[PATCH] Fix spnego with machine$@DOMAIN

Jeremy Allison jra at samba.org
Thu Dec 1 19:17:03 UTC 2016


On Thu, Dec 01, 2016 at 01:11:02PM +0100, Andreas Schneider wrote:
> Hello,
> 
> if you join a domain with Kerberos (MIT) you get the following error:
> 
> samba-cli01:~ # net ads join -k
> Kinit for SAMBA-CLI01$@EARTH to access WINSRV-DC02.earth.milkyway.site failed: 
> KDC reply did not match expectations
> 
> The reason is that after the latest changes to libsmb we use:
> 
> 	SAMBA-CLI01$@EARTH
> 
> as the principal for kinit. Windows allows using the domain name (NetBIOS 
> name) in the principal, but for that you need to turn on canonicalization 
> support. We do not do that if Samba is compiled with MIT Kerberos.
> 
> 
> The attached patch is part of my MIT KDC working branch since last year, I 
> think it is time to push it to master :)
> 
> 
> Please review and push!

LGTM (except I changed the new True -> true).

Pushed.

> 
> 
> 	Andreas
> 
> 
> -- 
> Andreas Schneider                   GPG-ID: CC014E3D
> Samba Team                             asn at samba.org
> www.samba.org

> From ed9b3e8fd8ca7cf6a093dfc42f320d49ea932b85 Mon Sep 17 00:00:00 2001
> From: Andreas Schneider <asn at samba.org>
> Date: Mon, 15 Feb 2016 12:09:59 +0100
> Subject: [PATCH] s3-libads: Fix canonicalization support with MIT Kerberos
> 
> Signed-off-by: Andreas Schneider <asn at samba.org>
> ---
>  source3/libads/kerberos.c | 13 ++++++++++++-
>  1 file changed, 12 insertions(+), 1 deletion(-)
> 
> diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
> index b7962cf..d91d94e 100644
> --- a/source3/libads/kerberos.c
> +++ b/source3/libads/kerberos.c
> @@ -269,6 +269,7 @@ int kerberos_kinit_password_ext(const char *principal,
>  	krb5_error_code code = 0;
>  	krb5_ccache cc = NULL;
>  	krb5_principal me = NULL;
> +	krb5_principal canon_princ = NULL;
>  	krb5_creds my_creds;
>  	krb5_get_init_creds_opt *opt = NULL;
>  	smb_krb5_addresses *addr = NULL;
> @@ -302,6 +303,11 @@ int kerberos_kinit_password_ext(const char *principal,
>  
>  	krb5_get_init_creds_opt_set_renew_life(opt, renewable_time);
>  	krb5_get_init_creds_opt_set_forwardable(opt, True);
> +
> +	/* Turn on canonicalization for lower case realm support */
> +#ifndef SAMBA4_USES_HEIMDAL /* MIT */
> +	krb5_get_init_creds_opt_set_canonicalize(opt, True);
> +#endif /* MIT */
>  #if 0
>  	/* insane testing */
>  	krb5_get_init_creds_opt_set_tkt_life(opt, 60);
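Review bot: the comment on the new block says canonicalization is turned on "for lower case realm support", but the cover mail describes a different problem, namely the NetBIOS domain name (`SAMBA-CLI01$@EARTH`) being used as the realm; the comment should name the actual reason, e.g. `/* Turn on canonicalization so the KDC can map the short (NetBIOS) realm name to the real realm */`. The new `krb5_get_init_creds_opt_set_canonicalize(opt, True)` call also uses Samba's legacy `True` macro (copied from the neighbouring `set_forwardable` line); new code should use C99 `true`, as the reply already notes. Keeping the call under `#ifndef SAMBA4_USES_HEIMDAL` is the right choice, but a one-line comment saying why the Heimdal build is excluded (the Heimdal API for this option differs) would save the next reader a lookup.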
> @@ -328,7 +334,12 @@ int kerberos_kinit_password_ext(const char *principal,
>  		goto out;
>  	}
>  
> -	if ((code = krb5_cc_initialize(ctx, cc, me))) {
> +	canon_princ = me;
> +#ifndef SAMBA4_USES_HEIMDAL /* MIT */
> +	canon_princ = my_creds.client;
> +#endif /* MIT */
> +
> +	if ((code = krb5_cc_initialize(ctx, cc, canon_princ))) {
>  		goto out;
>  	}
>  
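Review bot: `canon_princ = my_creds.client` makes `canon_princ` a non-owning alias into `my_creds`, so two things need to hold that the hunk does not show: the assignment must come after the `krb5_get_init_creds_*` call that populates `my_creds` has succeeded (the preceding `goto out` on error suggests it does), and the `out:` cleanup must keep freeing `me` and `my_creds` as before while never freeing `canon_princ` separately. A comment such as `/* canon_princ aliases me or my_creds.client; not owned, do not free */` next to the assignment would make that explicit. It is also worth stating in the commit message that on MIT builds the ccache is now initialized with the canonicalized client principal returned by the KDC rather than the principal the caller passed in, since that is the user-visible behaviour change and the reason the `kinit` for `SAMBA-CLI01$@EARTH` from the cover mail starts working.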
> -- 
> 2.10.2
> 