Hi All,

Used debug level 10 to determine that the krb5_kt_resolve call failed when
verifying incoming ticket.  Determined that the call failed at
libads/kerberos_verify.c:56;

        ret = krb5_kt_resolve(context, keytab_name, keytab);
        if (ret)
                return ret;

in other words a non-zero return value is an error.  mit-krb5-1.3.1 does not
support memory keytabs, at least without extra coding (i.e.
krb5_kt_register, but I could not find the appropriate krb5_kt_ops to use,
more about this later.

Tried to find out why manifest constant  HAVE_MEMORY_KEYTAB is set to true.
Found in the configure.in file that the logic sense is inverted (if I am
reading this correctly);

    AC_TRY_RUN([
#include<krb5.h>
  main()
  {
    krb5_context context;
    krb5_keytab keytab;

    krb5_init_context(&context);
    if (krb5_kt_resolve(context, "MEMORY:", &keytab))
      exit(0);
    exit(1);
  }],
  samba_cv_HAVE_MEMORY_KEYTAB=yes,
  samba_cv_HAVE_MEMORY_KEYTAB=no)])

  if test x"$samba_cv_HAVE_MEMORY_KEYTAB" = x"yes"; then
      AC_DEFINE(HAVE_MEMORY_KEYTAB,1,
               [Whether in-memory keytabs are supported])
  fi

The code in kerberos_verify.c does not seem ready to handle any other keytab
type in the function setup_keytab.  I'm not sure if this is correct, and I
am not certain how to proceed at this point.

1.  Should the code work properly if the configure.in script is fixed?
(i.e. do not use memory keytabs)
2.  Is the strategy to use memory keytabs by way of
krb5_kt_register/krb5_kt_ops?
3.  Is there something that I am completely missing?

Please note: I'm in the middle of a clean compile so I don't know if there are 
more issues to follow from this.

Thanks,
jonw