problem with krb5 and samba-tool - recent opensuse 13.1

Simo simo at samba.org
Wed Dec 11 18:57:12 MST 2013


On Mon, 2013-12-09 at 02:48 +0100, Günter Kukkukk wrote:
> Hi all,
> 
> I've got a question regarding kerberos.
> 
> Former opensuse 12.3 used Kerberos 5 version 1.10.2
> Recent opensuse 13.1 uses Kerberos 5 version 1.11.3
> 
> In the past I used:
>   kinit administrator@ADDLZ.KUKKUKK.COM
> and got with klist:
>   Ticket cache: FILE:/tmp/krb5cc_0
> 
> Now with opensuse 13.1 when I use:
>   kinit administrator@ADDLZ.KUKKUKK.COM
> I get with klist:
>   Ticket cache: DIR::/run/user/0/krb5cc/tktN44gIn
> 
> Note that a different location is used now and the first one starts with
>    "FILE:"
> and the 2nd with
>     "DIR::"
> and DIR::/run/user/0/krb5cc/tktN44gIn points to a ticket _file_, too!?
> 
> With opensuse, in the default case no KRB5CCNAME environment variable is set.
> 
> Now my problem:
> In the past I used
>   kinit administrator@ADDLZ.KUKKUKK.COM
> to get a ticket and so for example with
>   samba-tool dns query ....
> it was not needed to specify -Uadministrator and supply a password at all.
> Without -Uadministrator I now get:
> Password for [ADDLZ\root]:
> which is wrong.
> 
> When I set
>    export KRB5CCNAME=FILE:/run/user/0/krb5cc/tktN44gIn
> all is working again. NOTE that I needed "FILE:" above.
> 
> Without that env var, a strace samba-tool .... shows that only /tmp/krb5cc_0 is tried.
> 
> Interestingly enough, when I use
>   klist -k /run/user/0/krb5cc/tktN44gIn
> I get
>   Keytab name: FILE:/run/user/0/krb5cc/tktN44gIn
>   klist: Unsupported key table format version number while starting keytab scan
> 
> Sorry, I'm no krb5 expert, hopefully someone can shed some light on this.

If you rebuild samba using the system MIT Kerberos libraries you'll have
no problems.

MIT recently added the DIR ccache type and in 1.12 we revived the
KEYRING file type too making it collection enabled. These two ccache
types are going to be default in modern distributions.

Unfortunately Heimdal does not support these ccache types, and that's
what's embedded in samba at the moment.

HTH,
Simo.
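
The KRB5CCNAME workaround from the question, as an added example that is not part of the original thread: a shell function that turns the ccache name printed by klist into a FILE: name for a Kerberos library that only opens FILE caches. The function name `ccache_to_file` is hypothetical, and the handling of `DIR:<dir>` assumes the MIT layout in which `<dir>/primary` holds the file name of the primary cache.

```shell
# Added example (not from the thread).
# Usage: KRB5CCNAME=$(ccache_to_file "DIR::/run/user/0/krb5cc/tktN44gIn") \
#            && export KRB5CCNAME
ccache_to_file() {
    name=$1
    case $name in
        FILE:*) path=${name#FILE:} ;;
        # DIR::<path> names one subsidiary cache file inside a collection.
        DIR::*) path=${name#DIR::} ;;
        # DIR:<dir> names the collection itself. Assumed layout: the file
        # <dir>/primary holds the primary cache's file name on one line.
        DIR:*)
            dir=${name#DIR:}
            primary=
            if [ -r "$dir/primary" ]; then
                IFS= read -r primary < "$dir/primary" || :
            fi
            case $primary in
                */*) echo "primary name contains a path separator" >&2
                     return 1 ;;
                tkt*) path=$dir/$primary ;;
                *) echo "no usable primary cache in $dir" >&2
                   return 1 ;;
            esac ;;
        /*) path=$name ;;   # a bare path is treated as a FILE cache
        *) echo "unsupported ccache type: $name" >&2
           return 1 ;;
    esac
    # A ticket cache holds live credentials: accept only a regular file,
    # not a symlink, that is owned by the calling user.
    if [ ! -f "$path" ] || [ -L "$path" ] || [ ! -O "$path" ]; then
        echo "refusing $path: not a regular file owned by this user" >&2
        return 1
    fi
    printf 'FILE:%s\n' "$path"
}
```

KEYRING: names are rejected because they have no file to point a FILE-only library at.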


