The code responsible for adding SPNs to keytab should always set the
REALM part. Current code is not adding it for e.g. SPNs synced from AD.
If REALM is missing, krb5_parse_name() will succeed (and add the REALM)
only if the krb5.conf contains a libdefaults section with
default_realm set, and will fail otherwise. E.g.:
[libdefaults]
default_realm = SOMETESTDOMAIN1.MY.COM
When calling 'net ads join' we get the following error if the SPN is missing
the REALM and krb5.conf does not provide the default_realm:
pw2kt_process_add_info: Failed to parse principal:
RestrictedKrbHost/$MACHINE_NAME
Failed to join domain: failed to create kerberos keytab
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15727
Pair-Programmed-With: Noel Power <noel.power@suse.com>
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Autobuild-User(master): Pavel Filipensky <pfilipensky@samba.org>
Autobuild-Date(master): Sun Mar 9 00:25:08 UTC 2025 on atb-devel-224
(cherry picked from commit c72554260c950d0ef7652955a59f0f68a026f4f2)
krb5_principal princ = NULL;
krb5_principal *a = NULL;
size_t len;
+ const char *realm = NULL;
- ret = smb_krb5_parse_name(state2->context, princs, &princ);
+ ret = smb_krb5_parse_name_flags(state2->context,
+ princs,
+ KRB5_PRINCIPAL_PARSE_NO_DEF_REALM,
+ &princ);
if (ret != 0) {
DBG_ERR("Failed to parse principal: %s\n", princs);
return ret;
}
+ /* Add realm part if missing (e.g. SPNs synced from DC) */
+ realm = smb_krb5_principal_get_realm(state2, state2->context, princ);
+ if (realm == NULL || *realm == 0) {
+ ret = smb_krb5_principal_set_realm(state2->context,
+ princ,
+ lp_realm());
+ if (ret != 0) {
+ DBG_ERR("Failed to add realm to principal: %s\n",
+ princs);
+ return ret;
+ }
+ }
+
len = talloc_array_length(state2->princ_array);
a = talloc_realloc(state2,
state2->princ_array,
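Review bot: The realm string obtained via `smb_krb5_principal_get_realm(state2, state2->context, princ)` is allocated on `state2` (it is passed as the talloc context) and is never freed after the emptiness check, so every principal processed in this loop leaves a small allocation behind until `state2` itself is released; free it once the check is done (e.g. `TALLOC_FREE(realm)` after the `if` block, which also means the variable should not be declared `const char *`), or drop the allocation entirely by checking the realm length through the krb5 principal accessors. Two smaller points in the same block: `lp_realm()` is passed to `smb_krb5_principal_set_realm()` without verifying it is non-empty, so a configuration with no `realm =` in smb.conf would silently produce the same realm-less principal the change is meant to fix, and a `DBG_ERR` naming the missing `realm` setting would be more useful than the later keytab failure; and the comment says "SPNs synced from DC" while the commit message says "synced from AD", so pick one wording.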