kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: An internal error occurred (bug #12369)

Stefan Metzmacher metze at samba.org
Mon Oct 10 16:08:18 UTC 2016


Hi Uri,

it seems the patches for https://bugzilla.samba.org/show_bug.cgi?id=12007
introduced a regression (at least when using Heimdal).
See https://bugzilla.samba.org/show_bug.cgi?id=12369

The problem is that a kinit into a MEMORY: ccache doesn't imply
a kdestroy.

So while doing a new kinit to get a TGT, we still have the
expired service tickets in the cache. And gss_init_sec_context()
tries to use the old ticket.

With the patches for #12007 we now use MEMORY:ads_sasl_spnego_bind
instead of MEMORY:winbind_ccache, which means the explicit
ads_kdestroy(WINBIND_CCACHE_NAME); has no effect.

With MIT krb5 a kinit to a MEMORY ccache clears the existing cache;
I've added that to Heimdal too now.

I've tested the following patches just with Heimdal
and the problem went away.

Please have a look and test.

Thanks!
metze
-------------- next part --------------
From 791c313a2fd8b69767a5827640542eeaefebfabb Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Sun, 25 Sep 2016 02:01:20 +0200
Subject: [PATCH 1/3] Revert "HACK large enumprinters trigger transs"

This reverts commit 7ffbe3e4590c89cba1203a95280afaa28fb05575.
---
 source3/rpcclient/cmd_spoolss.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/source3/rpcclient/cmd_spoolss.c b/source3/rpcclient/cmd_spoolss.c
index 975afe6..55d41c8 100644
--- a/source3/rpcclient/cmd_spoolss.c
+++ b/source3/rpcclient/cmd_spoolss.c
@@ -370,7 +370,7 @@ static WERROR cmd_spoolss_enum_printers(struct rpc_pipe_client *cli,
 					     flags,
 					     name,
 					     level,
-					     4192,
+					     0,
 					     &count,
 					     &info);
 	if (W_ERROR_IS_OK(result)) {
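Review bot: this hunk only reverts a local debugging hack in rpcclient (the offered buffer size for EnumPrinters goes from the hard-coded 4192 back to 0) and touches nothing related to the MEMORY ccache / kdestroy problem described in the mail; the actual change to the ads_sasl_spnego_bind ccache handling for bug #12369 does not appear anywhere in this series. Either drop this revert from the series or send it separately with a commit message that says why the hack was in the tree in the first place.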
-- 
1.9.1


From 1df1b5a63aa5335a721efa46ef5f07c86ad0ca71 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Sun, 25 Sep 2016 02:01:23 +0200
Subject: [PATCH 2/3] Revert "HACK force small buffers"

This reverts commit f98759046f93bcd2188b660b4f69190638d24628.
---
 source3/include/client.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/source3/include/client.h b/source3/include/client.h
index e7fe83a..43ec39b 100644
--- a/source3/include/client.h
+++ b/source3/include/client.h
@@ -22,7 +22,7 @@
 #ifndef _CLIENT_H
 #define _CLIENT_H
 
-#define CLI_BUFFER_SIZE 4356 //SMB_BUFFER_SIZE_MAX
+#define CLI_BUFFER_SIZE SMB_BUFFER_SIZE_MAX
 
 /* default client timeout to 20 seconds on most commands */
 #define CLIENT_TIMEOUT (20 * 1000)
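Review bot: same concern as for patch 1/3: restoring CLI_BUFFER_SIZE to SMB_BUFFER_SIZE_MAX undoes an unrelated "force small buffers" test hack and has no connection to the Kerberos credential cache regression this mail is about. The revert itself is correct (the removed line also left a stray `//SMB_BUFFER_SIZE_MAX` comment in a header), but it belongs in its own submission rather than in the #12369 fix.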
-- 
1.9.1


From 1f81213305ff2667fc91b3348578db0d2e676d2c Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Tue, 4 Oct 2016 15:51:19 +0200
Subject: [PATCH 3/3] fix build source3/librpc/crypto/gse.c TODO use this
 variable?

---
 source3/librpc/crypto/gse.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c
index 0410a15..a8f1e22 100644
--- a/source3/librpc/crypto/gse.c
+++ b/source3/librpc/crypto/gse.c
@@ -214,7 +214,7 @@ static NTSTATUS gse_init_client(TALLOC_CTX *mem_ctx,
 	enum credentials_use_kerberos krb5_state =
 		cli_credentials_get_kerberos_state(creds);
 	bool is_anonymous = cli_credentials_is_anonymous(creds);
-	gss_name_t gss_username;
+	//gss_name_t gss_username;
 	char *server_name = NULL;
 	NTSTATUS status;
 
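Review bot: commenting out the `gss_name_t gss_username;` declaration with a `//` comment leaves dead code behind instead of resolving the unused-variable build failure; if nothing in gse_init_client() uses it, delete the declaration, and if it was meant to be passed to the GSSAPI calls, wire it in. The subject line "fix build ... TODO use this variable?" is a question rather than a description; the commit message should state which warning or error broke the build and what the chosen resolution is.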
-- 
1.9.1
