[Samba] Privilege Attribute Certificate (PAC) Disabled/Samba authentication

Don Riden samba at riden.org.uk
Mon Feb 20 14:06:53 MST 2012


I'm currently attempting to setup a Linux Samba and Kerberized NFS
server using a Windows 2008 R2 Domain controller as a KDC and I've run
into an issue.

Currently I can make Kerberized NFS or Samba fileserving work but not
both at the same time.

Specifically: The Linux kerberized NFS daemon (rpc.svcgssd) appears to only be
able to deal with service tickets up to a certain size. Active Directory adds a
PAC to service tickets which makes them much larger than they otherwise would
be. In order to work around this I've added 'NO_AUTH_DATA_REQUIRED' to the
UserAccountControl attribute on the machine account in AD (as per this
Microsoft KB article http://support.microsoft.com/kb/832572). This enables
kerberized NFS to work correctly but appears to break the Samba authentication.

Output from the samba logs initially looks promising

[2012/02/20 07:37:33.548998,3] libads/kerberos_verify.c:678(ads_verify_ticket)
libads/kerberos_verify.c:678: did not retrieve auth data. continuing without

but then degenerates from there.

Is it possible to make Samba work in this configuration? The clients are
running Windows 7 and I'm using Samba 3.6.1.



More information about the samba mailing list