[Bug 553342] [NEW] spnego references incorrect realm via winbind when joined to AD and spnego is enabled

Thu, 01 Apr 2010 07:35:59 -0700 

Public bug reported:

Binary package hint: samba

After successfully joined to Windows 2008 AD domain, spnego via winbind passes 
incorrect principal to 
    libsmb/clikrb5.c:852: ads_krb5_mk_req()

This happens immediately on startup.

The principal should be based the REALM, not the WORKGROUP.

I think the fix involves cli_session_setup_spnego() guessing a little
better at the realm name that it gets back from the
spnego_parse_negTokenInit() function, by checking if the principal
returned is @DOMAIN, and then replacing the principal as @REALM?

Thoughts?

Principal Passed: d...@ad
Expected Principal: d...@ad.umn.edu

smb.conf:
[global]

   # Name
   netbios name = enhs-samba-test

   # AD Membership pointers
   workgroup = AD
   security = ADS
   realm = AD.UMN.EDU
   preferred master = no

   # Security options
   encrypt passwords = true
   guest account = nobody
   client plaintext auth = no
   client lanman auth = no
   client ntlmv2 auth = yes
   client signing = yes
   client schannel = yes
   client use spnego = yes
   ntlm auth = no
   lanman auth = no

   # Active Directory user mapping options
   idmap uid = 1000000-1999999
   idmap gid = 1000000-1999999

   winbind use default domain = yes
   winbind offline logon = true
   winbind enum users = yes
   winbind enum groups = yes
   winbind nested groups = yes
   winbind refresh tickets = yes

log.winbindd log when running at log level = 1 :

[2010/04/01 08:50:11,  1] libsmb/clikrb5.c:697(ads_krb5_mk_req)
  ads_krb5_mk_req: krb5_get_credentials failed for dcst...@ad (Cannot resolve 
network address for KDC in requested realm)
[2010/04/01 08:50:11,  1] libsmb/cliconnect.c:745(cli_session_setup_kerberos)
  cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Cannot resolve 
network address for KDC in requested realm

log.winbindd log when running at log level = 99 :

[2010/04/01 09:10:35, 10] libads/kerberos.c:187(kerberos_kinit_password_ext)
  kerberos_kinit_password: as enhs-samba-te...@ad.umn.edu using 
[MEMORY:cliconnect] as ccache and config [(null)]
[2010/04/01 09:10:35,  3] libsmb/cliconnect.c:1018(cli_session_setup_spnego)
  cli_session_setup_spnego: got a bad server principal, trying to guess ...
[2010/04/01 09:10:35,  3] libsmb/cliconnect.c:1047(cli_session_setup_spnego)
  cli_session_setup_spnego: guessed server principal=dcw...@ad
[2010/04/01 09:10:35,  2] libsmb/cliconnect.c:738(cli_session_setup_kerberos)
  Doing kerberos session setup
[2010/04/01 09:10:35,  1] libsmb/clikrb5.c:697(ads_krb5_mk_req)
  ads_krb5_mk_req: krb5_get_credentials failed for dcw...@ad (Cannot resolve 
network address for KDC in requested realm)
[2010/04/01 09:10:35,  1] libsmb/cliconnect.c:745(cli_session_setup_kerberos)
  cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Cannot resolve 
network address for KDC in requested realm


... for now I'll just turn spenego off, but this could be fixed.

** Affects: samba (Ubuntu)
     Importance: Undecided
         Status: New

-- 
spnego references incorrect realm via winbind when joined to AD and spnego is 
enabled
https://bugs.launchpad.net/bugs/553342
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Reply via email to