[PATCHES] site-aware Kerberos authentication during domain join

Andreas Schneider asn at samba.org
Wed Jun 15 06:29:47 UTC 2016


On Tuesday, 14 June 2016 22:50:28 CEST Alexander Bokovoy wrote:
> On Mon, 07 Mar 2016, Jeremy Allison wrote:
> > On Thu, Mar 03, 2016 at 09:44:46AM +0200, Uri Simchoni wrote:
> > > Hi,
> > > 
> > > Attached please find a fix for
> > > https://bugzilla.samba.org/show_bug.cgi?id=11769.
> > > 
> > > The bug description explains why this may be important.
> > > 
> > > The fix enables site-aware Kerberos during execution of "net ads
> > > join -k", even if winbindd is not started (so the locator cannot be
> > > used).
> > > 
> > > This works only if the user specified the domain's DNS name (which
> > > is assumed to be equal to the Kerberos realm). If the user didn't
> > > specify it (e.g. only specified flat domain name or server to use),
> > > we need to securely contact a DC to determine the domain's DNS name,
> > > so we cannot pre-configure Kerberos.
> > > 
> > > Review appreciated.
> > 
> > LGTM. Pushed ! Thanks.
> 
> I think this is not enough. We don't use discovered site name later in
> the process as private krb5.conf will be rewritten after the call to
> libnet_join_check_config.
> 
> Attached patch makes sure we pass sitename to the new krb5.conf.

Awesome, we need backports of this!!!

-- 
Andreas Schneider                   GPG-ID: CC014E3D
Samba Team                             asn at samba.org
www.samba.org