SPNEGO failure with spnego:simulate_w2k=yes after MIT patches
Andrew Bartlett
abartlet at samba.org
Wed Jun 14 10:18:43 UTC 2017
On Mon, 2017-06-12 at 14:15 +1200, Andrew Bartlett via samba-technical
wrote:
> On Mon, 2017-06-12 at 13:30 +1200, Andrew Bartlett wrote:
> > On Sun, 2017-06-11 at 23:20 +0200, Stefan Metzmacher wrote:
> > > Hi Andrew,
> > >
> > > > > What I don't understand is why this passes as part of a full
> > > > > make
> > > > > test,
> > > > > but fails when only running the test on its own.
> > > > >
> > > > > The level 4 logs give this clue:
> > > > >
> > > > > kerberos_get_realm_from_hostname VAMPIRE2000DC: failed Cannot
> > > > > determine
> > > > > realm for host
> > > > > SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT for
> > > > > ldap/VAMPIRE2000DC
> > > > > failed (next[ntlmssp]): NT_STATUS_NO_MEMORY
> > >
> > > Given the above message the attached patch may fix it...
> > >
> > > metze
> >
> > Yes, that fixes it. It is annoying that it only fails during the
> > individual test run. Do you have any ideas on how we could write a
> > test to trigger it every time? Would attempting gensec_gssapi to an
> > unqualified hostname be enough?
>
> Specifically, this patch to samba.tests.gensec was not enough to
> trigger it in my testing. Does the environment, such as the krb5.conf
> matter? (This tests executes in ad_dc_ntvfs:local).
Just a note to say that this patch (the test, not the fix) is in a push
to autobuild. It doesn't prove anything right now, but we can build on
it to make a regression test for this bug.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
More information about the samba-technical
mailing list