[Samba] SIGSEGV with pam_winbind kerberos authentication

Prunk Dump prunkdump at gmail.com
Sun Apr 27 05:55:26 MDT 2014


2014-04-26 10:57 GMT+02:00 Prunk Dump <prunkdump at gmail.com>:
> Hello,
>
> I can't get Kerberos authentication to work with my Linux clients.
>
> Server : samba 4.1.4 (compiled from source)
> Client : Debian Wheezy with sernet-samba 4.0.17-8
>
> Without Kerberos authentication, everything works :
>
> -> the domain users can log in with pam_winbind (with ssh, gdm ...).
> -> "kinit myuser at MYREALM" works fine.
> -> "wbinfo -K MYDOM\\myuser" works.
> -> all the other winbind-related commands work (wbinfo, id, getent ...).
> -> If I do a standard pam_winbind login followed by the kinit command,
> the user can access all the kerberized services.
>
> But with krb5_auth, if I log in as a domain user through SSH or GDM, the
> Kerberos ticket is created in /tmp/ but I get the following error:
>
> (/var/log/syslog)
> [2014/04/26 10:07:16.362838,  0] ../lib/util/fault.c:72(fault_report)
> ===============================================================
> [2014/04/26 10:07:16.362981,  0] ../lib/util/fault.c:73(fault_report)
> INTERNAL ERROR: Signal 11 in pid 3354 (4.0.17-SerNet-Debian-8.wheezy)
> Please read the Trouble-Shooting section of the Samba HOWTO
> [2014/04/26 10:07:16.363061,  0] ../lib/util/fault.c:75(fault_report)
> ===============================================================
> [2014/04/26 10:07:16.363113,  0] ../source3/lib/util.c:810(smb_panic_s3)
> PANIC (pid 3354): internal error
> [2014/04/26 10:07:16.363588,  0] ../source3/lib/util.c:921(log_stack_trace)
> BACKTRACE: 25 stack frames:
> #0 /usr/lib/x86_64-linux-gnu/samba/libsmbconf.so.0(log_stack_trace+0x2d)
> [0x7f4b0d47667b]
> #1 /usr/lib/x86_64-linux-gnu/samba/libsmbconf.so.0(smb_panic_s3+0x69)
> [0x7f4b0d4767a5]
> #2 /usr/lib/x86_64-linux-gnu/samba/libsamba-util.so.0(smb_panic+0x2d)
> [0x7f4b1266c451]
> #3 /usr/lib/x86_64-linux-gnu/samba/libsamba-util.so.0(+0x1b77e) [0x7f4b1266c77e]
> #4 /lib/x86_64-linux-gnu/libpthread.so.0(+0xf030) [0x7f4b12a9e030]
> #5 /usr/lib/x86_64-linux-gnu/samba/libkrb5-samba4.so.26(krb5_storage_free+0x18)
> [0x7f4b0ff3043b]
> #6 /usr/lib/x86_64-linux-gnu/samba/libkrb5-samba4.so.26(+0x41ccd)
> [0x7f4b0ff18ccd]
> #7 /usr/lib/x86_64-linux-gnu/samba/libkrb5-samba4.so.26(krb5_kt_end_seq_get+0x3a)
> [0x7f4b0ff1817e]
> #8 /usr/lib/x86_64-linux-gnu/samba/libgse.so(+0x9b04) [0x7f4b0e224b04]
> #9 /usr/lib/x86_64-linux-gnu/samba/libgse.so(gse_krb5_get_server_keytab+0x3e8)
> [0x7f4b0e224f3d]
> #10 /usr/lib/x86_64-linux-gnu/samba/libgse.so(+0xba82) [0x7f4b0e226a82]
> #11 /usr/lib/x86_64-linux-gnu/samba/libgensec.so.0(gensec_start_mech+0x11e)
> [0x7f4b0f27b3f8]
> #12 /usr/lib/x86_64-linux-gnu/samba/libgensec.so.0(gensec_start_mech_by_oid+0xe1)
> [0x7f4b0f27b79e]
> #13 /usr/sbin/winbindd(kerberos_return_pac+0x62d) [0x7f4b12efb98d]
> #14 /usr/sbin/winbindd(winbindd_dual_pam_auth+0x70b) [0x7f4b12f0f7e7]
> #15 /usr/sbin/winbindd(+0x5b370) [0x7f4b12f28370]
> #16 /usr/sbin/winbindd(+0x5b60d) [0x7f4b12f2860d]
> #17 /usr/lib/x86_64-linux-gnu/samba/libtevent.so.0(+0x4f3b) [0x7f4b11e07f3b]
> #18 /usr/lib/x86_64-linux-gnu/samba/libtevent.so.0(tevent_common_loop_immediate+0x133)
> [0x7f4b11e07dca]
> #19 /usr/lib/x86_64-linux-gnu/samba/libsmbconf.so.0(run_events_poll+0x52)
> [0x7f4b0d497e6b]
> #20 /usr/lib/x86_64-linux-gnu/samba/libsmbconf.so.0(+0x4a1e9) [0x7f4b0d4981e9]
> #21 /usr/lib/x86_64-linux-gnu/samba/libtevent.so.0(_tevent_loop_once+0x91)
> [0x7f4b11e0723b]
> #22 /usr/sbin/winbindd(main+0xd11) [0x7f4b12efed36]
> #23 /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xfd) [0x7f4b0bd45ead]
> #24 /usr/sbin/winbindd(+0x251d9) [0x7f4b12ef21d9]
> [2014/04/26 10:07:16.364233,  0] ../source3/lib/dumpcore.c:312(dump_core)
>    unable to change to /var/log/samba/cores/winbindd
>    refusing to dump core
>
>
> (/var/log/auth.log)
> pam_winbind(sshd:auth): getting password (0x00000190)
> pam_winbind(sshd:auth): pam_get_item returned a password
> pam_winbind(sshd:auth): request wbcLogonUser failed:
> WBC_ERR_AUTH_ERROR, PAM error: PAM_SYSTEM_ERR (4), NTSTATUS:
> NT_STATUS_CONNECTION_DISCONNECTED, Error message was:
> NT_STATUS_CONNECTION_DISCONNECTED
> pam_winbind(sshd:auth): internal module error (retval =
> PAM_SYSTEM_ERR(4), user = 'myuser')
>
>
>
> Any idea how I can fix this problem?
>
> Baptiste.


I have tested with sernet-samba-4.1.7 and samba-4.1.7 compiled from
source. I have got exactly the same error.

Winbindd does not want to save the core so I can't give extra
debugging information. But with "winbindd -i -d=10" the following
error appears:

-----------------------------
Starting GENSEC mechanism gse_krb5
../source3/librpc/crypto/gse_krb5.c:279: no prev machine password
name_to_fqdn: lookup for SALLEPROFS01 ->
SALLEPROFS01.lyc-guillaume-fichet.ac-grenoble.fr.
../source3/librpc/crypto/gse_krb5.c:416: krb5_kt_start_seq_get failed
(Permission denied)
-----------------------------

Here is the full log (ssh pellegrb at salleprofs01):

-----------------------------
process_request: Handling async request 3570:PAM_AUTH
[ 3570]: pam auth pellegrb
child daemon request 13
child_process_request: request fn PAM_AUTH
[ 3440]: dual pam auth FICHNET\pellegrb
winbindd_dual_pam_auth: domain: FICHNET last was online
winbindd_dual_pam_auth_kerberos
is_myname("FICHNET") returns 0
using ccache: FILE:/tmp/krb5cc_3000137
winbindd_raw_kerberos_login: uid is 3000137
kerberos_kinit_password: as
pellegrb at LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR using
[FILE:/tmp/krb5cc_3000137] as ccache and config
[/usr/local/samba/var/lock/smb_krb5/krb5.conf.FICHNET]
got TGT for pellegrb at LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR in
FILE:/tmp/krb5cc_3000137
    valid until: dim., 27 avril 2014 23:49:13 CEST (1398635353)
    renewable till: dim., 04 mai 2014 13:49:14 CEST (1399204154)
ads_cleanup_expired_creds: Ticket in ccache[FILE:/tmp/krb5cc_3000137]
expiration dim., 27 avril 2014 23:49:13 CEST
ads_krb5_mk_req: Ticket
(SALLEPROFS01$@LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR) in ccache
(FILE:/tmp/krb5cc_3000137) is valid until: (dim., 27 avril 2014
23:49:13 CEST - 1398635353)
Got KRB5 session key of length 16
Starting GENSEC mechanism gse_krb5
../source3/librpc/crypto/gse_krb5.c:279: no prev machine password
name_to_fqdn: lookup for SALLEPROFS01 ->
SALLEPROFS01.lyc-guillaume-fichet.ac-grenoble.fr.
../source3/librpc/crypto/gse_krb5.c:416: krb5_kt_start_seq_get failed
(Permission non accordée)
===============================================================
INTERNAL ERROR: Signal 11 in pid 3475 (4.1.7)
Please read the Trouble-Shooting section of the Samba HOWTO
===============================================================
PANIC (pid 3475): internal error
BACKTRACE: 35 stack frames:
 #0 /usr/local/samba/lib/libsmbconf.so.0(log_stack_trace+0x1f) [0x7f781b359766]
 #1 /usr/local/samba/lib/libsmbconf.so.0(smb_panic_s3+0x6c) [0x7f781b3595df]
 #2 /usr/local/samba/lib/libsamba-util.so.0(smb_panic+0x28) [0x7f781e8b32cb]
 #3 /usr/local/samba/lib/libsamba-util.so.0(+0x1dfd3) [0x7f781e8b2fd3]
 #4 /usr/local/samba/lib/libsamba-util.so.0(+0x1dfe8) [0x7f781e8b2fe8]
 #5 /lib/x86_64-linux-gnu/libpthread.so.0(+0xf030) [0x7f781ff7d030]
 #6 /usr/local/samba/lib/private/libkrb5-samba4.so.26(krb5_storage_free+0x10)
[0x7f781d1d0fb5]
 #7 /usr/local/samba/lib/private/libkrb5-samba4.so.26(+0x499e1) [0x7f781d1b69e1]
 #8 /usr/local/samba/lib/private/libkrb5-samba4.so.26(krb5_kt_end_seq_get+0x68)
[0x7f781d1b4f59]
 #9 /usr/local/samba/lib/private/libgse.so(+0xb0ae) [0x7f781a4820ae]
 #10 /usr/local/samba/lib/private/libgse.so(gse_krb5_get_server_keytab+0x187)
[0x7f781a48263b]
 #11 /usr/local/samba/lib/private/libgse.so(+0xc11e) [0x7f781a48311e]
 #12 /usr/local/samba/lib/private/libgse.so(+0xd17b) [0x7f781a48417b]
 #13 /usr/local/samba/lib/libgensec.so.0(gensec_start_mech+0x19e)
[0x7f781a8ddccb]
 #14 /usr/local/samba/lib/libgensec.so.0(gensec_start_mech_by_oid+0x111)
[0x7f781a8de085]
 #15 /usr/local/samba/sbin/winbindd(kerberos_return_pac+0x87f) [0x7f78203dadb6]
 #16 /usr/local/samba/sbin/winbindd(+0x46f12) [0x7f78203f2f12]
 #17 /usr/local/samba/sbin/winbindd(+0x487f7) [0x7f78203f47f7]
 #18 /usr/local/samba/sbin/winbindd(winbindd_dual_pam_auth+0x385)
[0x7f78203f5de4]
 #19 /usr/local/samba/sbin/winbindd(+0x64189) [0x7f7820410189]
 #20 /usr/local/samba/sbin/winbindd(+0x66bf1) [0x7f7820412bf1]
 #21 /usr/local/samba/lib/private/libtevent.so.0(+0xcc2d) [0x7f781e043c2d]
 #22 /usr/local/samba/lib/private/libtevent.so.0(+0xd23b) [0x7f781e04423b]
 #23 /usr/local/samba/lib/private/libtevent.so.0(+0x9fbb) [0x7f781e040fbb]
 #24 /usr/local/samba/lib/private/libtevent.so.0(_tevent_loop_once+0xf4)
[0x7f781e03b492]
 #25 /usr/local/samba/sbin/winbindd(+0x67851) [0x7f7820413851]
 #26 /usr/local/samba/sbin/winbindd(+0x631f8) [0x7f782040f1f8]
 #27 /usr/local/samba/lib/private/libtevent.so.0(+0x56c6) [0x7f781e03c6c6]
 #28 /usr/local/samba/lib/private/libtevent.so.0(tevent_common_loop_immediate+0x1f5)
[0x7f781e03c358]
 #29 /usr/local/samba/lib/private/libtevent.so.0(+0xd18b) [0x7f781e04418b]
 #30 /usr/local/samba/lib/private/libtevent.so.0(+0x9fbb) [0x7f781e040fbb]
 #31 /usr/local/samba/lib/private/libtevent.so.0(_tevent_loop_once+0xf4)
[0x7f781e03b492]
 #32 /usr/local/samba/sbin/winbindd(main+0xd15) [0x7f78203dec51]
 #33 /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xfd) [0x7f78188ddead]
 #34 /usr/local/samba/sbin/winbindd(+0x25229) [0x7f78203d1229]
unable to change to /usr/local/samba/var/cores/winbindd
refusing to dump core
wb_request_done[3570:PAM_AUTH]: NT_STATUS_CONNECTION_DISCONNECTED
Already reaped child 3475 died
winbind_client_response_written[3570:PAM_AUTH]: delivered response to client
process_request: Handling async request 3570:GETPWNAM
getpwnam pellegrb
     wbint_LookupName: struct wbint_LookupName
        in: struct wbint_LookupName
            domain                   : *
                domain                   : 'FICHNET'
            name                     : *
                name                     : 'PELLEGRB'
            flags                    : 0x00000008 (8)
     wbint_LookupName: struct wbint_LookupName
        out: struct wbint_LookupName
            type                     : *
                type                     : SID_NAME_USER (1)
            sid                      : *
                sid                      :
S-1-5-21-1691533938-518786298-626738373-1217
            result                   : NT_STATUS_OK
     wbint_QueryUser: struct wbint_QueryUser
        in: struct wbint_QueryUser
            sid                      : *
                sid                      :
S-1-5-21-1691533938-518786298-626738373-1217
     wbint_QueryUser: struct wbint_QueryUser
        out: struct wbint_QueryUser
            info                     : *
                info: struct wbint_userinfo
                    acct_name                : *
                        acct_name                : 'pellegrb'
                    full_name                : NULL
                    homedir                  : *
                        homedir                  : '/home/teachers/pellegrb'
                    shell                    : *
                        shell                    : '/bin/bash'
                    primary_gid              : 0x00000000002dc6e6 (3000038)
                    user_sid                 :
S-1-5-21-1691533938-518786298-626738373-1217
                    group_sid                :
S-1-5-21-1691533938-518786298-626738373-1118
            result                   : NT_STATUS_OK
SID 0: S-1-5-21-1691533938-518786298-626738373-1217
Parsing value for key
[IDMAP/SID2XID/S-1-5-21-1691533938-518786298-626738373-1217]:
value=[3000137:U]
Parsing value for key
[IDMAP/SID2XID/S-1-5-21-1691533938-518786298-626738373-1217]:
id=[3000137], endptr=[:U]
find_lookup_domain_from_sid(S-1-5-21-1691533938-518786298-626738373-1118)
calling find_our_domain
     wbint_LookupSid: struct wbint_LookupSid
        in: struct wbint_LookupSid
            sid                      : *
                sid                      :
S-1-5-21-1691533938-518786298-626738373-1118
     wbint_LookupSid: struct wbint_LookupSid
        out: struct wbint_LookupSid
            type                     : *
                type                     : SID_NAME_DOM_GRP (2)
            domain                   : *
                domain                   : *
                    domain                   : 'FICHNET'
            name                     : *
                name                     : *
                    name                     : 'teachers'
            result                   : NT_STATUS_OK
SID 0: S-1-5-21-1691533938-518786298-626738373-1118
Parsing value for key
[IDMAP/SID2XID/S-1-5-21-1691533938-518786298-626738373-1118]:
value=[3000038:G]
Parsing value for key
[IDMAP/SID2XID/S-1-5-21-1691533938-518786298-626738373-1118]:
id=[3000038], endptr=[:G]
wb_request_done[3570:GETPWNAM]: NT_STATUS_OK
winbind_client_response_written[3570:GETPWNAM]: delivered response to client
closing socket 24, client exited
-----------------------------


Please help !

Thanks.
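
A triage helper for logs like the one above, added here as an example and not part of the original post or of Samba: it pairs the last "failed" debug line before the panic with the named frames that faulted. The function name `triage`, the regular expressions and the treatment of the libpthread frame as the signal trampoline are assumptions made for this example; the sample lines are abridged from the post.

```python
import re

# Constructed sample: lines abridged from the debug output quoted in the post.
SAMPLE = """\
Starting GENSEC mechanism gse_krb5
../source3/librpc/crypto/gse_krb5.c:416: krb5_kt_start_seq_get failed
(Permission denied)
INTERNAL ERROR: Signal 11 in pid 3475 (4.1.7)
BACKTRACE: 35 stack frames:
 #4 /usr/local/samba/lib/libsamba-util.so.0(+0x1dfe8) [0x7f781e8b2fe8]
 #5 /lib/x86_64-linux-gnu/libpthread.so.0(+0xf030) [0x7f781ff7d030]
 #6 /usr/local/samba/lib/private/libkrb5-samba4.so.26(krb5_storage_free+0x10)
[0x7f781d1d0fb5]
 #7 /usr/local/samba/lib/private/libkrb5-samba4.so.26(+0x499e1) [0x7f781d1b69e1]
 #8 /usr/local/samba/lib/private/libkrb5-samba4.so.26(krb5_kt_end_seq_get+0x68)
[0x7f781d1b4f59]
 #9 /usr/local/samba/lib/private/libgse.so(+0xb0ae) [0x7f781a4820ae]
 #10 /usr/local/samba/lib/private/libgse.so(gse_krb5_get_server_keytab+0x187)
[0x7f781a48263b]
"""

FRAME = re.compile(r"^\s*#(\d+) (\S+?)\((\w*)\+0x[0-9a-f]+\)")
FAILED = re.compile(r"^(\S+\.c:\d+): (\w+) failed\s*(\(.*\))?$")
SIGNAL = re.compile(r"INTERNAL ERROR: Signal (\d+)")

def triage(log):
    """Pair the last 'X failed' debug line with the named frames that faulted."""
    lines = log.splitlines()
    failure, signal, frames = None, None, []
    for i, line in enumerate(lines):
        m = FAILED.match(line)
        if m and signal is None:
            # In the quoted log the errno text sits on the following line.
            nxt = lines[i + 1] if i + 1 < len(lines) else ""
            failure = (m.group(1), m.group(2), (m.group(3) or nxt).strip("() "))
        m = SIGNAL.search(line)
        if m:
            signal = int(m.group(1))
        m = FRAME.match(line)
        if m:
            frames.append((int(m.group(1)), m.group(2).rsplit("/", 1)[-1], m.group(3)))
    # Assumption from the trace in the post: the libpthread frame is the signal
    # trampoline, so frames before it belong to the panic handler.
    cut = next((k for k, f in enumerate(frames) if f[1].startswith("libpthread")), -1)
    named = [f for f in frames[cut + 1:] if f[2]]
    return {"signal": signal, "last_failure": failure,
            "faulting": named[0] if named else None,
            "callers": [f[2] for f in named[1:]]}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

On the sample this reports the failed `krb5_kt_start_seq_get` (Permission denied) next to a fault in `krb5_storage_free`, reached through `krb5_kt_end_seq_get` from `gse_krb5_get_server_keytab`.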

