S4U2Self with MIT KDC build

Isaac Boukris iboukris at gmail.com
Mon Aug 13 21:37:35 UTC 2018


I wanted to check the status of S4U2Self with MIT KDC build (current
git, both samba and krb5) and got the below crash.
Not sure if the bug is the library for sending 'kdcreq->client' as
NULL, any idea?
But anyway we should probably add a check for it in
kdb_samba_db_check_policy_as() so we don't crash.

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff5bffab7 in ks_is_kadmin (context=0x647620, princ=0x0) at
76              return krb5_princ_size(context, princ) >= 1 &&
(gdb) bt
#0  0x00007ffff5bffab7 in ks_is_kadmin (context=0x647620, princ=0x0)
at ../source4/kdc/mit-kdb/kdb_samba_common.c:76
#1  0x00007ffff5c00179 in kdb_samba_db_check_policy_as
(context=0x647620, kdcreq=0x137d020, client=0x7fffffffdc30,
    kdc_time=1534188443, status=0x7fffffffde88,
e_data_out=0x7fffffffdd10) at
#2  0x000000000040d005 in validate_as_request
(kdc_active_realm=kdc_active_realm@entry=0x646d70,
request=request@entry=0x137d020, client=..., server=...,
    kdc_time=kdc_time@entry=1534188443,
status=status@entry=0x7fffffffde88,
e_data=e_data@entry=0x7fffffffdd10) at kdc_util.c:747
#3  0x000000000040e674 in kdc_process_s4u2self_req
(kdc_active_realm=kdc_active_realm@entry=0x646d70, request=0x137d020,
    server=<optimized out>, tgs_subkey=<optimized out>,
tgs_session=<optimized out>, kdc_time=1534188443,
    princ_ptr=0x7fffffffde90, status=0x7fffffffde88) at kdc_util.c:1567
#4  0x0000000000409c08 in process_tgs_req (request=<optimized out>,
pkt=pkt@entry=0x16ace90, from=from@entry=0xdfef40,
    response=response@entry=0x7fffffffe148) at do_tgs_req.c:269
#5  0x0000000000407396 in dispatch (cb=0x620a30 <shandle>,
local_addr=local_addr@entry=0x16ace78,
remote_addr=remote_addr@entry=0xdfef40,
    pkt=pkt@entry=0x16ace90, is_tcp=is_tcp@entry=1,
vctx=vctx@entry=0x69e4f0, respond=0x417440 <process_tcp_response>,
arg=0x16acde0) at dispatch.c:196
#6  0x0000000000419151 in process_tcp_connection_read (ctx=0x69e4f0,
ev=0xcdec90) at net-server.c:1349
#7  0x00007ffff6409a68 in verto_fire () from /lib64/libverto.so.1
#8  0x00007fffdc14e293 in ev_invoke_pending () from /lib64/libev.so.4
#9  0x00007fffdc151859 in ev_run () from /lib64/libev.so.4
#10 0x000000000040634b in main (argc=2, argv=0x7fffffffe498) at main.c:1050
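
Added illustration, not part of the original message and not Samba or MIT krb5 code: a self-contained model of the crash path above (a policy check handing a NULL client principal to a helper that dereferences it) beside a guarded form that fails closed. The types, result codes, function names and the kadmin-rejecting policy are stand-ins assumed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in types for illustration; not the MIT krb5 or Samba definitions. */
typedef struct { int length; const char **data; } princ_t;
typedef struct { const princ_t *client; } kdc_req_t;

/* Hypothetical result codes for this model. */
enum { POLICY_OK = 0, POLICY_REJECT = 1, POLICY_BAD_REQUEST = 2 };

/* Like frame #0 in the backtrace: dereferences princ unchecked. */
static int is_kadmin(const princ_t *princ)
{
    return princ->length >= 1 && strcmp(princ->data[0], "kadmin") == 0;
}

/* Unguarded shape: a request whose client is NULL faults in is_kadmin(). */
int check_policy_unguarded(const kdc_req_t *req)
{
    return is_kadmin(req->client) ? POLICY_REJECT : POLICY_OK;
}

/* Guarded shape: validate the request before any helper touches it and
 * fail closed with an error instead of crashing the daemon. */
int check_policy_guarded(const kdc_req_t *req)
{
    if (req == NULL || req->client == NULL)
        return POLICY_BAD_REQUEST;
    return is_kadmin(req->client) ? POLICY_REJECT : POLICY_OK;
}

/* Build a constructed request; first == NULL models the missing client
 * seen in the crash (princ=0x0). */
int policy_for(const char *first)
{
    const char *parts[1] = { first };
    princ_t p = { 1, parts };
    kdc_req_t req = { first ? &p : NULL };
    return check_policy_guarded(&req);
}

int main(void)
{
    printf("no client: %d\n", policy_for(NULL));
    printf("kadmin:    %d\n", policy_for("kadmin"));
    printf("alice:     %d\n", policy_for("alice"));
    return 0;
}
```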
