WIP | For Testing | Cross realm S4U2Self

github at samba.org
Fri Sep 21 18:18:29 UTC 2018


New comment by frenche on Samba Github repository

https://github.com/samba-team/samba/pull/204#issuecomment-423627675
Comment:
I've rebased my work on top of (most commits from heimdal's PR #403 applied cleanly):
https://gitlab.com/catalyst-samba/samba/commits/import-lorikeet-heimdal-201809182344-fast-nofail

Note, with new heimdal I somehow get the transitive-check errors which I previously only had with transitive trust (with a child domain involved).

See this intriguing error below:
Kerberos: TGS-REQ DC7$@SAMBA2008R2.EXAMPLE.COM from ipv4:127.0.0.27:16308 for HOST/dc7.samba2008r2.example.com at SAMBA2008R2.EXAMPLE.COM [canonicalize, renewable, forwardable]
Kerberos: s4u2self DC7$@SAMBA2008R2.EXAMPLE.COM impersonating Administrator at ADDOM.SAMBA.EXAMPLE.COM to service HOST/dc7.samba2008r2.example.com at SAMBA2008R2.EXAMPLE.COM
Kerberos: cross-realm SAMBA2008R2.EXAMPLE.COM -> SAMBA2008R2.EXAMPLE.COM via [ADDOM.SAMBA.EXAMPLE.COM]
Kerberos: cross-realm SAMBA2008R2.EXAMPLE.COM -> SAMBA2008R2.EXAMPLE.COM: no transit allowed through realm ADDOM.SAMBA.EXAMPLE.COM from SAMBA2008R2.EXAMPLE.COM to SAMBA2008R2.EXAMPLE.COM

I'll look into it tomorrow, but meanwhile I applied the POC commits I had for transitive trust, and with it the new cross-realm s4u2self test passes.
$ make test TESTS=samba4.blackbox.kinit_trust FAIL_IMMEDIATELY=1 SAMBA_OPTIONS="-d3"

Pipeline still running, but I guess there would be some failures:
https://gitlab.com/samba-team/devel/samba/pipelines/30858709

btw, I can't see the CI logs from your branch, it would be helpful to compare.

I've submitted a WIP GitLab merge request with the changes against master which are more stable, but the logic is the same:
https://gitlab.com/samba-team/samba/merge_requests/75
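Added example, not code from this PR or from Samba or Heimdal: a simplified hierarchical transited-realm check of the kind a KDC applies to domain-style realm names, run over the "cross-realm ... via [...]" log line quoted above. It shows why a path from SAMBA2008R2.EXAMPLE.COM to itself cannot legitimately transit ADDOM.SAMBA.EXAMPLE.COM (the path between a realm and itself is empty), and passes a constructed path that does follow the hierarchy. Real KDCs also honour configured [capaths]; the comma-separated "via" format is an assumption about the log line.

```python
import re

# Matches the KDC log line quoted in the comment (format assumed from that line).
LOG_LINE = re.compile(r"cross-realm (?P<src>\S+) -> (?P<dst>\S+) via \[(?P<via>[^\]]*)\]")

# Constructed from the log line in the comment above.
KDC_LINE = ("Kerberos: cross-realm SAMBA2008R2.EXAMPLE.COM -> SAMBA2008R2.EXAMPLE.COM "
            "via [ADDOM.SAMBA.EXAMPLE.COM]")


def hierarchical_path(src: str, dst: str) -> list[str]:
    """Realms on the domain-style hierarchical path from src to dst, endpoints
    excluded: walk up from src to the closest common ancestor, then down to dst.
    E.g. A.B.C -> D.C passes through B.C and C."""
    s, d = src.upper().split("."), dst.upper().split(".")
    common = 0  # length of the longest common label suffix
    while common < min(len(s), len(d)) and s[-1 - common] == d[-1 - common]:
        common += 1
    path = [".".join(s[i:]) for i in range(1, len(s) - common + 1)]   # upwards
    path += [".".join(d[i:]) for i in range(len(d) - common - 1, 0, -1)]  # downwards
    return [r for r in path if r and r not in (src.upper(), dst.upper())]


def check_transited(src: str, dst: str, transited: list[str]) -> tuple[bool, list[str]]:
    """Simplified transit check: every realm listed in the ticket's transited
    field must lie on the hierarchical path between client and server realm.
    Returns (accepted, realms that are not on the path)."""
    allowed = set(hierarchical_path(src, dst))
    bad = [r for r in transited if r.upper() not in allowed]
    return (not bad, bad)


def check_log_line(line: str):
    """Parse a 'cross-realm X -> Y via [...]' KDC log line and evaluate the path.
    Returns None for lines that do not carry a cross-realm path."""
    m = LOG_LINE.search(line)
    if not m:
        return None
    via = [r.strip() for r in m["via"].split(",") if r.strip()]
    return check_transited(m["src"], m["dst"], via)


if __name__ == "__main__":
    # The logged case: a realm transiting a child of a sibling realm to reach itself.
    print(check_log_line(KDC_LINE))  # (False, ['ADDOM.SAMBA.EXAMPLE.COM'])
    # A constructed path that follows the hierarchy and is accepted.
    print(check_transited("ADDOM.SAMBA.EXAMPLE.COM", "SAMBA2008R2.EXAMPLE.COM",
                          ["SAMBA.EXAMPLE.COM", "EXAMPLE.COM"]))  # (True, [])
```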


More information about the samba-technical mailing list