Bug 12488 - Connections to Samba AD domain member fail when krb5.conf contains includedir statement
Summary: Connections to Samba AD domain member fail when krb5.conf contains includedir...
Status: RESOLVED DUPLICATE of bug 11573
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: File services (show other bugs)
Version: 4.5.3
Hardware: All All
: P5 major (vote)
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-12-29 18:42 UTC by Marc Muehlfeld
Modified: 2018-06-25 11:00 UTC (History)
1 user (show)

See Also:


Attachments
Level 10 debug log file (93.61 KB, text/x-log)
2016-12-29 18:42 UTC, Marc Muehlfeld
no flags Details
smb.conf (505 bytes, text/plain)
2016-12-29 18:43 UTC, Marc Muehlfeld
no flags Details
krb5.conf (590 bytes, text/plain)
2016-12-29 18:46 UTC, Marc Muehlfeld
no flags Details
Screenshot Windows (54.75 KB, image/png)
2016-12-29 18:47 UTC, Marc Muehlfeld
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Marc Muehlfeld 2016-12-29 18:42:49 UTC
Created attachment 12781 [details]
Level 10 debug log file

Problem description:
In an Active Directory, connections to Samba domain members fail if they have an "includedir" statement in the /etc/krb5.conf file.


Steps to reproduce:
1. Add the following line to /etc/krb5.conf:
   includedir /etc/krb5.conf.d/
   Alternatively, update from CentOS 7.2 to 7.3.
   The krb5-workstation-1.14.1-27 package shipped with 7.3 adds
   the "includedir" statement.
2. Restart Samba.
3. Connect from Windows to a share on the Samba domain member or
   to \\host_name\.


Actual results:
Connections to the domain member fail and Samba logs the following errors:
[2016/12/29 19:32:48.400895,  3, pid=21622, effective(0, 0), real(0, 0)] ../source3/smbd/smb2_server.c:3097(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_UNSUCCESSFUL] || at ../source3/smbd/smb2_sesssetup.c:134
[2016/12/29 19:32:48.400904, 10, pid=21622, effective(0, 0), real(0, 0)] ../source3/smbd/smb2_server.c:2988(smbd_smb2_request_done_ex)
  smbd_smb2_request_done_ex: idx[1] status[NT_STATUS_UNSUCCESSFUL] body[8] dyn[yes:1] at ../source3/smbd/smb2_server.c:3145


Expected results:
Connections to the domain member should succeed.


Additional information:
CentOS 7.3 (krb5-workstation-1.14.1-27) adds the following line to the /etc/krb5.conf file:
includedir /etc/krb5.conf.d/
Users updating their AD domain member servers to 7.3, are no longer able to connect to shares until they remove the config entry.


Workaround:
Remove the "includedir" statement from /etc/krb5.conf. No smbd restart is required.
Comment 1 Marc Muehlfeld 2016-12-29 18:43:09 UTC
Created attachment 12782 [details]
smb.conf
Comment 2 Marc Muehlfeld 2016-12-29 18:46:20 UTC
Created attachment 12783 [details]
krb5.conf

The attached krb5.conf file is the one provided by CentOS 7.3 from my test system. It is the same as on 7.2. The only difference is, that the one shipped with 7.3 (provided by krb5-workstation-1.14.1-26) contains the "includedir" statement.
Comment 3 Marc Muehlfeld 2016-12-29 18:47:35 UTC
Created attachment 12784 [details]
Screenshot Windows
Comment 4 Björn Baumbach 2018-06-25 11:00:52 UTC
We have handled this issue in an other bug report:
https://bugzilla.samba.org/show_bug.cgi?id=11573

Marking this as duplicate.

Björn

*** This bug has been marked as a duplicate of bug 11573 ***