mod_auth_ntlm_winbind: ntlm_auth tries to open the secrets.tdb, but fails

Yoshinori Sano yoshinori.sano at
Mon Nov 19 12:12:34 GMT 2007

Hi all,

I've tried to work mod_auth_ntlm_winbind(rev #713) for a week, but it
doesn't work.

When I use samba-3.0.27, a segmentation error occurs at
ads_verify_ticket() line 335.
This is because ads_verify_ticket initializes the pac_data variable,
whose address is NULL, to NULL:

 303 NTSTATUS ads_verify_ticket(TALLOC_CTX *mem_ctx,
 304                            const char *realm,
 305                            time_t time_offset,
 306                            const DATA_BLOB *ticket,
 307                            char **principal,
 308                            PAC_DATA **pac_data,
 309                            DATA_BLOB *ap_rep,
 310                            DATA_BLOB *session_key)
 311 {
 335         *pac_data = NULL;

So, I made the patch below so that it can be avoided:

% diff -u ntlm_auth.c.orig ntlm_auth.c
--- ntlm_auth.c.orig    2007-11-17 20:16:32.435854200 +0900
+++ ntlm_auth.c 2007-11-17 20:19:47.501319432 +0900
@@ -1154,6 +1154,7 @@
                        char *principal;
                        DATA_BLOB ap_rep;
                        DATA_BLOB session_key;
+            DATA_BLOB auth_data;

                        if ( == NULL ) {
                                DEBUG(1, ("Client did not provide
Kerberos data\n"));
@@ -1168,7 +1169,7 @@

                        status = ads_verify_ticket(mem_ctx, lp_realm(), 0,

-                                                  &principal, NULL, &ap_rep,
+                                                  &principal,
&auth_data, &ap_rep,

@@ -1192,6 +1193,7 @@
                                user = SMB_STRDUP(principal);

+                               data_blob_free(&auth_data);


But, I've faced some other problem.
The ntlm_auth process tries to open the secrets.tdb, however, it fails.
As the ntlm_auth process is spawn from httpd which runs as nobody privilege,
so the ntlm_auth process doesn't have access privilege against the secrets.tdb.

Here is the backtrace:
(gdb) bt
#0  tdb_open_ex (name=0xbffc5d90
"/usr/local/samba3.0.27/private/secrets.tdb", hash_size=0,
    open_flags=66, mode=384, log_ctx=0xbffc5d40, hash_fn=0) at
#1  0x00dbe0cb in tdb_open_log (name=0xbffc5d90
    hash_size=0, tdb_flags=0, open_flags=66, mode=384) at lib/util_tdb.c:683
#2  0x00d13f58 in secrets_init () at passdb/secrets.c:64
#3  0x00d164b4 in secrets_named_mutex (name=0x85b81b8 "replay cache
mutex", timeout=10)
    at passdb/secrets.c:925
#4  0x00d1800c in grab_server_mutex (name=0xdcd854 "replay cache
mutex") at lib/server_mutex.c:41
#5  0x00d13754 in ads_verify_ticket (mem_ctx=0x85b7a18,
    realm=0x85b7ac8 "ADTEST.WIN2K301.DEV", time_offset=0, ticket=0xbffc677c,
    principal=0xbffc62e8, pac_data=0xbffc62b0, ap_rep=0xbffc62d0,
    at libads/kerberos_verify.c:383
#6  0x00cfe04e in manage_gss_spnego_request (stdio_helper_mode=GSS_SPNEGO,
    buf=0xbffc67f0 "YR
length=1703) at utils/ntlm_auth.c:1170
#7  0x00d01177 in manage_squid_request (helper_mode=GSS_SPNEGO,
fn=0xcfd89d <manage_gss_spnego_request>)
    at utils/ntlm_auth.c:2091
#8  0x00d011ca in squid_stream (stdio_mode=GSS_SPNEGO, fn=0xcfd89d
    at utils/ntlm_auth.c:2100
#9  0x00d01851 in main (argc=2, argv=0xbffc73a4) at utils/ntlm_auth.c:2321

Why ntlm_auth need to access the secrets.tdb?

I really want to know how to solve this problem.
Any help would be highly appreciated.

Thanks in advance,

Yoshinori Sano <yoshinori.sano at>

More information about the samba-technical mailing list