https://bugzilla.novell.com/show_bug.cgi?id=864654 https://bugzilla.novell.com/show_bug.cgi?id=864654#c0 Summary: smbtorture needs extra/unecessary '--realm' flag to run tests Classification: openSUSE Product: openSUSE 13.1 Version: Final Platform: Other OS/Version: Other Status: NEW Severity: Minor Priority: P5 - None Component: Samba AssignedTo: samba-maintainers@SuSE.de ReportedBy: nopower@suse.com QAContact: samba-maintainers@SuSE.de Found By: --- Blocker: --- when attempting to run smbtorture ( specifying any test ) against a local share e.g. smbtorture -UDOMAIN\\User%Password //SERVER/SHARE base.lock in the test setup the linux machine is a member of a windows domain, ssh (single sign on) has been enabled e.g. ┌Membership──────────────────────────────────────────────────────────┐ │Domain or Workgroup │ │MYDOMAIN.COM │ │[x] Use SMB Information for Linux Authentication │ │ [x] Create Home Directory on Login │ │ [ ] Offline Authentication │ │ [x] Single Sign-on for SSH │ └────────────────────────────────────────────────────────────────────┘ the test fails always fails, smbtorture fails to connect with the following error (expanded with some extra debuglevel) Starting GENSEC mechanism spnego Starting GENSEC submechanism gssapi_krb5 Failed to get kerberos credentials: kinit for domain2test@MY failed (Cannot find KDC for requested realm) Aquiring initiator credentials failed: kinit for domain2test@MY failed (Cannot find KDC for requested realm) SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_UNSUCCESSFUL Failed initial gensec_update with mechanism spnego: NT_STATUS_UNSUCCESSFUL Failed to open connection - NT_STATUS_UNSUCCESSFUL time: 2014-02-18 15:17:47.686705 failure: LOCK1 [ problem seems to stem from use of system mit kerberos debugging a working smbtorture ( built from upstream sources with developer configuration ) and system smbtorture I can trace the point of failure to source4/auth/kerberos/kerberos_util.c:253 ret = kerberos_kinit_password_cc( smb_krb5_context->krb5_context, ccache, princ, password, target_service, krb_options, NULL, &kdc_time); which is called in function 'kinit_to_ccache the return value returned from 'kerberos_kinit_password_cc' with system kerberos is MIT KRB5_REALM_UNKNOWN & with builtin heimdal is KRB5_KDC_UNREACH that return value is handled in gensec_krb5_common_client_creds ( source4/auth/gensec/gensec_krb5.c ) which in case of MIT results in NT_STATUS_UNSUCCESSFUL being passed back, in the heimdal case the error returned is NT_STATUS_INVALID_PARAMETER which seems to force some ntlm fallback when then is able to continue. possibly krb5_get_init_creds_opt_set_default_flags which is called in the heimdal case (from source4/auth/kerberos/kerberos_util.c:200 ) might have a bearing on this... not sure though -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.