland C. Dowdeswell wrote:
> instead of GSS_C_NT_HOSTBASED_SERVICE.
> 
> So, I'm debugging a problem where smbclient doesn't correctly
> traverse my multiple realm environment but can only connect to
> hosts in the same realm as the initiator.  I noticed the following
> approximate pseudo-code snippet:
>  
>         sprintf(princ, "%s/%s@%s", service, host, realm);
>         name_type = GSS_C_NT_USER_NAME;
>  
>         gss_import_name(..., princ, name_type, &name);
>  
> in source4/auth/gensec/gensec_gssapi.c lines 334-357 and
> source3/librpc/crypto/gse.c lines 219-242.
>  
> In the source3 file, it has a comment indicating that it is intentionally
> avoiding using the GSSAPI libraries because they may do DNS.
> 
> I would like to ask that this decision be reconsidered because I
> do not think that it makes sense in the modern world.  I have a
> few Kerberos realms and applications which use GSSAPI normally have
> no difficulty traversing them either via DNS or KDC referrals.

The issue is that while this works flawlessly in some Unix Kerberos
realms, in AD, the behaviour expected of clients is quite different -
you are expected to connect to your own KDC, and it will give the
referral.

That is why it is done that way, and a change would break a number of
working AD networks, I fear.

Andrew Bartlett
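As an added illustration of the two name types discussed in the thread (this is a constructed model, not Samba, MIT or Heimdal code): with GSS_C_NT_USER_NAME the caller's pre-formatted "service/host@realm" string is taken as-is, while a host-based "service@host" name may be expanded through host canonicalisation and domain-to-realm mapping, so the principal actually requested depends on what the resolver answers. The `Resolver` class, its lookup log and the hostnames are assumptions made for the example; real libraries apply their own rules (MIT krb5's `dns_canonicalize_hostname` and `rdns` settings, for instance).

```python
# Constructed model of the trust difference between the two GSSAPI name
# types named in the thread. Not library code: the constants, Resolver and
# hostnames below are stand-ins built for this example.
GSS_C_NT_USER_NAME = "user-name"
GSS_C_NT_HOSTBASED_SERVICE = "hostbased-service"


class Resolver:
    """Stand-in for the DNS/host-canonicalisation step a GSSAPI library may
    perform for host-based names. Every lookup is recorded so a caller can
    see exactly which external answers shaped the principal."""

    def __init__(self, cname, domain_realm):
        self.cname = cname                # host -> canonical host (DNS answer)
        self.domain_realm = domain_realm  # DNS suffix -> Kerberos realm
        self.lookups = []

    def canonicalize(self, host):
        self.lookups.append(("cname", host))
        return self.cname.get(host, host)

    def realm_for(self, host):
        self.lookups.append(("realm", host))
        for suffix, realm in self.domain_realm.items():
            if host.endswith(suffix):
                return realm
        return None


def import_name(name, name_type, resolver):
    """Return the principal string the mechanism would ask the KDC for.

    USER_NAME: the caller's string (the sprintf("%s/%s@%s") form from the
    thread) is used verbatim and the resolver is never consulted, so realm
    selection is left to the KDC referral path.
    HOSTBASED_SERVICE: "service@host" is expanded via the resolver, so the
    resulting principal is only as trustworthy as the DNS answers."""
    if name_type == GSS_C_NT_USER_NAME:
        return name
    if name_type == GSS_C_NT_HOSTBASED_SERVICE:
        service, host = name.split("@", 1)
        host = resolver.canonicalize(host)
        realm = resolver.realm_for(host)
        if realm is None:
            raise ValueError("no realm mapping for %s" % host)
        return "%s/%s@%s" % (service, host, realm)
    raise ValueError("unsupported name type: %r" % (name_type,))
```

Comparing `resolver.lookups` after each call shows which path let external data into principal selection; that is the behaviour the Samba comment quoted above is avoiding.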
