FW: Questions about Samba 4

Rowland Penny rowlandpenny241155 at gmail.com
Fri Aug 28 15:00:46 UTC 2015


On 28/08/15 15:38, Stefan Metzmacher wrote:
> Hi Rowland,
>
>> Hi Volker, it seems pretty easy to reproduce, just throw up a test DC in
>> a VM, create a user and set the password to need to be changed at next
>> login. Now create a member server in another VM and join this to the DC.
>> Now open three terminals, ssh into the member server as root from one
>> and start 'top', ssh into the member server as root from another and
>> finally attempt to ssh into the member server as the user you created
>> from the last one.
>> Now watch the 'top' running in the other terminal, it should show
>> winbind using 100% CPU (or very close to it). At this point go to the
>> open root terminal and run gdb.
>>
>> I can easily reproduce it on an X86_64 machine running Samba Version
>> 4.2.3-SerNet-Debian-7.wheezy
> As you can easily reproduce this, can you please file a bug report
> and upload network captures. For the following cases:
>
> 1. the original problem
> 2. with Volker's patch
> 3. with your changed sshd config
>
> It would be perfect if you could also provide a keytab in order to
> decrypt the krb5 traffic.
>
> Looking at captures will likely help in order to judge if Volker's fix
> is correct/complete related to security.
>
> Thanks!
> metze
>

OK, I will go back to what I was doing before Volker's fix popped up
and sent me off on a tangent: I was creating a new DC and a client in VMs.

What I will say is that I didn't use Volker's fix; my reasoning was
'what if winbind is spinning because it is waiting for the password to
be changed, and could it actually be an ssh problem?'.
I found a Google result:
https://support.software.dell.com/authentication-services/kb/82402
This led to getting prompted for a new password (twice) but still didn't
log me in. I examined sshd_config again and found this:
#PasswordAuthentication yes
I uncommented it, restarted ssh and I could then log in.

I may be some time :-)

Rowland



