Bug 4226 - SAMBA_3_0: pam_winbind krb5_auth fails with heimdal 0.7.2
SAMBA_3_0: pam_winbind krb5_auth fails with heimdal 0.7.2
Product: Samba 3.0
Classification: Unclassified
Component: winbind
Other Linux
: P3 normal
: none
Assigned To: Guenther Deschner
Samba QA Contact
Depends on:
  Show dependency treegraph
Reported: 2006-11-14 11:03 UTC by Simo Sorce
Modified: 2007-02-01 09:10 UTC (History)
0 users

See Also:

use init_creds_opt_alloc (3.84 KB, patch)
2006-11-17 10:42 UTC, Guenther Deschner
no flags Details
slightly modified version of that patch (3.84 KB, patch)
2006-11-20 05:47 UTC, Guenther Deschner
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Simo Sorce 2006-11-14 11:03:34 UTC
If pam_winbind is comfigured to do krb5_auth then the following error is returned:

   winbindd_raw_kerberos_login: kinit failed for 'administrator@EXAMPLE.COM' with: Invalid argument (22)

Authentication always falls back to samlogon (not that cached_login does not work in this situation).

Further investigation with gdb reveals that the failing function is:
krb5_get_init_creds_opt_set_pac_request() called by kerberos_kinit_password_ext()
Comment 1 Simo Sorce 2006-11-15 14:15:06 UTC
It's in the title but just to make it clear.
This happen with heimdal 0.7.1, on Ubuntu 6.10 (Edgy)
Comment 2 Simo Sorce 2006-11-15 14:16:45 UTC
CORRECTION: it is with heimdal 0.7.2 and NOT with 0.7.1
Comment 3 Guenther Deschner 2006-11-16 09:48:13 UTC
Simo, just to make sure: this is with a w2k3dc (sp1), right?
Comment 4 Simo Sorce 2006-11-16 10:17:05 UTC
Windows 2003 SP1
Comment 5 Guenther Deschner 2006-11-17 10:42:19 UTC
Created attachment 2224 [details]
use init_creds_opt_alloc

Simo, can you test this patch, please?
Comment 6 Guenther Deschner 2006-11-17 10:42:44 UTC
This is against 3_0_RELEASE, btw.
Comment 7 Guenther Deschner 2006-11-20 05:47:50 UTC
Created attachment 2227 [details]
slightly modified version of that patch
Comment 8 Guenther Deschner 2006-11-23 11:18:27 UTC
Simo ?
Comment 9 Gerald (Jerry) Carter 2006-12-21 11:32:40 UTC
Guenther,  please apply if not already in the tree.  We have 
at least one confirmation on the mailing of the patch.
Comment 10 Guenther Deschner 2007-02-01 09:10:45 UTC
Fixed with rev 21110.