[Samba] 'net ads join' Segmentation fault for one ADS tree but not another?!

Chris COOPER c.cooper at ecu.edu.au
Tue Apr 12 02:56:39 GMT 2005


The cmd 'net ads join -U username' dies with 'Segmentation fault' for
our PROD ADS environment, however works fine in our DEV ADS environment!

The only [Linux] configuration change between the two environments is
to update the SAMBA and Kerberos config to read 'ADS' vs 'ADSDEV' and
change the domain controller FQDN.

The /var/kerberos/krb5kdc directory, samba/secrets.tdb and kerberos
database are nuked/recreated between DEV->PROD environments to clear
cached info (have I missed clearing anything?)

Kerberos config seems OK for both environments, kinit username/password
works.

Here's the end of 'net ads join -U username -d 10' resulting in the
segmentation fault, plus the closest matching portion of our DEV
environment for comparison.

--- PROD ---
[2005/04/11 17:02:36, 3] libads/sasl.c:ads_sasl_spnego_bind(211)
  ads_sasl_spnego_bind: got server principal name
=ads-prod-dc$@ADS.ECU.EDU.AU
[2005/04/11 17:02:36, 3] libsmb/clikrb5.c:ads_krb5_mk_req(382)
  ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache
found)
[2005/04/11 17:02:36, 3]
libsmb/clikrb5.c:ads_cleanup_expired_creds(319)
  Ticket in ccache[MEMORY:net_ads] expiration Tue, 12 Apr 2005 03:02:36
GMT
[2005/04/11 17:02:36, 10] libsmb/clikrb5.c:ads_krb5_mk_req(409)
  ads_krb5_mk_req: Ticket (ads-prod-dc$@ADS.ECU.EDU.AU) in ccache
(MEMORY:net_ads) is valid until: (Tue, 12 Apr 2005 03:02:36 GMT -
1113246156)
[2005/04/11 17:02:36, 10]
libsmb/clikrb5.c:get_krb5_smb_session_key(510)
  Got KRB5 session key of length 16
[2005/04/11 17:02:36, 10] lib/util.c:name_to_fqdn(2626)
  name_to_fqdn: lookup for banana -> banana.ads.ecu.edu.au.
[2005/04/11 17:02:36, 0] libads/ldap.c:ads_add_machine_acct(1368)
  ads_add_machine_acct: Host account for banana already exists -
modifying old account
[2005/04/11 17:02:36, 5] libads/ldap_utils.c:ads_do_search_retry(56)
  Search for (objectclass=*) gave 1 replies
[2005/04/11 17:02:41, 10] intl/lang_tdb.c:lang_tdb_init(135)
  lang_tdb_init: /usr/lib/samba/en_AU.UTF-8.msg: No such file or
directory
Using short domain name -- ADS
[2005/04/11 17:02:41, 0] libads/kerberos.c:get_service_ticket(335)
  get_service_ticket: kerberos_kinit_password
BANANA$@ADS.ECU.EDU.AU at ADS.ECU.EDU.AU failed: Preauthentication failed
Segmentation fault

--- DEV ---
[2005/04/11 16:41:30, 3] libads/ldap.c:ads_workgroup_name(2531)
  Found alternate name 'ADSDEV' for realm 'ADSDEV.ECU.EDU.AU'
[2005/04/11 16:41:30, 10] intl/lang_tdb.c:lang_tdb_init(135)
  lang_tdb_init: /usr/lib/samba/en_AU.UTF-8.msg: No such file or
directory
Using short domain name -- ADSDEV
[2005/04/11 16:41:30, 5] libads/kerberos.c:get_service_ticket(366)
  get_service_ticket: krb5_get_credentials for BANANA$@ADSDEV.ECU.EDU.AU
enctype 16 failed: KDC has no support for encryption type
[2005/04/11 16:41:30, 3]
libads/kerberos.c:kerberos_derive_salting_principal_for_enctype(551)
  verify_service_password: get_service_ticket failed: KDC has no support
for encryption type
<<< ... repeats, snip ... >>>
[2005/04/11 16:41:31, 3]
libads/kerberos.c:kerberos_derive_salting_principal_for_enctype(551)
  verify_service_password: get_service_ticket failed: Server not found
in Kerberos database
[2005/04/11 16:41:31, 5] libads/kerberos.c:get_service_ticket(366)
  get_service_ticket: krb5_get_credentials for
host/banana.ads.ecu.edu.au at ADSDEV.ECU.EDU.AU enctype 2 failed: Server
not found in Kerberos database
[2005/04/11 16:41:31, 3]
libads/kerberos.c:kerberos_derive_salting_principal_for_enctype(551)
  verify_service_password: get_service_ticket failed: Server not found
in Kerberos database
Joined 'BANANA' to realm 'ADSDEV.ECU.EDU.AU'
[2005/04/11 16:41:31, 2] utils/net.c:main(859)
  return code = 0

After which point host 'BANANA' appears in ADSDEV tree and behaves as
expected for ADSDEV authenticated users.

I'm at a loss to explain why 'net ads join' for PROD segment faults yet
DEV works with practically identical config.

We have some 50,000+ users, 6,000+ computer objects, multiple campuses,
numerous domain controllers etc in PROD so difficult to see what the
relevant difference is between PROD and DEV :-(

Any suggestions on what could cause/resolve the
'BANANA$@ADS.ECU.EDU.AU at ADS.ECU.EDU.AU' reference and segmentation fault
would be appreciated.

Re,
Chr!s

PS: Running RHAS 3 with samba-3.0.9-1.3E.2 delivered via 'up2date' and
kernel 2.4.21-27.0.2 (latest certified by EMC SAN matrix):
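
Added example, not part of the original post and not Samba code: a small parser that rebuilds mail-wrapped 'net ads join -d 10' records and lists each get_service_ticket failure, flagging principals that carry more than one realm separator, like the one the post asks about. The sample log is constructed with placeholder names, and treating " at " as an archive-rewritten "@" is an assumption.

```python
import re

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*(\d+)\]\s*(.*)$")
TICKET = re.compile(r"^get_service_ticket: (\w+) (?:for )?(.+?)"
                    r"(?: enctype (\d+))? failed: (.*)$")

def parse_records(text):
    """Rebuild debug records from a log that a mail client has re-wrapped."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.replace("^M", "").strip()      # drop CR residue and indent
        m = HEADER.match(line)
        if m:
            cur = {"time": m.group(1), "level": int(m.group(2)),
                   "loc": m.group(3), "msg": ""}
            records.append(cur)
        elif cur is not None and line:
            if not cur["loc"]:                    # header wrapped before file:func(line)
                cur["loc"] = line
            else:                                 # message text, possibly wrapped;
                cur["msg"] = (cur["msg"] + " " + line).strip()  # stdout lines fold in too
    return records

def ticket_failures(records):
    """Return one dict per get_service_ticket failure, flagging odd principals."""
    out = []
    for rec in records:
        m = TICKET.match(rec["msg"])
        if not m:
            continue
        call, principal, enctype, reason = m.groups()
        # Assumption: the list archive rewrote some "@" as " at ".
        realms = principal.count("@") + principal.count(" at ")
        out.append({"call": call, "principal": principal, "enctype": enctype,
                    "reason": reason, "realm_separators": realms,
                    "suspect": realms != 1})
    return out

# Constructed sample shaped like the excerpts above (names are placeholders).
SAMPLE = """\
[2005/01/01 10:00:00, 5] libads/kerberos.c:get_service_ticket(366)^M
  get_service_ticket: krb5_get_credentials for HOST1$@DEV.EXAMPLE.TEST
enctype 16 failed: KDC has no support for encryption type^M
[2005/01/01 10:00:01, 0]
libads/kerberos.c:get_service_ticket(335)^M
  get_service_ticket: kerberos_kinit_password
HOST1$@EXAMPLE.TEST at EXAMPLE.TEST failed: Preauthentication failed^M
"""

if __name__ == "__main__":
    for f in ticket_failures(parse_records(SAMPLE)):
        print(f)
```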

