
Bug 560239

Summary: cliconnect gets realm wrong with trusted domains
Product: Red Hat Enterprise Linux 5
Reporter: Jason Montleon <jmontleo>
Component: samba3x
Assignee: Guenther Deschner <gdeschner>
Status: CLOSED ERRATA
QA Contact: qe-baseos-daemons
Severity: medium
Priority: low
Version: 5.4
CC: azelinka, dpal, tao
Target Milestone: rc
Hardware: All
OS: Linux
Fixed In Version: samba3x-3.3.12-0.53.el5
Doc Type: Bug Fix
Doc Text:
Service principal names were not always created correctly and as a result, the system was attempting to acquire a service ticket using a wrong hostname. This caused the Kerberos authentication to fail. With this update, service principal names are created correctly.
Last Closed: 2011-01-13 22:44:37 UTC

Description Jason Montleon 2010-01-30 15:04:36 UTC
Description of problem:
If you have a trust between an MIT Kerberos realm and an Active Directory
domain, say EXAMPLE.COM and AD.EXAMPLE.COM, it will always guess that the server
principal is server$@EXAMPLE.COM and never try server$@AD.EXAMPLE.COM.

So, if you do a kinit for a user and then try to do a smbclient -k
//server.ad.example.com/whatever, it will end up trying the principal
server$@EXAMPLE.COM instead of server$@AD.EXAMPLE.COM.

Version-Release number of selected component (if applicable):
Fedora 12: 
samba-common-3.4.5-55.fc12.x86_64
samba-client-3.4.5-55.fc12.x86_64
samba-3.4.5-55.fc12.x86_64

Red Hat Enterprise Linux 5.4:
samba-common-3.0.33-3.15.el5_4.1
samba-3.0.33-3.15.el5_4.1
samba-client-3.0.33-3.15.el5_4.1

How reproducible:
Always

Steps to Reproduce:
1. Create a trust between the Kerberos realm and the Active Directory domain
2. Do a kinit on the Linux system
3. smbclient -k //server.ad.example.com/whatever

Actual results:
Connection Fails

Expected results:
Connection succeeds

Additional info:
Upstream bug report and patch: https://bugzilla.samba.org/show_bug.cgi?id=7079
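
To make the reported behaviour concrete, the following is an added illustration, not part of the original report and not Samba's code or the upstream patch: it contrasts reusing the user's realm for the server principal with choosing the realm from the target host name. The mapping table (loosely modelled on a krb5.conf [domain_realm] section), the simplified suffix matching and all function names are assumptions.

```python
# Added illustration (not Samba code): realm selection for a server principal.

# Constructed sample mapping, loosely modelled on krb5.conf [domain_realm]:
# a leading dot covers hosts below that domain, a bare name covers one host.
DOMAIN_REALM = {
    ".ad.example.com": "AD.EXAMPLE.COM",
    ".example.com": "EXAMPLE.COM",
    "example.com": "EXAMPLE.COM",
}


def realm_for_host(fqdn, domain_realm, default_realm):
    """Exact host entry first, then the longest matching domain suffix,
    then default_realm (simplified matching, an assumption of this example)."""
    host = fqdn.rstrip(".").lower()
    table = {k.lower(): v for k, v in domain_realm.items()}
    if host in table:
        return table[host]
    labels = host.split(".")
    # Try ".ad.example.com", then ".example.com", then ".com".
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in table:
            return table[suffix]
    return default_realm


def machine_principal(fqdn, realm):
    """Build the short-name form quoted in the report, e.g. server$@REALM."""
    short = fqdn.rstrip(".").split(".")[0].lower()
    return f"{short}$@{realm}"


def guess_from_user_realm(fqdn, user_realm):
    """Behaviour described in the report: always reuse the user's realm."""
    return machine_principal(fqdn, user_realm)


def guess_from_host(fqdn, user_realm, domain_realm=DOMAIN_REALM):
    """Choose the realm from the host name; fall back to the user's realm."""
    realm = realm_for_host(fqdn, domain_realm, user_realm)
    return machine_principal(fqdn, realm)


if __name__ == "__main__":
    target = "server.ad.example.com"  # host name used in the report
    print("reported:", guess_from_user_realm(target, "EXAMPLE.COM"))
    print("expected:", guess_from_host(target, "EXAMPLE.COM"))
```
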

Comment 7 Eva Kopalova 2010-12-15 07:55:11 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Service principal names were not always created correctly and as a result, the system was attempting to acquire a service ticket from a wrong host. This caused the Kerberos authentication to fail. With this update, service principal names are created correctly.

Comment 8 Eva Kopalova 2010-12-15 08:08:04 UTC
    Technical note updated. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    Diffed Contents:
@@ -1 +1 @@
-Service principal names were not always created correctly and as a result, the system was attempting to acquire a service ticket from a wrong host. This caused the Kerberos authentication to fail. With this update, service principal names are created correctly.+Service principal names were not always created correctly and as a result, the system was attempting to acquire a service ticket using a wrong hostname. This caused the Kerberos authentication to fail. With this update, service principal names are created correctly.
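
Review bot: the replacement wording on the + side, "using a wrong hostname", still does not match the failure reported in this bug, where the host name in the request is the intended one and it is the realm of the server principal that is wrong (server$@EXAMPLE.COM is tried instead of server$@AD.EXAMPLE.COM). Suggest naming the realm in the note, for example "attempting to acquire a service ticket for a principal in the wrong realm", and mentioning that the problem appears when a trust exists between a Kerberos realm and an Active Directory domain, as in the bug summary.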

Comment 10 errata-xmlrpc 2011-01-13 22:44:37 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0054.html