Kerberos PAC verification fails (patch included)

Marcel Ritter Marcel.Ritter at rrze.uni-erlangen.de
Sat Jun 18 03:13:33 MDT 2011


Hi,

I'm trying to use Samba 4 as KDC for NFS authentication.

After solving some general problems concerning nfs-utils, I
was able to mount the filesystem (using nfs4 and sec=krb5),
however file access was denied for users (with valid ticket).

When attempting to access files Samba4 reported: 

[2011/06/18 10:06:54,  3] ../source4/auth/kerberos/krb5_init_context.c:69(smb_krb5_debug_wrapper)
  Kerberos: Verify PAC failed for nfs/test2.mydomain.de at MYDOMAIN.DE (user1 at MYDOMAIN.DE) from ipv4:192.168.1.199:57245 with <unknown error: 22>

Digging into the source code showed:

Function check_PAC (source4/heimdal/kdc/krb5tgs.c) returns EINVAL:
  _kdc_pac_verify() = 22 (EINVAL)

Looks like checking an unneeded PAC results in an error instead
of just being skipped:

_kdc_pac_verify (source4/heimdal/kdc/windc.c) calls samba_wdc_reget_pac (source4/kdc/wdc-samba4.c):

        <...>
        /* The user account may be set not to want the PAC */
        if (!samba_princ_needs_pac(server)) {
                talloc_free(mem_ctx);
                return EINVAL;
        }
        <...>


My trivial patch just returns "0" instead of "EINVAL" - and suddenly
file access is granted as expected.

There may be better places to fix this, however I hope the patch
helps to diagnose and fix the issue.

Bye,
   Marcel
-------------- next part --------------
A non-text attachment was scrubbed...
Name: samba-fix-pac-check.patch
Type: application/octet-stream
Size: 535 bytes
Desc: samba-fix-pac-check.patch
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20110618/1c94cd89/attachment.obj>
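Added example, not from the mail or from Samba's tree: a constructed C model of the decision the quoted check makes, with the buggy path (service principal that does not want a PAC fails the whole request with EINVAL) beside a corrected one, and the edge case a defender cares about (a wanted PAC whose KDC signature fails is still rejected). The struct fields, the function names and the stand-in signature flag are all assumptions for illustration.

```c
/* Constructed model of the "does this service need the PAC?" decision
 * in a KDC's service-ticket path (not Samba's real samba_wdc_reget_pac()).
 * The real function verifies and rebuilds the PAC; here the KDC signature
 * check is a plain flag so the control flow can be run stand-alone. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>

struct pac {
    bool present;        /* client's TGT carried a PAC */
    bool kdc_sig_valid;  /* stand-in for the KDC checksum verification */
};

struct server_princ {
    bool needs_pac;      /* e.g. nfs/host marked as not wanting a PAC */
};

/* Behaviour described in the mail: a principal that does not need a PAC
 * turns into a hard failure, so every ticket for that service is refused
 * ("Verify PAC failed ... <unknown error: 22>"). */
int reget_pac_buggy(const struct server_princ *server, struct pac *pac)
{
    if (!server->needs_pac)
        return EINVAL;                 /* the reported bug */
    if (pac->present && !pac->kdc_sig_valid)
        return EINVAL;                 /* bad PAC: correct rejection */
    return 0;
}

/* Corrected decision: an unwanted PAC is dropped and the request succeeds;
 * a PAC that is wanted and present must still carry a valid KDC signature,
 * otherwise the skip would also let a damaged or forged PAC through. */
int reget_pac_fixed(const struct server_princ *server, struct pac *pac)
{
    if (!server->needs_pac) {
        pac->present = false;          /* skip, do not fail */
        return 0;
    }
    if (pac->present && !pac->kdc_sig_valid)
        return EINVAL;                 /* verification still enforced */
    return 0;
}
```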
