Bug 9581 - Samba4 running under a kerberos only realm (not AD) fails to authenticate
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.0
Classification: Unclassified
Component: File services
Version: 4.0.0
Hardware: All Linux
Importance: P5 major
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2013-01-22 04:12 UTC by Kyle Brantley
Modified: 2013-01-28 19:08 UTC

Attachments
smbd debug log of the connection attempt (492.96 KB, application/octet-stream)
2013-01-22 04:12 UTC, Kyle Brantley
no flags
proposed patch by Andrew (1.09 KB, patch)
2013-01-22 04:13 UTC, Kyle Brantley
no flags
Patch for v4-0-test (1.19 KB, patch)
2013-01-27 13:47 UTC, Stefan Metzmacher
abartlet: review+

Description Kyle Brantley 2013-01-22 04:12:16 UTC
Created attachment 8462
smbd debug log of the connection attempt

When using samba4 (samba-4.0.0-174.fc18.x86_64, samba-common-4.0.0-174.fc18.x86_64, samba-libs-4.0.0-174.fc18.x86_64) under a kerberos only realm:

security = ADS
passdb backend = tdbsam
restrict anonymous = yes
server signing = auto
client signing = auto
smb encrypt = auto
realm = MYREALM.COM
kerberos method = system keytab

Attempting to connect to the samba server yields the following messages in /var/log/messages:

Jan 21 11:27:00 elastic smbd[1573]: [2013/01/21 11:27:00.675545,  0]
../auth/kerberos/gssapi_pac.c:116(gssapi_obtain_pac_blob)
Jan 21 11:27:00 elastic smbd[1573]:   obtaining PAC via GSSAPI
gss_get_name_attribute failed: The operation or option is not available
or unsupported: No such file or directory
Jan 21 11:27:07 elastic smbd[1574]: [2013/01/21 11:27:07.559656,  0]
../auth/kerberos/gssapi_pac.c:116(gssapi_obtain_pac_blob)
Jan 21 11:27:07 elastic smbd[1574]:   obtaining PAC via GSSAPI
gss_get_name_attribute failed: The operation or option is not available
or unsupported: No such file or directory
Jan 21 11:27:07 elastic smbd[1576]: [2013/01/21 11:27:07.643158,  0]
../auth/kerberos/gssapi_pac.c:116(gssapi_obtain_pac_blob)
Jan 21 11:27:07 elastic smbd[1576]:   obtaining PAC via GSSAPI
gss_get_name_attribute failed: The operation or option is not available
or unsupported: No such file or directory

The connection is then terminated.
Comment 1 Kyle Brantley 2013-01-22 04:13:03 UTC
Created attachment 8463
proposed patch by Andrew
Comment 2 Kyle Brantley 2013-01-22 06:28:57 UTC
Mailing list discussion: http://thread.gmane.org/gmane.network.samba.general/128444
Comment 3 Stefan Metzmacher 2013-01-27 13:47:37 UTC
Created attachment 8499
Patch for v4-0-test
Comment 4 Karolin Seeger 2013-01-28 10:13:29 UTC
Pushed to autobuild-v4-0-test.
Comment 5 Karolin Seeger 2013-01-28 19:08:20 UTC
Pushed to v4-0-test.
Closing out bug report.

Thanks!