Summary
The Samba Kerberos SSO CI check has been failing on every master merge since 2026-05-30. The failure is not caused by any code change — no DAV, authentication, or SSO-related files changed in the window where it broke.
Failure
Checking that we can authenticate using kerberos: ✔️
Getting test file: ❌
<?xml version="1.0" encoding="utf-8"?>
<d:error xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns">
<s:exception>Sabre\DAV\Exception\NotAuthenticated</s:exception>
<s:message>No 'Authorization: Basic' header found. Either the client didn't send one, or the server is misconfigured.
No 'Authorization: Bearer' header found. Either the client didn't send one, or the server is misconfigured.</s:message>
</d:error>
Kerberos ticket acquisition succeeds, but the subsequent WebDAV request fails — the server is not accepting the Negotiate authorization header.
Root cause
The workflow pulls all three test images by floating tag with no digest pin:
docker pull ghcr.io/icewind1991/samba-krb-test-dc
docker pull ghcr.io/icewind1991/samba-krb-test-apache-gssapi:8.4
docker pull ghcr.io/icewind1991/samba-krb-test-client
One of these (most likely samba-krb-test-apache-gssapi:8.4 given the GSSAPI/WebDAV auth failure) was updated around 2026-05-29/30 and broke the test environment.
Last passing run: commit 04668560 (2026-05-29 03:21 UTC)
First failing run: commit b064def8 (2026-05-30 03:18 UTC)
No relevant code changes merged between those two commits.
Fix
Pin the images by digest in .github/workflows/files-external-smb-kerberos.yml, the same way other workflows pin their images (e.g. localstack/localstack@sha256:...).
cc @icewind1991 — these are your images, could you check if samba-krb-test-apache-gssapi:8.4 (or one of the others) was updated recently in a way that would break GSSAPI auth against Nextcloud's WebDAV endpoint?
Summary
The
Samba Kerberos SSOCI check has been failing on every master merge since 2026-05-30. The failure is not caused by any code change — no DAV, authentication, or SSO-related files changed in the window where it broke.Failure
Kerberos ticket acquisition succeeds, but the subsequent WebDAV request fails — the server is not accepting the
Negotiateauthorization header.Root cause
The workflow pulls all three test images by floating tag with no digest pin:
One of these (most likely
samba-krb-test-apache-gssapi:8.4given the GSSAPI/WebDAV auth failure) was updated around 2026-05-29/30 and broke the test environment.Last passing run: commit
04668560(2026-05-29 03:21 UTC)First failing run: commit
b064def8(2026-05-30 03:18 UTC)No relevant code changes merged between those two commits.
Fix
Pin the images by digest in
.github/workflows/files-external-smb-kerberos.yml, the same way other workflows pin their images (e.g.localstack/localstack@sha256:...).cc @icewind1991 — these are your images, could you check if
samba-krb-test-apache-gssapi:8.4(or one of the others) was updated recently in a way that would break GSSAPI auth against Nextcloud's WebDAV endpoint?