authorGerald W. Carter <jerry@samba.org>2008-05-23 16:01:45 -0500
committerGerald W. Carter <jerry@samba.org>2008-05-23 16:01:45 -0500
commit4d2f71e53f5a6cdc5b84a0eeab5822a7f8ca48b9 (patch)
treec5dbe7cba0b8779e6099a441327c088a2ac5d5eb /source3/winbindd
parentb72fc49f441c969a44b3325677cde55670416b24 (diff)
Manually merge Steven Danneman's patch for SPNEGO auth to a trusted
Win2008 domain (merged from v3-0-test). commit 8dc4e979776aae0ecaa74b51dc1eac78a7631405 Author: Steven Danneman <sdanneman@isilon.com> Date: Wed May 7 13:34:26 2008 -0700 spnego SPN fix when contacting trusted domains cli_session_setup_spnego() was not taking into consideration the situation where we're connecting to a trusted domain, specifically one (like W2K8) which doesn't return a SPN in the NegTokenInit. This caused two problems: 1) When guessing the SPN using kerberos_get_default_realm_from_ccache() we were always using our default realm, not the realm of the domain we're connecting to. 2) When falling back on NTLMSSP for authentication we were passing the name of the domain we're connecting to for use in our credentials when we should be passing our own workgroup name. The fix for both was to split the single "domain" parameter into "user_domain" and "dest_realm" parameters. We use the "user_domain" parameter to pass into the NTLM call, and we use "dest_realm" to create an SPN if none was returned in the NegTokenInit2 packet. If no "dest_realm" is provided we assume we're connecting to our own domain and use the credentials cache to build the SPN. Since we have a reasonable guess at the SPN, I removed the check that defaults us directly to NTLM when negHint is empty. (This used to be commit b78b14c88e8354aadf9ba7644bdb1c29245fe419)
Diffstat (limited to 'source3/winbindd')
-rw-r--r--source3/winbindd/winbindd_cm.c12
1 files changed, 7 insertions, 5 deletions
diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
index 9bab80377a..2ee0fae6db 100644
--- a/source3/winbindd/winbindd_cm.c
+++ b/source3/winbindd/winbindd_cm.c
@@ -827,14 +827,15 @@ static NTSTATUS cm_prepare_connection(const struct winbindd_domain *domain,
(*cli)->use_kerberos = True;
DEBUG(5, ("connecting to %s from %s with kerberos principal "
- "[%s]\n", controller, global_myname(),
- machine_krb5_principal));
+ "[%s] and realm [%s]\n", controller, global_myname(),
+ machine_krb5_principal, domain->alt_name));
winbindd_set_locator_kdc_envs(domain);
ads_status = cli_session_setup_spnego(*cli,
machine_krb5_principal,
- machine_password,
+ machine_password,
+ lp_workgroup(),
domain->name);
if (!ADS_ERR_OK(ads_status)) {
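Review bot: The value handed to cli_session_setup_spnego() as dest_realm is still `domain->name` (last argument of the call), while the new DEBUG line a few lines above reports the realm as `domain->alt_name`; the commit message says dest_realm is used to build the SPN when the server returns none, and a Kerberos realm is the DNS-style name, not the NetBIOS short name, so a trusted AD domain would likely get a wrong principal here. I would pass `domain->alt_name` in that position, falling back to `NULL` when alt_name is unset so the realm is taken from the credential cache as the commit describes; whether alt_name can be empty for this domain type is not visible in the hunk and should be confirmed. The hunk also appears to lose its trailing context lines in this rendering, and cm_prepare_connection() continues outside it.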
@@ -855,12 +856,13 @@ static NTSTATUS cm_prepare_connection(const struct winbindd_domain *domain,
DEBUG(5, ("connecting to %s from %s with username "
"[%s]\\[%s]\n", controller, global_myname(),
- domain->name, machine_account));
+ lp_workgroup(), machine_account));
ads_status = cli_session_setup_spnego(*cli,
machine_account,
machine_password,
- domain->name);
+ lp_workgroup(),
+ NULL);
if (!ADS_ERR_OK(ads_status)) {
DEBUG(4, ("authenticated session setup failed with %s\n",
ads_errstr(ads_status)));