I'm using a focal container for this test, with kdc and samba on localhost, but
using FQDNs for the access.
krb5-kdc       1.17-6ubuntu4
samba          2:4.11.6+dfsg-0ubuntu1.4


With the default ccache_type of FILE in ubuntu/debian:
$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: ubu...@example.com
...

smbclient //focal-smbclient-kerberos.lxd/storage -k (after kinit)
smbclient -L focal-smbclient-kerberos.lxd -k (after kinit)
smbclient -L focal-smbclient-kerberos.lxd -N (with or without kinit)

work.

The moment I set this in /etc/krb5.conf:

default_ccache_name = KEYRING:persistent:%{uid}

(is that the setting you have?)

Then some things change, but I don't get a core dump.

This works with or without kinit:
smbclient -L focal-smbclient-kerberos -N 


These don't work after kinit:

$ smbclient -L focal-smbclient-kerberos -k
gensec_spnego_client_negTokenInit_step: Could not find a suitable mechtype in 
NEG_TOKEN_INIT
session setup failed: NT_STATUS_INVALID_PARAMETER

$ smbclient //focal-smbclient-kerberos.lxd/storage -k
gensec_spnego_client_negTokenInit_step: Could not find a suitable mechtype in 
NEG_TOKEN_INIT
session setup failed: NT_STATUS_INVALID_PARAMETER
$ klist
Ticket cache: KEYRING:persistent:1000:1000
Default principal: ubu...@example.com

Valid starting     Expires            Service principal
08/31/20 14:49:10  09/01/20 00:49:10  krbtgt/example....@example.com
        renew until 09/01/20 14:49:09

I did find an upstream heimdal bug about adding support for KEYRING, and it's 
closed now with a fix committed:
https://github.com/heimdal/heimdal/issues/166

I will have to investigate further to see how samba was built and
confirm our heimdal libraries in ubuntu have this support available, and
whether this is the problem we are seeing here.

I'll check your core dump file now.

From your side, if you switch the ccache type to FILE (or just remove
the KEYRING overriding config), does the core dump go away?

** Bug watch added: github.com/heimdal/heimdal/issues #166
   https://github.com/heimdal/heimdal/issues/166

https://bugs.launchpad.net/bugs/1892145

Title:
  smbclient cannot connect anonymously in Kerberos context (freeipa)
