From 83c60df6e8dd604c4954e1b444b8d2332dbff62b Mon Sep 17 00:00:00 2001
From: =?utf8?q?Pavel=20Filipensk=C3=BD?=
Date: Fri, 7 Mar 2025 10:32:40 +0100
Subject: [PATCH] s3:libads: Make sure that REALM is always added to keytab principals
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

The code responsible for adding SPNs to keytab should always set the REALM part. Current code is not adding it for e.g. SPNs synced from AD.

If REALM is missing, krb5_parse_name() will succeed (and add the REALM) only if the krb5.conf contains libdefaults section with default_realm set and will fail otherwise. E.g.:

[libdefaults]
default_realm = SOMETESTDOMAIN1.MY.COM

When calling 'net ads join' we get the following error if SPN is missing REALM and krb5.conf does not provide the default_realm:

pw2kt_process_add_info: Failed to parse principal: RestrictedKrbHost/$MACHINE_NAME
Failed to join domain: failed to create kerberos keytab

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15727

Pair-Programmed-With: Noel Power
Signed-off-by: Pavel Filipenský
Reviewed-by: Stefan Metzmacher
Reviewed-by: Alexander Bokovoy

Autobuild-User(master): Pavel Filipensky
Autobuild-Date(master): Sun Mar 9 00:25:08 UTC 2025 on atb-devel-224

(cherry picked from commit c72554260c950d0ef7652955a59f0f68a026f4f2)
---
 source3/libads/kerberos_keytab.c | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)

diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c
index 5913db299ad..49a892e5a55 100644
--- a/source3/libads/kerberos_keytab.c
+++ b/source3/libads/kerberos_keytab.c
@@ -364,12 +364,29 @@ static krb5_error_code pw2kt_process_add_info(struct pw2kt_keytab_state *state2,
 krb5_principal princ = NULL;
 krb5_principal *a = NULL;
 size_t len;
+ const char *realm = NULL;
 
- ret = smb_krb5_parse_name(state2->context, princs, &princ);
+ ret = smb_krb5_parse_name_flags(state2->context,
+ princs,
+ KRB5_PRINCIPAL_PARSE_NO_DEF_REALM,
+ &princ);
 if (ret != 0) {
 DBG_ERR("Failed to parse principal: %s\n", princs);
 return ret;
 }
 
+ /* Add realm part if missing (e.g. SPNs synced from DC) */
+ realm = smb_krb5_principal_get_realm(state2, state2->context, princ);
+ if (realm == NULL || *realm == 0) {
+ ret = smb_krb5_principal_set_realm(state2->context,
+ princ,
+ lp_realm());
+ if (ret != 0) {
+ DBG_ERR("Failed to add realm to principal: %s\n",
+ princs);
+ return ret;
+ }
+ }
+
 len = talloc_array_length(state2->princ_array);
 a = talloc_realloc(state2, state2->princ_array,
-- 
2.47.2
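Review bot: The new error return after a failed smb_krb5_principal_set_realm() leaves `princ` holding the principal that smb_krb5_parse_name_flags() already allocated, so that principal is leaked on every such failure; the pre-existing parse-failure return is fine because `princ` is still NULL there. Release it before returning, e.g. `krb5_free_principal(state2->context, princ);` directly ahead of that `return ret;`. The string returned by smb_krb5_principal_get_realm() also appears to be talloc'd on state2 and is never released in this path, so a long SPN list accumulates small allocations on the state for its whole lifetime; a `TALLOC_FREE(realm);` once the emptiness check is done would keep that bounded, hedged since the helper's allocation contract is not visible here. Finally, if lp_realm() yields an empty string the principal still ends up without a realm and the later failure will not say why, so testing for that before calling set_realm and logging that the smb.conf realm is unset would make a failed join diagnosable. The rest of pw2kt_process_add_info continues outside the hunk.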