Cross realm S4U2Self patches rebased on import-lorikeet-heimdal branch

Andrew Bartlett abartlet at samba.org
Tue Sep 25 08:51:38 UTC 2018


On Mon, 2018-09-24 at 13:43 +0530, Isaac Boukris wrote:
> Hi Andrew,
> 
> On github PR #204, Isaac Boukris wrote:
> > 
> > I've rebased my work on top of (most commits from heimdal's PR #403
> > applied cleanly):
> > https://gitlab.com/catalyst-samba/samba/commits/import-lorikeet-heimdal-201809182344-fast-nofail
> > 
> > Note, with new heimdal I somehow get the transitive-check errors
> > which I previously only had with transitive trust (with a child
> > domain involved).
> > 
> > See this intriguing error below:
> > Kerberos: TGS-REQ DC7$@SAMBA2008R2.EXAMPLE.COM from ipv4:127.0.0.27:16308 for HOST/dc7.samba2008r2.example.com@SAMBA2008R2.EXAMPLE.COM [canonicalize, renewable, forwardable]
> > Kerberos: s4u2self DC7$@SAMBA2008R2.EXAMPLE.COM impersonating Administrator@ADDOM.SAMBA.EXAMPLE.COM to service HOST/dc7.samba2008r2.example.com@SAMBA2008R2.EXAMPLE.COM
> > Kerberos: cross-realm SAMBA2008R2.EXAMPLE.COM -> SAMBA2008R2.EXAMPLE.COM via [ADDOM.SAMBA.EXAMPLE.COM]
> > Kerberos: cross-realm SAMBA2008R2.EXAMPLE.COM -> SAMBA2008R2.EXAMPLE.COM: no transit allowed through realm ADDOM.SAMBA.EXAMPLE.COM from SAMBA2008R2.EXAMPLE.COM to SAMBA2008R2.EXAMPLE.COM
> > 
> I think I figured out this error, see attached possible patch which I
> want to submit to heimdal upstream (and to replace the transitive-trust
> PoC commits with it).
> I had hoped it would solve other transit errors I've seen before my
> changes, but alas it didn't (these seem related to NetBIOS and lower
> realm).

OK. 

> > 
> > I'll look into it tomorrow, but meanwhile I applied the PoC commits
> > I had for transitive trust, and with it the new cross-realm s4u2self
> > test passes.
> > # make test TESTS=samba4.blackbox.kinit_trust FAIL_IMMEDIATELY=1 SAMBA_OPTIONS="-d3"
> > 
> > Pipeline still running, but I guess there would be some failures:
> > https://gitlab.com/samba-team/devel/samba/pipelines/30858709
> The pipeline failed many krb5 torture tests; I'm looking around to see
> if I can figure out something, and mainly whether my changes have
> introduced new errors.
> 
> I think one significant change in cross-realm client code between the
> two versions is the order of capath vs referral in
> _krb5_get_cred_kdc_any(), which has changed (likely to break some
> torture expectations).

Any help you can provide to make these tests pass again would be most
appreciated.  It is a big task, but we are close to having it pass
'make test', which is actually pretty amazing given the amount of
change. 

> > 
> > I've submitted a wip gitlab merge request with the changes against
> > master which are more stable, but the logic is the same:
> > https://gitlab.com/samba-team/samba/merge_requests/75
> btw, I've also started a discussion on krbdev mailing list about
> what's missing upstream to support xrealm S4U2Self with MIT backend
> (I
> hope to submit PRs soon):
> http://mailman.mit.edu/pipermail/krbdev/2018-September/012992.html

Thanks!

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
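A worked illustration of the transited-realm check behind the "no transit allowed" line in the quoted log. This is an added example, not Heimdal's or Samba's code and not the patch Isaac attached: it assumes the KDC applies the RFC 4120 hierarchical rule (walk from the client realm up the DNS-style hierarchy to the closest common parent and down to the server realm; any realm in the ticket's transited field that is off that path, and not permitted by an explicit [capaths] entry, is rejected). The realm names are the ones in the log; the capaths table and the inputs fed to the check are constructed. The point it makes visible is that when the client realm of the TGS-REQ and the service realm are the same realm, the hierarchical path has no intermediate realms at all, so any realm in the transited list, including the impersonated user's realm, is rejected with exactly the wording in the log.

```python
"""Illustrative hierarchical Kerberos transited-realm check (not Heimdal code).

Assumption: the KDC applies the RFC 4120 section 1.3.3.2 rule.  Walk from
the client realm up the DNS-style hierarchy to the closest common parent and
down to the server realm; every realm named in the ticket's 'transited'
field must sit on that path (or on an explicit [capaths] entry) or the
ticket is rejected.  Realm names are case sensitive, so comparisons are
exact: a lowercase spelling of a realm is a different realm to this check.
"""

from typing import Dict, List, Optional, Tuple

# Constructed stand-in for a krb5.conf [capaths] section, keyed by
# (client realm, server realm) -> realms allowed to appear in 'transited'.
CaPaths = Dict[Tuple[str, str], List[str]]


def realm_ancestors(realm: str) -> List[str]:
    """SAMBA2008R2.EXAMPLE.COM -> [SAMBA2008R2.EXAMPLE.COM, EXAMPLE.COM, COM]."""
    labels = realm.split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def hierarchical_path(client_realm: str, server_realm: str) -> List[str]:
    """Intermediate realms on the default hierarchical path, endpoints excluded.

    ADDOM.SAMBA.EXAMPLE.COM -> SAMBA2008R2.EXAMPLE.COM yields
    [SAMBA.EXAMPLE.COM, EXAMPLE.COM].  Identical client and server realms
    yield []: there is nothing to transit through, so any realm listed in
    'transited' is off the path.
    """
    up = realm_ancestors(client_realm)
    down = realm_ancestors(server_realm)
    common = next((r for r in up if r in down), None)
    if common is None:
        return []  # unrelated trees: only an explicit capath can authorise transit
    inner = up[1:up.index(common)] + [common] + list(reversed(down[1:down.index(common)]))
    # An endpoint realm is never "transited"; drop it when it is the common parent.
    return [r for r in inner if r not in (client_realm, server_realm)]


def check_transited(client_realm: str, server_realm: str, transited: List[str],
                    capaths: Optional[CaPaths] = None) -> Optional[str]:
    """Return the first realm in 'transited' that is not allowed, else None."""
    allowed = None
    if capaths is not None:
        allowed = capaths.get((client_realm, server_realm))  # explicit config wins
    if allowed is None:
        allowed = hierarchical_path(client_realm, server_realm)
    for realm in transited:
        if realm not in allowed:
            return realm
    return None


def kdc_log_lines(client_realm: str, server_realm: str, transited: List[str],
                  capaths: Optional[CaPaths] = None) -> List[str]:
    """Render the decision in the wording of the Heimdal log quoted above."""
    lines = [f"cross-realm {client_realm} -> {server_realm} via [{', '.join(transited)}]"]
    bad = check_transited(client_realm, server_realm, transited, capaths)
    if bad is not None:
        lines.append(f"cross-realm {client_realm} -> {server_realm}: no transit allowed "
                     f"through realm {bad} from {client_realm} to {server_realm}")
    return lines


if __name__ == "__main__":
    # Scenario from the log: TGT realm and service realm are both SAMBA2008R2,
    # yet the transited list names the impersonated user's realm ADDOM.
    tgt_realm = svc_realm = "SAMBA2008R2.EXAMPLE.COM"
    user_realm = "ADDOM.SAMBA.EXAMPLE.COM"
    for line in kdc_log_lines(tgt_realm, svc_realm, [user_realm]):
        print("Kerberos:", line)

    # For comparison, the genuine cross-realm direction user realm -> service realm.
    print("hierarchical path:", hierarchical_path(user_realm, svc_realm))

    # Constructed [capaths] entry narrower than the hierarchy: EXAMPLE.COM is
    # then rejected even though it lies on the default path.
    capaths: CaPaths = {(user_realm, svc_realm): ["SAMBA.EXAMPLE.COM"]}
    for line in kdc_log_lines(user_realm, svc_realm, ["EXAMPLE.COM"], capaths):
        print("Kerberos (with capaths):", line)
```

Whether the KDC should be running this check against the TGT's client realm or against the impersonated principal's realm in the S4U2Self case is the question the thread is about; the example only shows why the input in the log cannot pass as given.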





