I have been working diligently since my last post to solve the error I've been receiving. I did manage to fix the credentials problem, but now I am at the same point where many others are, mainly, when doing hostname mapping (net use X: \\foo\bar), Samba prompts for a username and password and does not use Kerberos.
In my error logs:
[2004/01/05 15:51:59, 10] libads/kerberos_verify.c:create_keytab(56)
creating keytab: MEMORY:
[2004/01/05 15:51:59, 10] libads/kerberos_verify.c:create_keytab(59)
going to krb5_kt_resolveunable to create MEMORY: keytab (Unknown Key table type)
[2004/01/05 15:51:59, 3] libads/kerberos_verify.c:ads_verify_ticket(283)
ads_verify_ticket: unable to setup keytab
[2004/01/05 15:51:59, 1] smbd/sesssetup.c:reply_spnego_kerberos(172)
Failed to verify incoming ticket!
[2004/01/05 15:51:59, 3] smbd/error.c:error_packet(118)
error packet at smbd/sesssetup.c(173) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
After looking at kerberos_verify.c and doing some debugging, I found exactly where the problem is occuring (I think). The krb5_kt_resolve immediately before is returning KRB5_KT_UNKNOWN_TYPE. Doing some looking at the source for MIT krb5, and a bit of reading, it looks like there are two key table types defined: FILE and WRFILE. Specifically, in lib/krb5/keytab/ktbase.c:krb5_kt_resolve(112), it cycles through a list of registered key table types, and MEMORY is definitely not one of them. It has no associated krb5_kt_ops struct, at least not one that I can locate.
However, this definition _does_ exist in Heimdal Kerberos 0.6 (keytab_memory.c), along with a corresponding krb5_kt_ops struct.
What gives? Am I just making this up, or does this seem slightly reasonable?
I'm using FreeBSD 5.1; when I compiled Samba 3.0 with Heimdal (the system krb5 libs) I couldn't even get Samba to join a Windows 2003 domain, no matter what the krb5.conf said. Only after I went to MIT and recompiled was I able to join and do queries on the domain.
Does anyone have Samba 3.0 + FreeBSD 5 + Heimdal working? If so, please let me know? :)
Thoughts, questions, flames? Any errors are a result of my ignorance.
-Justin
-- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
