[Samba] SIGSEGV with pam_winbind kerberos authentication

Prunk Dump prunkdump at gmail.com
Sun Apr 27 11:58:30 MDT 2014


2014-04-27 15:05 GMT+02:00 Rowland Penny <rowlandpenny at googlemail.com>:
>
> I think that we are going to need a bit more info: your smb.conf on the
> server, how have you set up  kerberos authentication, etc
>
> Rowland

###############
Bug description :
###############
When I enable Kerberos authentication with host keytabs using
pam_winbind, I can't log on as a domain user through gdm or ssh.

(/var/log/syslog)
---------------------------------
Starting GENSEC mechanism gse_krb5
../source3/librpc/crypto/gse_krb5.c:279: no prev machine password
name_to_fqdn: lookup for SALLEPROFS01
->SALLEPROFS01.lyc-guillaume-fichet.ac-grenoble.fr.
../source3/librpc/crypto/gse_krb5.c:416: krb5_kt_start_seq_get failed
(Permission denied)
...
...
===================================
INTERNAL ERROR: Signal 11 in pid 3475 (4.1.7)
Please read the Trouble-Shooting section of the Samba HOWTO
===================================
PANIC (pid 3475): internal error
BACKTRACE: 35 stack frames:
 #0 /usr/local/samba/lib/libsmbconf.so.0(log_stack_trace+0x1f) [0x7f781b359766]
 #1 /usr/local/samba/lib/libsmbconf.so.0(smb_panic_s3+0x6c) [0x7f781b3595df]
 #2 /usr/local/samba/lib/libsamba-util.so.0(smb_panic+0x28) [0x7f781e8b32cb]
 #3 /usr/local/samba/lib/libsamba-util.so.0(+0x1dfd3) [0x7f781e8b2fd3]
 #4 /usr/local/samba/lib/libsamba-util.so.0(+0x1dfe8) [0x7f781e8b2fe8]
 #5 /lib/x86_64-linux-gnu/libpthread.so.0(+0xf030) [0x7f781ff7d030]
 #6 /usr/local/samba/lib/private/libkrb5-samba4.so.26(krb5_storage_free+0x10)
...
---------------------------------


(/var/log/auth.log)
---------------------------------
pam_winbind(sshd:auth): getting password (0x00000190)
pam_winbind(sshd:auth): pam_get_item returned a password
pam_winbind(sshd:auth): request wbcLogonUser failed:
WBC_ERR_AUTH_ERROR, PAM error: PAM_SYSTEM_ERR (4), NTSTATUS:
NT_STATUS_CONNECTION_DISCONNECTED, Error message was:
NT_STATUS_CONNECTION_DISCONNECTED
pam_winbind(sshd:auth): internal module error (retval
=PAM_SYSTEM_ERR(4), user = 'pellegrb')
---------------------------------



###########
Server config
###########
The server is a Debian Wheezy with samba-4.1.4 compiled from source.
The keytabs are listed below, along with information about the tested user.

(smb.conf)
---------------------------------
# Global parameters
[global]
        workgroup = FICHNET
        realm = LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
        netbios name = FICHDC
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
drepl, winbind, ntp_signd, kcc, dnsupdate
        unix extensions = yes
...
---------------------------------


(/etc/krb5.conf)
---------------------------------
[libdefaults]
        default_realm = LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
        dns_lookup_realm = false
        dns_lookup_kdc = true
---------------------------------


($ klist -e -k /etc/krb5.keytab )
---------------------------------
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
   1 nfs/fichdc.lyc-guillaume-fichet.ac-grenoble.fr at LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
(des-cbc-crc)
   1 nfs/fichdc.lyc-guillaume-fichet.ac-grenoble.fr at LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
(des-cbc-md5)
   1 nfs/fichdc.lyc-guillaume-fichet.ac-grenoble.fr at LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
(arcfour-hmac)
   1 fichdc$@LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-crc)
   1 fichdc$@LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-md5)
   1 fichdc$@LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (arcfour-hmac)
---------------------------------


($ wbinfo -i pellegrb && id pellegrb )
---------------------------------
FICHNET\pellegrb:*:3000137:3000038::/home/FICHNET/pellegrb:/bin/false
uid=3000137(FICHNET\pellegrb) gid=3000038(FICHNET\teachers)
groups=3000038(FICHNET\teachers),3000037(FICHNET\fichusers),100(users)
---------------------------------



###########
Client config
###########
The client is a Debian Wheezy with samba-4.1.7 compiled from source.
Keytabs are generated with 'net ads join -U administrator'.

(smb.conf)
---------------------------------
[global]

   workgroup = FICHNET
   security = ADS
   realm = LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
   encrypt passwords = yes

   kerberos method = secrets and keytab

   idmap config *:backend = tdb
   idmap config *:range = 5000000-6000000
   idmap config FICHNET:backend = ad
   idmap config FICHNET:schema_mode = rfc2307
   idmap config FICHNET:range = 100-4000000

   winbind nss info = rfc2307
   winbind trusted domains only = no
   winbind use default domain = yes
   winbind enum users  = yes
   winbind enum groups = yes
---------------------------------


(pam_winbind.conf)
---------------------------------
[global]
debug
debug_state
krb5_auth = yes
krb5_ccache_type = FILE
---------------------------------


(/etc/krb5.conf)
---------------------------------
[logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log

[libdefaults]
     default_realm = LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
     dns_lookup_realm = true
     dns_lookup_kdc = true
     ticket_lifetime = 24h
     forwardable = yes

[appdefaults]
     pam = {
          debug = false
          ticket_lifetime = 36000
          renew_lifetime = 36000
          forwardable = true
          krb4_convert = false
     }
---------------------------------



($ klist -e -k /etc/krb5.keytab)
---------------------------------
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
  22 host/salleprofs01.lyc-guillaume-fichet.ac-grenoble.fr at LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
(des-cbc-crc)
  22 host/salleprofs01.lyc-guillaume-fichet.ac-grenoble.fr at LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
(des-cbc-md5)
  22 host/salleprofs01.lyc-guillaume-fichet.ac-grenoble.fr at LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
(aes128-cts-hmac-sha1-96)
  22 host/salleprofs01.lyc-guillaume-fichet.ac-grenoble.fr at LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
(aes256-cts-hmac-sha1-96)
  22 host/salleprofs01.lyc-guillaume-fichet.ac-grenoble.fr at LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
(arcfour-hmac)
  22 host/salleprofs01 at LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-crc)
  22 host/salleprofs01 at LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-md5)
  22 host/salleprofs01 at LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
(aes128-cts-hmac-sha1-96)
  22 host/salleprofs01 at LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
(aes256-cts-hmac-sha1-96)
  22 host/salleprofs01 at LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (arcfour-hmac)
  22 SALLEPROFS01$@LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-crc)
  22 SALLEPROFS01$@LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-md5)
  22 SALLEPROFS01$@LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (aes128-cts-hmac-sha1-96)
  22 SALLEPROFS01$@LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (aes256-cts-hmac-sha1-96)
  22 SALLEPROFS01$@LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (arcfour-hmac)
---------------------------------


($ wbinfo -i pellegrb && id pellegrb )
---------------------------------
pellegrb:*:3000137:3000038::/home/teachers/pellegrb:/bin/bash
uid=3000137(pellegrb) gid=3000038(teachers)
groups=3000038(teachers),100(users),3000037(fichusers),5000001(BUILTIN\users)
---------------------------------


(kerberos test)
---------------------------------
$ kinit pellegrb at LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
Password for pellegrb at LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR:
Warning: Your password will expire in 205 days on Wed Nov 19 12:18:13 2014

$ wbinfo -K FICHNET\\pellegrb
Enter FICHNET\pellegrb's password:
plaintext kerberos password authentication for [FICHNET\pellegrb]
succeeded (requesting cctype: FILE)
credentials were put in: FILE:/tmp/krb5cc_0



#######################
FULL pam_winbind error log
#######################

(/var/log/auth.log)
---------------------------------
pam_winbind(sshd:auth): getting password (0x00000190)
pam_winbind(sshd:auth): pam_get_item returned a password
pam_winbind(sshd:auth): request wbcLogonUser failed:
WBC_ERR_AUTH_ERROR, PAM error: PAM_SYSTEM_ERR (4), NTSTATUS:
NT_STATUS_CONNECTION_DISCONNECTED, Error message was:
NT_STATUS_CONNECTION_DISCONNECTED
pam_winbind(sshd:auth): internal module error (retval =
PAM_SYSTEM_ERR(4), user = 'pellegrb')
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0
tty=ssh ruser= rhost=fichdc.lyc-guillaume-fichet.ac-grenoble.fr
user=pellegrb
Failed password for pellegrb from 172.16.200.20 port 53210 ssh2
Connection closed by 172.16.200.20 [preauth]
---------------------------------


(/var/log/syslog)
---------------------------------
process_request: Handling async request 3570:PAM_AUTH
[ 3570]: pam auth pellegrb
child daemon request 13
child_process_request: request fn PAM_AUTH
[ 3440]: dual pam auth FICHNET\pellegrb
winbindd_dual_pam_auth: domain: FICHNET last was online
winbindd_dual_pam_auth_kerberos
is_myname("FICHNET") returns 0
using ccache: FILE:/tmp/krb5cc_3000137
winbindd_raw_kerberos_login: uid is 3000137
kerberos_kinit_password: as
pellegrb at LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR using
[FILE:/tmp/krb5cc_3000137] as ccache and config
[/usr/local/samba/var/lock/smb_krb5/krb5.conf.FICHNET]
got TGT for pellegrb at LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR in
FILE:/tmp/krb5cc_3000137
    valid until: Sun, 27 April 2014 23:49:13 CEST (1398635353)
    renewable till: Sun, 04 May 2014 13:49:14 CEST (1399204154)
ads_cleanup_expired_creds: Ticket in ccache[FILE:/tmp/krb5cc_3000137]
expiration Sun, 27 April 2014 23:49:13 CEST
ads_krb5_mk_req: Ticket
(SALLEPROFS01$@LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR) in ccache
(FILE:/tmp/krb5cc_3000137) is valid until: (Sun, 27 April 2014
23:49:13 CEST - 1398635353)
Got KRB5 session key of length 16
Starting GENSEC mechanism gse_krb5
../source3/librpc/crypto/gse_krb5.c:279: no prev machine password
name_to_fqdn: lookup for SALLEPROFS01 ->
SALLEPROFS01.lyc-guillaume-fichet.ac-grenoble.fr.
../source3/librpc/crypto/gse_krb5.c:416: krb5_kt_start_seq_get failed
(Permission denied)
===============================================================
INTERNAL ERROR: Signal 11 in pid 3475 (4.1.7)
Please read the Trouble-Shooting section of the Samba HOWTO
===============================================================
PANIC (pid 3475): internal error
BACKTRACE: 35 stack frames:
 #0 /usr/local/samba/lib/libsmbconf.so.0(log_stack_trace+0x1f) [0x7f781b359766]
 #1 /usr/local/samba/lib/libsmbconf.so.0(smb_panic_s3+0x6c) [0x7f781b3595df]
 #2 /usr/local/samba/lib/libsamba-util.so.0(smb_panic+0x28) [0x7f781e8b32cb]
 #3 /usr/local/samba/lib/libsamba-util.so.0(+0x1dfd3) [0x7f781e8b2fd3]
 #4 /usr/local/samba/lib/libsamba-util.so.0(+0x1dfe8) [0x7f781e8b2fe8]
 #5 /lib/x86_64-linux-gnu/libpthread.so.0(+0xf030) [0x7f781ff7d030]
 #6 /usr/local/samba/lib/private/libkrb5-samba4.so.26(krb5_storage_free+0x10)
[0x7f781d1d0fb5]
 #7 /usr/local/samba/lib/private/libkrb5-samba4.so.26(+0x499e1) [0x7f781d1b69e1]
 #8 /usr/local/samba/lib/private/libkrb5-samba4.so.26(krb5_kt_end_seq_get+0x68)
[0x7f781d1b4f59]
 #9 /usr/local/samba/lib/private/libgse.so(+0xb0ae) [0x7f781a4820ae]
 #10 /usr/local/samba/lib/private/libgse.so(gse_krb5_get_server_keytab+0x187)
[0x7f781a48263b]
 #11 /usr/local/samba/lib/private/libgse.so(+0xc11e) [0x7f781a48311e]
 #12 /usr/local/samba/lib/private/libgse.so(+0xd17b) [0x7f781a48417b]
 #13 /usr/local/samba/lib/libgensec.so.0(gensec_start_mech+0x19e)
[0x7f781a8ddccb]
 #14 /usr/local/samba/lib/libgensec.so.0(gensec_start_mech_by_oid+0x111)
[0x7f781a8de085]
 #15 /usr/local/samba/sbin/winbindd(kerberos_return_pac+0x87f) [0x7f78203dadb6]
 #16 /usr/local/samba/sbin/winbindd(+0x46f12) [0x7f78203f2f12]
 #17 /usr/local/samba/sbin/winbindd(+0x487f7) [0x7f78203f47f7]
 #18 /usr/local/samba/sbin/winbindd(winbindd_dual_pam_auth+0x385)
[0x7f78203f5de4]
 #19 /usr/local/samba/sbin/winbindd(+0x64189) [0x7f7820410189]
 #20 /usr/local/samba/sbin/winbindd(+0x66bf1) [0x7f7820412bf1]
 #21 /usr/local/samba/lib/private/libtevent.so.0(+0xcc2d) [0x7f781e043c2d]
 #22 /usr/local/samba/lib/private/libtevent.so.0(+0xd23b) [0x7f781e04423b]
 #23 /usr/local/samba/lib/private/libtevent.so.0(+0x9fbb) [0x7f781e040fbb]
 #24 /usr/local/samba/lib/private/libtevent.so.0(_tevent_loop_once+0xf4)
[0x7f781e03b492]
 #25 /usr/local/samba/sbin/winbindd(+0x67851) [0x7f7820413851]
 #26 /usr/local/samba/sbin/winbindd(+0x631f8) [0x7f782040f1f8]
 #27 /usr/local/samba/lib/private/libtevent.so.0(+0x56c6) [0x7f781e03c6c6]
 #28 /usr/local/samba/lib/private/libtevent.so.0(tevent_common_loop_immediate+0x1f5)
[0x7f781e03c358]
 #29 /usr/local/samba/lib/private/libtevent.so.0(+0xd18b) [0x7f781e04418b]
 #30 /usr/local/samba/lib/private/libtevent.so.0(+0x9fbb) [0x7f781e040fbb]
 #31 /usr/local/samba/lib/private/libtevent.so.0(_tevent_loop_once+0xf4)
[0x7f781e03b492]
 #32 /usr/local/samba/sbin/winbindd(main+0xd15) [0x7f78203dec51]
 #33 /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xfd) [0x7f78188ddead]
 #34 /usr/local/samba/sbin/winbindd(+0x25229) [0x7f78203d1229]
unable to change to /usr/local/samba/var/cores/winbindd
refusing to dump core
wb_request_done[3570:PAM_AUTH]: NT_STATUS_CONNECTION_DISCONNECTED
Already reaped child 3475 died
winbind_client_response_written[3570:PAM_AUTH]: delivered response to client
process_request: Handling async request 3570:GETPWNAM
getpwnam pellegrb
     wbint_LookupName: struct wbint_LookupName
        in: struct wbint_LookupName
            domain                   : *
                domain                   : 'FICHNET'
            name                     : *
                name                     : 'PELLEGRB'
            flags                    : 0x00000008 (8)
     wbint_LookupName: struct wbint_LookupName
        out: struct wbint_LookupName
            type                     : *
                type                     : SID_NAME_USER (1)
            sid                      : *
                sid                      :
S-1-5-21-1691533938-518786298-626738373-1217
            result                   : NT_STATUS_OK
     wbint_QueryUser: struct wbint_QueryUser
        in: struct wbint_QueryUser
            sid                      : *
                sid                      :
S-1-5-21-1691533938-518786298-626738373-1217
     wbint_QueryUser: struct wbint_QueryUser
        out: struct wbint_QueryUser
            info                     : *
                info: struct wbint_userinfo
                    acct_name                : *
                        acct_name                : 'pellegrb'
                    full_name                : NULL
                    homedir                  : *
                        homedir                  : '/home/teachers/pellegrb'
                    shell                    : *
                        shell                    : '/bin/bash'
                    primary_gid              : 0x00000000002dc6e6 (3000038)
                    user_sid                 :
S-1-5-21-1691533938-518786298-626738373-1217
                    group_sid                :
S-1-5-21-1691533938-518786298-626738373-1118
            result                   : NT_STATUS_OK
SID 0: S-1-5-21-1691533938-518786298-626738373-1217
Parsing value for key
[IDMAP/SID2XID/S-1-5-21-1691533938-518786298-626738373-1217]:
value=[3000137:U]
Parsing value for key
[IDMAP/SID2XID/S-1-5-21-1691533938-518786298-626738373-1217]:
id=[3000137], endptr=[:U]
find_lookup_domain_from_sid(S-1-5-21-1691533938-518786298-626738373-1118)
calling find_our_domain
     wbint_LookupSid: struct wbint_LookupSid
        in: struct wbint_LookupSid
            sid                      : *
                sid                      :
S-1-5-21-1691533938-518786298-626738373-1118
     wbint_LookupSid: struct wbint_LookupSid
        out: struct wbint_LookupSid
            type                     : *
                type                     : SID_NAME_DOM_GRP (2)
            domain                   : *
                domain                   : *
                    domain                   : 'FICHNET'
            name                     : *
                name                     : *
                    name                     : 'teachers'
            result                   : NT_STATUS_OK
SID 0: S-1-5-21-1691533938-518786298-626738373-1118
Parsing value for key
[IDMAP/SID2XID/S-1-5-21-1691533938-518786298-626738373-1118]:
value=[3000038:G]
Parsing value for key
[IDMAP/SID2XID/S-1-5-21-1691533938-518786298-626738373-1118]:
id=[3000038], endptr=[:G]
wb_request_done[3570:GETPWNAM]: NT_STATUS_OK
winbind_client_response_written[3570:GETPWNAM]: delivered response to client
closing socket 24, client exited
---------------------------------


Thanks!
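As an added example (not part of this report, and not Samba's own code), the following Python script does the two checks a reader would want to run on the client before chasing the crash further: it parses the `klist -e -k` listing shown above, flags principals that are missing for a `net ads join` host keytab, mixed KVNOs and DES/RC4 keys, and it tests whether a keytab file is readable by a given uid. The uid check rests on an assumption: the syslog shows the winbind child at "uid is 3000137" just before krb5_kt_start_seq_get returns "Permission denied", so a keytab that this uid cannot open is the hypothesis being tested here, not a conclusion drawn by the report. The expected principal names (NETBIOS$@REALM, host/short and host/fqdn) follow the keytab listing above; the sample input is constructed from a subset of that listing, including the archive's " at " in place of "@" and one enctype wrapped onto the next line.

```python
"""Keytab checks for a winbind Kerberos client (added example, not Samba code)."""
import os
import re
import stat
import tempfile
from collections import namedtuple

KeytabEntry = namedtuple("KeytabEntry", "kvno principal enctype")

# Single DES is deprecated by RFC 6649; 3DES and RC4 (arcfour) by RFC 8429.
WEAK_ENCTYPES = {
    "des-cbc-crc", "des-cbc-md5", "des-cbc-md4", "des3-cbc-sha1",
    "arcfour-hmac", "arcfour-hmac-md5",
}

# Matches "  22 host/name.example.com@REALM (aes256-cts-hmac-sha1-96)"
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(.+?)\s+\(([\w-]+)\)\s*$")


def parse_klist(text):
    """Parse `klist -e -k` output into KeytabEntry tuples.

    Tolerates the mailing-list archive's ' at ' for '@' and an "(enctype)"
    suffix that was wrapped onto the following line.
    """
    lines = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith(("Keytab name:", "KVNO")):
            continue
        if line.lstrip().startswith("(") and lines:
            lines[-1] += " " + line.strip()  # re-join a wrapped "(enctype)"
        else:
            lines.append(line)
    entries = []
    for line in lines:
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError("unparseable keytab line: %r" % line)
        principal = m.group(2).replace(" at ", "@")  # undo archive obfuscation
        entries.append(KeytabEntry(int(m.group(1)), principal, m.group(3)))
    return entries


def audit_keytab(entries, netbios_name, fqdn, realm):
    """Return findings for a host keytab written by `net ads join`.

    Assumption: the keytab should carry NETBIOS$@REALM plus the short and
    FQDN host/ principals, as the report's client listing does.
    """
    findings = []
    wanted = {
        "%s$@%s" % (netbios_name.upper(), realm),
        "host/%s@%s" % (fqdn.lower(), realm),
        "host/%s@%s" % (netbios_name.lower(), realm),
    }
    for p in sorted(wanted - {e.principal for e in entries}):
        findings.append("missing principal %s" % p)
    kvnos = sorted({e.kvno for e in entries})
    if len(kvnos) > 1:
        findings.append("mixed KVNOs %s (stale keys after a password change?)" % kvnos)
    for e in entries:
        if e.enctype in WEAK_ENCTYPES:
            findings.append("weak enctype %s for %s" % (e.enctype, e.principal))
    if not any(e.enctype.startswith("aes") for e in entries):
        findings.append("no AES keys present")
    return findings


def readable_by(path, uid, gids=()):
    """True if a process with this uid/gids may open `path` for reading.

    Mirrors the kernel's owner/group/other mode check; root always passes.
    POSIX ACLs are not considered.
    """
    st = os.stat(path)
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)


def readable_by_demo(mode, uid, gids=()):
    """Create a throw-away file with `mode` and ask readable_by about it."""
    fd, path = tempfile.mkstemp(prefix="krb5.keytab.")
    os.close(fd)
    try:
        os.chmod(path, mode)
        return readable_by(path, uid, gids)
    finally:
        os.unlink(path)


# Constructed sample: a subset of the report's client keytab listing.
CLIENT_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
  22 host/salleprofs01.lyc-guillaume-fichet.ac-grenoble.fr at LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
(des-cbc-crc)
  22 host/salleprofs01.lyc-guillaume-fichet.ac-grenoble.fr at LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (aes256-cts-hmac-sha1-96)
  22 host/salleprofs01 at LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (aes256-cts-hmac-sha1-96)
  22 SALLEPROFS01$@LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-md5)
  22 SALLEPROFS01$@LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (aes256-cts-hmac-sha1-96)
  22 SALLEPROFS01$@LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (arcfour-hmac)
"""
REALM = "LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR"
CLIENT_FQDN = "salleprofs01.lyc-guillaume-fichet.ac-grenoble.fr"
```

Run against the sample, `audit_keytab(parse_klist(CLIENT_KLIST), "SALLEPROFS01", CLIENT_FQDN, REALM)` reports only the three DES/RC4 keys; the principals and KVNO are consistent. `readable_by_demo(0o600, 3000137)` is False, which is the situation the uid hypothesis describes for a root-owned 0600 /etc/krb5.keytab. Whatever the trigger turns out to be, the backtrace above shows the crash in krb5_storage_free under krb5_kt_end_seq_get, reached right after krb5_kt_start_seq_get had already failed; this script only helps with the trigger visible in the log, not with the crash itself.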

