Used debug level 10 to determine that the krb5_kt_resolve call failed when
verifying incoming ticket. Determined that the call failed at
ret = krb5_kt_resolve(context, keytab_name, keytab);
in other words a non-zero return value is an error. mit-krb5-1.3.1 does not
support memory keytabs, at least without extra coding (i.e.
krb5_kt_register, but I could not find the appropriate krb5_kt_ops to use,
more about this later).
Tried to find out why manifest constant HAVE_MEMORY_KEYTAB is set to true.
Found in the configure.in file that the logic sense is inverted (if I am
reading this correctly);
if (krb5_kt_resolve(context, "MEMORY:", &keytab))
if test x"$samba_cv_HAVE_MEMORY_KEYTAB" = x"yes"; then
[Whether in-memory keytabs are supported])
The code in kerberos_verify.c does not seem ready to handle any other keytab
type in the function setup_keytab. I'm not sure if this is correct, and I
am not certain how to proceed at this point.
1. Should the code work properly if the configure.in script is fixed?
(i.e. do not use memory keytabs)
2. Is the strategy to use memory keytabs by way of
3. Is there something that I am completely missing?
Please note: I'm in the middle of a clean compile so I don't know if there are
more issues to follow from this.
Fixed configure.in and then regenerated configure. Could now authenticate to
Win2K ADS. Logs look good from quick glance. BTW - I do not have CVS access
so I will leave it to you to resolve this bug.
BTW - I was looking into another bug, I could not see/change the permissions of
a directory from the win2K client. Files work fine. Any suggestions? Will
open another bug.
*** Bug 863 has been marked as a duplicate of this bug. ***
Yup. The logic appears backwards.
Fix checked in. Thanks.
Sorry for the same, cleaning up the database to prevent unnecessary reopens of bugs.