Fri Sep 21 18:18:07 UTC 2018

I've rebased my work on top of (most commits from heimdal's PR #403 applied cleanly):

Note, with new heimdal I somehow get the transitive-check errors which I previously only had with transitive trust (with a child domain involved).

See this intriguing error below:
Kerberos: TGS-REQ DC7$@SAMBA2008R2.EXAMPLE.COM from ipv4: for HOST/dc7.samba2008r2.example.com at SAMBA2008R2.EXAMPLE.COM [canonicalize, renewable, forwardable]
Kerberos: s4u2self DC7$@SAMBA2008R2.EXAMPLE.COM impersonating Administrator at ADDOM.SAMBA.EXAMPLE.COM to service HOST/dc7.samba2008r2.example.com at SAMBA2008R2.EXAMPLE.COM
Kerberos: cross-realm SAMBA2008R2.EXAMPLE.COM -> SAMBA2008R2.EXAMPLE.COM: no transit allowed through realm ADDOM.SAMBA.EXAMPLE.COM from SAMBA2008R2.EXAMPLE.COM to SAMBA2008R2.EXAMPLE.COM

I'll look into it tomorrow, but meanwhile I applied the POC commits I had for transitive trust, and with it the new cross-realm s4u2self test passes.
# make test TESTS=samba4.blackbox.kinit_trust FAIL_IMMEDIATELY=1 SAMBA_OPTIONS="-d3"

Pipeline still running, but I guess there would be some failures:

btw, I can't see the CI logs from your branch, it would be helpful to compare.

I've submitted a wip gitlab merge request with the changes against master which are more stable, but the logic is the same:

