[PATCH] Re: [Samba] Using samba4 with kerberos outside of an AD realm

Andrew Bartlett abartlet at samba.org
Mon Jan 21 20:46:38 MST 2013


On Mon, 2013-01-21 at 15:44 -0700, Kyle Brantley wrote:
> On 1/21/2013 3:15 PM, Andrew Bartlett wrote:
> > On Mon, 2013-01-21 at 11:34 -0700, Kyle Brantley wrote:
> >> Hello --
> >>
> >> I'm trying to run a samba4 server (note: Fedora packaged version,
> >> samba-4.0.0-174.fc18.x86_64) under a kerberos realm that isn't AD.
> >>
> >> This is a summation of the config that I'm using (works under samba 3.6):
> >>
> >>           security = ADS
> >>           passdb backend = tdbsam
> >>           restrict anonymous = yes
> >>           server signing = auto
> >>           client signing = auto
> >>           smb encrypt = auto
> >>           realm = MYREALM.COM
> >>           kerberos method = system keytab
> >>
> >> However, whenever I try to access the samba server, the client fails to
> >> connect. I can see that a ticket has been issued for
> >> cifs/hostname at MYREALM.COM, but in /var/log/messages I get this:
> >>
> >> Jan 21 11:27:00 elastic smbd[1573]: [2013/01/21 11:27:00.675545,  0]
> >> ../auth/kerberos/gssapi_pac.c:116(gssapi_obtain_pac_blob)
> >> Jan 21 11:27:00 elastic smbd[1573]:   obtaining PAC via GSSAPI
> >> gss_get_name_attribute failed: The operation or option is not available
> >> or unsupported: No such file or directory
> >> Jan 21 11:27:07 elastic smbd[1574]: [2013/01/21 11:27:07.559656,  0]
> >> ../auth/kerberos/gssapi_pac.c:116(gssapi_obtain_pac_blob)
> >> Jan 21 11:27:07 elastic smbd[1574]:   obtaining PAC via GSSAPI
> >> gss_get_name_attribute failed: The operation or option is not available
> >> or unsupported: No such file or directory
> >> Jan 21 11:27:07 elastic smbd[1576]: [2013/01/21 11:27:07.643158,  0]
> >> ../auth/kerberos/gssapi_pac.c:116(gssapi_obtain_pac_blob)
> >> Jan 21 11:27:07 elastic smbd[1576]:   obtaining PAC via GSSAPI
> >> gss_get_name_attribute failed: The operation or option is not available
> >> or unsupported: No such file or directory
> >>
> >> Well, no kidding there is no PAC available, it's an MIT kerberos realm! :)
> >>
> >> Does anyone know what I need to be doing to get this working again?
> > It is probably a bug in the reworked krb5 code.  The code paths to
> > support this are still there, but clearly something doesn't trigger
> > correctly.
> >
> > The first thing to do would be to turn up the log level, to see what the
> > real failure is (the mentioned message shouldn't actually be fatal).
> >
> > Then, once we rule out it being something else, it probably just needs a
> > new test environment to be created in our 'make test' that tells our AD
> > server to not send the PAC.  This will allow this code path to be
> > covered, and prevent regressions.
> >
> > Andrew Bartlett
> >
> As far as I can tell, prior to accepting a connection:

> Full logs:
> http://averageurl.com/samba/samba-log.gz
> http://averageurl.com/samba/samba-strace-log.gz
> 
> I've already changed the keys out, so I'm not too worried about what key 
> data is actually in those logs.

The logs were very helpful.  The attached patch should fix it, or at
least move the failure to somewhere else :-).  Please file the bug, so
we can get this into 4.0.2.

Andrew Bartlett
-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-gensec-Allow-login-without-a-PAC-by-default.patch
Type: text/x-patch
Size: 1088 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20130122/d8979df0/attachment.bin>
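To triage messages like the ones quoted in the report, here is an added Python example (not code from this thread or from Samba) that reassembles the syslog-wrapped smbd debug entries per smbd PID and labels each missing-PAC failure according to whether the KDC is an AD domain controller, since on a non-AD realm the absence of a PAC is expected and, as noted above, should not be fatal on its own. The sample log is constructed from the lines in the report with the mail wrapping undone; the `ad_realm` flag and the function names are the example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample in the syslog-wrapped smbd format quoted in the report
# (host "elastic" and the PIDs come from the message; each syslog record is one line).
SAMPLE_LOG = """\
Jan 21 11:27:00 elastic smbd[1573]: [2013/01/21 11:27:00.675545,  0] ../auth/kerberos/gssapi_pac.c:116(gssapi_obtain_pac_blob)
Jan 21 11:27:00 elastic smbd[1573]:   obtaining PAC via GSSAPI gss_get_name_attribute failed: The operation or option is not available or unsupported: No such file or directory
Jan 21 11:27:07 elastic smbd[1574]: [2013/01/21 11:27:07.559656,  0] ../auth/kerberos/gssapi_pac.c:116(gssapi_obtain_pac_blob)
Jan 21 11:27:07 elastic smbd[1574]:   obtaining PAC via GSSAPI gss_get_name_attribute failed: The operation or option is not available or unsupported: No such file or directory
Jan 21 11:27:07 elastic smbd[1576]: [2013/01/21 11:27:07.643158,  0] ../auth/kerberos/gssapi_pac.c:116(gssapi_obtain_pac_blob)
Jan 21 11:27:07 elastic smbd[1576]:   obtaining PAC via GSSAPI gss_get_name_attribute failed: The operation or option is not available or unsupported: No such file or directory
"""

# syslog prefix: "<month> <day> <time> <host> smbd[<pid>]: <body>"
SYSLOG_RE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d (?P<host>\S+) smbd\[(?P<pid>\d+)\]: (?P<body>.*)$")
# smbd debug header: "[<timestamp>, <level>] <file>:<line>(<function>)"
HEADER_RE = re.compile(r"^\[(?P<when>[^,\]]+), *(?P<level>\d+)\] (?P<src>\S+?):(?P<line>\d+)\((?P<func>\w+)\)$")

@dataclass
class SmbdEntry:
    pid: int
    level: int
    src: str
    func: str
    text: str = ""  # continuation lines joined together

def parse_smbd_log(log: str) -> list[SmbdEntry]:
    """Reassemble smbd debug entries (header line + continuation lines) per smbd PID."""
    open_entry: dict[int, SmbdEntry] = {}
    entries: list[SmbdEntry] = []
    for line in log.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # not an smbd record (other daemons, noise)
        pid, body = int(m["pid"]), m["body"].strip()
        h = HEADER_RE.match(body)
        if h:  # a new entry starts; later continuation lines for this PID belong to it
            e = SmbdEntry(pid, int(h["level"]), h["src"], h["func"])
            entries.append(e)
            open_entry[pid] = e
        elif pid in open_entry:
            e = open_entry[pid]
            e.text = f"{e.text} {body}".strip()
    return entries

def triage_pac_failures(entries: list[SmbdEntry], ad_realm: bool) -> dict[int, str]:
    """Map each smbd PID that logged a missing PAC to a verdict for the operator."""
    verdicts: dict[int, str] = {}
    for e in entries:
        if e.func == "gssapi_obtain_pac_blob" and "gss_get_name_attribute failed" in e.text:
            verdicts[e.pid] = ("investigate: an AD KDC should have supplied a PAC" if ad_realm
                               else "expected: non-AD KDC issues no PAC; not fatal by itself")
    return verdicts
```

With the debug level raised as suggested, the same parser collects the entries that follow the PAC message for each PID, which is where the real failure will show up.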
