On Mon, 2013-01-21 at 23:25 -0700, Kyle Brantley wrote:
> On 1/21/2013 9:14 PM, Kyle Brantley wrote:
> > On 1/21/2013 8:46 PM, Andrew Bartlett wrote:
> >> On Mon, 2013-01-21 at 15:44 -0700, Kyle Brantley wrote:
> >>> On 1/21/2013 3:15 PM, Andrew Bartlett wrote:
> >>>> On Mon, 2013-01-21 at 11:34 -0700, Kyle Brantley wrote:
> >>>>> Hello --
> >>>>>
> >>>>> I'm trying to run a samba4 server (note: Fedora packaged version,
> >>>>> samba-4.0.0-174.fc18.x86_64) under a kerberos realm that isn't AD.
> >>>>>
> >>>>> This is a summation of the config that I'm using (works under
> >>>>> samba 3.6):
> >>>>>
> >>>>> security = ADS
> >>>>> passdb backend = tdbsam
> >>>>> restrict anonymous = yes
> >>>>> server signing = auto
> >>>>> client signing = auto
> >>>>> smb encrypt = auto
> >>>>> realm = MYREALM.COM
> >>>>> kerberos method = system keytab
> >>>>>
> >>>>> However, whenever I try to access the samba server, the client
> >>>>> fails to connect. I can see that a ticket has been issued for
> >>>>> cifs/[email protected], but in /var/log/messages I get this:
> >>>>>
> >>>>> Jan 21 11:27:00 elastic smbd[1573]: [2013/01/21 11:27:00.675545, 0] ../auth/kerberos/gssapi_pac.c:116(gssapi_obtain_pac_blob)
> >>>>> Jan 21 11:27:00 elastic smbd[1573]: obtaining PAC via GSSAPI gss_get_name_attribute failed: The operation or option is not available or unsupported: No such file or directory
> >>>>> Jan 21 11:27:07 elastic smbd[1574]: [2013/01/21 11:27:07.559656, 0] ../auth/kerberos/gssapi_pac.c:116(gssapi_obtain_pac_blob)
> >>>>> Jan 21 11:27:07 elastic smbd[1574]: obtaining PAC via GSSAPI gss_get_name_attribute failed: The operation or option is not available or unsupported: No such file or directory
> >>>>> Jan 21 11:27:07 elastic smbd[1576]: [2013/01/21 11:27:07.643158, 0] ../auth/kerberos/gssapi_pac.c:116(gssapi_obtain_pac_blob)
> >>>>> Jan 21 11:27:07 elastic smbd[1576]: obtaining PAC via GSSAPI gss_get_name_attribute failed: The operation or option is not available or unsupported: No such file or directory
> >>>>>
> >>>>> Well, no kidding there is no PAC available, it's an MIT kerberos
> >>>>> realm! :)
> >>>>>
> >>>>> Does anyone know what I need to be doing to get this working again?
> >>>> It is probably a bug in the reworked krb5 code. The code paths to
> >>>> support this are still there, but clearly something doesn't trigger
> >>>> correctly.
> >>>>
> >>>> The first thing to do would be to turn up the log level, to see what the
> >>>> real failure is (the mentioned message shouldn't actually be fatal).
> >>>>
> >>>> Then, once we rule out it being something else, it probably just needs a
> >>>> new test environment to be created in our 'make test' that tells our AD
> >>>> server to not send the PAC. This will allow this code path to be
> >>>> covered, and prevent regressions.
> >>>>
> >>>> Andrew Bartlett
> >>>>
> >>> As far as I can tell, prior to accepting a connection:
> >>> Full logs:
> >>> http://averageurl.com/samba/samba-log.gz
> >>> http://averageurl.com/samba/samba-strace-log.gz
> >>>
> >>> I've already changed the keys out, so I'm not too worried about what key
> >>> data is actually in those logs.
> >> The logs were very helpful. The attached patch should fix it, or at
> >> least move the failure to somewhere else :-). Please file the bug, so
> >> we can get this into 4.0.2
> >>
> >> Andrew Bartlett
> >
> > Thanks. I've filed the bug
> > (https://bugzilla.samba.org/show_bug.cgi?id=9581) and am currently
> > rebuilding samba with the patch applied. I'll let you know how it goes...
> >
> > --Kyle
>
> That worked great. I've been able to enumerate the shares and connect to
> them now. I validated with wireshark that the kerberos authentication
> was occurring, and it looks like everything functions now thanks to your
> previously attached patch.
Metze,

Can you get this into master?

I'll try and follow up with a testcase (setting the UF_NO_AUTH_DATA_REQUIRED on an account and doing a kerberos login) soon, but this much needs to get to 4.0.2

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
>From c4675579b4f42c1e05de7ae5741c5cd941039822 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett <[email protected]> Date: Tue, 22 Jan 2013 14:45:14 +1100 Subject: [PATCH] gensec: Allow login without a PAC by default The sense of this test was inverted. We only want to take the ACCESS_DENIED error if gensec:require_pac=true. Andrew Bartlett --- auth/gensec/gensec_util.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/auth/gensec/gensec_util.c b/auth/gensec/gensec_util.c index d732213..64952b1 100644 --- a/auth/gensec/gensec_util.c +++ b/auth/gensec/gensec_util.c @@ -42,7 +42,7 @@ NTSTATUS gensec_generate_session_info_pac(TALLOC_CTX *mem_ctx, session_info_flags |= AUTH_SESSION_INFO_DEFAULT_GROUPS; if (!pac_blob) { - if (!gensec_setting_bool(gensec_security->settings, "gensec", "require_pac", false)) { + if (gensec_setting_bool(gensec_security->settings, "gensec", "require_pac", false)) { DEBUG(1, ("Unable to find PAC in ticket from %s, failing to allow access\n", principal_string)); return NT_STATUS_ACCESS_DENIED; -- 1.7.11.7
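Review bot: the inverted condition is the right fix for the logic error, but because the default passed to gensec_setting_bool() in the `+` line is `false`, a ticket without a PAC is now accepted unless the site has explicitly set `gensec:require_pac = true`; the commit message should say so, since deployments that rely on the PAC for group membership and authorization data have just gone from "deny by default" to "opt in to deny". The visible context also only logs on the denial branch (`DEBUG(1, ("Unable to find PAC in ticket from %s, failing to allow access\n", ...))`); a matching DEBUG line on the accept path, right after the `if (!pac_blob)` block, would make PAC-less sessions visible in the logs without raising the log level. The regression test described in the cover mail (an account with UF_NO_AUTH_DATA_REQUIRED doing a Kerberos login) is the piece that would have caught the original inversion, so it should be tracked against the same bug rather than left as a follow-up with no owner.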
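As an added example (not code from the thread, from Samba, or from either author), the following Python scanner reads smbd lines in the /var/log/messages layout Kyle quoted, pairs each gssapi_pac.c header line with the failure line that follows it from the same smbd PID, and reports how many PAC-less ticket validations were seen. Andrew notes that the gssapi_pac.c message is not itself fatal, and with the patch a missing PAC no longer denies access, so a check like this is what an operator would keep to confirm that PAC-less logins are expected (an MIT realm, as here) rather than a sign that a KDC which should supply a PAC has stopped doing so. The syslog layout assumed by the regex, the sample lines, and the placeholder source path in the unrelated entry are all constructed for this example.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Assumed syslog layout: "<Mon DD HH:MM:SS> <host> smbd[<pid>]: <message>"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) smbd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# Markers taken from the two log lines smbd emits per failed PAC lookup.
PAC_HEADER = "(gssapi_obtain_pac_blob)"
PAC_FAILURE = "obtaining PAC via GSSAPI gss_get_name_attribute failed"

# Constructed sample input modelled on the thread's excerpt; PIDs, timestamps
# and the unrelated placeholder entry are made up for the example.
SAMPLE_LINES = [
    "Jan 21 11:27:00 elastic smbd[1573]: [2013/01/21 11:27:00.675545, 0] ../auth/kerberos/gssapi_pac.c:116(gssapi_obtain_pac_blob)",
    "Jan 21 11:27:00 elastic smbd[1573]: obtaining PAC via GSSAPI gss_get_name_attribute failed: The operation or option is not available or unsupported: No such file or directory",
    "Jan 21 11:27:07 elastic smbd[1574]: [2013/01/21 11:27:07.559656, 0] ../auth/kerberos/gssapi_pac.c:116(gssapi_obtain_pac_blob)",
    "Jan 21 11:27:07 elastic smbd[1574]: obtaining PAC via GSSAPI gss_get_name_attribute failed: The operation or option is not available or unsupported: No such file or directory",
    "Jan 21 11:27:08 elastic smbd[1574]: [2013/01/21 11:27:08.000001, 0] ../auth/kerberos/gssapi_pac.c:116(gssapi_obtain_pac_blob)",
    "Jan 21 11:27:08 elastic smbd[1574]: obtaining PAC via GSSAPI gss_get_name_attribute failed: The operation or option is not available or unsupported: No such file or directory",
    "Jan 21 11:27:09 elastic smbd[1580]: [2013/01/21 11:27:09.000001, 0] ../example/placeholder.c:1(placeholder_func)",
    "Jan 21 11:27:09 elastic smbd[1580]: constructed unrelated message",
    "Jan 21 11:27:10 elastic sshd[42]: Accepted publickey for someone",  # not smbd: ignored
]


@dataclass(frozen=True)
class PacMissingEvent:
    timestamp: str
    host: str
    pid: int
    reason: str  # text after "failed:" on the second log line


def parse_pac_events(lines: Iterable[str]) -> List[PacMissingEvent]:
    """Return one event per header/failure pair emitted by the same smbd PID.

    A header line that is not immediately followed by the failure line from
    the same process is discarded, so unrelated gssapi_pac.c output and
    interleaved output from other smbd children do not produce false pairs.
    """
    pending: Dict[int, tuple] = {}  # pid -> (timestamp, host) awaiting its failure line
    events: List[PacMissingEvent] = []
    for raw in lines:
        m = SYSLOG_RE.match(raw.rstrip("\n"))
        if not m:
            continue  # not an smbd syslog line in the assumed layout
        pid = int(m["pid"])
        msg = m["msg"].strip()
        if PAC_HEADER in msg:
            pending[pid] = (m["ts"], m["host"])
        elif PAC_FAILURE in msg and pid in pending:
            ts, host = pending.pop(pid)
            reason = msg.split("failed:", 1)[1].strip()
            events.append(PacMissingEvent(ts, host, pid, reason))
        else:
            pending.pop(pid, None)  # header was followed by something else
    return events


def assess(lines: Iterable[str], expect_pac: bool) -> dict:
    """Summarise PAC-less validations and say whether they need attention.

    expect_pac=True models a server whose KDC is expected to supply a PAC in
    every service ticket (an AD domain); expect_pac=False models the MIT
    realm in the thread, where no PAC is the normal case.
    """
    events = parse_pac_events(lines)
    summary = {
        "events": len(events),
        "processes": len({e.pid for e in events}),
        "by_reason": dict(Counter(e.reason for e in events)),
    }
    if not events:
        summary["verdict"] = "no PAC-less tickets seen"
    elif expect_pac:
        summary["verdict"] = "investigate: PAC missing from tickets issued by a KDC that should supply one"
    else:
        summary["verdict"] = "expected: KDC does not issue PACs; sessions carry no PAC-derived group data"
    return summary


if __name__ == "__main__":
    for expect in (False, True):
        print(f"expect_pac={expect}: {assess(SAMPLE_LINES, expect)}")
```

Feeding the real /var/log/messages through `assess(open(path), expect_pac=...)` is the intended use; the verdict string is deliberately coarse so it can be wired to whatever alerting the site already has.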
