kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: An internal error occurred (bug #12369)
uri at samba.org
Wed Oct 12 05:45:44 UTC 2016
On 10/11/2016 09:15 AM, Uri Simchoni wrote:
> On 10/10/2016 11:03 PM, Stefan Metzmacher wrote:
>> here's the correct patch (I forgot to pass the hash to "git format-patch
>> --stdout -3" ...)
>> Am 10.10.2016 um 18:08 schrieb Stefan Metzmacher:
>>> Hi Uri,
>>> it seems the patches for https://bugzilla.samba.org/show_bug.cgi?id=12007
>>> introduced a regression (at least when using Heimdal).
>>> See https://bugzilla.samba.org/show_bug.cgi?id=12369
>>> The problem is that a kinit into a MEMORY: ccache doesn't imply
>>> a kdestroy.
>>> So while doing a new kinit to get a TGT, we still have the
>>> expired service tickets in the cache. And gss_init_sec_context()
>>> tries to use the old ticket.
>>> With the patches for #12007 we now use MEMORY:ads_sasl_spnego_bind
>>> instead of MEMORY:winbind_ccache. Which means the explicit
>>> ads_kdestroy(WINBIND_CCACHE_NAME); has no effect.
>>> With MIT krb5 a kinit to a MEMORY ccache clears the existing cache,
>>> I've added that to Heimdal too now.
>>> I've tested the following patches just with heimdal
>>> and the problem went away.
>>> Please have a look and test.
> RB+ me too :).
> I must have missed the part about winbindd not setting
> ads->auth.ccache_name, which seems to also be a viable fix.
> IIRC, the reason for setting KRB5_ENV_CCNAME in the first place was to
> avoid the pattern where one needs to set an environment variable for a
> function call to do what we intend (and not use the wrong ccache). So we
> can either revert to the old pattern (as this patch does) or set
> Still testing - that'll take a day or so.
Tested tools (net ads join / testjoin - success + look at packet
captures) and winbindd (renewal and looking at packet captures).
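As an added illustration of the cache semantics discussed in the quoted message (this is not code from Samba, Heimdal or MIT krb5): a small Python model of a MEMORY: credential cache, a kinit that either does or does not clear the cache on initialize, and a GSSAPI-style ticket lookup that prefers an already cached service ticket over a fresh TGS request. The realm, the ldap/ service principal, the cache name and the timestamps are constructed for the example; the point it shows is that a renewal kinit which only replaces the TGT leaves the expired service ticket in place, and the next bind picks that ticket up.

```python
"""Model of the credential-cache behaviour described in the thread.

Added example, not Samba/Heimdal/MIT code. A cache is a dict of tickets keyed
by server principal; kinit() stores a fresh TGT; select_ticket() mimics the
order in which a GSSAPI initiator such as gss_init_sec_context() looks for
credentials. All principals, cache names and times below are constructed.
"""
from dataclasses import dataclass, field

REALM = "EXAMPLE.COM"              # constructed realm
TGT = f"krbtgt/{REALM}@{REALM}"     # TGT principal name


@dataclass
class Ticket:
    server: str
    endtime: int  # expiry, seconds since epoch (constructed values below)


@dataclass
class MemoryCcache:
    """A MEMORY:-style cache: tickets keyed by server principal."""
    name: str
    tickets: dict = field(default_factory=dict)

    def initialize(self, clear_existing: bool):
        # MIT krb5 (and Heimdal after the change described in the thread)
        # drops every entry when the cache is initialized. The buggy
        # behaviour keeps old entries across a re-init.
        if clear_existing:
            self.tickets.clear()

    def destroy(self):
        # Equivalent of an explicit kdestroy / ads_kdestroy().
        self.tickets.clear()

    def store(self, t: Ticket):
        self.tickets[t.server] = t


def kinit(cc: MemoryCcache, now: int, clear_existing: bool,
          tgt_lifetime: int = 36000):
    """Store a fresh TGT. Stale entries survive unless the cache
    implementation clears on initialize."""
    cc.initialize(clear_existing)
    cc.store(Ticket(TGT, now + tgt_lifetime))


def select_ticket(cc: MemoryCcache, server: str, now: int):
    """Use a cached service ticket for `server` if present, otherwise obtain
    one with the TGT. Returns (ticket_used, path) with path in
    {"cached", "tgs-req"}."""
    cached = cc.tickets.get(server)
    if cached is not None:
        # Picked without checking expiry; the server then rejects it.
        return cached, "cached"
    tgt = cc.tickets.get(TGT)
    if tgt is None or tgt.endtime <= now:
        raise RuntimeError("no usable TGT in cache")
    fresh = Ticket(server, now + 3600)
    cc.store(fresh)
    return fresh, "tgs-req"


def bind_outcome(cc: MemoryCcache, server: str, now: int) -> str:
    """'ok' if the selected ticket is still valid, else 'expired'."""
    t, _ = select_ticket(cc, server, now)
    return "ok" if t.endtime > now else "expired"


def scenario(clear_on_init: bool, explicit_destroy: bool) -> str:
    """The sequence from the thread: kinit, service ticket obtained, time
    passes so it expires, renewal kinit into the same MEMORY: cache, then a
    new bind against the same LDAP server."""
    ldap = f"ldap/dc1.example.com@{REALM}"  # constructed service principal
    cc = MemoryCcache("MEMORY:ads_sasl_spnego_bind")
    t0 = 1_000_000
    kinit(cc, t0, clear_on_init)
    select_ticket(cc, ldap, t0)           # service ticket, valid for 1h
    t1 = t0 + 2 * 3600                    # two hours later: it has expired
    if explicit_destroy:
        cc.destroy()                      # what the old ads_kdestroy() did
    kinit(cc, t1, clear_on_init)          # renewal: fresh TGT
    return bind_outcome(cc, ldap, t1)


if __name__ == "__main__":
    print("buggy (no clear, no destroy):", scenario(False, False))
    print("clear on initialize:         ", scenario(True, False))
    print("explicit destroy first:      ", scenario(False, True))
```

Either of the two fixes discussed in the thread makes the renewal bind succeed in this model: clearing the cache on initialize (the library-side change) or an explicit destroy of the cache that is actually in use before the new kinit (the caller-side pattern). What does not help is a kdestroy on a cache name other than the one the bind code resolves, which is the mismatch the quoted message describes.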