gss_krb5_import_cred fails for Samba

Andrew Bartlett abartlet at
Fri Jul 22 20:14:44 EDT 2011

On Fri, 2011-07-22 at 12:41 -0400, Greg Hudson wrote:
> On Tue, 2011-07-19 at 21:08 -0400, Andrew Bartlett wrote:
> > I'll try and rebuild the krb5 rpm on my system today or tomorrow, with
> > that patch (it certainly looks like the right kind of fix).
> I assume this fell off your stack, which is okay.  I am confident enough
> in the change that I will check it in and mark it for pullup to 1.9.


> I added some automated tests for gss_krb5_import_cred.  They all pass on
> trunk (despite not having the change I tested) because of a post-1.9
> change to how inquire_cred works in the case at hand.

That should fix the issue in Samba3.  I'm wondering if it also fixes the
second case, which matches that slightly different pattern I've used in
Samba4, where it is hoped we may be able to use MIT Kerberos in future.

This case is where the principal is specified, and the incoming GSSAPI
request has the same key and knvo, but a different server name?  We need
this because AD has an almost infinite number of name aliases, but we
would like to bind our authentication of those names tightly to the one
principal we maintain in the keytab.


Andrew Bartlett

Andrew Bartlett                      
Authentication Developer, Samba Team 

More information about the krbdev mailing list