Bug 560239 - cliconnect gets realm wrong with trusted domains
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: samba3x
Version: 5.4
Hardware: All Linux
Priority: low Severity: medium
Target Milestone: rc
Assigned To: Guenther Deschner
QA Contact: qe-baseos-daemons
Reported: 2010-01-30 10:04 EST by Jason Montleon
Modified: 2011-01-13 17:44 EST
Fixed In Version: samba3x-3.3.12-0.53.el5
Doc Type: Bug Fix
Doc Text:
Service principal names were not always created correctly and as a result, the system was attempting to acquire a service ticket using a wrong hostname. This caused the Kerberos authentication to fail. With this update, service principal names are created correctly.
Last Closed: 2011-01-13 17:44:37 EST
External Trackers:
Tracker: Red Hat Product Errata
ID: RHBA-2011:0054
Priority: normal
Status: SHIPPED_LIVE
Summary: samba3x bug fix and enhancement update
Last Updated: 2011-01-12 12:15:21 EST
Description Jason Montleon 2010-01-30 10:04:36 EST
Description of problem:
If you have a trust between an MIT Kerberos realm and an Active Directory
domain, say EXAMPLE.COM and AD.EXAMPLE.COM, it will always guess that the server
principal is server$@EXAMPLE.COM and never try server$@AD.EXAMPLE.COM.

So, if you do a kinit for user@EXAMPLE.COM and then try to do a smbclient -k
//server.ad.example.com/whatever, it will end up trying the principal
server$@EXAMPLE.COM instead of server$@AD.EXAMPLE.COM.

Version-Release number of selected component (if applicable):
Fedora 12: 
samba-common-3.4.5-55.fc12.x86_64
samba-client-3.4.5-55.fc12.x86_64
samba-3.4.5-55.fc12.x86_64

Red Hat Enterprise Linux 5.4:
samba-common-3.0.33-3.15.el5_4.1
samba-3.0.33-3.15.el5_4.1
samba-client-3.0.33-3.15.el5_4.1

How reproducible:
Always

Steps to Reproduce:
1. Create a trust between the Kerberos realm and Active Directory domain
2. Do a kinit on the Linux system
3. smbclient -k //server.ad.example.com/whatever

Actual results:
Connection Fails

Expected results:
Connection succeeds

Additional info:
Upstream bug report and patch: https://bugzilla.samba.org/show_bug.cgi?id=7079
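
Added example, not code from Samba or from the upstream patch: a simplified lookup in the style of a krb5.conf [domain_realm] section, showing why reusing the client's realm yields server$@EXAMPLE.COM while mapping the server's hostname yields server$@AD.EXAMPLE.COM. The function names and the sample mapping table are assumptions constructed for illustration.

```python
# Added illustration; every name here is hypothetical, not a Samba or MIT krb5 API.

# Constructed sample mapping for the trust in the report
# (MIT realm EXAMPLE.COM, Active Directory domain AD.EXAMPLE.COM).
DOMAIN_REALM = {
    ".ad.example.com": "AD.EXAMPLE.COM",
    ".example.com": "EXAMPLE.COM",
    "example.com": "EXAMPLE.COM",
}


def realm_from_client(client_principal):
    """Behaviour described in the report: reuse the realm of the user's ticket."""
    return client_principal.rsplit("@", 1)[1]


def realm_from_hostname(hostname, domain_realm, default_realm):
    """Map a server FQDN to a realm: exact host entry first, then the longest
    matching '.domain' suffix, then the default realm as a last resort."""
    host = hostname.lower().rstrip(".")
    table = {key.lower(): realm for key, realm in domain_realm.items()}
    if host in table:
        return table[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in table:
            return table[suffix]
    return default_realm


def machine_principal(hostname, realm):
    """Build the server$@REALM form used in the report from the short host name."""
    short = hostname.split(".", 1)[0]
    return f"{short}$@{realm}"


def compare(client_principal, server_fqdn, domain_realm=DOMAIN_REALM):
    """Return (guessed, mapped, mismatch) so a cross-realm case is easy to spot."""
    client_realm = realm_from_client(client_principal)
    guessed = machine_principal(server_fqdn, client_realm)
    mapped = machine_principal(
        server_fqdn, realm_from_hostname(server_fqdn, domain_realm, client_realm))
    return guessed, mapped, guessed != mapped


if __name__ == "__main__":
    print(compare("user@EXAMPLE.COM", "server.ad.example.com"))
```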
Comment 7 Eva Kopalova 2010-12-15 02:55:11 EST
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Service principal names were not always created correctly and as a result, the system was attempting to acquire a service ticket from a wrong host. This caused the Kerberos authentication to fail. With this update, service principal names are created correctly.
Comment 8 Eva Kopalova 2010-12-15 03:08:04 EST
    Technical note updated. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    Diffed Contents:
@@ -1 +1 @@
-Service principal names were not always created correctly and as a result, the system was attempting to acquire a service ticket from a wrong host. This caused the Kerberos authentication to fail. With this update, service principal names are created correctly.+Service principal names were not always created correctly and as a result, the system was attempting to acquire a service ticket using a wrong hostname. This caused the Kerberos authentication to fail. With this update, service principal names are created correctly.
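Review bot: the replacement wording "using a wrong hostname" in the + text does not match the failure in the Description, where the host part of the principal is the same and only the realm differs (server$@EXAMPLE.COM is tried instead of server$@AD.EXAMPLE.COM). Suggest wording such as "using a service principal in the wrong realm", and mentioning the trusted-domain setup, so that an administrator reading the technical note can tell whether the erratum applies to their environment.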
Comment 10 errata-xmlrpc 2011-01-13 17:44:37 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0054.html
