Kerberos PAC verification fails (patch included)

Matthieu Patou mat at samba.org
Sat Jun 18 06:17:04 MDT 2011


On 18/06/2011 13:13, Marcel Ritter wrote:
> Hi,
>
> I'm trying to use Samba 4 as KDC for NFS authentication.
>
> After solving some general problems concerning nfs-utils, I
> was able to mount the filesystem (using nfs4 and sec=krb5),
> however file access was denied for users (with valid ticket).
>
> When attempting to access files Samba4 reported:
>
> [2011/06/18 10:06:54,  3] ../source4/auth/kerberos/krb5_init_context.c:69(smb_krb5_debug_wrapper)
>    Kerberos: Verify PAC failed for nfs/test2.mydomain.de at MYDOMAIN.DE (user1 at MYDOMAIN.DE) from ipv4:192.168.1.199:57245 with<unknown error: 22>
>
> Digging the source code showed:
>
> Function check_PAC (source4/heimdal/kdc/krb5tgs.c) returns EINVAL:
>    _kdc_pac_verify() = 22 (EINVAL)
>
> Looks like checking an unneeded PAC results in an error instead
> of just being skipped:
>
> _kdc_pac_verify (source4/heimdal/kdc/windc.c) calls samba_wdc_reget_pac (source4/kdc/wdc-samba4.c):
>
>          <...>
>          /* The user account may be set not to want the PAC */
>          if (!samba_princ_needs_pac(server)) {
>                  talloc_free(mem_ctx);
>                  return EINVAL;
>          }
>          <...>
>
>
> My trivial patch just returns "0" instead of "EINVAL" - and suddenly
> file access is granted as expected.
Might be more clever, when we issue the ticket for a service that doesn't 
need a PAC, not to put the PAC in the client's ticket ...

Andrew, your point of view?

-- 
Matthieu Patou
Samba Team        http://samba.org
Private repo      http://git.samba.org/?p=mat/samba.git;a=summary