[Samba] Using samba4 with kerberos outside of an AD realm

Andrew Bartlett abartlet at samba.org
Mon Jan 21 15:15:01 MST 2013 

On Mon, 2013-01-21 at 11:34 -0700, Kyle Brantley wrote:
> Hello --
> 
> I'm trying to run a samba4 server (note: Fedora packaged version, 
> samba-4.0.0-174.fc18.x86_64) under a kerberos realm that isn't AD.
> 
> This is a summation of the config that I'm using (works under samba 3.6):
> 
>          security = ADS
>          passdb backend = tdbsam
>          restrict anonymous = yes
>          server signing = auto
>          client signing = auto
>          smb encrypt = auto
>          realm = MYREALM.COM
>          kerberos method = system keytab
> 
> However, whenever I try to access the samba server, the client fails to 
> connect. I can see that a ticket has been issued for 
> cifs/hostname at MYREALM.COM, but in /var/log/messages I get this:
> 
> Jan 21 11:27:00 elastic smbd[1573]: [2013/01/21 11:27:00.675545,  0] 
> ../auth/kerberos/gssapi_pac.c:116(gssapi_obtain_pac_blob)
> Jan 21 11:27:00 elastic smbd[1573]:   obtaining PAC via GSSAPI 
> gss_get_name_attribute failed: The operation or option is not available 
> or unsupported: No such file or directory
> Jan 21 11:27:07 elastic smbd[1574]: [2013/01/21 11:27:07.559656,  0] 
> ../auth/kerberos/gssapi_pac.c:116(gssapi_obtain_pac_blob)
> Jan 21 11:27:07 elastic smbd[1574]:   obtaining PAC via GSSAPI 
> gss_get_name_attribute failed: The operation or option is not available 
> or unsupported: No such file or directory
> Jan 21 11:27:07 elastic smbd[1576]: [2013/01/21 11:27:07.643158,  0] 
> ../auth/kerberos/gssapi_pac.c:116(gssapi_obtain_pac_blob)
> Jan 21 11:27:07 elastic smbd[1576]:   obtaining PAC via GSSAPI 
> gss_get_name_attribute failed: The operation or option is not available 
> or unsupported: No such file or directory
> 
> Well, no kidding there is no PAC available, it's an MIT kerberos realm! :)
> 
> Does anyone know what I need to be doing to get this working again?

It is probably a bug in the reworked krb5 code.  The code paths to
support this are still there, but clearly something doesn't trigger
correctly.

The first thing to do would be to turn up the log level, to see what the
real failure is (the mentioned message shouldn't actually be fatal). 

Then, once we rule out it being something else, it probably just needs a
new test environment to be created in our 'make test' that tells our AD
server to not send the PAC.  This will allow this code path to be
covered, and prevent regressions. 

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org

More information about the samba mailing list