kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: An internal error occurred (bug #12369)

Uri Simchoni uri at samba.org
Tue Oct 11 06:15:34 UTC 2016


On 10/10/2016 11:03 PM, Stefan Metzmacher wrote:
> Hi,
> 
> here's the correct patch (I forgot to pass the hash to "git format-patch
> --stdout -3" ...)
> 
> metze
> Am 10.10.2016 um 18:08 schrieb Stefan Metzmacher:
>> Hi Uri,
>>
>> it seems the patches for https://bugzilla.samba.org/show_bug.cgi?id=12007
>> introduced a regression (at least when using Heimdal).
>> See https://bugzilla.samba.org/show_bug.cgi?id=12369
>>
>> The problem is that a kinit into a MEMORY: ccache doesn't imply
>> a kdestroy.
>>
>> So while doing a new kinit to get a TGT, we still have the
>> expired service tickets in the cache. And gss_init_sec_context()
>> tries to use the old ticket.
>>
>> With the patches for #12007 we now use MEMORY:ads_sasl_spnego_bind
>> instead of MEMORY:winbind_ccache. Which means the explicit
>> ads_kdestroy(WINBIND_CCACHE_NAME); has no effect.
>>
>> With MIT krb5 a kinit to a MEMORY ccache clears the existing cache,
>> I've added that to Heimdal too now.
>>
>> I've tested the following patches just with heimdal
>> and the problem went away.
>>
>> Please have a look and test.
>>
>> Thanks!
>> metze
>>
RB+ me too :).

I must have missed the part about winbindd not setting
ads->auth.ccache_name, which seems to also be a viable fix.

IIRC, the reason for setting KRB5_ENV_CCNAME in the first place was to
avoid the pattern where one needs to set an environment variable for a
function call to do what we intend (and not use the wrong ccache). So we
can either revert to the old pattern (as this patch does) or set
ads->auth.cc_name.

Still testing - that'll take a day or so.

Thanks,
Uri.
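A constructed model of the ccache semantics discussed in the thread (an added example, not Samba or Heimdal code; the cache names come from the thread, the principal names and times are made up). It shows why a kinit that does not clear the cache leaves an expired service ticket for gss_init_sec_context() to pick up, and why an ads_kdestroy() on a differently named cache has no effect:

```python
# Constructed model of the ccache behaviour described in bug #12369; not Samba
# or Heimdal code. Principal names and ticket times are made up.
CACHES = {}  # process-wide MEMORY: caches, keyed by ccache name


def kinit(cc_name, tgt, clear_existing):
    """Put a fresh TGT into cc_name. clear_existing=True models MIT krb5 (and
    the fixed Heimdal), where initializing the cache discards old credentials;
    False models the old Heimdal behaviour, where stale entries survive."""
    cache = CACHES.setdefault(cc_name, [])
    if clear_existing:
        cache.clear()
    cache.append(tgt)


def kdestroy(cc_name):
    """Explicit ads_kdestroy(): only affects the cache with exactly this name."""
    CACHES.pop(cc_name, None)


def init_sec_context(cc_name, service, now):
    """Simplified gss_init_sec_context(): reuse a cached service ticket if one
    exists, otherwise use the TGT to obtain a new one. Returns the ticket."""
    cache = CACHES.get(cc_name, [])
    for cred in cache:
        if cred["server"] == service:
            if cred["endtime"] <= now:
                raise RuntimeError("cached ticket for %s has expired" % service)
            return cred
    tgt = next(c for c in cache if c["server"].startswith("krbtgt/"))
    ticket = {"server": service, "endtime": tgt["endtime"]}
    cache.append(ticket)
    return ticket


def rebind_after_expiry(cc_name, clear_existing, kdestroy_name=None):
    """Replay the sequence from the report: bind, let everything expire,
    kdestroy (on kdestroy_name, if given) plus kinit, then bind again.
    Returns True when the second bind succeeds."""
    CACHES.clear()
    kinit(cc_name, {"server": "krbtgt/EXAMPLE", "endtime": 100}, clear_existing)
    init_sec_context(cc_name, "ldap/dc.example", now=10)  # caches a service ticket
    if kdestroy_name is not None:
        kdestroy(kdestroy_name)
    kinit(cc_name, {"server": "krbtgt/EXAMPLE", "endtime": 300}, clear_existing)
    try:
        init_sec_context(cc_name, "ldap/dc.example", now=200)
    except RuntimeError:
        return False
    return True
```

Calling rebind_after_expiry("MEMORY:ads_sasl_spnego_bind", False, "MEMORY:winbind_ccache") reproduces the regression, while either clearing on kinit or destroying the cache that is actually used makes the second bind succeed.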