mod_auth_ntlm_winbind: ntlm_auth tries to open the secrets.tdb,
but fails
Yoshinori Sano
yoshinori.sano at gmail.com
Mon Nov 19 12:12:34 GMT 2007
Hi all,
I've tried to work mod_auth_ntlm_winbind(rev #713) for a week, but it
doesn't work.
http://viewcvs.samba.org/cgi-bin/viewcvs.cgi/trunk/mod_auth_ntlm_winbind/mod_auth_ntlm_winbind.c?root=lorikeet&rev=713&view=markup
When I use samba-3.0.27, a segmentation error occurs at
ads_verify_ticket() line 335.
This is because ads_verify_ticket initializes the pac_data variable,
whose address is NULL, to NULL:
303 NTSTATUS ads_verify_ticket(TALLOC_CTX *mem_ctx,
304 const char *realm,
305 time_t time_offset,
306 const DATA_BLOB *ticket,
307 char **principal,
308 PAC_DATA **pac_data,
309 DATA_BLOB *ap_rep,
310 DATA_BLOB *session_key)
311 {
[...]
335 *pac_data = NULL;
So, I made the patch below so that it can be avoided:
(samba-3.0.27/source/util/ntlm_auth.c)
% diff -u ntlm_auth.c.orig ntlm_auth.c
--- ntlm_auth.c.orig 2007-11-17 20:16:32.435854200 +0900
+++ ntlm_auth.c 2007-11-17 20:19:47.501319432 +0900
@@ -1154,6 +1154,7 @@
char *principal;
DATA_BLOB ap_rep;
DATA_BLOB session_key;
+ DATA_BLOB auth_data;
if ( request.negTokenInit.mechToken.data == NULL ) {
DEBUG(1, ("Client did not provide
Kerberos data\n"));
@@ -1168,7 +1169,7 @@
status = ads_verify_ticket(mem_ctx, lp_realm(), 0,
&request.negTokenInit.mechToken,
- &principal, NULL, &ap_rep,
+ &principal,
&auth_data, &ap_rep,
&session_key);
talloc_destroy(mem_ctx);
@@ -1192,6 +1193,7 @@
user = SMB_STRDUP(principal);
data_blob_free(&ap_rep);
+ data_blob_free(&auth_data);
SAFE_FREE(principal);
}
But, I've faced some other problem.
The ntlm_auth process tries to open the secrets.tdb, however, it fails.
As the ntlm_auth process is spawn from httpd which runs as nobody privilege,
so the ntlm_auth process doesn't have access privilege against the secrets.tdb.
Here is the backtrace:
(gdb) bt
#0 tdb_open_ex (name=0xbffc5d90
"/usr/local/samba3.0.27/private/secrets.tdb", hash_size=0,
tdb_flags=0,
open_flags=66, mode=384, log_ctx=0xbffc5d40, hash_fn=0) at
tdb/common/open.c:153
#1 0x00dbe0cb in tdb_open_log (name=0xbffc5d90
"/usr/local/samba3.0.27/private/secrets.tdb",
hash_size=0, tdb_flags=0, open_flags=66, mode=384) at lib/util_tdb.c:683
#2 0x00d13f58 in secrets_init () at passdb/secrets.c:64
#3 0x00d164b4 in secrets_named_mutex (name=0x85b81b8 "replay cache
mutex", timeout=10)
at passdb/secrets.c:925
#4 0x00d1800c in grab_server_mutex (name=0xdcd854 "replay cache
mutex") at lib/server_mutex.c:41
#5 0x00d13754 in ads_verify_ticket (mem_ctx=0x85b7a18,
realm=0x85b7ac8 "ADTEST.WIN2K301.DEV", time_offset=0, ticket=0xbffc677c,
principal=0xbffc62e8, pac_data=0xbffc62b0, ap_rep=0xbffc62d0,
session_key=0xbffc62c0)
at libads/kerberos_verify.c:383
#6 0x00cfe04e in manage_gss_spnego_request (stdio_helper_mode=GSS_SPNEGO,
buf=0xbffc67f0 "YR
YIIE9QYGKwYBBQUCoIIE6TCCBOWgJDAiBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICCqKCBLsEggS3YIIEswYJKoZIhvcSAQICAQBuggSiMIIEnqADAgEFoQMCAQ6iBwMFACAAAACjggO+YYIDujCCA7agAwIBBaEiGyBBRFRFU1QuV0lOMkszMDEuR"...,
length=1703) at utils/ntlm_auth.c:1170
#7 0x00d01177 in manage_squid_request (helper_mode=GSS_SPNEGO,
fn=0xcfd89d <manage_gss_spnego_request>)
at utils/ntlm_auth.c:2091
#8 0x00d011ca in squid_stream (stdio_mode=GSS_SPNEGO, fn=0xcfd89d
<manage_gss_spnego_request>)
at utils/ntlm_auth.c:2100
#9 0x00d01851 in main (argc=2, argv=0xbffc73a4) at utils/ntlm_auth.c:2321
Why ntlm_auth need to access the secrets.tdb?
I really want to know how to solve this problem.
Any help would be highly appreciated.
Thanks in advance,
--
Yoshinori Sano <yoshinori.sano at gmail.com>
More information about the samba-technical
mailing list