The Samba-Bugzilla – Bug 12488
Connections to Samba AD domain member fail when krb5.conf contains includedir statement
Last modified: 2018-06-25 11:00:52 UTC
Created attachment 12781 [details]
Level 10 debug log file
In an Active Directory, connections to Samba domain members fail if they have an "includedir" statement in the /etc/krb5.conf file.
Steps to reproduce:
1. Add the following line to /etc/krb5.conf:
Alternatively, update from CentOS 7.2 to 7.3.
The krb5-workstation-1.14.1-27 package shipped with 7.3 adds
the "includedir" statement.
2. Restart Samba.
3. Connect from Windows to a share on the Samba domain member or
Connections to the domain member fail and Samba logs the following errors:
[2016/12/29 19:32:48.400895, 3, pid=21622, effective(0, 0), real(0, 0)] ../source3/smbd/smb2_server.c:3097(smbd_smb2_request_error_ex)
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx status[NT_STATUS_UNSUCCESSFUL] || at ../source3/smbd/smb2_sesssetup.c:134
[2016/12/29 19:32:48.400904, 10, pid=21622, effective(0, 0), real(0, 0)] ../source3/smbd/smb2_server.c:2988(smbd_smb2_request_done_ex)
smbd_smb2_request_done_ex: idx status[NT_STATUS_UNSUCCESSFUL] body dyn[yes:1] at ../source3/smbd/smb2_server.c:3145
Connections to the domain member should succeed.
CentOS 7.3 (krb5-workstation-1.14.1-27) adds the following line to the /etc/krb5.conf file:
Users updating their AD domain member servers to 7.3, are no longer able to connect to shares until they remove the config entry.
Remove the "includedir" statement from /etc/krb5.conf. No smbd restart is required.
Created attachment 12782 [details]
Created attachment 12783 [details]
The attached krb5.conf file is the one provided by CentOS 7.3 from my test system. It is the same as on 7.2. The only difference is, that the one shipped with 7.3 (provided by krb5-workstation-1.14.1-26) contains the "includedir" statement.
Created attachment 12784 [details]
We have handled this issue in an other bug report:
Marking this as duplicate.
*** This bug has been marked as a duplicate of bug 11573 ***