[PATCH] Fix spnego with machine$@DOMAIN
Jeremy Allison
jra at samba.org
Thu Dec 1 19:17:03 UTC 2016
On Thu, Dec 01, 2016 at 01:11:02PM +0100, Andreas Schneider wrote:
> Hello,
>
> if you join a domain with Kerberos (MIT) you get the following error:
>
> samba-cli01:~ # net ads join -k
> Kinit for SAMBA-CLI01$@EARTH to access WINSRV-DC02.earth.milkyway.site failed:
> KDC reply did not match expectations
>
> The reason is that after the latest changes to libsmb we use:
>
> SAMBA-CLI01$@EARTH
>
> as the principal for kinit. Windows allows using the domain name (NetBIOS
> name) in the principal, but for that you need to turn on canonicalization
> support. We do not do that if Samba is compiled with MIT Kerberos.
>
>
> The attached patch is part of my MIT KDC working branch since last year, I
> think it is time to push it to master :)
>
>
> Please review and push!
LGTM (except changed new True -> true).
Pushed.
>
>
> Andreas
>
>
> --
> Andreas Schneider GPG-ID: CC014E3D
> Samba Team asn at samba.org
> www.samba.org
> From ed9b3e8fd8ca7cf6a093dfc42f320d49ea932b85 Mon Sep 17 00:00:00 2001
> From: Andreas Schneider <asn at samba.org>
> Date: Mon, 15 Feb 2016 12:09:59 +0100
> Subject: [PATCH] s3-libads: Fix canonicalization support with MIT Kerberos
>
> Signed-off-by: Andreas Schneider <asn at samba.org>
> ---
> source3/libads/kerberos.c | 13 ++++++++++++-
> 1 file changed, 12 insertions(+), 1 deletion(-)
>
> diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
> index b7962cf..d91d94e 100644
> --- a/source3/libads/kerberos.c
> +++ b/source3/libads/kerberos.c
> @@ -269,6 +269,7 @@ int kerberos_kinit_password_ext(const char *principal,
> krb5_error_code code = 0;
> krb5_ccache cc = NULL;
> krb5_principal me = NULL;
> + krb5_principal canon_princ = NULL;
> krb5_creds my_creds;
> krb5_get_init_creds_opt *opt = NULL;
> smb_krb5_addresses *addr = NULL;
> @@ -302,6 +303,11 @@ int kerberos_kinit_password_ext(const char *principal,
>
> krb5_get_init_creds_opt_set_renew_life(opt, renewable_time);
> krb5_get_init_creds_opt_set_forwardable(opt, True);
> +
> + /* Turn on canonicalization for lower case realm support */
> +#ifndef SAMBA4_USES_HEIMDAL /* MIT */
> + krb5_get_init_creds_opt_set_canonicalize(opt, True);
> +#endif /* MIT */
> #if 0
> /* insane testing */
> krb5_get_init_creds_opt_set_tkt_life(opt, 60);
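Review bot: the added `krb5_get_init_creds_opt_set_canonicalize(opt, True);` line uses the legacy `True` macro; the reply above says this was changed to `true` before pushing, and new code should use the C99 `true` even though the neighbouring `set_forwardable` context line still carries `True`. The `#ifndef SAMBA4_USES_HEIMDAL` guard also deserves a one-line comment saying why canonicalization is only requested on the MIT build (the cover letter explains the failure, the code does not), and the comment `/* Turn on canonicalization for lower case realm support */` should name the case the mail actually reports, a NetBIOS domain name used as the realm (`SAMBA-CLI01$@EARTH`), since that is what the KDC is being asked to canonicalize.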
> @@ -328,7 +334,12 @@ int kerberos_kinit_password_ext(const char *principal,
> goto out;
> }
>
> - if ((code = krb5_cc_initialize(ctx, cc, me))) {
> + canon_princ = me;
> +#ifndef SAMBA4_USES_HEIMDAL /* MIT */
> + canon_princ = my_creds.client;
> +#endif /* MIT */
> +
> + if ((code = krb5_cc_initialize(ctx, cc, canon_princ))) {
> goto out;
> }
>
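Review bot: `canon_princ = my_creds.client;` relies on `my_creds` having been filled in by the credential acquisition call whose error check (`goto out;`) is the leading context of this hunk; a comment should state that `my_creds.client` is the client principal as canonicalized by the KDC and that `canon_princ` is a borrowed pointer (into `my_creds`, or an alias of `me` on Heimdal) that must not be freed on the `out:` path. The `canon_princ = me;` assignment followed by an `#ifndef` override reads awkwardly; an explicit `#ifdef SAMBA4_USES_HEIMDAL` / `#else` / `#endif` pair would make the two cases clearer. It is also worth a comment why the cache is initialised with the canonical name: it keeps the ccache's default principal consistent with the client name in the credentials that are stored into it.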
> --
> 2.10.2
>