Kerberos PAC verification fails (patch included)

Marcel Ritter Marcel.Ritter at
Sat Jun 18 03:13:33 MDT 2011


I'm trying to use Samba 4 as KDC for NFS authentication.

After solving some general problems concerning nfs-utils, I
was able to mount the filesystem (using nfs4 and sec=krb5),
however file access was denied for users (with valid ticket).

When attempting to access files Samba4 reported: 

[2011/06/18 10:06:54,  3] ../source4/auth/kerberos/krb5_init_context.c:69(smb_krb5_debug_wrapper)
  Kerberos: Verify PAC failed for nfs/ at MYDOMAIN.DE (user1 at MYDOMAIN.DE) from ipv4: with <unknown error: 22>

Digging the source code showed:

Function check_PAC (source4/heimdal/kdc/krb5tgs.c) returns EINVAL:
  _kdc_pac_verify() = 22 (EINVAL)

Looks like checking an unneeded PAC results in an error instead
of just being skipped:

_kdc_pac_verify (source4/heimdal/kdc/windc.c) calls samba_wdc_reget_pac (source4/kdc/wdc-samba4.c):

        /* The user account may be set not to want the PAC */
        if (!samba_princ_needs_pac(server)) {
                return EINVAL;

My trivial patch just returns "0" instead of "EINVAL" - and suddenly
file access is granted as expected.

There may be better places to fix this, however I hope the patch
helps to diagnose and fix the issue.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: samba-fix-pac-check.patch
Type: application/octet-stream
Size: 535 bytes
Desc: samba-fix-pac-check.patch
URL: <>

More information about the samba-technical mailing list