mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00

s3:winbind: Fix idmap_ad creating an invalid local krb5.conf

In case of a trusted domain, we are providing the realm of the primary
trust but specify the KDC IP of the trusted domain. This leads to
Kerberos ticket requests being sent to the trusted domain's KDC, which
doesn't know about the machine account. However, we need a ticket from
our primary trust KDC.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15653

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andreas Schneider 2024-05-28 13:54:24 +02:00 committed by Andrew Bartlett
parent 9dcc52d2a5
commit 8989aa47b7


@ -298,7 +298,10 @@ static NTSTATUS idmap_ad_get_tldap_ctx(TALLOC_CTX *mem_ctx,
struct tldap_context **pld)
{
struct netr_DsRGetDCNameInfo *dcinfo;
struct sockaddr_storage dcaddr;
struct sockaddr_storage dcaddr = {
.ss_family = AF_UNSPEC,
};
struct sockaddr_storage *pdcaddr = NULL;
struct winbindd_domain *creds_domain = NULL;
struct cli_credentials *creds;
struct loadparm_context *lp_ctx;
@ -365,9 +368,13 @@ static NTSTATUS idmap_ad_get_tldap_ctx(TALLOC_CTX *mem_ctx,
* create_local_private_krb5_conf_for_domain() can deal with
* sitename==NULL
*/
if (strequal(domname, lp_realm()) || strequal(domname, lp_workgroup()))
{
pdcaddr = &dcaddr;
}
ok = create_local_private_krb5_conf_for_domain(
lp_realm(), lp_workgroup(), sitename, &dcaddr);
lp_realm(), lp_workgroup(), sitename, pdcaddr);
TALLOC_FREE(sitename);
if (!ok) {
DBG_DEBUG("Could not create private krb5.conf\n");