On Mon, 2013-01-21 at 15:44 -0700, Kyle Brantley wrote: > On 1/21/2013 3:15 PM, Andrew Bartlett wrote: > > On Mon, 2013-01-21 at 11:34 -0700, Kyle Brantley wrote: > >> Hello -- > >> > >> I'm trying to run a samba4 server (note: Fedora packaged version, > >> samba-4.0.0-174.fc18.x86_64) under a kerberos realm that isn't AD. > >> > >> This is a summation of the config that I'm using (works under samba 3.6): > >> > >> security = ADS > >> passdb backend = tdbsam > >> restrict anonymous = yes > >> server signing = auto > >> client signing = auto > >> smb encrypt = auto > >> realm = MYREALM.COM > >> kerberos method = system keytab > >> > >> However, whenever I try to access the samba server, the client fails to > >> connect. I can see that a ticket has been issued for > >> cifs/[email protected], but in /var/log/messages I get this: > >> > >> Jan 21 11:27:00 elastic smbd[1573]: [2013/01/21 11:27:00.675545, 0] > >> ../auth/kerberos/gssapi_pac.c:116(gssapi_obtain_pac_blob) > >> Jan 21 11:27:00 elastic smbd[1573]: obtaining PAC via GSSAPI > >> gss_get_name_attribute failed: The operation or option is not available > >> or unsupported: No such file or directory > >> Jan 21 11:27:07 elastic smbd[1574]: [2013/01/21 11:27:07.559656, 0] > >> ../auth/kerberos/gssapi_pac.c:116(gssapi_obtain_pac_blob) > >> Jan 21 11:27:07 elastic smbd[1574]: obtaining PAC via GSSAPI > >> gss_get_name_attribute failed: The operation or option is not available > >> or unsupported: No such file or directory > >> Jan 21 11:27:07 elastic smbd[1576]: [2013/01/21 11:27:07.643158, 0] > >> ../auth/kerberos/gssapi_pac.c:116(gssapi_obtain_pac_blob) > >> Jan 21 11:27:07 elastic smbd[1576]: obtaining PAC via GSSAPI > >> gss_get_name_attribute failed: The operation or option is not available > >> or unsupported: No such file or directory > >> > >> Well, no kidding there is no PAC available, it's an MIT kerberos realm! :) > >> > >> Does anyone know what I need to be doing to get this working again? > > It is probably a bug in the reworked krb5 code. The code paths to > > support this are still there, but clearly something doesn't trigger > > correctly. > > > > The first thing to do would be to turn up the log level, to see what the > > real failure is (the mentioned message shouldn't actually be fatal). > > > > Then, once we rule out it being something else, it probably just needs a > > new test environment to be created in our 'make test' that tells our AD > > server to not send the PAC. This will allow this code path to be > > covered, and prevent regressions. > > > > Andrew Bartlett > > > As far as I can tell, prior to accepting a connection:
> Full logs: > http://averageurl.com/samba/samba-log.gz > http://averageurl.com/samba/samba-strace-log.gz > > I've already changed the keys out, so I'm not too worried about what key > data is actually in those logs. The logs were very helpful. The attached patch should fix it, or at least move the failure to somewhere else :-). Please file the bug, so we can get this into 4.0.2 Andrew Bartlett -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org
>From c4675579b4f42c1e05de7ae5741c5cd941039822 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett <[email protected]> Date: Tue, 22 Jan 2013 14:45:14 +1100 Subject: [PATCH] gensec: Allow login without a PAC by default The sense of this test was inverted. We only want to take the ACCESS_DENIED error if gensec:require_pac=true. Andrew Bartlett --- auth/gensec/gensec_util.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/auth/gensec/gensec_util.c b/auth/gensec/gensec_util.c index d732213..64952b1 100644 --- a/auth/gensec/gensec_util.c +++ b/auth/gensec/gensec_util.c @@ -42,7 +42,7 @@ NTSTATUS gensec_generate_session_info_pac(TALLOC_CTX *mem_ctx, session_info_flags |= AUTH_SESSION_INFO_DEFAULT_GROUPS; if (!pac_blob) { - if (!gensec_setting_bool(gensec_security->settings, "gensec", "require_pac", false)) { + if (gensec_setting_bool(gensec_security->settings, "gensec", "require_pac", false)) { DEBUG(1, ("Unable to find PAC in ticket from %s, failing to allow access\n", principal_string)); return NT_STATUS_ACCESS_DENIED; -- 1.7.11.7
-- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
