problem with krb5 and samba-tool - recent opensuse 13.1

Günter Kukkukk linux at kukkukk.com
Sun Dec 8 18:48:10 MST 2013


Hi all,

I've got a question regarding kerberos.

Former opensuse 12.3 used Kerberos 5 version 1.10.2
Recent opensuse 13.1 uses Kerberos 5 version 1.11.3

In the past i used:
  kinit administrator at ADDLZ.KUKKUKK.COM
and got with klist:
  Ticket cache: FILE:/tmp/krb5cc_0

Now with opensuse 13.1 when i use:
  kinit administrator at ADDLZ.KUKKUKK.COM
i get with klist:
  Ticket cache: DIR::/run/user/0/krb5cc/tktN44gIn

Note that a different location is used now and the first one starts with
   "FILE:"
and the 2nd with
    "DIR::"
and DIR::/run/user/0/krb5cc/tktN44gIn points to a ticket _file_, too!?

With opensuse, in the default case no KRB5CCNAME environment variable is set.

Now my problem:
In the past i used
  kinit administrator at ADDLZ.KUKKUKK.COM
to get a ticket and so for example with
  samba-tool dns query ....
it was not needed to specify -Uadministrator and supply a password at all.
Without -Uadministrator i now get:
Password for [ADDLZ\root]:
which is wrong.

When i set
   export KRB5CCNAME=FILE:/run/user/0/krb5cc/tktN44gIn
all is working again. NOTE, that i needed "FILE:" above.

Without that env var a  strace samba-tool .... shows that only /tmp/krb5cc_0 is tried.

Interestingly enough, when i use
  klist -k /run/user/0/krb5cc/tktN44gIn
i get
  Keytab name: FILE:/run/user/0/krb5cc/tktN44gIn
  klist: Unsupported key table format version number while starting keytab scan

Sorry, i'm no krb5 expert, hopefully someone can shed some light into this.

Cheers, Günter


More information about the samba-technical mailing list