Bug 161557 - samba uses dns domain and not kerberos domain for kerberos.
Status: CLOSED WONTFIX
Product: Fedora
Classification: Fedora
Component: samba
6
i386 Linux
medium Severity medium
Assigned To: Guenther Deschner
David Lawrence
bzcl34nup
Reported: 2005-06-24 06:19 EDT by Mimmus
Modified: 2008-05-06 11:29 EDT

Doc Type: Bug Fix
Last Closed: 2008-05-06 11:29:51 EDT
Description Mimmus 2005-06-24 06:19:49 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050524 Fedora/1.0.4-4 Firefox/1.0.4

Description of problem:
I configured Gnome authentication to "Kerberos" and I'm able to log in correctly.
Then, I configured Samba with "security = ADS" and joined my domain.
Browsing the network via network:/// works well.
Double-clicking on a PC icon, I get a user/domain/password request instead of the PC's shares list.



Version-Release number of selected component (if applicable):
nautilus-2.10.0-4

How reproducible:
Always

Steps to Reproduce:
1. Configure Kerberos authentication in Gnome
2. Configure Samba to join ADS domain
3. Browse domain network and try to access shares list for some PCs
  

Actual Results:  I get a user/domain/password request

Expected Results:  Getting a shares list, without other authentications

Additional info:

Perhaps Nautilus does not support Kerberos authentication?
Comment 1 Klaasjan Brand 2006-01-17 06:14:23 EST
I'm experiencing the same problem. An ethereal trace shows it's not using
kerberos in any way. Looks like a bug in gnome-vfs2-smb to me, since the code to
do kerberos auth is certainly there.
Comment 2 Klaasjan Brand 2006-11-02 09:27:37 EST
Same problem on Fedora core 6.
Comment 3 Klaasjan Brand 2006-11-20 03:48:10 EST
Found out a network misconfiguration (vfs2-smb uses the dns domain, if it
differs from the wins domain kerberos won't work). Fixing the DNS so the domains
are the same made it work.
Comment 4 Alexander Larsson 2006-11-20 10:38:28 EST
I don't know much about kerberos, but is this something gnome-vfs should do
differently?
Comment 5 Klaasjan Brand 2006-11-20 10:45:24 EST
I'm not sure it's gnome-vfs, but our windows clients "just worked" with the
difference in dns and wins domain. It seems somewhere the default kerberos
domain is taken from the default dns domain (as configured in /etc/resolv.conf)
while it should be using the kerberos domain.
Comment 6 Alexander Larsson 2006-11-20 11:50:55 EST
Do you have something like:

[domain_realm]
 .example.com = EXAMPLE.COM

for your domain in /etc/krb5.conf?
Comment 7 Klaasjan Brand 2006-11-27 07:42:13 EST
Yes, I've got two entries. The default and our company network domain as entered
in the authentication configuration tool.

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM

 topicus.local = TOPICUS.LOCAL
 .topicus.local = TOPICUS.LOCAL
Comment 8 Alexander Larsson 2006-11-28 05:23:22 EST
I really don't know kerberos well enough to know the problem, or if there is a
problem (apart from setup)
Comment 9 Klaasjan Brand 2006-11-28 08:15:49 EST
I guess this problem is unrelated to this original report, but it's really very
simple:
A system can have a DNS domain and a Kerberos domain. Normally (in a windows AD
configuration) these two are the same. 
When plugging in my laptop on another location I get a different DNS domain, but
stay on the same Kerberos domain. Browsing a share on a server in the Kerberos
domain fails; a packet trace shows the DNS domain is used to authenticate to the
Kerberos server. I suppose this is done by gnome-vfs and/or samba (or whatever
package makes browsing network shares over kerberos possible).
It can be fixed by making it use the kerberos domain instead of the DNS domain.
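
Added example, not part of the original thread and not code from Samba or gnome-vfs: a simplified Python model of the [domain_realm] lookup documented for MIT krb5, fed the entries quoted in Comment 7, showing how a server name qualified with a different DNS domain ends up with a realm guessed from DNS. The host names and function names are constructed for illustration, and the KDC referral a real library tries before falling back is not modelled.

```python
# Constructed illustration: [domain_realm] text as quoted in Comment 7.
KRB5_CONF = """\
[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM

 topicus.local = TOPICUS.LOCAL
 .topicus.local = TOPICUS.LOCAL
"""

def parse_domain_realm(text):
    """Return the [domain_realm] section as {lower-cased key: realm}."""
    mapping, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            in_section = line.lower() == "[domain_realm]"
        elif in_section and "=" in line:
            key, realm = (part.strip() for part in line.split("=", 1))
            mapping[key.lower()] = realm
    return mapping

def candidates(fqdn):
    """Keys tried in order: the host, then each parent as '.dom' and 'dom'."""
    name = fqdn.lower().rstrip(".")
    keys = [name]
    while "." in name:
        name = name.split(".", 1)[1]
        keys += ["." + name, name]
    return keys

def host_realm(fqdn, mapping):
    """Return (realm, source); source is 'domain_realm' or 'dns-fallback'."""
    for key in candidates(fqdn):
        if key in mapping:
            return mapping[key], "domain_realm"
    # No entry applies: the realm is guessed as the upper-cased DNS domain.
    host = fqdn.lower().rstrip(".")
    domain = host.split(".", 1)[1] if "." in host else ""
    return domain.upper(), "dns-fallback"

def audit(hosts, expected_realm, mapping):
    """List (host, realm, source) for hosts that miss the expected realm."""
    results = [(h, *host_realm(h, mapping)) for h in hosts]
    return [r for r in results if r[1] != expected_realm]

if __name__ == "__main__":
    m = parse_domain_realm(KRB5_CONF)
    # Constructed names: same server, qualified by two different DNS domains.
    for row in audit(["fs1.topicus.local", "fs1.branch.example.net"], "TOPICUS.LOCAL", m):
        print("realm mismatch:", row)
```

Any host reported with source `dns-fallback` needs its own [domain_realm] entry, or must be addressed by a name under a mapped domain, before its realm can be relied on.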

Comment 10 Alexander Larsson 2006-11-28 09:28:14 EST
gnome-vfs just turns on SMB_CTX_FLAG_USE_KERBEROS, so this seems to be a samba
issue.
Comment 11 Christian Iseli 2007-01-19 19:06:29 EST
This report targets the FC3 or FC4 products, which have now been EOL'd.

Could you please check that it still applies to a current Fedora release, and
either update the target product or close it?

Thanks.
Comment 12 Klaasjan Brand 2007-01-21 05:37:37 EST
I'm not authorized to change the product version, but my comments from November
last year were based on testing with FC6.
Comment 13 Guenther Deschner 2007-05-24 09:17:24 EDT
Ok, we need far more details on this.

Can you please provide a network trace containing the traffic from your nautilus
client up to the user/pwd prompt?

Also, Klaasjan, you have an AD forest infrastructure, it seems. Can you give us
the output of "net ads lookup -S yourkdcname-as-in-etc-krb5.conf". That would
help us to determine your correct dns domain name and forest dns name for
further debugging.

Also, the SMB_CTX_FLAG_USE_KERBEROS flag was not honored in all use-cases of
libsmbclient until very recently
(http://websvn.samba.org/cgi-bin/viewcvs.cgi?rev=21132&view=rev). Browsing a
server for the list of available shares should not be affected by this, though.
Comment 14 Bug Zapper 2008-04-03 21:58:06 EDT
Fedora apologizes that these issues have not been resolved yet. We're
sorry it's taken so long for your bug to be properly triaged and acted
on. We appreciate the time you took to report this issue and want to
make sure no important bugs slip through the cracks.

If you're currently running a version of Fedora Core between 1 and 6,
please note that Fedora no longer maintains these releases. We strongly
encourage you to upgrade to a current Fedora release. In order to
refocus our efforts as a project we are flagging all of the open bugs
for releases which are no longer maintained and closing them.
http://fedoraproject.org/wiki/LifeCycle/EOL

If this bug is still open against Fedora Core 1 through 6, thirty days
from now, it will be closed 'WONTFIX'. If you can reproduce this bug in
the latest Fedora version, please change to the respective version. If
you are unable to do this, please add a comment to this bug requesting
the change.

Thanks for your help, and we apologize again that we haven't handled
these issues to this point.

The process we are following is outlined here:
http://fedoraproject.org/wiki/BugZappers/F9CleanUp

We will be following the process here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping to ensure this
doesn't happen again.

And if you'd like to join the bug triage team to help make things
better, check out http://fedoraproject.org/wiki/BugZappers
Comment 15 Bug Zapper 2008-05-06 11:29:50 EDT
This bug is open for a Fedora version that is no longer maintained and
will not be fixed by Fedora. Therefore we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.
