The branch, master has been updated
       via  c72554260c9 s3:libads: Make sure that REALM is always added to 
keytab principals
       via  cf34645050d lib:krb5_wrap: Add smb_krb5_parse_name_flags()
      from  8831eec914a docs-xml: enable SMB3 Unix Extensions by default

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit c72554260c950d0ef7652955a59f0f68a026f4f2
Author: Pavel Filipenský <pfilipen...@samba.org>
Date:   Fri Mar 7 10:32:40 2025 +0100

    s3:libads: Make sure that REALM is always added to keytab principals
    
    The code responsible for adding SPNs to the keytab should always set the
    REALM part.  The current code does not add it for, e.g., SPNs synced from AD.
    
    If REALM is missing, krb5_parse_name() will succeed (and add the REALM)
    only if the krb5.conf contains libdefaults section with
    default_realm set and will fail otherwise. E.g.:
    
    [libdefaults]
        default_realm = SOMETESTDOMAIN1.MY.COM
    
    When calling 'net ads join' we get the following error if SPN is missing
    REALM and krb5.conf does not provide the default_realm:
    
    pw2kt_process_add_info: Failed to parse principal:
    RestrictedKrbHost/$MACHINE_NAME
    Failed to join domain: failed to create kerberos keytab
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15727
    
    Pair-Programmed-With: Noel Power <noel.po...@suse.com>
    
    Signed-off-by: Pavel Filipenský <pfilipen...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Alexander Bokovoy <a...@samba.org>
    
    Autobuild-User(master): Pavel Filipensky <pfilipen...@samba.org>
    Autobuild-Date(master): Sun Mar  9 00:25:08 UTC 2025 on atb-devel-224

commit cf34645050df64d6b8c4fa45394c3feebe691e79
Author: Pavel Filipenský <pfilipen...@samba.org>
Date:   Thu Mar 6 23:20:53 2025 +0100

    lib:krb5_wrap: Add smb_krb5_parse_name_flags()
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15727
    
    Signed-off-by: Pavel Filipenský <pfilipen...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Alexander Bokovoy <a...@samba.org>

-----------------------------------------------------------------------

Summary of changes:
 lib/krb5_wrap/krb5_samba.c       | 39 ++++++++++++++++++++++++++++++++-------
 lib/krb5_wrap/krb5_samba.h       |  5 +++++
 source3/libads/kerberos_keytab.c | 19 ++++++++++++++++++-
 3 files changed, 55 insertions(+), 8 deletions(-)


Changeset truncated at 500 lines:

diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
index 451616c79e5..0a4a7ea986f 100644
--- a/lib/krb5_wrap/krb5_samba.c
+++ b/lib/krb5_wrap/krb5_samba.c
@@ -836,6 +836,29 @@ krb5_error_code smb_krb5_get_allowed_etypes(krb5_context 
context,
 krb5_error_code smb_krb5_parse_name(krb5_context context,
                                    const char *name,
                                    krb5_principal *principal)
+{
+       return smb_krb5_parse_name_flags(context, name, 0, principal);
+}
+
+/**
+ * @brief Convert a string principal name to a Kerberos principal.
+ *
+ * @param[in]  context  The library context
+ *
+ * @param[in]  name     The principal as a unix charset string.
+ *
+ * @param[in]  flags    Flags for krb5_parse_name_flags()
+ *
+ * @param[out] principal The newly allocated principal.
+ *
+ * Use krb5_free_principal() to free a principal when it is no longer needed.
+ *
+ * @return 0 on success, a Kerberos error code otherwise.
+ */
+krb5_error_code smb_krb5_parse_name_flags(krb5_context context,
+                                         const char *name,
+                                         int flags,
+                                         krb5_principal *principal)
 {
        krb5_error_code ret;
        char *utf8_name;
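Review bot: The new docstring for smb_krb5_parse_name_flags (the block above the signature) does not mention that, when the first parse returns KRB5_PARSE_MALFORMED, the name is parsed again with KRB5_PRINCIPAL_PARSE_ENTERPRISE ORed into the caller's flags, so a reader of the header cannot tell that the flags they pass may be extended. I would add, after the `@param[in] flags` entry: ` * If parsing fails with KRB5_PARSE_MALFORMED, the name is parsed again with KRB5_PRINCIPAL_PARSE_ENTERPRISE added to flags.` The body implementing that retry lies in the following hunk; smb_krb5_parse_name_flags runs past the end of this one.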
@@ -843,17 +866,19 @@ krb5_error_code smb_krb5_parse_name(krb5_context context,
        TALLOC_CTX *frame = talloc_stackframe();
 
        if (!push_utf8_talloc(frame, &utf8_name, name, &converted_size)) {
-               talloc_free(frame);
+               TALLOC_FREE(frame);
                return ENOMEM;
        }
+       TALLOC_FREE(frame);
 
-       ret = krb5_parse_name(context, utf8_name, principal);
-       if (ret == KRB5_PARSE_MALFORMED) {
-               ret = krb5_parse_name_flags(context, utf8_name,
-                                           KRB5_PRINCIPAL_PARSE_ENTERPRISE,
-                                           principal);
+       ret = krb5_parse_name_flags(context, utf8_name, flags, principal);
+       if (ret != KRB5_PARSE_MALFORMED) {
+               return ret;
        }
-       TALLOC_FREE(frame);
+
+       flags |= KRB5_PRINCIPAL_PARSE_ENTERPRISE;
+       ret = krb5_parse_name_flags(context, utf8_name, flags, principal);
+
        return ret;
 }
 
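Review bot: utf8_name is used after it is freed: the added `TALLOC_FREE(frame);` directly after the push_utf8_talloc() check releases the stackframe that push_utf8_talloc(frame, &utf8_name, ...) allocated utf8_name on, and both krb5_parse_name_flags() calls below then read utf8_name. The removed line at the bottom of the hunk had the free in the right place, after the last use; moving it back and folding the early return into the retry condition keeps a single exit with one free point. smb_krb5_parse_name_flags begins in the previous hunk.
```c
	/* … unchanged: push_utf8_talloc() check, returns ENOMEM on failure … */

	ret = krb5_parse_name_flags(context, utf8_name, flags, principal);
	if (ret == KRB5_PARSE_MALFORMED) {
		flags |= KRB5_PRINCIPAL_PARSE_ENTERPRISE;
		ret = krb5_parse_name_flags(context, utf8_name, flags, principal);
	}
	/* utf8_name lives on frame: free only after the last parse */
	TALLOC_FREE(frame);
	return ret;
```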
diff --git a/lib/krb5_wrap/krb5_samba.h b/lib/krb5_wrap/krb5_samba.h
index 173307f7c88..a562359e121 100644
--- a/lib/krb5_wrap/krb5_samba.h
+++ b/lib/krb5_wrap/krb5_samba.h
@@ -186,6 +186,11 @@ krb5_error_code smb_krb5_parse_name(krb5_context context,
                                const char *name, /* in unix charset */
                                 krb5_principal *principal);
 
+krb5_error_code smb_krb5_parse_name_flags(krb5_context context,
+                                         const char *name, /* unix charset */
+                                         int flags,
+                                         krb5_principal *principal);
+
 krb5_error_code smb_krb5_unparse_name(TALLOC_CTX *mem_ctx,
                                      krb5_context context,
                                      krb5_const_principal principal,
diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c
index 5913db299ad..49a892e5a55 100644
--- a/source3/libads/kerberos_keytab.c
+++ b/source3/libads/kerberos_keytab.c
@@ -364,12 +364,29 @@ static krb5_error_code pw2kt_process_add_info(struct 
pw2kt_keytab_state *state2,
        krb5_principal princ = NULL;
        krb5_principal *a = NULL;
        size_t len;
+       const char *realm = NULL;
 
-       ret = smb_krb5_parse_name(state2->context, princs, &princ);
+       ret = smb_krb5_parse_name_flags(state2->context,
+                                       princs,
+                                       KRB5_PRINCIPAL_PARSE_NO_DEF_REALM,
+                                       &princ);
        if (ret != 0) {
                DBG_ERR("Failed to parse principal: %s\n", princs);
                return ret;
        }
+       /* Add realm part if missing (e.g. SPNs synced from DC) */
+       realm = smb_krb5_principal_get_realm(state2, state2->context, princ);
+       if (realm == NULL || *realm == 0) {
+               ret = smb_krb5_principal_set_realm(state2->context,
+                                                  princ,
+                                                  lp_realm());
+               if (ret != 0) {
+                       DBG_ERR("Failed to add realm to principal: %s\n",
+                               princs);
+                       return ret;
+               }
+       }
+
        len = talloc_array_length(state2->princ_array);
        a = talloc_realloc(state2,
                           state2->princ_array,
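Review bot: The new error return after smb_krb5_principal_set_realm() fails leaks princ, which the successful smb_krb5_parse_name_flags() call above has already allocated; add `krb5_free_principal(state2->context, princ);` before that `return ret;`. The test `realm == NULL || *realm == 0` also treats a NULL from smb_krb5_principal_get_realm() (presumably an allocation failure, given state2 is passed as the talloc context) the same as a principal with an empty realm; that is probably fine since lp_realm() is then applied, but a short comment saying so would help. pw2kt_process_add_info continues past the end of this hunk, so I cannot see whether the normal path hands princ to princ_array or when the realm string allocated on state2 is released.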


-- 
Samba Shared Repository
