Bug 912 - Configuration defaults to HAVE_MEMORY_KEYTAB=1
Summary: Configuration defaults to HAVE_MEMORY_KEYTAB=1
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: Config Files (show other bugs)
Version: 3.0.1
Hardware: All Linux
: P2 major
Target Milestone: none
Assignee: Jeremy Allison
QA Contact:
URL: http://www.blackkat.ca
: 863 (view as bug list)
Depends on:
Reported: 2003-12-22 18:52 UTC by jon wackley
Modified: 2005-08-24 10:27 UTC (History)
3 users (show)

See Also:


Note You need to log in before you can comment on or make changes to this bug.
Description jon wackley 2003-12-22 18:52:00 UTC
Hi All,

Used debug level 10 to determine that the krb5_kt_resolve call failed when
verifying incoming ticket.  Determined that the call failed at

        ret = krb5_kt_resolve(context, keytab_name, keytab);
        if (ret)
                return ret;

in other words a non-zero return value is an error.  mit-krb5-1.3.1 does not
support memory keytabs, at least without extra coding (i.e.
krb5_kt_register, but I could not find the appropriate krb5_kt_ops to use,
more about this later.

Tried to find out why manifest constant  HAVE_MEMORY_KEYTAB is set to true.
Found in the configure.in file that the logic sense is inverted (if I am
reading this correctly);

    krb5_context context;
    krb5_keytab keytab;

    if (krb5_kt_resolve(context, "MEMORY:", &keytab))

  if test x"$samba_cv_HAVE_MEMORY_KEYTAB" = x"yes"; then
               [Whether in-memory keytabs are supported])

The code in kerberos_verify.c does not seem ready to handle any other keytab
type in the function setup_keytab.  I'm not sure if this is correct, and I
am not certain how to proceed at this point.

1.  Should the code work properly if the configure.in script is fixed?
(i.e. do not use memory keytabs)
2.  Is the strategy to use memory keytabs by way of
3.  Is there something that I am completely missing?

Please note: I'm in the middle of a clean compile so I don't know if there are 
more issues to follow from this.

Comment 1 jon wackley 2003-12-22 20:48:48 UTC
Fixed configure.in and then regenerated configure.  Could now authenticate to 
Win2K ADS.  Logs look good from quick glance.  BTW - I do not have CVS access 
so I will leave it to you to resolve this bug.

BTW - I was looking into another bug, I could not see/change the permissions of 
a directory from the win2K clinet.  Files work fine.  Any suggestions?  Will 
open another bug.
Comment 2 Gerald (Jerry) Carter (dead mail address) 2004-01-02 07:23:32 UTC
*** Bug 863 has been marked as a duplicate of this bug. ***
Comment 3 Gerald (Jerry) Carter (dead mail address) 2004-01-05 12:25:09 UTC
Yup.  The logic appears backwards.
Fix checked in.  Thanks.
Comment 4 Gerald (Jerry) Carter (dead mail address) 2005-08-24 10:27:49 UTC
sorry for the same, cleaning up the database to prevent unecessary reopens of bugs.