We have a Debian file server, configured to serve up samba shares, using winbind and kerberos. This is configured to authenticate against a Windows2003 DC.
All worked fine until recently when I did a maintenance update on all packages. Since then, all attempts to connect to any of the shares (and also to just log into the box) fail. The logs contain this message, which seems to be at the root of the evil:
[2009/09/14 12:04:29, 10] libsmb/clikrb5.c:get_krb5_smb_session_key(685) Got KRB5 session key of length 16 [2009/09/14 12:04:29, 10] libsmb/clikrb5.c:unwrap_pac(280) authorization data is not a Windows PAC (type: 141) [2009/09/14 12:04:29, 3] libads/kerberos_verify.c:ads_verify_ticket(430) ads_verify_ticket: did not retrieve auth data. continuing without PAC
From there on it fails to find the user account on the DC, subsequently remaps the user to user nobody and then (rightly) refuses to grant access to the share.
However, the following works just fine:
wbinfo -a user%password
I was wondering whether anybody has had this problem and could provide some insight. I would be happy to provide neutralised config files.
Can't quite remember how I made this work, but it certainly is working now. As far as I remember this had to do with the fact that in kerberos the realm and the domain are actually not the same and had in fact been set to different values in our domain.