[Bug 553342] [NEW] spnego references incorrect realm via winbind when joined to AD and spnego is enabled
Aaron J. Zirbes
ajz at umn.edu
Thu Apr 1 15:27:17 BST 2010
Public bug reported:
Binary package hint: samba
After successfully joining a Windows 2008 AD domain, spnego via winbind passes an incorrect principal to
libsmb/clikrb5.c:852: ads_krb5_mk_req()
This happens immediately on startup.
The principal should be based on the REALM, not the WORKGROUP.
I think the fix involves cli_session_setup_spnego() guessing a little
better at the realm name that it gets back from the
spnego_parse_negTokenInit() function, by checking if the principal
returned is @DOMAIN, and then replacing the principal as @REALM?
Thoughts?
Principal Passed: dc$@AD
Expected Principal: dc$@AD.UMN.EDU
smb.conf:
[global]
# Name
netbios name = enhs-samba-test
# AD Membership pointers
workgroup = AD
security = ADS
realm = AD.UMN.EDU
preferred master = no
# Security options
encrypt passwords = true
guest account = nobody
client plaintext auth = no
client lanman auth = no
client ntlmv2 auth = yes
client signing = yes
client schannel = yes
client use spnego = yes
ntlm auth = no
lanman auth = no
# Active Directory user mapping options
idmap uid = 1000000-1999999
idmap gid = 1000000-1999999
winbind use default domain = yes
winbind offline logon = true
winbind enum users = yes
winbind enum groups = yes
winbind nested groups = yes
winbind refresh tickets = yes
log.winbindd log when running at log level = 1 :
[2010/04/01 08:50:11, 1] libsmb/clikrb5.c:697(ads_krb5_mk_req)
ads_krb5_mk_req: krb5_get_credentials failed for dcstp2$@AD (Cannot resolve network address for KDC in requested realm)
[2010/04/01 08:50:11, 1] libsmb/cliconnect.c:745(cli_session_setup_kerberos)
cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Cannot resolve network address for KDC in requested realm
log.winbindd log when running at log level = 99 :
[2010/04/01 09:10:35, 10] libads/kerberos.c:187(kerberos_kinit_password_ext)
kerberos_kinit_password: as ENHS-SAMBA-TEST$@AD.UMN.EDU using [MEMORY:cliconnect] as ccache and config [(null)]
[2010/04/01 09:10:35, 3] libsmb/cliconnect.c:1018(cli_session_setup_spnego)
cli_session_setup_spnego: got a bad server principal, trying to guess ...
[2010/04/01 09:10:35, 3] libsmb/cliconnect.c:1047(cli_session_setup_spnego)
cli_session_setup_spnego: guessed server principal=dcwb2$@AD
[2010/04/01 09:10:35, 2] libsmb/cliconnect.c:738(cli_session_setup_kerberos)
Doing kerberos session setup
[2010/04/01 09:10:35, 1] libsmb/clikrb5.c:697(ads_krb5_mk_req)
ads_krb5_mk_req: krb5_get_credentials failed for dcwb2$@AD (Cannot resolve network address for KDC in requested realm)
[2010/04/01 09:10:35, 1] libsmb/cliconnect.c:745(cli_session_setup_kerberos)
cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Cannot resolve network address for KDC in requested realm
... for now I'll just turn spnego off, but this could be fixed.
** Affects: samba (Ubuntu)
Importance: Undecided
Status: New
--
spnego references incorrect realm via winbind when joined to AD and spnego is enabled
https://bugs.launchpad.net/bugs/553342
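
An added diagnostic sketch, not part of the original report and not Samba code: it reads `workgroup` and `realm` from smb.conf text and flags machine principals in winbindd log lines whose realm part is the short workgroup name instead of the Kerberos realm. The function names are hypothetical, and the inline samples are trimmed from the excerpts in the report above.

```python
import re

# Sample input, trimmed from the smb.conf and log.winbindd excerpts in the report.
SMB_CONF = """\
[global]
workgroup = AD
security = ADS
realm = AD.UMN.EDU
"""
LOG = """\
[2010/04/01 09:10:35, 3] libsmb/cliconnect.c:1047(cli_session_setup_spnego)
cli_session_setup_spnego: guessed server principal=dcwb2$@AD
[2010/04/01 09:10:35, 1] libsmb/clikrb5.c:697(ads_krb5_mk_req)
ads_krb5_mk_req: krb5_get_credentials failed for dcwb2$@AD (Cannot resolve network address for KDC in requested realm)
[2010/04/01 09:10:35, 10] libads/kerberos.c:187(kerberos_kinit_password_ext)
kerberos_kinit_password: as ENHS-SAMBA-TEST$@AD.UMN.EDU using [MEMORY:cliconnect] as ccache and config [(null)]
"""
# Machine-account principal: name ending in '$', then '@', then the realm part.
PRINCIPAL = re.compile(r"([A-Za-z0-9._-]+\$)@([A-Za-z0-9.-]+)")

def load_domain_names(conf_text):
    """Return (workgroup, realm) from the [global] section, upper-cased."""
    params, in_global = {}, False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("["):
            in_global = line.strip("[]").strip().lower() == "global"
        elif in_global and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.split()).lower()] = value.strip()
    return params["workgroup"].upper(), params["realm"].upper()

def find_short_realm_principals(log_text, workgroup, realm):
    """List (line number, principal seen, principal expected) for each
    principal whose realm part equals the workgroup rather than the realm."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        for m in PRINCIPAL.finditer(line):
            account, seen_realm = m.group(1), m.group(2).upper()
            if seen_realm == workgroup and seen_realm != realm:
                findings.append((lineno, m.group(0), f"{account}@{realm}"))
    return findings

if __name__ == "__main__":
    wg, rl = load_domain_names(SMB_CONF)
    for lineno, seen, expected in find_short_realm_principals(LOG, wg, rl):
        print(f"line {lineno}: {seen} uses workgroup as realm, expected {expected}")
```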