I'm using a focal container for this test, with kdc and samba on localhost, but using FQDNs for the access.
krb5-kdc 1.17-6ubuntu4
samba 2:4.11.6+dfsg-0ubuntu1.4
With the default ccache_type of FILE in ubuntu/debian:
$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: <email address hidden>
...
smbclient //focal-smbclient-kerberos.lxd/storage -k (after kinit)
smbclient -L focal-smbclient-kerberos.lxd -k (after kinit)
smbclient -L focal-smbclient-kerberos.lxd -N (with or without kinit)
work.
The moment I set this in /etc/krb5.conf:
default_ccache_name = KEYRING:persistent:%{uid}
(is that the setting you have?)
Then some things change, but I don't get a core dump.
This works with or without kinit:
smbclient -L focal-smbclient-kerberos -N
These don't work after kinit:
$ smbclient -L focal-smbclient-kerberos -k
gensec_spnego_client_negTokenInit_step: Could not find a suitable mechtype in NEG_TOKEN_INIT
session setup failed: NT_STATUS_INVALID_PARAMETER
$ smbclient //focal-smbclient-kerberos.lxd/storage -k
gensec_spnego_client_negTokenInit_step: Could not find a suitable mechtype in NEG_TOKEN_INIT
session setup failed: NT_STATUS_INVALID_PARAMETER
$ klist
Ticket cache: KEYRING:persistent:1000:1000
Default principal: <email address hidden>
Valid starting     Expires            Service principal
08/31/20 14:49:10  09/01/20 00:49:10  <email address hidden>
        renew until 09/01/20 14:49:09
I did find an upstream heimdal bug about adding support for KEYRING, and it's closed now with a fix committed: https://github.com/heimdal/heimdal/issues/166
I will have to investigate further to see how samba was built and confirm our heimdal libraries in ubuntu have this support available, and if this is the problem we are seeing here.
I'll check your core dump file now.
From your side, if you switch the ccache type to FILE (or just remove the KEYRING overriding config), does the core dump go away?