Strategies to debug cpython modules during provision
william at blackhats.net.au
Tue Apr 10 01:36:09 UTC 2018
> > Inspecting the code, I see this is from password_hash.c's call to
> > smb_krb5_init_context, and reading that code in
> > source4/auth/kerberos/krb5_init_context.c between
> > smb_krb5_init_context
> > and smb_krb5_init_context_basic I can see some areas that *could*
> > be
> > the cause of the issue with regard to the system krb5.conf from MIT
> > vs
> > embedded heimdal.
> Yep, the includedir statement. A better error message would be good,
> as would be backporting the patch for includedir from modern Heimdal.
Well, first the issue is we see "ldb operations error". A good error
message should communicate more to the admin so that they have an
understanding of what to do next. Something like "unable to parse
krb5.conf" would be much better than just "operations error".
Sadly, looking at it, when we get ret = 22, which I assume here is
KRB5_CONFIG_BADFORMAT, we just wrap that into the ldb_operr(ldb) macro,
so we lose all the context that could help communicate the error to
So the first issue is how can we communicate what went wrong, why it
went wrong, and how to resolve it.
After that, then we can think about "modern heimdal" to prevent the
error at all.
Given how unfamiliar I am with the codebase though, I'd like some
advice on where to start here and how to communicate better. I'm
assuming this requires a call to ldb_error instead of ldb_operr()
macro. Does that sound like a reasonable start to resolve this?
> > However to be 100% sure, I would like to attach a debugger into
> > this
> > process so that I can observe the error.
> > As I haven't debugging the samba-tool domain provision process
> > before,
> > I would like to know if there is any advice on how to go about
> > doing
> > this that could make my life a bit easier. Additionally, it would
> > be
> > great to know how to "clean up" after a failed installation like
> > this.
> gdb --args python ....
> No need to clean up, it wipes every time. (Somehow nobody has said
> they have lost data re-running provision, I don't know why).
Done. Worked out the root cause now. Thank you!
> Andrew Bartlett
More information about the samba-technical