[PATCH] Re: [Samba] Using samba4 with kerberos outside of an AD realm
Kyle Brantley
kyle at averageurl.com
Mon Jan 21 21:14:39 MST 2013
On 1/21/2013 8:46 PM, Andrew Bartlett wrote:
> On Mon, 2013-01-21 at 15:44 -0700, Kyle Brantley wrote:
>> On 1/21/2013 3:15 PM, Andrew Bartlett wrote:
>>> On Mon, 2013-01-21 at 11:34 -0700, Kyle Brantley wrote:
>>>> Hello --
>>>>
>>>> I'm trying to run a samba4 server (note: Fedora packaged version,
>>>> samba-4.0.0-174.fc18.x86_64) under a kerberos realm that isn't AD.
>>>>
>>>> This is a summation of the config that I'm using (works under samba 3.6):
>>>>
>>>> security = ADS
>>>> passdb backend = tdbsam
>>>> restrict anonymous = yes
>>>> server signing = auto
>>>> client signing = auto
>>>> smb encrypt = auto
>>>> realm = MYREALM.COM
>>>> kerberos method = system keytab
>>>>
>>>> However, whenever I try to access the samba server, the client fails to
>>>> connect. I can see that a ticket has been issued for
>>>> cifs/hostname at MYREALM.COM, but in /var/log/messages I get this:
>>>>
>>>> Jan 21 11:27:00 elastic smbd[1573]: [2013/01/21 11:27:00.675545, 0]
>>>> ../auth/kerberos/gssapi_pac.c:116(gssapi_obtain_pac_blob)
>>>> Jan 21 11:27:00 elastic smbd[1573]: obtaining PAC via GSSAPI
>>>> gss_get_name_attribute failed: The operation or option is not available
>>>> or unsupported: No such file or directory
>>>> Jan 21 11:27:07 elastic smbd[1574]: [2013/01/21 11:27:07.559656, 0]
>>>> ../auth/kerberos/gssapi_pac.c:116(gssapi_obtain_pac_blob)
>>>> Jan 21 11:27:07 elastic smbd[1574]: obtaining PAC via GSSAPI
>>>> gss_get_name_attribute failed: The operation or option is not available
>>>> or unsupported: No such file or directory
>>>> Jan 21 11:27:07 elastic smbd[1576]: [2013/01/21 11:27:07.643158, 0]
>>>> ../auth/kerberos/gssapi_pac.c:116(gssapi_obtain_pac_blob)
>>>> Jan 21 11:27:07 elastic smbd[1576]: obtaining PAC via GSSAPI
>>>> gss_get_name_attribute failed: The operation or option is not available
>>>> or unsupported: No such file or directory
>>>>
>>>> Well, no kidding there is no PAC available, it's an MIT kerberos realm! :)
>>>>
>>>> Does anyone know what I need to be doing to get this working again?
>>> It is probably a bug in the reworked krb5 code. The code paths to
>>> support this are still there, but clearly something doesn't trigger
>>> correctly.
>>>
>>> The first thing to do would be to turn up the log level, to see what the
>>> real failure is (the mentioned message shouldn't actually be fatal).
>>>
>>> Then, once we rule out it being something else, it probably just needs a
>>> new test environment to be created in our 'make test' that tells our AD
>>> server to not send the PAC. This will allow this code path to be
>>> covered, and prevent regressions.
>>>
>>> Andrew Bartlett
>>>
>> As far as I can tell, prior to accepting a connection:
>> Full logs:
>> http://averageurl.com/samba/samba-log.gz
>> http://averageurl.com/samba/samba-strace-log.gz
>>
>> I've already changed the keys out, so I'm not too worried about what key
>> data is actually in those logs.
> The logs were very helpful. The attached patch should fix it, or at
> least move the failure to somewhere else :-). Please file the bug, so
> we can get this into 4.0.2
>
> Andrew Bartlett
Thanks. I've filed the bug
(https://bugzilla.samba.org/show_bug.cgi?id=9581) and am currently
rebuilding samba with the patch applied. I'll let you know how it goes...
--Kyle
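Following Andrew's advice to raise the log level, the smbd entries quoted above come in pairs: a header line carrying the timestamp, debug level and `file:line(function)`, followed by the message line from the same PID. Added here as an illustration, not code from the thread or from Samba, is a small parser that re-joins those pairs and picks out the `gssapi_obtain_pac_blob` records, so the expected "no PAC" noise from an MIT realm can be set aside while looking for the real failure. The sample log is constructed (one record per line, as syslog writes it; the mail client wrapped the originals), and the third entry is placeholder filler.

```python
import re
from dataclasses import dataclass

# Constructed sample modelled on the smbd lines quoted in the thread.
# The last pair is placeholder filler, not a real Samba source location.
SAMPLE_LOG = """\
Jan 21 11:27:00 elastic smbd[1573]: [2013/01/21 11:27:00.675545, 0] ../auth/kerberos/gssapi_pac.c:116(gssapi_obtain_pac_blob)
Jan 21 11:27:00 elastic smbd[1573]: obtaining PAC via GSSAPI gss_get_name_attribute failed: The operation or option is not available or unsupported: No such file or directory
Jan 21 11:27:07 elastic smbd[1574]: [2013/01/21 11:27:07.559656, 0] ../auth/kerberos/gssapi_pac.c:116(gssapi_obtain_pac_blob)
Jan 21 11:27:07 elastic smbd[1574]: obtaining PAC via GSSAPI gss_get_name_attribute failed: The operation or option is not available or unsupported: No such file or directory
Jan 21 11:27:07 elastic smbd[1576]: [2013/01/21 11:27:07.643158, 3] ../example/other.c:1(other_function)
Jan 21 11:27:07 elastic smbd[1576]: unrelated debug message
"""

# syslog prefix: "Mon DD HH:MM:SS host smbd[pid]: payload"
SYSLOG_RE = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ smbd\[(\d+)\]: (.*)$")
# smbd debug header: "[YYYY/MM/DD HH:MM:SS.usec, level] file:line(function)"
HEADER_RE = re.compile(r"^\[([^\]]+), (\d+)\] (\S+):(\d+)\((\w+)\)$")


@dataclass
class Record:
    pid: int
    level: int
    source: str
    line: int
    function: str
    message: str


def parse_smbd_log(text: str) -> list:
    """Pair each smbd debug header with the message line that follows it (per PID)."""
    pending = {}          # pid -> header fields awaiting their message line
    records = []
    for raw in text.splitlines():
        m = SYSLOG_RE.match(raw)
        if not m:
            continue
        pid, payload = int(m.group(1)), m.group(2)
        h = HEADER_RE.match(payload)
        if h:
            pending[pid] = (int(h.group(2)), h.group(3), int(h.group(4)), h.group(5))
        elif pid in pending:
            level, source, line, function = pending.pop(pid)
            records.append(Record(pid, level, source, line, function, payload))
    return records


def pac_failures(records: list) -> list:
    """Records from gssapi_obtain_pac_blob reporting the missing-PAC condition."""
    return [r for r in records
            if r.function == "gssapi_obtain_pac_blob"
            and "gss_get_name_attribute failed" in r.message]


if __name__ == "__main__":
    for r in pac_failures(parse_smbd_log(SAMPLE_LOG)):
        print(f"pid {r.pid} level {r.level} {r.source}:{r.line} {r.message}")
```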