Bug 12488 - Connections to Samba AD domain member fail when krb5.conf contains includedir statement
Status: NEW
Product: Samba 4.1 and newer
Classification: Unclassified
Component: File services
Version: 4.5.3
Hardware: All All
Importance: P5 major
Target Milestone: ---
Assigned To: Samba QA Contact
QA Contact: Samba QA Contact
Depends on:
Blocks:
Reported: 2016-12-29 18:42 UTC by Marc Muehlfeld
Modified: 2016-12-29 18:47 UTC (History)
Attachments
Level 10 debug log file (93.61 KB, text/x-log)
2016-12-29 18:42 UTC, Marc Muehlfeld
smb.conf (505 bytes, text/plain)
2016-12-29 18:43 UTC, Marc Muehlfeld
krb5.conf (590 bytes, text/plain)
2016-12-29 18:46 UTC, Marc Muehlfeld
Screenshot Windows (54.75 KB, image/png)
2016-12-29 18:47 UTC, Marc Muehlfeld

Description Marc Muehlfeld 2016-12-29 18:42:49 UTC
Created attachment 12781 [details]
Level 10 debug log file

Problem description:
In an Active Directory, connections to Samba domain members fail if they have an "includedir" statement in the /etc/krb5.conf file.


Steps to reproduce:
1. Add the following line to /etc/krb5.conf:
   includedir /etc/krb5.conf.d/
   Alternatively, update from CentOS 7.2 to 7.3.
   The krb5-workstation-1.14.1-27 package shipped with 7.3 adds
   the "includedir" statement.
2. Restart Samba.
3. Connect from Windows to a share on the Samba domain member or
   to \\host_name\.


Actual results:
Connections to the domain member fail and Samba logs the following errors:
[2016/12/29 19:32:48.400895,  3, pid=21622, effective(0, 0), real(0, 0)] ../source3/smbd/smb2_server.c:3097(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_UNSUCCESSFUL] || at ../source3/smbd/smb2_sesssetup.c:134
[2016/12/29 19:32:48.400904, 10, pid=21622, effective(0, 0), real(0, 0)] ../source3/smbd/smb2_server.c:2988(smbd_smb2_request_done_ex)
  smbd_smb2_request_done_ex: idx[1] status[NT_STATUS_UNSUCCESSFUL] body[8] dyn[yes:1] at ../source3/smbd/smb2_server.c:3145


Expected results:
Connections to the domain member should succeed.


Additional information:
CentOS 7.3 (krb5-workstation-1.14.1-27) adds the following line to the /etc/krb5.conf file:
includedir /etc/krb5.conf.d/
Users updating their AD domain member servers to 7.3 are no longer able to connect to shares until they remove the config entry.


Workaround:
Remove the "includedir" statement from /etc/krb5.conf. No smbd restart is required.
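
The workaround above can be audited and applied per host with a small script. This is an added example, not part of the bug report or of Samba; the function names, the .bak backup suffix, and the sample values EXAMPLE.COM and crypto.conf are assumptions.

```sh
#!/bin/sh
# Added example (not from the bug report): audit a krb5.conf for active
# "includedir" directives and apply the reported workaround with a backup.

# Print "LINE:DIR" for every active (non-commented) includedir directive.
find_includedir() {
    awk '$1 == "includedir" { print NR ":" $2 }' "$1"
}

# List the files in each included directory; these snippets are no longer
# read once the directive is disabled, so review them first.
list_included_files() {
    find_includedir "$1" | while IFS=: read -r lineno dir; do
        dir=${dir%/}
        for f in "$dir"/*; do
            if [ -f "$f" ]; then echo "$f"; fi
        done
    done
}

# Comment out each active includedir line. The original is kept as FILE.bak.
# Returns 1 if the file has no active includedir directive.
disable_includedir() {
    conf=$1
    if [ -z "$(find_includedir "$conf")" ]; then return 1; fi
    cp -p "$conf" "$conf.bak" || return 2
    awk '$1 == "includedir" { print "# disabled, see Samba bug 12488: " $0; next }
         { print }' "$conf.bak" > "$conf"
}

# Constructed sample: a minimal krb5.conf with the directive, written to DIR.
# EXAMPLE.COM and crypto.conf are placeholders, not values from the report.
make_sample() {
    mkdir -p "$1/krb5.conf.d"
    echo "[libdefaults]" > "$1/krb5.conf.d/crypto.conf"
    printf '%s\n' "includedir $1/krb5.conf.d/" "# includedir /old/" \
        "[libdefaults]" " default_realm = EXAMPLE.COM" > "$1/krb5.conf"
}

# Stand-alone run: audit the file given as $1 (for example /etc/krb5.conf).
if [ "$#" -ge 1 ]; then
    find_includedir "$1"
    list_included_files "$1"
fi
```

The stand-alone run only reports; disable_includedir has to be called explicitly to change the file.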
Comment 1 Marc Muehlfeld 2016-12-29 18:43:09 UTC
Created attachment 12782 [details]
smb.conf
Comment 2 Marc Muehlfeld 2016-12-29 18:46:20 UTC
Created attachment 12783 [details]
krb5.conf

The attached krb5.conf file is the one provided by CentOS 7.3 from my test system. It is the same as on 7.2. The only difference is that the one shipped with 7.3 (provided by krb5-workstation-1.14.1-26) contains the "includedir" statement.
Comment 3 Marc Muehlfeld 2016-12-29 18:47:35 UTC
Created attachment 12784 [details]
Screenshot Windows