svn commit: samba r19630 - in branches/SAMBA_4_0/source/lib/cmdline: .

Andrew Bartlett abartlet at samba.org
Wed Nov 8 21:50:39 GMT 2006


On Wed, 2006-11-08 at 22:01 +0100, Stefan (metze) Metzmacher wrote:
> Rafal Szczesniak schrieb:
> > On Wed, Nov 08, 2006 at 11:01:55AM +1100, Andrew Bartlett wrote:
> >> On Tue, 2006-11-07 at 23:48 +0000, mimir at samba.org wrote:
> >>> Author: mimir
> >>> Date: 2006-11-07 23:48:02 +0000 (Tue, 07 Nov 2006)
> >>> New Revision: 19630
> >>>
> >>> WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=19630
> >>>
> >>> Log:
> >>> Support specifying the realm name from command line.
> >>> Useful when testing calls against windows servers with krb auth.
> >> I'm quite happy with --realm, but I don't think taking 'r' is a good
> >> idea.  Let's just use long options.  
> >>
> >> For authentication, you can also do username@realm in the -U argument.
> > 
> > Oh, good to know - I didn't remember that. Indeed '-r' is a bit too
> > recursive option :)
> > 
> > On the other hand, setting the realm either way doesn't completely help
> > because kerberos still complains:
> > 
> > Server is not registered with our KDC:  Miscellaneous failure (see
> > text): Server (krbtgt/MIDNET.NET at TRITONNET.NET) unknown
> > 
> > This sounds complicated as my natural reaction would be - "let's join the
> > domain then" - but we don't support it yet. Any other interpretation
> > or hint ?
> 
> I also found this, the problem is that the
> smb_krb5_context->krb5_context that is used in gensec_gssapi.c is
> pointless as the gssapi functions use the global _gsskrb5_context.
> 
> but we call krb5_set_default_realm() on the smb_krb5_context->krb5_context.

Yeah, that got lost in the recent Heimdal merge.  I don't expect it will
be a problem to add a hook in that area however.

> I think we need to clean up a lot of stuff in that area:-(
> and we also need to provide callbacks for resolving the kdc address

I think MIT has a plugin API for that in some newer versions, so this is
something to look at.  

In the short term, ensure your krb5.conf matches your smb.conf.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.                  http://redhat.com
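
The short-term advice above (keep krb5.conf and smb.conf in agreement), as an added example that is not part of the original message or of Samba's code: a Python check comparing `default_realm` in krb5.conf's `[libdefaults]` with `realm` in smb.conf's `[global]`. The function names are hypothetical and the file contents are constructed samples that reuse the two realm names from the error quoted in the thread.

```python
import re

def section_value(text, section, key, fold_key=False):
    """Return the last `key = value` found in [section] of an INI-style file."""
    current, found = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # both formats use # and ; comments
            continue
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            current = header.group(1).strip().lower()
            continue
        if current != section or "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        if fold_key:                          # smb.conf names ignore case and spaces
            name = name.lower().replace(" ", "")
        if name == key:
            found = value
    return found

def compare_realms(krb5_conf, smb_conf):
    """Return (status, krb5 default_realm, smb.conf realm)."""
    krb = section_value(krb5_conf, "libdefaults", "default_realm")
    smb = section_value(smb_conf, "global", "realm", fold_key=True)
    if krb is None or smb is None:
        status = "missing"
    elif krb == smb:
        status = "match"
    elif krb.upper() == smb.upper():
        status = "case-differs"               # Kerberos realm names are case-sensitive
    else:
        status = "mismatch"
    return status, krb, smb

# Constructed sample files; the realm names are the two from the error in the thread.
KRB5_CONF = """\
[libdefaults]
    default_realm = TRITONNET.NET
"""
SMB_CONF = """\
[global]
    workgroup = MIDNET
    realm = MIDNET.NET
"""

if __name__ == "__main__":
    print(compare_realms(KRB5_CONF, SMB_CONF))
```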