summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorSamuel Cabrero <scabrero@samba.org>2022-07-07 11:32:39 +0200
committerJule Anger <janger@samba.org>2022-07-18 09:40:12 +0000
commit89b914b3c515f4fc91f8870031c359652ebb77a7 (patch)
treeb3674c81ba3b7ab81ba9c0cff88a0383a070dff9
parente388fe2b70120253be6eed5ed7e53cec9ea0b0ef (diff)
downloadsamba-89b914b3c515f4fc91f8870031c359652ebb77a7.tar.gz
s3:winbind: Use the canonical realm name to renew the credentials
Consider the following AD topology where all trusts are parent-child trusts: ADOM.AFOREST.AD | ACHILD.ADOM.AFOREST.AD | AGRANDCHILD.ACHILD.ADOM.AFOREST.AD <-- Samba joined When logging into the Samba machine using pam_winbind with kerberos enabled with user ACHILD\user1, the ccache content is: Default principal: user1@ACHILD.ADOM.AFOREST.AD Valid starting Expires Service principal 07/06/2022 16:09:23 07/06/2022 16:14:23 krbtgt/ACHILD.ADOM.AFOREST.AD@ACHILD.ADOM.AFOREST.AD renew until 07/13/2022 16:09:23 --> 07/06/2022 16:09:23 07/06/2022 16:14:23 krbtgt/AGRANDCHILD.ACHILD.ADOM.AFOREST.AD@ACHILD.ADOM.AFOREST.AD <-- NOTE this TGT ticket renew until 07/13/2022 16:09:23 07/06/2022 16:09:23 07/06/2022 16:14:23 SAMBA$@AGRANDCHILD.ACHILD.ADOM.AFOREST.AD renew until 07/13/2022 16:09:23 But when logging in with user ADOM\user1, the ccache content is: Default principal: user1@ADOM.AFOREST.AD Valid starting Expires Service principal 07/06/2022 16:04:37 07/06/2022 16:09:37 krbtgt/ADOM.AFOREST.AD@ADOM.AFOREST.AD renew until 07/13/2022 16:04:37 07/06/2022 16:04:37 07/06/2022 16:09:37 SAMBA$@AGRANDCHILD.ACHILD.ADOM.AFOREST.AD renew until 07/13/2022 16:04:37 MIT does not store the intermediate TGTs when there is more than one hop: ads_krb5_cli_get_ticket: Getting ticket for service [SAMBA$@AGRANDCHILD.ACHILD.ADOM.AFOREST.AD] using creds from [FILE:/tmp/krb5cc_11105] and impersonating [(null)] Getting credentials user1@ADOM.AFOREST.AD -> SAMBA$@AGRANDCHILD.ACHILD.ADOM.AFOREST.AD using ccache FILE:/tmp/krb5cc_11105 Starting with TGT for client realm: user1@ADOM.AFOREST.AD -> krbtgt/ADOM.AFOREST.AD@ADOM.AFOREST.AD Requesting TGT krbtgt/AGRANDCHILD.ACHILD.ADOM.AFOREST.AD@ADOM.AFOREST.AD using TGT krbtgt/ADOM.AFOREST.AD@ADOM.AFOREST.AD Sending request to ADOM.AFOREST.AD Received answer from stream 192.168.101.32:88 TGS reply is for user1@ADOM.AFOREST.AD -> krbtgt/ACHILD.ADOM.AFOREST.AD@ADOM.AFOREST.AD with session key rc4-hmac/D88B --> Received TGT for offpath realm ACHILD.ADOM.AFOREST.AD <-- NOTE this TGT ticket is not stored Requesting TGT krbtgt/AGRANDCHILD.ACHILD.ADOM.AFOREST.AD@ACHILD.ADOM.AFOREST.AD using TGT krbtgt/ACHILD.ADOM.AFOREST.AD@ADOM.AFOREST.AD Sending request (1748 bytes) to ACHILD.ADOM.AFOREST.AD Received answer (1628 bytes) from stream 192.168.101.33:88 TGS reply is for user1@ADOM.AFOREST.AD -> krbtgt/AGRANDCHILD.ACHILD.ADOM.AFOREST.AD@ACHILD.ADOM.AFOREST.AD with session key rc4-hmac/D015 --> Received TGT for service realm: krbtgt/AGRANDCHILD.ACHILD.ADOM.AFOREST.AD@ACHILD.ADOM.AFOREST.AD <-- NOTE this TGT is not stored Requesting tickets for SAMBA$@AGRANDCHILD.ACHILD.ADOM.AFOREST.AD, referrals on Sending request (1721 bytes) to AGRANDCHILD.ACHILD.ADOM.AFOREST.AD Received answer (1647 bytes) from stream 192.168.101.34:88 TGS reply is for user1@ADOM.AFOREST.AD -> SAMBA$@AGRANDCHILD.ACHILD.ADOM.AFOREST.AD with session key aes256-cts/345A Received creds for desired service SAMBA$@AGRANDCHILD.ACHILD.ADOM.AFOREST.AD Storing user1@ADOM.AFOREST.AD -> SAMBA$@AGRANDCHILD.ACHILD.ADOM.AFOREST.AD in FILE:/tmp/krb5cc_11105 In the case of ACHILD\user1: ads_krb5_cli_get_ticket: Getting ticket for service [SAMBA$@AGRANDCHILD.ACHILD.ADOM.AFOREST.AD] using creds from [FILE:/tmp/krb5cc_2000] and impersonating [(null)] Getting credentials user1@ACHILD.ADOM.AFOREST.AD -> SAMBA$@AGRANDCHILD.ACHILD.ADOM.AFOREST.AD using ccache FILE:/tmp/krb5cc_2000 Starting with TGT for client realm: user1@ACHILD.ADOM.AFOREST.AD -> krbtgt/ACHILD.ADOM.AFOREST.AD@ACHILD.ADOM.AFOREST.AD Requesting TGT krbtgt/AGRANDCHILD.ACHILD.ADOM.AFOREST.AD@ACHILD.ADOM.AFOREST.AD using TGT krbtgt/ACHILD.ADOM.AFOREST.AD@ACHILD.ADOM.AFOREST.AD Sending request to ACHILD.ADOM.AFOREST.AD Received answer from stream 192.168.101.33:88 TGS reply is for user1@ACHILD.ADOM.AFOREST.AD -> krbtgt/AGRANDCHILD.ACHILD.ADOM.AFOREST.AD@ACHILD.ADOM.AFOREST.AD with session key rc4-hmac/0F60 --> Storing user1@ACHILD.ADOM.AFOREST.AD -> krbtgt/AGRANDCHILD.ACHILD.ADOM.AFOREST.AD@ACHILD.ADOM.AFOREST.AD in FILE:/tmp/krb5cc_2000 <-- NOTE this TGT is stored Received TGT for service realm: krbtgt/AGRANDCHILD.ACHILD.ADOM.AFOREST.AD@ACHILD.ADOM.AFOREST.AD Requesting tickets for SAMBA$@AGRANDCHILD.ACHILD.ADOM.AFOREST.AD, referrals on Sending request (1745 bytes) to AGRANDCHILD.ACHILD.ADOM.AFOREST.AD Received answer (1675 bytes) from stream 192.168.101.34:88 TGS reply is for user1@ACHILD.ADOM.AFOREST.AD -> SAMBA$@AGRANDCHILD.ACHILD.ADOM.AFOREST.AD with session key aes256-cts/3576 Received creds for desired service SAMBA$@AGRANDCHILD.ACHILD.ADOM.AFOREST.AD Storing user1@ACHILD.ADOM.AFOREST.AD -> SAMBA$@AGRANDCHILD.ACHILD.ADOM.AFOREST.AD in FILE:/tmp/krb5cc_2000 The result is that winbindd can't refresh the tickets for ADOM\user1 because the local realm is used to build the TGT service name. smb_krb5_renew_ticket: Using FILE:/tmp/krb5cc_11105 as ccache for client 'user1@ADOM.AFOREST.AD' and service 'krbtgt/AGRANDCHILD.ACHILD.ADOM.AFOREST.AD@AGRANDCHILD.ACHILD.ADOM.AFOREST.AD' Retrieving user1@ADOM.AFOREST.AD -> krbtgt/AGRANDCHILD.ACHILD.ADOM.AFOREST.AD@ADOM.AFOREST.AD from FILE:/tmp/krb5cc_11105 with result: -1765328243/Matching credential not found (filename: /tmp/krb5cc_11105) The canonical realm name must be used instead: smb_krb5_renew_ticket: Using FILE:/tmp/krb5cc_11105 as ccache for client 'user1@ADOM.AFOREST.AD' and service 'krbtgt/ADOM.AFOREST.AD@ADOM.AFOREST.AD' Retrieving user1@ADOM.AFOREST.AD -> krbtgt/ADOM.AFOREST.AD@ADOM.AFOREST.AD from FILE:/tmp/krb5cc_11105 with result: 0/Success Get cred via TGT krbtgt/ADOM.AFOREST.AD@ADOM.AFOREST.AD after requesting krbtgt/ADOM.AFOREST.AD@ADOM.AFOREST.AD (canonicalize off) Sending request to ADOM.AFOREST.AD Received answer from stream 192.168.101.32:88 TGS reply is for user1@ADOM.AFOREST.AD -> krbtgt/ADOM.AFOREST.AD@ADOM.AFOREST.AD with session key aes256-cts/8C7B Storing user1@ADOM.AFOREST.AD -> krbtgt/ADOM.AFOREST.AD@ADOM.AFOREST.AD in FILE:/tmp/krb5cc_11105 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14979 Signed-off-by: Samuel Cabrero <scabrero@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org> Autobuild-Date(master): Tue Jul 12 12:38:55 UTC 2022 on sn-devel-184 (cherry picked from commit 116af0df4f74aa450cbb77c79f8cac4bfc288631) Autobuild-User(v4-16-test): Jule Anger <janger@samba.org> Autobuild-Date(v4-16-test): Mon Jul 18 09:40:12 UTC 2022 on sn-devel-184
Diffstat
-rw-r--r--source3/winbindd/winbindd_cred_cache.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/source3/winbindd/winbindd_cred_cache.c b/source3/winbindd/winbindd_cred_cache.c
index 2fbef1ec8a9..9d27cbe8f78 100644
--- a/source3/winbindd/winbindd_cred_cache.c
+++ b/source3/winbindd/winbindd_cred_cache.c
@@ -638,8 +638,8 @@ NTSTATUS add_ccache_to_list(const char *princ_name,
entry->service = talloc_asprintf(entry,
"%s/%s@%s",
KRB5_TGS_NAME,
- realm,
- realm);
+ canon_realm,
+ canon_realm);
if (entry->service == NULL) {
goto no_mem;
}
View Lorry Controller Status