[Samba] SIGSEGV with pam_winbind kerberos authentication

Rowland Penny rowlandpenny at googlemail.com
Sun Apr 27 07:05:51 MDT 2014


On 27/04/14 12:55, Prunk Dump wrote:
> 2014-04-26 10:57 GMT+02:00 Prunk Dump <prunkdump at gmail.com>:
>> Hello,
>>
>> I can't get Kerberos authentication to work with my Linux clients.
>>
>> Server : samba 4.1.4 (compiled from source)
>> Client : Debian Wheezy with sernet-samba 4.0.17-8
>>
>> Without Kerberos authentication, everything works :
>>
>> -> the domain users can log in with pam_winbind (with ssh, gdm ...).
>> -> "kinit myuser at MYREALM" works fine.
>> -> "wbinfo -K MYDOM\\myuser" works.
>> -> all the other winbind-related commands work (wbinfo, id, getent ...).
>> -> If I do a standard pam_winbind login followed by the kinit command,
>> the user can access all the kerberized services.
>>
>> But with krb5_auth, if I log in as a domain user through SSH or GDM, the
>> Kerberos ticket is created in /tmp/ but I get the following error:
>>
>> (/var/log/syslog)
>> [2014/04/26 10:07:16.362838,  0] ../lib/util/fault.c:72(fault_report)
>> ===============================================================
>> [2014/04/26 10:07:16.362981,  0] ../lib/util/fault.c:73(fault_report)
>> INTERNAL ERROR: Signal 11 in pid 3354 (4.0.17-SerNet-Debian-8.wheezy)
>> Please read the Trouble-Shooting section of the Samba HOWTO
>> [2014/04/26 10:07:16.363061,  0] ../lib/util/fault.c:75(fault_report)
>> ===============================================================
>> [2014/04/26 10:07:16.363113,  0] ../source3/lib/util.c:810(smb_panic_s3)
>> PANIC (pid 3354): internal error
>> [2014/04/26 10:07:16.363588,  0] ../source3/lib/util.c:921(log_stack_trace)
>> BACKTRACE: 25 stack frames:
>> #0 /usr/lib/x86_64-linux-gnu/samba/libsmbconf.so.0(log_stack_trace+0x2d)
>> [0x7f4b0d47667b]
>> #1 /usr/lib/x86_64-linux-gnu/samba/libsmbconf.so.0(smb_panic_s3+0x69)
>> [0x7f4b0d4767a5]
>> #2 /usr/lib/x86_64-linux-gnu/samba/libsamba-util.so.0(smb_panic+0x2d)
>> [0x7f4b1266c451]
>> #3 /usr/lib/x86_64-linux-gnu/samba/libsamba-util.so.0(+0x1b77e) [0x7f4b1266c77e]
>> #4 /lib/x86_64-linux-gnu/libpthread.so.0(+0xf030) [0x7f4b12a9e030]
>> #5 /usr/lib/x86_64-linux-gnu/samba/libkrb5-samba4.so.26(krb5_storage_free+0x18)
>> [0x7f4b0ff3043b]
>> #6 /usr/lib/x86_64-linux-gnu/samba/libkrb5-samba4.so.26(+0x41ccd)
>> [0x7f4b0ff18ccd]
>> #7 /usr/lib/x86_64-linux-gnu/samba/libkrb5-samba4.so.26(krb5_kt_end_seq_get+0x3a)
>> [0x7f4b0ff1817e]
>> #8 /usr/lib/x86_64-linux-gnu/samba/libgse.so(+0x9b04) [0x7f4b0e224b04]
>> #9 /usr/lib/x86_64-linux-gnu/samba/libgse.so(gse_krb5_get_server_keytab+0x3e8)
>> [0x7f4b0e224f3d]
>> #10 /usr/lib/x86_64-linux-gnu/samba/libgse.so(+0xba82) [0x7f4b0e226a82]
>> #11 /usr/lib/x86_64-linux-gnu/samba/libgensec.so.0(gensec_start_mech+0x11e)
>> [0x7f4b0f27b3f8]
>> #12 /usr/lib/x86_64-linux-gnu/samba/libgensec.so.0(gensec_start_mech_by_oid+0xe1)
>> [0x7f4b0f27b79e]
>> #13 /usr/sbin/winbindd(kerberos_return_pac+0x62d) [0x7f4b12efb98d]
>> #14 /usr/sbin/winbindd(winbindd_dual_pam_auth+0x70b) [0x7f4b12f0f7e7]
>> #15 /usr/sbin/winbindd(+0x5b370) [0x7f4b12f28370]
>> #16 /usr/sbin/winbindd(+0x5b60d) [0x7f4b12f2860d]
>> #17 /usr/lib/x86_64-linux-gnu/samba/libtevent.so.0(+0x4f3b) [0x7f4b11e07f3b]
>> #18 /usr/lib/x86_64-linux-gnu/samba/libtevent.so.0(tevent_common_loop_immediate+0x133)
>> [0x7f4b11e07dca]
>> #19 /usr/lib/x86_64-linux-gnu/samba/libsmbconf.so.0(run_events_poll+0x52)
>> [0x7f4b0d497e6b]
>> #20 /usr/lib/x86_64-linux-gnu/samba/libsmbconf.so.0(+0x4a1e9) [0x7f4b0d4981e9]
>> #21 /usr/lib/x86_64-linux-gnu/samba/libtevent.so.0(_tevent_loop_once+0x91)
>> [0x7f4b11e0723b]
>> #22 /usr/sbin/winbindd(main+0xd11) [0x7f4b12efed36]
>> #23 /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xfd) [0x7f4b0bd45ead]
>> #24 /usr/sbin/winbindd(+0x251d9) [0x7f4b12ef21d9]
>> [2014/04/26 10:07:16.364233,  0] ../source3/lib/dumpcore.c:312(dump_core)
>>     unable to change to /var/log/samba/cores/winbindd
>>     refusing to dump core
>>
>>
>> (/var/log/auth.log)
>> pam_winbind(sshd:auth): getting password (0x00000190)
>> pam_winbind(sshd:auth): pam_get_item returned a password
>> pam_winbind(sshd:auth): request wbcLogonUser failed:
>> WBC_ERR_AUTH_ERROR, PAM error: PAM_SYSTEM_ERR (4), NTSTATUS:
>> NT_STATUS_CONNECTION_DISCONNECTED, Error message was:
>> NT_STATUS_CONNECTION_DISCONNECTED
>> pam_winbind(sshd:auth): internal module error (retval =
>> PAM_SYSTEM_ERR(4), user = 'myuser')
>>
>>
>>
>> Any idea how I can fix this problem?
>>
>> Baptiste.
>
> I have tested with sernet-samba-4.1.7 and samba-4.1.7 compiled from
> source. I have got exactly the same error.
>
> Winbindd does not want to save the core so I can't give extra
> debugging information. But with "winbindd -i -d=10" the following
> error appears:
>
> -----------------------------
> Starting GENSEC mechanism gse_krb5
> ../source3/librpc/crypto/gse_krb5.c:279: no prev machine password
> name_to_fqdn: lookup for SALLEPROFS01 ->
> SALLEPROFS01.lyc-guillaume-fichet.ac-grenoble.fr.
> ../source3/librpc/crypto/gse_krb5.c:416: krb5_kt_start_seq_get failed
> (Permission denied)
> -----------------------------
>
> Here is the full log (ssh pellegrb at salleprofs01):
>
> -----------------------------
> process_request: Handling async request 3570:PAM_AUTH
> [ 3570]: pam auth pellegrb
> child daemon request 13
> child_process_request: request fn PAM_AUTH
> [ 3440]: dual pam auth FICHNET\pellegrb
> winbindd_dual_pam_auth: domain: FICHNET last was online
> winbindd_dual_pam_auth_kerberos
> is_myname("FICHNET") returns 0
> using ccache: FILE:/tmp/krb5cc_3000137
> winbindd_raw_kerberos_login: uid is 3000137
> kerberos_kinit_password: as
> pellegrb at LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR using
> [FILE:/tmp/krb5cc_3000137] as ccache and config
> [/usr/local/samba/var/lock/smb_krb5/krb5.conf.FICHNET]
> got TGT for pellegrb at LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR in
> FILE:/tmp/krb5cc_3000137
>      valid until: dim., 27 avril 2014 23:49:13 CEST (1398635353)
>      renewable till: dim., 04 mai 2014 13:49:14 CEST (1399204154)
> ads_cleanup_expired_creds: Ticket in ccache[FILE:/tmp/krb5cc_3000137]
> expiration dim., 27 avril 2014 23:49:13 CEST
> ads_krb5_mk_req: Ticket
> (SALLEPROFS01$@LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR) in ccache
> (FILE:/tmp/krb5cc_3000137) is valid until: (dim., 27 avril 2014
> 23:49:13 CEST - 1398635353)
> Got KRB5 session key of length 16
> Starting GENSEC mechanism gse_krb5
> ../source3/librpc/crypto/gse_krb5.c:279: no prev machine password
> name_to_fqdn: lookup for SALLEPROFS01 ->
> SALLEPROFS01.lyc-guillaume-fichet.ac-grenoble.fr.
> ../source3/librpc/crypto/gse_krb5.c:416: krb5_kt_start_seq_get failed
> (Permission non accordée)
> ===============================================================
> INTERNAL ERROR: Signal 11 in pid 3475 (4.1.7)
> Please read the Trouble-Shooting section of the Samba HOWTO
> ===============================================================
> PANIC (pid 3475): internal error
> BACKTRACE: 35 stack frames:
>   #0 /usr/local/samba/lib/libsmbconf.so.0(log_stack_trace+0x1f) [0x7f781b359766]
>   #1 /usr/local/samba/lib/libsmbconf.so.0(smb_panic_s3+0x6c) [0x7f781b3595df]
>   #2 /usr/local/samba/lib/libsamba-util.so.0(smb_panic+0x28) [0x7f781e8b32cb]
>   #3 /usr/local/samba/lib/libsamba-util.so.0(+0x1dfd3) [0x7f781e8b2fd3]
>   #4 /usr/local/samba/lib/libsamba-util.so.0(+0x1dfe8) [0x7f781e8b2fe8]
>   #5 /lib/x86_64-linux-gnu/libpthread.so.0(+0xf030) [0x7f781ff7d030]
>   #6 /usr/local/samba/lib/private/libkrb5-samba4.so.26(krb5_storage_free+0x10)
> [0x7f781d1d0fb5]
>   #7 /usr/local/samba/lib/private/libkrb5-samba4.so.26(+0x499e1) [0x7f781d1b69e1]
>   #8 /usr/local/samba/lib/private/libkrb5-samba4.so.26(krb5_kt_end_seq_get+0x68)
> [0x7f781d1b4f59]
>   #9 /usr/local/samba/lib/private/libgse.so(+0xb0ae) [0x7f781a4820ae]
>   #10 /usr/local/samba/lib/private/libgse.so(gse_krb5_get_server_keytab+0x187)
> [0x7f781a48263b]
>   #11 /usr/local/samba/lib/private/libgse.so(+0xc11e) [0x7f781a48311e]
>   #12 /usr/local/samba/lib/private/libgse.so(+0xd17b) [0x7f781a48417b]
>   #13 /usr/local/samba/lib/libgensec.so.0(gensec_start_mech+0x19e)
> [0x7f781a8ddccb]
>   #14 /usr/local/samba/lib/libgensec.so.0(gensec_start_mech_by_oid+0x111)
> [0x7f781a8de085]
>   #15 /usr/local/samba/sbin/winbindd(kerberos_return_pac+0x87f) [0x7f78203dadb6]
>   #16 /usr/local/samba/sbin/winbindd(+0x46f12) [0x7f78203f2f12]
>   #17 /usr/local/samba/sbin/winbindd(+0x487f7) [0x7f78203f47f7]
>   #18 /usr/local/samba/sbin/winbindd(winbindd_dual_pam_auth+0x385)
> [0x7f78203f5de4]
>   #19 /usr/local/samba/sbin/winbindd(+0x64189) [0x7f7820410189]
>   #20 /usr/local/samba/sbin/winbindd(+0x66bf1) [0x7f7820412bf1]
>   #21 /usr/local/samba/lib/private/libtevent.so.0(+0xcc2d) [0x7f781e043c2d]
>   #22 /usr/local/samba/lib/private/libtevent.so.0(+0xd23b) [0x7f781e04423b]
>   #23 /usr/local/samba/lib/private/libtevent.so.0(+0x9fbb) [0x7f781e040fbb]
>   #24 /usr/local/samba/lib/private/libtevent.so.0(_tevent_loop_once+0xf4)
> [0x7f781e03b492]
>   #25 /usr/local/samba/sbin/winbindd(+0x67851) [0x7f7820413851]
>   #26 /usr/local/samba/sbin/winbindd(+0x631f8) [0x7f782040f1f8]
>   #27 /usr/local/samba/lib/private/libtevent.so.0(+0x56c6) [0x7f781e03c6c6]
>   #28 /usr/local/samba/lib/private/libtevent.so.0(tevent_common_loop_immediate+0x1f5)
> [0x7f781e03c358]
>   #29 /usr/local/samba/lib/private/libtevent.so.0(+0xd18b) [0x7f781e04418b]
>   #30 /usr/local/samba/lib/private/libtevent.so.0(+0x9fbb) [0x7f781e040fbb]
>   #31 /usr/local/samba/lib/private/libtevent.so.0(_tevent_loop_once+0xf4)
> [0x7f781e03b492]
>   #32 /usr/local/samba/sbin/winbindd(main+0xd15) [0x7f78203dec51]
>   #33 /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xfd) [0x7f78188ddead]
>   #34 /usr/local/samba/sbin/winbindd(+0x25229) [0x7f78203d1229]
> unable to change to /usr/local/samba/var/cores/winbindd
> refusing to dump core
> wb_request_done[3570:PAM_AUTH]: NT_STATUS_CONNECTION_DISCONNECTED
> Already reaped child 3475 died
> winbind_client_response_written[3570:PAM_AUTH]: delivered response to client
> process_request: Handling async request 3570:GETPWNAM
> getpwnam pellegrb
>       wbint_LookupName: struct wbint_LookupName
>          in: struct wbint_LookupName
>              domain                   : *
>                  domain                   : 'FICHNET'
>              name                     : *
>                  name                     : 'PELLEGRB'
>              flags                    : 0x00000008 (8)
>       wbint_LookupName: struct wbint_LookupName
>          out: struct wbint_LookupName
>              type                     : *
>                  type                     : SID_NAME_USER (1)
>              sid                      : *
>                  sid                      :
> S-1-5-21-1691533938-518786298-626738373-1217
>              result                   : NT_STATUS_OK
>       wbint_QueryUser: struct wbint_QueryUser
>          in: struct wbint_QueryUser
>              sid                      : *
>                  sid                      :
> S-1-5-21-1691533938-518786298-626738373-1217
>       wbint_QueryUser: struct wbint_QueryUser
>          out: struct wbint_QueryUser
>              info                     : *
>                  info: struct wbint_userinfo
>                      acct_name                : *
>                          acct_name                : 'pellegrb'
>                      full_name                : NULL
>                      homedir                  : *
>                          homedir                  : '/home/teachers/pellegrb'
>                      shell                    : *
>                          shell                    : '/bin/bash'
>                      primary_gid              : 0x00000000002dc6e6 (3000038)
>                      user_sid                 :
> S-1-5-21-1691533938-518786298-626738373-1217
>                      group_sid                :
> S-1-5-21-1691533938-518786298-626738373-1118
>              result                   : NT_STATUS_OK
> SID 0: S-1-5-21-1691533938-518786298-626738373-1217
> Parsing value for key
> [IDMAP/SID2XID/S-1-5-21-1691533938-518786298-626738373-1217]:
> value=[3000137:U]
> Parsing value for key
> [IDMAP/SID2XID/S-1-5-21-1691533938-518786298-626738373-1217]:
> id=[3000137], endptr=[:U]
> find_lookup_domain_from_sid(S-1-5-21-1691533938-518786298-626738373-1118)
> calling find_our_domain
>       wbint_LookupSid: struct wbint_LookupSid
>          in: struct wbint_LookupSid
>              sid                      : *
>                  sid                      :
> S-1-5-21-1691533938-518786298-626738373-1118
>       wbint_LookupSid: struct wbint_LookupSid
>          out: struct wbint_LookupSid
>              type                     : *
>                  type                     : SID_NAME_DOM_GRP (2)
>              domain                   : *
>                  domain                   : *
>                      domain                   : 'FICHNET'
>              name                     : *
>                  name                     : *
>                      name                     : 'teachers'
>              result                   : NT_STATUS_OK
> SID 0: S-1-5-21-1691533938-518786298-626738373-1118
> Parsing value for key
> [IDMAP/SID2XID/S-1-5-21-1691533938-518786298-626738373-1118]:
> value=[3000038:G]
> Parsing value for key
> [IDMAP/SID2XID/S-1-5-21-1691533938-518786298-626738373-1118]:
> id=[3000038], endptr=[:G]
> wb_request_done[3570:GETPWNAM]: NT_STATUS_OK
> winbind_client_response_written[3570:GETPWNAM]: delivered response to client
> closing socket 24, client exited
> -----------------------------
>
>
> Please help !
>
> Thanks.

I think that we are going to need a bit more info: your smb.conf on the
server, how you have set up Kerberos authentication, etc.

Rowland
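
A log-triage helper for the winbindd output quoted in this thread, added here as an example; it is not part of either poster's message or of Samba. It extracts the last `... failed (...)` debug line before the panic and the backtrace frames that follow the libpthread signal frame, since the frames before it belong to the panic handler. The names `triage`, `FRAME` and `FAILED` are hypothetical, and the sample is an excerpt of the log quoted above.

```python
import re

# Lines taken from the "winbindd -i -d=10" log quoted above, mail quoting included.
SAMPLE_LOG = """\
> ../source3/librpc/crypto/gse_krb5.c:416: krb5_kt_start_seq_get failed
> (Permission denied)
> INTERNAL ERROR: Signal 11 in pid 3475 (4.1.7)
> BACKTRACE: 35 stack frames:
>   #0 /usr/local/samba/lib/libsmbconf.so.0(log_stack_trace+0x1f) [0x7f781b359766]
>   #1 /usr/local/samba/lib/libsmbconf.so.0(smb_panic_s3+0x6c) [0x7f781b3595df]
>   #2 /usr/local/samba/lib/libsamba-util.so.0(smb_panic+0x28) [0x7f781e8b32cb]
>   #3 /usr/local/samba/lib/libsamba-util.so.0(+0x1dfd3) [0x7f781e8b2fd3]
>   #4 /usr/local/samba/lib/libsamba-util.so.0(+0x1dfe8) [0x7f781e8b2fe8]
>   #5 /lib/x86_64-linux-gnu/libpthread.so.0(+0xf030) [0x7f781ff7d030]
>   #6 /usr/local/samba/lib/private/libkrb5-samba4.so.26(krb5_storage_free+0x10)
> [0x7f781d1d0fb5]
>   #7 /usr/local/samba/lib/private/libkrb5-samba4.so.26(+0x499e1) [0x7f781d1b69e1]
>   #8 /usr/local/samba/lib/private/libkrb5-samba4.so.26(krb5_kt_end_seq_get+0x68)
> [0x7f781d1b4f59]
>   #9 /usr/local/samba/lib/private/libgse.so(+0xb0ae) [0x7f781a4820ae]
>   #10 /usr/local/samba/lib/private/libgse.so(gse_krb5_get_server_keytab+0x187)
> [0x7f781a48263b]
"""

# "#N /path/lib.so(symbol+0xoff)"; the symbol is empty for stripped frames.
FRAME = re.compile(r"#(\d+)\s+(\S+?)\((\w*)\+0x[0-9a-f]+\)")
# "file.c:LINE: some_call failed (reason)", possibly wrapped by the mail client.
FAILED = re.compile(r"(\S+\.c:\d+): (\w+) failed\s+\(([^)]*)\)")


def triage(log):
    """Return (last failed call before the panic, frames at the crash site)."""
    # Drop mail quoting and indentation, then undo line wrapping.
    text = " ".join(re.sub(r"^[>\s]+", "", ln) for ln in log.splitlines())
    head, _, tail = text.partition("INTERNAL ERROR")
    failed = FAILED.findall(head)
    frames = [(int(n), lib.rsplit("/", 1)[-1], sym or "?")
              for n, lib, sym in FRAME.findall(tail)]
    # Frames up to the libpthread signal frame are the panic handler itself;
    # the frame right after it is where the signal was raised.
    sig = next((i for i, f in enumerate(frames)
                if f[1].startswith("libpthread")), -1)
    return (failed[-1] if failed else None), frames[sig + 1:]
```

On the sample, the first crash-site frame is `krb5_storage_free`, reached from `krb5_kt_end_seq_get`, and the last failure logged before the panic is `krb5_kt_start_seq_get` with "Permission denied".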



