[PATCH] spnego SPN fix when contacting trusted domains

> Doing some testing with W2K8 I found there's still a few more bugs using
> proper Kerberos credentials when we're joined to a W2K3 domain, but
> attempting to connect to a W2K8 domain which has a forest transitive
> trust with our domain.
>
>  
>
> There are two patches against v3-0-test attached.  The first one is a
> quick and dirty hack to get 3.0 head behaving like our in-house modified
> 3.0.24 which I originally wrote the second patch again.

>
> Sorry, my message was a bit confusing.
>
> 0002 is the patch I want you to review/integrate.  In applying it from
> my 3.0.24 codebase to 3.0.28a, I found another blocking bug that exists
> in 3.0.28a.
>
> I didn't have time to also thoroughly fix it, so 0001 is a quick hack
> fix for this blocking bug, that should be applied before 0002 so you can
> see that 0002 works.  However, the bug fixed by 0001 needs to be
> addressed first.
>
> I can file a more specific bug report on the issue fixed by 0001.
>
> Bah, this is confusing.  I'm on IRC for the next 40 minutes if you want
> to hash it out.

> Doing some testing with W2K8 I found there's still a few more bugs using
> proper Kerberos credentials when we're joined to a W2K3 domain, but
> attempting to connect to a W2K8 domain which has a forest transitive
> trust with our domain.
>
>  
>
> There are two patches against v3-0-test attached.  The first one is a
> quick and dirty hack to get 3.0 head behaving like our in-house modified
> 3.0.24 which I originally wrote the second patch again.
>
>  
>
> 0001:
>
>  
>
> Changes were made in winbindd_cm.c:cm_prepare_connection() to use
> get_trust_creds() to fill in machine_krb5_principal and
> machine_password.  Unfortunately, they're filled in incorrectly in the
> case where we're trying to connect to a trusted domain.
>
>  
>
> Say our machine is called MACHINE, we're joined to a domain
> W2K3.DOMAIN.COM, which has a transitive trust to W2K8.DOMAIN.COM.  The
> first time we try to connect to W2K8, get_trust_creds() incorrectly
> tells us to use the machine_password from W2K8, and a
> machine_krb5_principal of MACHINE$@....  These should be the
> machine_password from W2K3 and MACHINE$@....
>
>  
>
> So the first patch is a quick hack to fill in those values like they
> were in 3.0.24.   These changes probably need to be put somewhere else,
> and I haven't audited any other callers of the functions in that patch
> to make sure they still work.
>
>  
>
> 0002:
>
>  
>
> This is what I was trying to submit initially, and the patch explains
> the changes and why they're necessary.  There are many ways to implement
> this fix, I chose to change the function signature, and pass in a real
> REALM so we could eventually stop relying on the negHint in
> NegTokenInit2 all together.
>
>  
>
> Steven Danneman | Software Development Engineer
>
> Isilon Systems    P +1-206-315-7500    F  +1-206-315-7501
>
> www.isilon.com    
>