From: Andreas Schneider
Date: Tue, 28 May 2024 11:54:24 +0000 (+0200)
Subject: s3:winbind: Fix idmap_ad creating an invalid local krb5.conf
X-Git-Tag: tdb-1.4.11~471
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=8989aa47b7493e6b7978c2efc4a40c781e9a2aee;p=thirdparty%2Fsamba.git

s3:winbind: Fix idmap_ad creating an invalid local krb5.conf

In case of a trusted domain, we are providing the realm of the primary trust but specify the KDC IP of the trusted domain. This leads to Kerberos ticket requests to the trusted domain KDC which doesn't know about the machine account. However we need a ticket from our primary trust KDC.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15653

Signed-off-by: Andreas Schneider
Reviewed-by: Andrew Bartlett
---

diff --git a/source3/winbindd/idmap_ad.c b/source3/winbindd/idmap_ad.c
index df14ca818dc..00a75a6f3ec 100644
--- a/source3/winbindd/idmap_ad.c
+++ b/source3/winbindd/idmap_ad.c
@@ -298,7 +298,10 @@ static NTSTATUS idmap_ad_get_tldap_ctx(TALLOC_CTX *mem_ctx,
 struct tldap_context **pld)
 {
 struct netr_DsRGetDCNameInfo *dcinfo;
- struct sockaddr_storage dcaddr;
+ struct sockaddr_storage dcaddr = {
+ .ss_family = AF_UNSPEC,
+ };
+ struct sockaddr_storage *pdcaddr = NULL;
 struct winbindd_domain *creds_domain = NULL;
 struct cli_credentials *creds;
 struct loadparm_context *lp_ctx;
@@ -365,9 +368,13 @@ static NTSTATUS idmap_ad_get_tldap_ctx(TALLOC_CTX *mem_ctx,
 * create_local_private_krb5_conf_for_domain() can deal with
 * sitename==NULL */
+ if (strequal(domname, lp_realm()) || strequal(domname, lp_workgroup()))
+ {
+ pdcaddr = &dcaddr;
+ }
 ok = create_local_private_krb5_conf_for_domain(
- lp_realm(), lp_workgroup(), sitename, &dcaddr);
+ lp_realm(), lp_workgroup(), sitename, pdcaddr);
 TALLOC_FREE(sitename);
 if (!ok) {
 DBG_DEBUG("Could not create private krb5.conf\n");
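Review bot: The new `pdcaddr` declared in the first hunk carries no comment saying why it starts out NULL, and the reason only becomes visible in the second hunk, where it is pointed at `dcaddr` solely when `domname` matches `lp_realm()` or `lp_workgroup()`. A one-line comment at the declaration, `/* Only points at dcaddr for our own domain: a trusted domain's KDC must never be written into the private krb5.conf for lp_realm() */`, would keep that intent from being lost if the two sites drift apart. Initialising `dcaddr` with `.ss_family = AF_UNSPEC` is a sound change on its own, since the old declaration left the storage indeterminate and the address is presumably filled in between the hunks, outside this view. idmap_ad_get_tldap_ctx begins before the first hunk (only the tail of its signature appears in the @@ context) and continues past the second hunk, whose closing context lines are cut off here.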