SPNEGO failure with spnego:simulate_w2k=yes after MIT patches

Andrew Bartlett abartlet at samba.org
Wed Jun 14 10:18:43 UTC 2017


On Mon, 2017-06-12 at 14:15 +1200, Andrew Bartlett via samba-technical
wrote:
> On Mon, 2017-06-12 at 13:30 +1200, Andrew Bartlett wrote:
> > On Sun, 2017-06-11 at 23:20 +0200, Stefan Metzmacher wrote:
> > > Hi Andrew,
> > > 
> > > > > What I don't understand is why this passes as part of a full
> > > > > make
> > > > > test,
> > > > > but fails when only running the test on its own.
> > > > > 
> > > > > The level 4 logs give this clue:
> > > > > 
> > > > > kerberos_get_realm_from_hostname VAMPIRE2000DC: failed Cannot
> > > > > determine
> > > > > realm for host
> > > > > SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT for
> > > > > ldap/VAMPIRE2000DC
> > > > > failed (next[ntlmssp]): NT_STATUS_NO_MEMORY
> > > 
> > > Given the above message the attached patch may fix it...
> > > 
> > > metze
> > 
> > Yes, that fixes it.  It is annoying that it only fails during the
> > individual test run.  Do you have any ideas on how we could write a
> > test to trigger it every time?  Would attempting gensec_gssapi to an
> > unqualified hostname be enough?
> 
> Specifically, this patch to samba.tests.gensec was not enough to
> trigger it in my testing.  Does the environment, such as the krb5.conf
> matter?  (This tests executes in ad_dc_ntvfs:local).

Just a note to say that this patch (the test, not the fix) is in a push
to autobuild.  It doesn't prove anything right now, but we can build on
it to make a regression test for this bug.

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba




More information about the samba-technical mailing list