Fixed forest/domain name configuration in CredSpec #711
Conversation
The existing behavior for setting the DnsName and DnsTreeName values would only work in a single-domain forest because the values were swapped. This fix corrects the values so that credential specs can be generated in multi-domain forests.
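As an added illustration of the swap described above (this is example code written for this page, not the CredentialSpec.psm1 module's own code), the function below builds the `DomainJoinConfig` block of a credential spec from a domain object and can reproduce the old, swapped mapping; a second function checks an existing spec for the symptom. It assumes the property names `DnsRoot`, `Forest`, `NetBIOSName`, `DomainSID` and `ObjectGUID` as returned by `Get-ADDomain`, assumes a single-tree forest (the domain's DNS name is the forest root or a DNS child of it), and uses a constructed stand-in for `Get-ADDomain` output so that it runs without a domain.

```powershell
# Added example, not part of the PR or the CredentialSpec module.
# Assumes Get-ADDomain-style properties (DnsRoot, Forest, NetBIOSName,
# DomainSID, ObjectGUID); the child-domain object below is constructed.

function New-DomainJoinConfig {
    param(
        [Parameter(Mandatory)] $Domain,                 # Get-ADDomain-like object
        [Parameter(Mandatory)] [string] $AccountName,   # gMSA name
        [switch] $Swapped                               # reproduce the pre-fix mapping
    )
    $dnsName     = $Domain.DnsRoot   # domain the gMSA lives in
    $dnsTreeName = $Domain.Forest    # forest root
    if ($Swapped) { $dnsName, $dnsTreeName = $dnsTreeName, $dnsName }
    [ordered]@{
        Sid                = $Domain.DomainSID.Value
        MachineAccountName = $AccountName
        Guid               = $Domain.ObjectGUID.ToString()
        DnsTreeName        = $dnsTreeName
        DnsName            = $dnsName
        NetBiosName        = $Domain.NetBIOSName
    }
}

function Test-CredSpecDomainNames {
    param([Parameter(Mandatory)] [string] $CredSpecJson)
    $cfg  = (ConvertFrom-Json $CredSpecJson).DomainJoinConfig
    $dns  = $cfg.DnsName.ToLowerInvariant()
    $tree = $cfg.DnsTreeName.ToLowerInvariant()
    # In a single-tree forest DnsName is the forest root itself or a DNS child
    # of it. A DnsName that does not sit under DnsTreeName is the swapped-value
    # symptom; in a single-domain forest both are equal, which is why the bug
    # was invisible there.
    if ($dns -eq $tree -or $dns.EndsWith(".$tree")) { return $true }
    Write-Warning "DnsName '$($cfg.DnsName)' is not inside DnsTreeName '$($cfg.DnsTreeName)': values are probably swapped"
    return $false
}

# Constructed stand-in for Get-ADDomain: a child domain in a two-domain forest.
$childDomain = [pscustomobject]@{
    DnsRoot     = 'child.contoso.com'
    Forest      = 'contoso.com'
    NetBIOSName = 'CHILD'
    DomainSID   = [System.Security.Principal.SecurityIdentifier]'S-1-5-21-1111111111-2222222222-3333333333'
    ObjectGUID  = [guid]::NewGuid()
}

foreach ($swapped in $false, $true) {
    $spec = @{
        CmsPlugins       = @('ActiveDirectory')
        DomainJoinConfig = New-DomainJoinConfig -Domain $childDomain -AccountName 'WebApp01' -Swapped:$swapped
        ActiveDirectoryConfig = @{
            GroupManagedServiceAccounts = @(
                @{ Name = 'WebApp01'; Scope = $childDomain.DnsRoot },
                @{ Name = 'WebApp01'; Scope = $childDomain.NetBIOSName }
            )
        }
    }
    $json = $spec | ConvertTo-Json -Depth 5
    "Swapped=$swapped -> valid=$(Test-CredSpecDomainNames $json)"
}
```

Running the loop prints `valid=True` for the corrected mapping and `valid=False` (with a warning) for the swapped one. The same check can be pointed at an existing spec file with `Test-CredSpecDomainNames (Get-Content .\spec.json -Raw)` to find specs generated by the old script; a forest with more than one tree needs a different test, since a domain in a second tree is not a DNS child of the forest root.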
That one actually breaks it for me, as processes running inside a container now check the wrong domain if I do e.g. Get-ADUser. But that might well be caused by some kind of misconfiguration in our AD structure.
@tfenster Well that isn't good! Do you have a single or multi-domain forest?

@rpsqrd Multi-domain. But it seems like something else went wrong, because gMSAs now don't work anymore for me even if I switch back to the old .psm1. Do you happen to know more in this area? I thought I had solved the problem described in issue #618 by allowing anonymous SID/Name translation, but now the same error happens again.

Thanks @rpsqrd for this very timely fix! Was able to successfully troubleshoot an issue this evening with a customer who runs a multi-domain forest.

@tfenster Can you run

In general we would not advise allowing anonymous name/SID translation in production environments. It could allow an attacker to more easily resolve resources in your domain. However, we're aware of issues with name/SID translation in containers that I hope to document soon -- stay tuned!

@stevenfollis That's great to hear! So the updated script worked well for you?

@rpsqrd I was able to get it back to work after restoring activation (the machine claimed that for whatever reason it had lost the connection to the activation server) and rebooting the machine. I then used your fixed script and now it works without allowing anonymous name/SID translation. Thanks a lot! It seems like the activation problem coincidentally happened at around the same time as I downloaded your fix, and because of the timing I thought your fix was causing the problem.
@scooley Could you help complete this pull request? |
Validation: Alt Text Added, Absolute Links Removed, Metadata Added