[Samba] [Solved] A working CUPS authentication now fails without change anything...

Daniel Carrasco Marín danielmadrid19 at gmail.com
Wed May 13 02:36:31 MDT 2015 

2015-05-13 1:06 GMT+02:00 Andrey Repin <anrdaemon at yandex.ru>:

> Greetings, Daniel Carrasco Marín!
>
> >> > Cups calls pam authentication, and pam use winbind then I need to give
> >> > permissions to winbind daemon but i don't know what account is using
> that
> >> > daemon. How i can see it?, because ps aux shows the most as root.
> >>
> >> winbind normally have access to Kerberos keytab by default.
> >> I see no reason why it would not.
> >>
>
> > I don't know why, but winbind was failing (access denied) until i''ve
> > changed the permissions to 644. I've tried a lot of things and the file
> was
> > created by samba but was failing until i've changed the permissions.
>
> I would start from a level 10 log of winbind calls with "debug uid = yes"
>
>
>
I think that maybe Winbind is trying to read the keytab file as the default
user group of the user is trying to login, because 10039 is the uid of my
"Domain Users" group:

###############################################################################################################################
[2015/05/13 10:24:03.687077, 10, pid=3978, effective(0, 0), real(0, 0),
class=winbind]
../source3/winbindd/winbindd_pam.c:1669(winbindd_dual_pam_auth)
  winbindd_dual_pam_auth: domain: ND last was online
[2015/05/13 10:24:03.687337, 10, pid=3978, effective(0, 0), real(0, 0),
class=winbind]
../source3/winbindd/winbindd_pam.c:1113(winbindd_dual_pam_auth_kerberos)
  winbindd_dual_pam_auth_kerberos
[2015/05/13 10:24:03.687628, 10, pid=3978, effective(0, 0), real(0, 0),
class=winbind] ../source3/winbindd/winbindd_pam.c:531(generate_krb5_ccache)
  using ccache: FILE:/tmp/krb5cc_10039
[2015/05/13 10:24:03.688128, 10, pid=3978, effective(10039, 0), real(10039,
0), class=winbind]
../source3/winbindd/winbindd_pam.c:642(winbindd_raw_kerberos_login)
  winbindd_raw_kerberos_login: uid is 10039
[2015/05/13 10:24:03.770189,  1]
../source3/librpc/crypto/gse_krb5.c:416(fill_mem_keytab_from_system_keytab)
  ../source3/librpc/crypto/gse_krb5.c:416: krb5_kt_start_seq_get failed
(Permission denied)
[2015/05/13 10:24:03.770340,  0] ../lib/util/fault.c:72(fault_report)
  ===============================================================
[2015/05/13 10:24:03.770421,  0] ../lib/util/fault.c:73(fault_report)
  INTERNAL ERROR: Signal 11 in pid 3978 (4.1.17-Debian)
  Please read the Trouble-Shooting section of the Samba HOWTO
[2015/05/13 10:24:03.770545,  0] ../lib/util/fault.c:75(fault_report)
  ===============================================================
[2015/05/13 10:24:03.770637,  0] ../source3/lib/util.c:785(smb_panic_s3)
  PANIC (pid 3978): internal error
[2015/05/13 10:24:03.771655,  0] ../source3/lib/util.c:896(log_stack_trace)
  BACKTRACE: 27 stack frames:
   #0 /usr/lib/x86_64-linux-gnu/libsmbconf.so.0(log_stack_trace+0x1a)
[0x7f9d51064e1a]
   #1 /usr/lib/x86_64-linux-gnu/libsmbconf.so.0(smb_panic_s3+0x20)
[0x7f9d51064ef0]
   #2 /usr/lib/x86_64-linux-gnu/libsamba-util.so.0(smb_panic+0x2f)
[0x7f9d5539b70f]
   #3 /usr/lib/x86_64-linux-gnu/libsamba-util.so.0(+0x1e906)
[0x7f9d5539b906]
   #4 /lib/x86_64-linux-gnu/libpthread.so.0(+0xf0a0) [0x7f9d557c80a0]
   #5 /usr/lib/x86_64-linux-gnu/libkrb5.so.26(krb5_storage_free+0x1)
[0x7f9d4fba59e1]
   #6 /usr/lib/x86_64-linux-gnu/libkrb5.so.26(+0x482ad) [0x7f9d4fb8b2ad]
   #7 /usr/lib/x86_64-linux-gnu/samba/libgse.so.0(+0x97bf) [0x7f9d51c007bf]
   #8
/usr/lib/x86_64-linux-gnu/samba/libgse.so.0(gse_krb5_get_server_keytab+0x18b)
[0x7f9d51c00d8b]
   #9 /usr/lib/x86_64-linux-gnu/samba/libgse.so.0(+0xbb48) [0x7f9d51c02b48]
   #10 /usr/lib/x86_64-linux-gnu/libgensec.so.0(gensec_start_mech+0x42)
[0x7f9d520937e2]
   #11
/usr/lib/x86_64-linux-gnu/libgensec.so.0(gensec_start_mech_by_oid+0x2e)
[0x7f9d52093b3e]
   #12 /usr/sbin/winbindd(kerberos_return_pac+0x491) [0x7f9d55c1fd61]
   #13 /usr/sbin/winbindd(winbindd_dual_pam_auth+0xab8) [0x7f9d55c47558]
   #14 /usr/sbin/winbindd(+0x663bc) [0x7f9d55c5d3bc]
   #15 /usr/lib/x86_64-linux-gnu/libtevent.so.0(+0x986b) [0x7f9d4f0c786b]
   #16 /usr/lib/x86_64-linux-gnu/libtevent.so.0(+0x7d56) [0x7f9d4f0c5d56]
   #17 /usr/lib/x86_64-linux-gnu/libtevent.so.0(_tevent_loop_once+0x9d)
[0x7f9d4f0c23ed]
   #18 /usr/sbin/winbindd(+0x688c0) [0x7f9d55c5f8c0]
   #19 /usr/sbin/winbindd(+0x68fd5) [0x7f9d55c5ffd5]
   #20
/usr/lib/x86_64-linux-gnu/libtevent.so.0(tevent_common_loop_immediate+0xe2)
[0x7f9d4f0c2ca2]
   #21 /usr/lib/x86_64-linux-gnu/libtevent.so.0(+0x9601) [0x7f9d4f0c7601]
   #22 /usr/lib/x86_64-linux-gnu/libtevent.so.0(+0x7d56) [0x7f9d4f0c5d56]
   #23 /usr/lib/x86_64-linux-gnu/libtevent.so.0(_tevent_loop_once+0x9d)
[0x7f9d4f0c23ed]
   #24 /usr/sbin/winbindd(main+0xaeb) [0x7f9d55c1f04b]
   #25 /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xfd)
[0x7f9d4ed51ead]
   #26 /usr/sbin/winbindd(+0x286bd) [0x7f9d55c1f6bd]
[2015/05/13 10:24:03.773033,  0] ../source3/lib/util.c:797(smb_panic_s3)
  smb_panic(): calling panic action [/usr/share/samba/panic-action 3978]
[2015/05/13 10:24:03.780741,  0] ../source3/lib/util.c:805(smb_panic_s3)
  smb_panic(): action returned status 0
[2015/05/13 10:24:03.781004,  0] ../source3/lib/dumpcore.c:312(dump_core)
  unable to change to /var/log/samba/cores/winbindd
  refusing to dump core
###############################################################################################################################

Now i've changed the permissions to 640 and i've added one of the user
group with "setfacl" and is working fine.

chmod 640 /etc/krb5.keytab
setfacl -m g:DomainGroup:r /etc/krb5.keytab

At least with two groups (3 users) with permissions to read that file
instead everyone is safest ;)

Greetings!!



> --
> With best regards,
> Andrey Repin
> Wednesday, May 13, 2015 02:05:02
>
> Sorry for my terrible english...
>

More information about the samba mailing list