svn commit: samba r19630 -
in branches/SAMBA_4_0/source/lib/cmdline: .
Andrew Bartlett
abartlet at samba.org
Wed Nov 8 21:50:39 GMT 2006
On Wed, 2006-11-08 at 22:01 +0100, Stefan (metze) Metzmacher wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Rafal Szczesniak schrieb:
> > On Wed, Nov 08, 2006 at 11:01:55AM +1100, Andrew Bartlett wrote:
> >> On Tue, 2006-11-07 at 23:48 +0000, mimir at samba.org wrote:
> >>> Author: mimir
> >>> Date: 2006-11-07 23:48:02 +0000 (Tue, 07 Nov 2006)
> >>> New Revision: 19630
> >>>
> >>> WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=19630
> >>>
> >>> Log:
> >>> Support specifying the realm name from command line.
> >>> Useful when testing calls against windows servers with krb auth.
> >> I'm quite happy with --realm, but I don't think taking 'r' is a good
> >> idea. Lets just use long options.
> >>
> >> For authentication, you can also do username at realm in the -U argument.
> >
> > Oh, good to know - I didn't remember that. Indeed '-r' is a bit too
> > recursive option :)
> >
> > On the other hand, setting the realm eitherway doesn't completely help
> > because kerberos still complains:
> >
> > Server is not registered with our KDC: Miscellaneous failure (see
> > text): Server (krbtgt/MIDNET.NET at TRITONNET.NET) unknown
> >
> > This sounds complicated as my natural reaction would be - "let's join the
> > domain then" - but we don't support it yet. Any other interpretation
> > or hint ?
>
> I also found this, the problem is that the
> smb_krb5_context->krb5_context that is used in gensec_gssapi.c is
> pointless as the the gssapi functions use the global _gsskrb5_context.
>
> but we call krb5_set_default_realm() on the smb_krb5_context->krb5_context.
Yeah, that got lost in the recent Heimdal merge. I don't expect it will
be a problem to add a hook in that area however.
> I think we need to cleanup a lot of stuff in that area:-(
> and we also need to provide callbacks for resolving the kdc address
I think MIT has a plugin API for that in some newer versions, so this is
something to look at.
In the short term, ensure your krb5.conf matches your smb.conf.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc. http://redhat.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba-technical/attachments/20061109/2d2dd6d5/attachment.bin
More information about the samba-technical
mailing list