s3:winbind: Fix idmap_ad creating an invalid local krb5.conf
In case of a trusted domain, we are providing the realm of the primary trust but specify the KDC IP of the trusted domain. This leads to Kerberos ticket requests to the trusted domain KDC which doesn't know about the machine account. However we need a ticket from our primary trust KDC. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15653 Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
parent
9dcc52d2a5
commit
8989aa47b7
@ -298,7 +298,10 @@ static NTSTATUS idmap_ad_get_tldap_ctx(TALLOC_CTX *mem_ctx,
|
||||
struct tldap_context **pld)
|
||||
{
|
||||
struct netr_DsRGetDCNameInfo *dcinfo;
|
||||
struct sockaddr_storage dcaddr;
|
||||
struct sockaddr_storage dcaddr = {
|
||||
.ss_family = AF_UNSPEC,
|
||||
};
|
||||
struct sockaddr_storage *pdcaddr = NULL;
|
||||
struct winbindd_domain *creds_domain = NULL;
|
||||
struct cli_credentials *creds;
|
||||
struct loadparm_context *lp_ctx;
|
||||
@ -365,9 +368,13 @@ static NTSTATUS idmap_ad_get_tldap_ctx(TALLOC_CTX *mem_ctx,
|
||||
* create_local_private_krb5_conf_for_domain() can deal with
|
||||
* sitename==NULL
|
||||
*/
|
||||
if (strequal(domname, lp_realm()) || strequal(domname, lp_workgroup()))
|
||||
{
|
||||
pdcaddr = &dcaddr;
|
||||
}
|
||||
|
||||
ok = create_local_private_krb5_conf_for_domain(
|
||||
lp_realm(), lp_workgroup(), sitename, &dcaddr);
|
||||
lp_realm(), lp_workgroup(), sitename, pdcaddr);
|
||||
TALLOC_FREE(sitename);
|
||||
if (!ok) {
|
||||
DBG_DEBUG("Could not create private krb5.conf\n");
|
||||
|
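Review bot: The comment above the call in the second hunk still documents only `sitename==NULL`, while the new code also passes `pdcaddr == NULL` for every domain that is not our own realm or workgroup, and nothing at the call site says why. I would extend that comment with something like `Only pin the KDC address when domname is our own domain: the krb5.conf is written for lp_realm(), and a trusted domain's DC cannot issue tickets for our machine account.` Whether create_local_private_krb5_conf_for_domain() accepts a NULL address, and how it then locates a KDC, is not visible in these hunks, so that should be confirmed against its definition and stated in the comment as well. idmap_ad_get_tldap_ctx() continues past the end of the second hunk.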