On 1/21/2013 9:14 PM, Kyle Brantley wrote:
On 1/21/2013 8:46 PM, Andrew Bartlett wrote:
On Mon, 2013-01-21 at 15:44 -0700, Kyle Brantley wrote:
On 1/21/2013 3:15 PM, Andrew Bartlett wrote:
On Mon, 2013-01-21 at 11:34 -0700, Kyle Brantley wrote:
Hello --
I'm trying to run a samba4 server (note: Fedora packaged version,
samba-4.0.0-174.fc18.x86_64) under a kerberos realm that isn't AD.
This is a summation of the config that I'm using (works under
samba 3.6):
security = ADS
passdb backend = tdbsam
restrict anonymous = yes
server signing = auto
client signing = auto
smb encrypt = auto
realm = MYREALM.COM
kerberos method = system keytab
However, whenever I try to access the samba server, the client fails to
connect. I can see that a ticket has been issued for
cifs/[email protected], but in /var/log/messages I get this:
Jan 21 11:27:00 elastic smbd[1573]: [2013/01/21 11:27:00.675545, 0] ../auth/kerberos/gssapi_pac.c:116(gssapi_obtain_pac_blob)
Jan 21 11:27:00 elastic smbd[1573]: obtaining PAC via GSSAPI gss_get_name_attribute failed: The operation or option is not available or unsupported: No such file or directory
Jan 21 11:27:07 elastic smbd[1574]: [2013/01/21 11:27:07.559656, 0] ../auth/kerberos/gssapi_pac.c:116(gssapi_obtain_pac_blob)
Jan 21 11:27:07 elastic smbd[1574]: obtaining PAC via GSSAPI gss_get_name_attribute failed: The operation or option is not available or unsupported: No such file or directory
Jan 21 11:27:07 elastic smbd[1576]: [2013/01/21 11:27:07.643158, 0] ../auth/kerberos/gssapi_pac.c:116(gssapi_obtain_pac_blob)
Jan 21 11:27:07 elastic smbd[1576]: obtaining PAC via GSSAPI gss_get_name_attribute failed: The operation or option is not available or unsupported: No such file or directory
Well, no kidding there is no PAC available, it's an MIT kerberos realm! :)
Does anyone know what I need to be doing to get this working again?
It is probably a bug in the reworked krb5 code. The code paths to
support this are still there, but clearly something doesn't trigger
correctly.
The first thing to do would be to turn up the log level, to see what the
real failure is (the mentioned message shouldn't actually be fatal).
Then, once we rule out it being something else, it probably just needs a
new test environment to be created in our 'make test' that tells our AD
server to not send the PAC. This will allow this code path to be
covered, and prevent regressions.
Andrew Bartlett
As far as I can tell, prior to accepting a connection:
Full logs:
http://averageurl.com/samba/samba-log.gz
http://averageurl.com/samba/samba-strace-log.gz
I've already changed the keys out, so I'm not too worried about what key
data is actually in those logs.
The logs were very helpful. The attached patch should fix it, or at
least move the failure to somewhere else :-). Please file the bug, so
we can get this into 4.0.2.
Andrew Bartlett
Thanks. I've filed the bug
(https://bugzilla.samba.org/show_bug.cgi?id=9581) and am currently
rebuilding samba with the patch applied. I'll let you know how it goes...
--Kyle
That worked great. I've been able to enumerate the shares and connect to
them now. I validated with wireshark that the kerberos authentication
was occurring, and it looks like everything functions now thanks to your
previously attached patch.
Thanks much!
--Kyle