Kyle Brantley
2013-Jan-21 18:34 UTC
[Samba] Using samba4 with kerberos outside of an AD realm
Hello --

I'm trying to run a samba4 server (note: Fedora packaged version, samba-4.0.0-174.fc18.x86_64) under a kerberos realm that isn't AD.

This is a summation of the config that I'm using (works under samba 3.6):

    security = ADS
    passdb backend = tdbsam
    restrict anonymous = yes
    server signing = auto
    client signing = auto
    smb encrypt = auto
    realm = MYREALM.COM
    kerberos method = system keytab

However, whenever I try to access the samba server, the client fails to connect. I can see that a ticket has been issued for cifs/hostname@MYREALM.COM, but in /var/log/messages I get this:

    Jan 21 11:27:00 elastic smbd[1573]: [2013/01/21 11:27:00.675545, 0] ../auth/kerberos/gssapi_pac.c:116(gssapi_obtain_pac_blob)
    Jan 21 11:27:00 elastic smbd[1573]: obtaining PAC via GSSAPI gss_get_name_attribute failed: The operation or option is not available or unsupported: No such file or directory
    Jan 21 11:27:07 elastic smbd[1574]: [2013/01/21 11:27:07.559656, 0] ../auth/kerberos/gssapi_pac.c:116(gssapi_obtain_pac_blob)
    Jan 21 11:27:07 elastic smbd[1574]: obtaining PAC via GSSAPI gss_get_name_attribute failed: The operation or option is not available or unsupported: No such file or directory
    Jan 21 11:27:07 elastic smbd[1576]: [2013/01/21 11:27:07.643158, 0] ../auth/kerberos/gssapi_pac.c:116(gssapi_obtain_pac_blob)
    Jan 21 11:27:07 elastic smbd[1576]: obtaining PAC via GSSAPI gss_get_name_attribute failed: The operation or option is not available or unsupported: No such file or directory

Well, no kidding there is no PAC available, it's an MIT kerberos realm! :)

Does anyone know what I need to be doing to get this working again?

--Kyle
Andrew Bartlett
2013-Jan-21 22:15 UTC
[Samba] Using samba4 with kerberos outside of an AD realm
On Mon, 2013-01-21 at 11:34 -0700, Kyle Brantley wrote:
> Hello --
>
> I'm trying to run a samba4 server (note: Fedora packaged version,
> samba-4.0.0-174.fc18.x86_64) under a kerberos realm that isn't AD.
>
> This is a summation of the config that I'm using (works under samba 3.6):
>
> security = ADS
> passdb backend = tdbsam
> restrict anonymous = yes
> server signing = auto
> client signing = auto
> smb encrypt = auto
> realm = MYREALM.COM
> kerberos method = system keytab
>
> However, whenever I try to access the samba server, the client fails to
> connect. I can see that a ticket has been issued for
> cifs/hostname@MYREALM.COM, but in /var/log/messages I get this:
>
> Jan 21 11:27:00 elastic smbd[1573]: [2013/01/21 11:27:00.675545, 0]
> ../auth/kerberos/gssapi_pac.c:116(gssapi_obtain_pac_blob)
> Jan 21 11:27:00 elastic smbd[1573]: obtaining PAC via GSSAPI
> gss_get_name_attribute failed: The operation or option is not available
> or unsupported: No such file or directory
> Jan 21 11:27:07 elastic smbd[1574]: [2013/01/21 11:27:07.559656, 0]
> ../auth/kerberos/gssapi_pac.c:116(gssapi_obtain_pac_blob)
> Jan 21 11:27:07 elastic smbd[1574]: obtaining PAC via GSSAPI
> gss_get_name_attribute failed: The operation or option is not available
> or unsupported: No such file or directory
> Jan 21 11:27:07 elastic smbd[1576]: [2013/01/21 11:27:07.643158, 0]
> ../auth/kerberos/gssapi_pac.c:116(gssapi_obtain_pac_blob)
> Jan 21 11:27:07 elastic smbd[1576]: obtaining PAC via GSSAPI
> gss_get_name_attribute failed: The operation or option is not available
> or unsupported: No such file or directory
>
> Well, no kidding there is no PAC available, it's an MIT kerberos realm! :)
>
> Does anyone know what I need to be doing to get this working again?

It is probably a bug in the reworked krb5 code. The code paths to support this are still there, but clearly something doesn't trigger correctly.

The first thing to do would be to turn up the log level, to see what the real failure is (the mentioned message shouldn't actually be fatal).

Then, once we rule out it being something else, it probably just needs a new test environment to be created in our 'make test' that tells our AD server to not send the PAC. This will allow this code path to be covered, and prevent regressions.

Andrew Bartlett

--
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org