kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: An internal error occurred (bug #12369)

Uri Simchoni uri at
Tue Oct 11 06:15:34 UTC 2016

On 10/10/2016 11:03 PM, Stefan Metzmacher wrote:
> Hi,
> here's the correct patch (I forgot to pass the hash to "git format-patch
> --stdout -3" ...)
> metze
> Am 10.10.2016 um 18:08 schrieb Stefan Metzmacher:
>> Hi Uri,
>> it seems the patches for
>> introduced a regression (at least when using Heimdal).
>> See
>> The problem is that a kinit into a MEMORY: ccache doesn't imply
>> a kdestroy.
>> So while doing a new kinit to get a TGT, we still have the
>> expired service tickets in the cache. And gss_init_sec_context()
>> tries to use the old ticket.
>> With the patches for #12007 we now use MEMORY:ads_sasl_spnego_bind
>> instead of MEMORY:winbind_ccache. Which means the explicit
>> ads_kdestroy(WINBIND_CCACHE_NAME); has no effect.
>> With MIT krb5 a kinit to a MEMORY ccache clears the existing cache,
>> I've added that to Heimdal too now.
>> I've tested the following patches just with heimdal
>> and the problem went away.
>> Please have a look and test.
>> Thanks!
>> metze
RB+ me too :).

I must have missed the part about winbindd not setting
ads->auth.ccache_name, which seems to also be a viable fix.

IIRC, the reason for setting KRB5_ENV_CCNAME in the first place was to
avoid the pattern where one needs to set an environment variable for a
function call to do what we intend (and not use the wrong ccache). So we
can either revert to the old pattern (as this patch does) or set

Still testing - that'll take a day or so.