[Samba] [PATCH] Re: Using samba4 with kerberos outside of an AD realm

Kyle Brantley kyle at averageurl.com
Mon Jan 21 23:25:43 MST 2013 

On 1/21/2013 9:14 PM, Kyle Brantley wrote:
> On 1/21/2013 8:46 PM, Andrew Bartlett wrote:
>> On Mon, 2013-01-21 at 15:44 -0700, Kyle Brantley wrote:
>>> On 1/21/2013 3:15 PM, Andrew Bartlett wrote:
>>>> On Mon, 2013-01-21 at 11:34 -0700, Kyle Brantley wrote:
>>>>> Hello --
>>>>>
>>>>> I'm trying to run a samba4 server (note: Fedora packaged version,
>>>>> samba-4.0.0-174.fc18.x86_64) under a kerberos realm that isn't AD.
>>>>>
>>>>> This is a summation of the config that I'm using (works under 
>>>>> samba 3.6):
>>>>>
>>>>>            security = ADS
>>>>>            passdb backend = tdbsam
>>>>>            restrict anonymous = yes
>>>>>            server signing = auto
>>>>>            client signing = auto
>>>>>            smb encrypt = auto
>>>>>            realm = MYREALM.COM
>>>>>            kerberos method = system keytab
>>>>>
>>>>> However, whenever I try to access the samba server, the client 
>>>>> fails to
>>>>> connect. I can see that a ticket has been issued for
>>>>> cifs/hostname at MYREALM.COM, but in /var/log/messages I get this:
>>>>>
>>>>> Jan 21 11:27:00 elastic smbd[1573]: [2013/01/21 11:27:00.675545,  0]
>>>>> ../auth/kerberos/gssapi_pac.c:116(gssapi_obtain_pac_blob)
>>>>> Jan 21 11:27:00 elastic smbd[1573]:   obtaining PAC via GSSAPI
>>>>> gss_get_name_attribute failed: The operation or option is not 
>>>>> available
>>>>> or unsupported: No such file or directory
>>>>> Jan 21 11:27:07 elastic smbd[1574]: [2013/01/21 11:27:07.559656,  0]
>>>>> ../auth/kerberos/gssapi_pac.c:116(gssapi_obtain_pac_blob)
>>>>> Jan 21 11:27:07 elastic smbd[1574]:   obtaining PAC via GSSAPI
>>>>> gss_get_name_attribute failed: The operation or option is not 
>>>>> available
>>>>> or unsupported: No such file or directory
>>>>> Jan 21 11:27:07 elastic smbd[1576]: [2013/01/21 11:27:07.643158,  0]
>>>>> ../auth/kerberos/gssapi_pac.c:116(gssapi_obtain_pac_blob)
>>>>> Jan 21 11:27:07 elastic smbd[1576]:   obtaining PAC via GSSAPI
>>>>> gss_get_name_attribute failed: The operation or option is not 
>>>>> available
>>>>> or unsupported: No such file or directory
>>>>>
>>>>> Well, no kidding there is no PAC available, it's an MIT kerberos 
>>>>> realm! :)
>>>>>
>>>>> Does anyone know what I need to be doing to get this working again?
>>>> It is probably a bug in the reworked krb5 code.  The code paths to
>>>> support this are still there, but clearly something doesn't trigger
>>>> correctly.
>>>>
>>>> The first thing to do would be to turn up the log level, to see 
>>>> what the
>>>> real failure is (the mentioned message shouldn't actually be fatal).
>>>>
>>>> Then, once we rule out it being something else, it probably just 
>>>> needs a
>>>> new test environment to be created in our 'make test' that tells 
>>>> our AD
>>>> server to not send the PAC.  This will allow this code path to be
>>>> covered, and prevent regressions.
>>>>
>>>> Andrew Bartlett
>>>>
>>> As far as I can tell, prior to accepting a connection:
>>> Full logs:
>>> http://averageurl.com/samba/samba-log.gz
>>> http://averageurl.com/samba/samba-strace-log.gz
>>>
>>> I've already changed the keys out, so I'm not too worried about what 
>>> key
>>> data is actually in those logs.
>> The logs were very helpful.  The attached patch should fix it, or at
>> least move the failure to somewhere else :-).  Please file the bug, so
>> we can get this into 4.0.2
>>
>> Andrew Bartlett
>
> Thanks. I've filed the bug 
> (https://bugzilla.samba.org/show_bug.cgi?id=9581) and am currently 
> rebuilding samba with the patch applied. I'll let you know how it goes...
>
> --Kyle

That worked great. I've been able to enumerate the shares and connect to 
them now. I validated with wireshark that the kerberos authentication 
was occurring, and it looks like everything functions now thanks to your 
previously attached patch.

Thanks much!

--Kyle

More information about the samba mailing list