s3:winbind: Fix idmap_ad creating an invalid local krb5.conf
authorAndreas Schneider <asn@samba.org>
Tue, 28 May 2024 11:54:24 +0000 (13:54 +0200)
committerAndrew Bartlett <abartlet@samba.org>
Tue, 4 Jun 2024 19:49:36 +0000 (19:49 +0000)
In the case of a trusted domain, we provide the realm of the primary
trust but specify the KDC IP of the trusted domain. This leads to
Kerberos ticket requests going to the trusted domain's KDC, which doesn't know
about the machine account. However, we need a ticket from our primary
trust KDC.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15653

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
source3/winbindd/idmap_ad.c

index df14ca818dc4612b727e92f7856b76f5d9e86726..00a75a6f3ecb5a35cee1be93c26e7c9ba1e0711d 100644 (file)
@@ -298,7 +298,10 @@ static NTSTATUS idmap_ad_get_tldap_ctx(TALLOC_CTX *mem_ctx,
                                       struct tldap_context **pld)
 {
        struct netr_DsRGetDCNameInfo *dcinfo;
-       struct sockaddr_storage dcaddr;
+       struct sockaddr_storage dcaddr = {
+               .ss_family = AF_UNSPEC,
+       };
+       struct sockaddr_storage *pdcaddr = NULL;
        struct winbindd_domain *creds_domain = NULL;
        struct cli_credentials *creds;
        struct loadparm_context *lp_ctx;
@@ -365,9 +368,13 @@ static NTSTATUS idmap_ad_get_tldap_ctx(TALLOC_CTX *mem_ctx,
         * create_local_private_krb5_conf_for_domain() can deal with
         * sitename==NULL
         */
+       if (strequal(domname, lp_realm()) || strequal(domname, lp_workgroup()))
+       {
+               pdcaddr = &dcaddr;
+       }
 
        ok = create_local_private_krb5_conf_for_domain(
-               lp_realm(), lp_workgroup(), sitename, &dcaddr);
+               lp_realm(), lp_workgroup(), sitename, pdcaddr);
        TALLOC_FREE(sitename);
        if (!ok) {
                DBG_DEBUG("Could not create private krb5.conf\n");
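Review bot: The opening brace of the new `if` around the strequal() check sits on its own line, while the surrounding code (`if (!ok) {` a few lines below) keeps it on the condition line; match that with `if (strequal(domname, lp_realm()) || strequal(domname, lp_workgroup())) {`. The new branch also deserves its own comment, because the comment block directly above it only explains the sitename==NULL case and says nothing about why the DC address is dropped for trusted domains; something like `/* Only hand over the DC address for our own domain: for a trusted domain dcaddr points at that domain's KDC, which cannot issue tickets for our machine account (bug 15653). */`. Whether create_local_private_krb5_conf_for_domain() actually tolerates a NULL address argument is not visible in this hunk, so that contract is worth confirming or stating in the comment. domname is assigned outside the hunk, and idmap_ad_get_tldap_ctx() both starts and ends outside it.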