Re: Kerberos PAC verification fails (patch included)

Marcel Ritter Marcel.Ritter at
Tue Jun 21 00:55:07 MDT 2011

Hi Matthieu,

I did some LDB searches for the accounts involved:

# test2-nfs (Host: NFS Server):
dn: CN=test2-nfs,CN=Computers,DC=mydomain,DC=de
userAccountControl: 33558528

# test1-nfs (Host: NFS Client)
dn: CN=test1-nfs,CN=Computers,DC=mydomain,DC=de
userAccountControl: 33558528

# User Account:
dn: CN=testuser1,CN=Users,DC=mydomain,DC=de
userAccountControl: 66048

The host accounts were created with msktutil-0.4 and
I tried to get rid of the mentioned flag by using the
"--no-pac" option.

However, msktutil did not reset this bit on update
(it seems this is only supported during creation of principals).

So I removed the two host objects and recreated them
(now with correct userAccountControl(s)) ... but at the same
time the whole setup collapsed:

The mount command itself no longer works; all I get
on the Samba side are error messages like:
   "Kerberos: UNKNOWN --- nfs/ at MYDOMAIN.DE: no such entry in hdb"

I'll have to figure out what went wrong before I can
continue testing... 


From: samba-technical-bounces at [samba-technical-bounces at] on behalf of Matthieu Patou [mat at]
Sent: Saturday, 18 June 2011 14:11
To: samba-technical at
Subject: Re: Kerberos PAC verification fails (patch included)

On 18/06/2011 13:13, Marcel Ritter wrote:
> Hi,
> I'm trying to use Samba 4 as KDC for NFS authentication.
> After solving some general problems concerning nfs-utils, I
> was able to mount the filesystem (using nfs4 and sec=krb5),
> however file access was denied for users (with valid ticket).
> When attempting to access files Samba4 reported:
> [2011/06/18 10:06:54,  3] ../source4/auth/kerberos/krb5_init_context.c:69(smb_krb5_debug_wrapper)
>    Kerberos: Verify PAC failed for nfs/ at MYDOMAIN.DE (user1 at MYDOMAIN.DE) from ipv4: with<unknown error: 22>
> Digging into the source code showed:
> Function check_PAC (source4/heimdal/kdc/krb5tgs.c) returns EINVAL:
>    _kdc_pac_verify() = 22 (EINVAL)
> Looks like checking an unneeded PAC results in an error instead
> of just being skipped:
> _kdc_pac_verify (source4/heimdal/kdc/windc.c) calls samba_wdc_reget_pac (source4/kdc/wdc-samba4.c):
>          <...>
>          /* The user account may be set not to want the PAC */
>          if (!samba_princ_needs_pac(server)) {
>                  talloc_free(mem_ctx);
>                  return EINVAL;
>          }
>          <...>
Well, this part of the code isn't wrong; it's more the handling of
_kdc_pac_verify that is the problem.

Can you extract the userAccountControl field for this particular user (I
guess it's the account associated with your NFS server)? For instance
like this:

  ./bin/ldbsearch -H <path_to_samba_provision>/private/sam.ldb
'(cn=<myuser>)' userAccountControl

You should get something like:
# record 1
dn: CN=Administrator,CN=Users,DC=home,DC=matws,DC=net
userAccountControl: 640

Also, I suggest trying to remove the bit that says that this account
doesn't need AUTH_DATA; this flag has the value 0x2000000 (33554432).


> My trivial patch just returns "0" instead of "EINVAL" - and suddenly
> file access is granted as expected.
> There may be better places to fix this, however I hope the patch
> helps to diagnose and fix the issue.
> Bye,
>     Marcel

Matthieu Patou
Samba Team
Private repo;a=summary
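The thread turns on one userAccountControl bit: the flag with value 0x2000000 (33554432) that Matthieu names, which marks an account as not needing AUTH_DATA, so the KDC treats it as one that "may be set not to want the PAC". The following added example (not code from the thread, Samba or msktutil) decodes the userAccountControl values Marcel reported using the standard flag names from MS-SAMR/MS-ADTS, parses ldbsearch-style output of the kind shown above (the sample records are the three from the thread), and shows what each value becomes once that bit is cleared. The `needs_pac` helper is a model of the behaviour the thread describes, not Samba's own `samba_princ_needs_pac`.

```python
"""Decode userAccountControl values and flag accounts carrying
NO_AUTH_DATA_REQUIRED (0x2000000), the bit the thread identifies as
the reason the KDC refuses to supply/verify a PAC for the NFS host
accounts.  Added example; flag names are the standard MS-SAMR/MS-ADTS
ones, the sample records are the values reported in the thread."""

# Subset of the standard userAccountControl bit flags (MS-SAMR / MS-ADTS).
UAC_FLAGS = {
    0x00000002: "ACCOUNTDISABLE",
    0x00000020: "PASSWD_NOTREQD",
    0x00000080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x00000200: "NORMAL_ACCOUNT",
    0x00000800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x00001000: "WORKSTATION_TRUST_ACCOUNT",
    0x00002000: "SERVER_TRUST_ACCOUNT",
    0x00010000: "DONT_EXPIRE_PASSWORD",
    0x00040000: "SMARTCARD_REQUIRED",
    0x00080000: "TRUSTED_FOR_DELEGATION",
    0x00100000: "NOT_DELEGATED",
    0x00200000: "USE_DES_KEY_ONLY",
    0x00400000: "DONT_REQ_PREAUTH",
    0x00800000: "PASSWORD_EXPIRED",
    0x01000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
    0x02000000: "NO_AUTH_DATA_REQUIRED",
    0x04000000: "PARTIAL_SECRETS_ACCOUNT",
}
NO_AUTH_DATA_REQUIRED = 0x02000000  # 33554432, the flag named in the thread

# Constructed sample: the three records Marcel posted, in ldbsearch/LDIF form.
SAMPLE_LDB = """# test2-nfs (Host: NFS Server):
dn: CN=test2-nfs,CN=Computers,DC=mydomain,DC=de
userAccountControl: 33558528

# test1-nfs (Host: NFS Client)
dn: CN=test1-nfs,CN=Computers,DC=mydomain,DC=de
userAccountControl: 33558528

# User Account:
dn: CN=testuser1,CN=Users,DC=mydomain,DC=de
userAccountControl: 66048
"""


def decode_uac(value):
    """Return the names of the flags set in a userAccountControl value,
    lowest bit first; bits not in the table are reported as UNKNOWN(0x..)."""
    names = []
    remaining = value
    for bit, name in sorted(UAC_FLAGS.items()):
        if value & bit:
            names.append(name)
            remaining &= ~bit
    if remaining:
        names.append("UNKNOWN(0x%x)" % remaining)
    return names


def needs_pac(value):
    """Model of the thread's description (assumption, not Samba's code):
    an account with NO_AUTH_DATA_REQUIRED set does not want a PAC."""
    return not (value & NO_AUTH_DATA_REQUIRED)


def clear_no_auth_data(value):
    """The value the attribute would hold with the problematic bit cleared."""
    return value & ~NO_AUTH_DATA_REQUIRED


def parse_ldb_output(text):
    """Parse ldbsearch-style output into a list of (dn, userAccountControl).
    Comment lines ('# ...') are skipped; records are separated by blank lines."""
    records, dn, uac = [], None, None
    for raw in text.splitlines() + [""]:
        line = raw.strip()
        if not line:
            if dn is not None and uac is not None:
                records.append((dn, uac))
            dn, uac = None, None
        elif line.startswith("#"):
            continue
        elif line.startswith("dn:"):
            dn = line[3:].strip()
        elif line.lower().startswith("useraccountcontrol:"):
            uac = int(line.split(":", 1)[1].strip())
    return records


def audit_ldb(text):
    """For each record: (dn, flag names, needs_pac, value with the bit cleared)."""
    return [(dn, decode_uac(uac), needs_pac(uac), clear_no_auth_data(uac))
            for dn, uac in parse_ldb_output(text)]


if __name__ == "__main__":
    for dn, flags, pac, fixed in audit_ldb(SAMPLE_LDB):
        print("%s\n  flags: %s\n  needs PAC: %s  corrected value: %d"
              % (dn, ", ".join(flags), pac, fixed))
```

Run against the sample, both host accounts decode to WORKSTATION_TRUST_ACCOUNT plus NO_AUTH_DATA_REQUIRED (so `needs_pac` is false and the corrected value is 4096, a plain workstation trust account), while the user account is NORMAL_ACCOUNT plus DONT_EXPIRE_PASSWORD and keeps its PAC. Matthieu's sample value 640 decodes to NORMAL_ACCOUNT plus ENCRYPTED_TEXT_PWD_ALLOWED.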
