kinit succeeded but ads_sasl_spnego_gensec_bind(KRB5) failed: An internal error occurred (bug #12369)
Stefan Metzmacher
metze at samba.org
Mon Oct 10 16:08:18 UTC 2016
Hi Uri,

it seems the patches for https://bugzilla.samba.org/show_bug.cgi?id=12007
introduced a regression (at least when using Heimdal).
See https://bugzilla.samba.org/show_bug.cgi?id=12369

The problem is that a kinit into a MEMORY: ccache doesn't imply
a kdestroy.

So while doing a new kinit to get a TGT, we still have the
expired service tickets in the cache. And gss_init_sec_context()
tries to use the old ticket.

With the patches for #12007 we now use MEMORY:ads_sasl_spnego_bind
instead of MEMORY:winbind_ccache. Which means the explicit
ads_kdestroy(WINBIND_CCACHE_NAME); has no effect.

With MIT krb5 a kinit to MEMORY ccache clears the existing cache,
I've added that to Heimdal too now.

I've tested the following patches just with Heimdal
and the problem went away.

Please have a look and test.

Thanks!
metze
-------------- next part --------------
From 791c313a2fd8b69767a5827640542eeaefebfabb Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Sun, 25 Sep 2016 02:01:20 +0200
Subject: [PATCH 1/3] Revert "HACK large enumprinters trigger transs"
This reverts commit 7ffbe3e4590c89cba1203a95280afaa28fb05575.
---
source3/rpcclient/cmd_spoolss.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/source3/rpcclient/cmd_spoolss.c b/source3/rpcclient/cmd_spoolss.c
index 975afe6..55d41c8 100644
--- a/source3/rpcclient/cmd_spoolss.c
+++ b/source3/rpcclient/cmd_spoolss.c
@@ -370,7 +370,7 @@ static WERROR cmd_spoolss_enum_printers(struct rpc_pipe_client *cli,
flags,
name,
level,
- 4192,
+ 0,
&count,
&info);
if (W_ERROR_IS_OK(result)) {
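Review bot: the commit message gives only the reverted hash and no reason, and the changed argument in cmd_spoolss_enum_printers (`4192` back to `0`) is in rpcclient's printer enumeration, not in the MEMORY: ccache handling that the cover mail describes for bug #12369. Please either explain in the message why a commit titled "HACK large enumprinters trigger transs" has to be reverted as part of this fix, or confirm that the intended attachment was the ccache change. If the revert stays, a short comment saying what the bare `0` between `level` and `&count` stands for would help readers of this call.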
--
1.9.1
From 1df1b5a63aa5335a721efa46ef5f07c86ad0ca71 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Sun, 25 Sep 2016 02:01:23 +0200
Subject: [PATCH 2/3] Revert "HACK force small buffers"
This reverts commit f98759046f93bcd2188b660b4f69190638d24628.
---
source3/include/client.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/source3/include/client.h b/source3/include/client.h
index e7fe83a..43ec39b 100644
--- a/source3/include/client.h
+++ b/source3/include/client.h
@@ -22,7 +22,7 @@
#ifndef _CLIENT_H
#define _CLIENT_H
-#define CLI_BUFFER_SIZE 4356 //SMB_BUFFER_SIZE_MAX
+#define CLI_BUFFER_SIZE SMB_BUFFER_SIZE_MAX
/* default client timeout to 20 seconds on most commands */
#define CLIENT_TIMEOUT (20 * 1000)
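Review bot: the `CLI_BUFFER_SIZE` line in client.h affects every user of this header, yet the message says only that it reverts f98759046f93bcd2188b660b4f69190638d24628 ("HACK force small buffers"). If that commit exists only on a private test branch, this revert will not apply to master and should be dropped from the series instead of being sent for review; if it is in master, state in the message why it went in and why it is safe to restore `SMB_BUFFER_SIZE_MAX` now.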
--
1.9.1
From 1f81213305ff2667fc91b3348578db0d2e676d2c Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Tue, 4 Oct 2016 15:51:19 +0200
Subject: [PATCH 3/3] fix build source3/librpc/crypto/gse.c TODO use this
variable?
---
source3/librpc/crypto/gse.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c
index 0410a15..a8f1e22 100644
--- a/source3/librpc/crypto/gse.c
+++ b/source3/librpc/crypto/gse.c
@@ -214,7 +214,7 @@ static NTSTATUS gse_init_client(TALLOC_CTX *mem_ctx,
enum credentials_use_kerberos krb5_state =
cli_credentials_get_kerberos_state(creds);
bool is_anonymous = cli_credentials_is_anonymous(creds);
- gss_name_t gss_username;
+ //gss_name_t gss_username;
char *server_name = NULL;
NTSTATUS status;
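Review bot: in gse_init_client the `gss_username` declaration is commented out with `//` instead of being removed, and the subject still carries an open question ("TODO use this variable?"). Please resolve that before merging: if the variable is unused, delete the line outright; if it was meant to be used when setting up the client credentials, add that use in this patch. Either way the subject should describe the change, for example that an unused variable is removed from gse_init_client, instead of recording the TODO.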
--
1.9.1