gss_krb5_import_cred fails for Samba

Andrew Bartlett abartlet at
Tue Jul 19 21:08:47 EDT 2011

On Tue, 2011-07-19 at 12:19 -0400, Greg Hudson wrote:
> On Mon, 2011-07-18 at 10:30 -0400, Andrew Bartlett wrote:
> > This is because alloc_union_cred() calls [...]
> Judging by the code in g_acquire_cred.c, the call to
> mech->gss_display_name should be conditional on mech_name !=
> If you're in a position to test the attached patch and it let it know if
> it resolves the case where the principal is unspecified, that would be
> helpful.
> > If the principal is specified (matching the keytab value of host$@REALM)
> > then the login fails with 'Wrong principal in request'.
> I'd be interested in knowing more about why this is; I wouldn't expect
> it to happen as long as the specified principal exists in the keytab.
> > Given this function seems to have been added for Samba, is there a test
> > case that could be expanded to ensure that Samba's needs for this
> > function can be met?
> I will try to add some automated tests for these scenarios.

I'll try and rebuild the krb5 rpm on my system today or tomorrow, with
that patch (it certainly looks like the right kind of fix).

Andrew Bartlett

Andrew Bartlett                      
Authentication Developer, Samba Team 

More information about the krbdev mailing list