[Samba] SIGSEGV with pam_winbind kerberos authentication
Rowland Penny
rowlandpenny at googlemail.com
Sun Apr 27 12:41:32 MDT 2014
On 27/04/14 18:58, Prunk Dump wrote:
> 2014-04-27 15:05 GMT+02:00 Rowland Penny <rowlandpenny at googlemail.com>:
>> I think that we are going to need a bit more info: your smb.conf on the
>> server, how have you set up kerberos authentication, etc
>>
>> Rowland
>>
> ###############
> Bug description :
> ###############
> When I enable Kerberos authentication with host keytabs using
> pam_winbind I can't log on as a domain user through gdm or ssh.
>
> (/var/log/syslog)
> ---------------------------------
> Starting GENSEC mechanism gse_krb5
> ../source3/librpc/crypto/gse_krb5.c:279: no prev machine password
> name_to_fqdn: lookup for SALLEPROFS01 -> SALLEPROFS01.lyc-guillaume-fichet.ac-grenoble.fr.
> ../source3/librpc/crypto/gse_krb5.c:416: krb5_kt_start_seq_get failed (Permission denied)
> ...
> ...
> ===================================
> INTERNAL ERROR: Signal 11 in pid 3475 (4.1.7)
> Please read the Trouble-Shooting section of the Samba HOWTO
> ===================================
> PANIC (pid 3475): internal error
> BACKTRACE: 35 stack frames:
> #0 /usr/local/samba/lib/libsmbconf.so.0(log_stack_trace+0x1f) [0x7f781b359766]
> #1 /usr/local/samba/lib/libsmbconf.so.0(smb_panic_s3+0x6c) [0x7f781b3595df]
> #2 /usr/local/samba/lib/libsamba-util.so.0(smb_panic+0x28) [0x7f781e8b32cb]
> #3 /usr/local/samba/lib/libsamba-util.so.0(+0x1dfd3) [0x7f781e8b2fd3]
> #4 /usr/local/samba/lib/libsamba-util.so.0(+0x1dfe8) [0x7f781e8b2fe8]
> #5 /lib/x86_64-linux-gnu/libpthread.so.0(+0xf030) [0x7f781ff7d030]
> #6 /usr/local/samba/lib/private/libkrb5-samba4.so.26(krb5_storage_free+0x10)
> ...
> ---------------------------------
>
>
> (/var/log/auth.log)
> ---------------------------------
> pam_winbind(sshd:auth): getting password (0x00000190)
> pam_winbind(sshd:auth): pam_get_item returned a password
> pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_SYSTEM_ERR (4), NTSTATUS: NT_STATUS_CONNECTION_DISCONNECTED, Error message was: NT_STATUS_CONNECTION_DISCONNECTED
> pam_winbind(sshd:auth): internal module error (retval = PAM_SYSTEM_ERR(4), user = 'pellegrb')
> ---------------------------------
>
>
>
> ###########
> Server config
> ###########
> The server is a Debian Wheezy with samba-4.1.4 compiled from source.
> Keytabs are listed below with the information about the tested user.
>
> (smb.conf)
> ---------------------------------
> # Global parameters
> [global]
> workgroup = FICHNET
> realm = LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
> netbios name = FICHDC
> server role = active directory domain controller
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
> unix extensions = yes
> ...
> ---------------------------------
>
>
> (/etc/krb5.conf)
> ---------------------------------
> [libdefaults]
> default_realm = LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
> dns_lookup_realm = false
> dns_lookup_kdc = true
> ---------------------------------
>
>
> ($ klist -e -k /etc/krb5.keytab )
> ---------------------------------
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> 1 nfs/fichdc.lyc-guillaume-fichet.ac-grenoble.fr@LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-crc)
> 1 nfs/fichdc.lyc-guillaume-fichet.ac-grenoble.fr@LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-md5)
> 1 nfs/fichdc.lyc-guillaume-fichet.ac-grenoble.fr@LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (arcfour-hmac)
> 1 fichdc$@LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-crc)
> 1 fichdc$@LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-md5)
> 1 fichdc$@LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (arcfour-hmac)
> ---------------------------------
>
>
> ($ wbinfo -i pellegrb && id pellegrb )
> ---------------------------------
> FICHNET\pellegrb:*:3000137:3000038::/home/FICHNET/pellegrb:/bin/false
> uid=3000137(FICHNET\pellegrb) gid=3000038(FICHNET\teachers)
> groups=3000038(FICHNET\teachers),3000037(FICHNET\fichusers),100(users)
> ---------------------------------
>
>
>
> ###########
> Client config
> ###########
> The client is a Debian Wheezy with samba-4.1.7 compiled from source.
> Keytabs are generated with 'net ads join -U administrator'.
>
> (smb.conf)
> ---------------------------------
> [global]
>
> workgroup = FICHNET
> security = ADS
> realm = LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
> encrypt passwords = yes
>
> kerberos method = secrets and keytab
>
> idmap config *:backend = tdb
> idmap config *:range = 5000000-6000000
> idmap config FICHNET:backend = ad
> idmap config FICHNET:schema_mode = rfc2307
> idmap config FICHNET:range = 100-4000000
>
> winbind nss info = rfc2307
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
> ---------------------------------
>
>
> (pam_winbind.conf)
> ---------------------------------
> [global]
> debug
> debug_state
> krb5_auth = yes
> krb5_ccache_type = FILE
> ---------------------------------
>
>
> (/etc/krb5.conf)
> ---------------------------------
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> default_realm = LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
> dns_lookup_realm = true
> dns_lookup_kdc = true
> ticket_lifetime = 24h
> forwardable = yes
>
> [appdefaults]
> pam = {
> debug = false
> ticket_lifetime = 36000
> renew_lifetime = 36000
> forwardable = true
> krb4_convert = false
> }
> ---------------------------------
>
>
>
> ($ klist -e -k /etc/krb5.keytab)
> ---------------------------------
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> 22 host/salleprofs01.lyc-guillaume-fichet.ac-grenoble.fr@LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-crc)
> 22 host/salleprofs01.lyc-guillaume-fichet.ac-grenoble.fr@LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-md5)
> 22 host/salleprofs01.lyc-guillaume-fichet.ac-grenoble.fr@LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (aes128-cts-hmac-sha1-96)
> 22 host/salleprofs01.lyc-guillaume-fichet.ac-grenoble.fr@LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (aes256-cts-hmac-sha1-96)
> 22 host/salleprofs01.lyc-guillaume-fichet.ac-grenoble.fr@LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (arcfour-hmac)
> 22 host/salleprofs01@LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-crc)
> 22 host/salleprofs01@LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-md5)
> 22 host/salleprofs01@LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (aes128-cts-hmac-sha1-96)
> 22 host/salleprofs01@LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (aes256-cts-hmac-sha1-96)
> 22 host/salleprofs01@LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (arcfour-hmac)
> 22 SALLEPROFS01$@LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-crc)
> 22 SALLEPROFS01$@LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (des-cbc-md5)
> 22 SALLEPROFS01$@LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (aes128-cts-hmac-sha1-96)
> 22 SALLEPROFS01$@LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (aes256-cts-hmac-sha1-96)
> 22 SALLEPROFS01$@LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR (arcfour-hmac)
> ---------------------------------
>
>
> ($ wbinfo -i pellegrb && id pellegrb )
> ---------------------------------
> pellegrb:*:3000137:3000038::/home/teachers/pellegrb:/bin/bash
> uid=3000137(pellegrb) gid=3000038(teachers)
> groups=3000038(teachers),100(users),3000037(fichusers),5000001(BUILTIN\users)
> ---------------------------------
>
>
> (kerberos test)
> ---------------------------------
> $ kinit pellegrb@LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR
> Password for pellegrb@LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR:
> Warning: Your password will expire in 205 days on Wed Nov 19 12:18:13 2014
>
> $ wbinfo -K FICHNET\\pellegrb
> Enter FICHNET\pellegrb's password:
> plaintext kerberos password authentication for [FICHNET\pellegrb]
> succeeded (requesting cctype: FILE)
> credentials were put in: FILE:/tmp/krb5cc_0
>
>
>
> #######################
> FULL pam_winbind error log
> #######################
>
> (/var/log/auth.log)
> ---------------------------------
> pam_winbind(sshd:auth): getting password (0x00000190)
> pam_winbind(sshd:auth): pam_get_item returned a password
> pam_winbind(sshd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_SYSTEM_ERR (4), NTSTATUS: NT_STATUS_CONNECTION_DISCONNECTED, Error message was: NT_STATUS_CONNECTION_DISCONNECTED
> pam_winbind(sshd:auth): internal module error (retval = PAM_SYSTEM_ERR(4), user = 'pellegrb')
> pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=fichdc.lyc-guillaume-fichet.ac-grenoble.fr user=pellegrb
> Failed password for pellegrb from 172.16.200.20 port 53210 ssh2
> Connection closed by 172.16.200.20 [preauth]
> ---------------------------------
>
>
> (/var/log/syslog)
> ---------------------------------
> process_request: Handling async request 3570:PAM_AUTH
> [ 3570]: pam auth pellegrb
> child daemon request 13
> child_process_request: request fn PAM_AUTH
> [ 3440]: dual pam auth FICHNET\pellegrb
> winbindd_dual_pam_auth: domain: FICHNET last was online
> winbindd_dual_pam_auth_kerberos
> is_myname("FICHNET") returns 0
> using ccache: FILE:/tmp/krb5cc_3000137
> winbindd_raw_kerberos_login: uid is 3000137
> kerberos_kinit_password: as pellegrb@LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR using [FILE:/tmp/krb5cc_3000137] as ccache and config [/usr/local/samba/var/lock/smb_krb5/krb5.conf.FICHNET]
> got TGT for pellegrb@LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR in FILE:/tmp/krb5cc_3000137
> valid until: Sun, 27 April 2014 23:49:13 CEST (1398635353)
> renewable till: Sun, 04 May 2014 13:49:14 CEST (1399204154)
> ads_cleanup_expired_creds: Ticket in ccache[FILE:/tmp/krb5cc_3000137] expiration Sun, 27 April 2014 23:49:13 CEST
> ads_krb5_mk_req: Ticket (SALLEPROFS01$@LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR) in ccache (FILE:/tmp/krb5cc_3000137) is valid until: (Sun, 27 April 2014 23:49:13 CEST - 1398635353)
> Got KRB5 session key of length 16
> Starting GENSEC mechanism gse_krb5
> ../source3/librpc/crypto/gse_krb5.c:279: no prev machine password
> name_to_fqdn: lookup for SALLEPROFS01 -> SALLEPROFS01.lyc-guillaume-fichet.ac-grenoble.fr.
> ../source3/librpc/crypto/gse_krb5.c:416: krb5_kt_start_seq_get failed (Permission denied)
> ===============================================================
> INTERNAL ERROR: Signal 11 in pid 3475 (4.1.7)
> Please read the Trouble-Shooting section of the Samba HOWTO
> ===============================================================
> PANIC (pid 3475): internal error
> BACKTRACE: 35 stack frames:
> #0 /usr/local/samba/lib/libsmbconf.so.0(log_stack_trace+0x1f) [0x7f781b359766]
> #1 /usr/local/samba/lib/libsmbconf.so.0(smb_panic_s3+0x6c) [0x7f781b3595df]
> #2 /usr/local/samba/lib/libsamba-util.so.0(smb_panic+0x28) [0x7f781e8b32cb]
> #3 /usr/local/samba/lib/libsamba-util.so.0(+0x1dfd3) [0x7f781e8b2fd3]
> #4 /usr/local/samba/lib/libsamba-util.so.0(+0x1dfe8) [0x7f781e8b2fe8]
> #5 /lib/x86_64-linux-gnu/libpthread.so.0(+0xf030) [0x7f781ff7d030]
> #6 /usr/local/samba/lib/private/libkrb5-samba4.so.26(krb5_storage_free+0x10) [0x7f781d1d0fb5]
> #7 /usr/local/samba/lib/private/libkrb5-samba4.so.26(+0x499e1) [0x7f781d1b69e1]
> #8 /usr/local/samba/lib/private/libkrb5-samba4.so.26(krb5_kt_end_seq_get+0x68) [0x7f781d1b4f59]
> #9 /usr/local/samba/lib/private/libgse.so(+0xb0ae) [0x7f781a4820ae]
> #10 /usr/local/samba/lib/private/libgse.so(gse_krb5_get_server_keytab+0x187) [0x7f781a48263b]
> #11 /usr/local/samba/lib/private/libgse.so(+0xc11e) [0x7f781a48311e]
> #12 /usr/local/samba/lib/private/libgse.so(+0xd17b) [0x7f781a48417b]
> #13 /usr/local/samba/lib/libgensec.so.0(gensec_start_mech+0x19e) [0x7f781a8ddccb]
> #14 /usr/local/samba/lib/libgensec.so.0(gensec_start_mech_by_oid+0x111) [0x7f781a8de085]
> #15 /usr/local/samba/sbin/winbindd(kerberos_return_pac+0x87f) [0x7f78203dadb6]
> #16 /usr/local/samba/sbin/winbindd(+0x46f12) [0x7f78203f2f12]
> #17 /usr/local/samba/sbin/winbindd(+0x487f7) [0x7f78203f47f7]
> #18 /usr/local/samba/sbin/winbindd(winbindd_dual_pam_auth+0x385) [0x7f78203f5de4]
> #19 /usr/local/samba/sbin/winbindd(+0x64189) [0x7f7820410189]
> #20 /usr/local/samba/sbin/winbindd(+0x66bf1) [0x7f7820412bf1]
> #21 /usr/local/samba/lib/private/libtevent.so.0(+0xcc2d) [0x7f781e043c2d]
> #22 /usr/local/samba/lib/private/libtevent.so.0(+0xd23b) [0x7f781e04423b]
> #23 /usr/local/samba/lib/private/libtevent.so.0(+0x9fbb) [0x7f781e040fbb]
> #24 /usr/local/samba/lib/private/libtevent.so.0(_tevent_loop_once+0xf4) [0x7f781e03b492]
> #25 /usr/local/samba/sbin/winbindd(+0x67851) [0x7f7820413851]
> #26 /usr/local/samba/sbin/winbindd(+0x631f8) [0x7f782040f1f8]
> #27 /usr/local/samba/lib/private/libtevent.so.0(+0x56c6) [0x7f781e03c6c6]
> #28 /usr/local/samba/lib/private/libtevent.so.0(tevent_common_loop_immediate+0x1f5) [0x7f781e03c358]
> #29 /usr/local/samba/lib/private/libtevent.so.0(+0xd18b) [0x7f781e04418b]
> #30 /usr/local/samba/lib/private/libtevent.so.0(+0x9fbb) [0x7f781e040fbb]
> #31 /usr/local/samba/lib/private/libtevent.so.0(_tevent_loop_once+0xf4) [0x7f781e03b492]
> #32 /usr/local/samba/sbin/winbindd(main+0xd15) [0x7f78203dec51]
> #33 /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xfd) [0x7f78188ddead]
> #34 /usr/local/samba/sbin/winbindd(+0x25229) [0x7f78203d1229]
> unable to change to /usr/local/samba/var/cores/winbindd
> refusing to dump core
> wb_request_done[3570:PAM_AUTH]: NT_STATUS_CONNECTION_DISCONNECTED
> Already reaped child 3475 died
> winbind_client_response_written[3570:PAM_AUTH]: delivered response to client
> process_request: Handling async request 3570:GETPWNAM
> getpwnam pellegrb
> wbint_LookupName: struct wbint_LookupName
> in: struct wbint_LookupName
> domain : *
> domain : 'FICHNET'
> name : *
> name : 'PELLEGRB'
> flags : 0x00000008 (8)
> wbint_LookupName: struct wbint_LookupName
> out: struct wbint_LookupName
> type : *
> type : SID_NAME_USER (1)
> sid : *
> sid :
> S-1-5-21-1691533938-518786298-626738373-1217
> result : NT_STATUS_OK
> wbint_QueryUser: struct wbint_QueryUser
> in: struct wbint_QueryUser
> sid : *
> sid :
> S-1-5-21-1691533938-518786298-626738373-1217
> wbint_QueryUser: struct wbint_QueryUser
> out: struct wbint_QueryUser
> info : *
> info: struct wbint_userinfo
> acct_name : *
> acct_name : 'pellegrb'
> full_name : NULL
> homedir : *
> homedir : '/home/teachers/pellegrb'
> shell : *
> shell : '/bin/bash'
> primary_gid : 0x00000000002dc6e6 (3000038)
> user_sid :
> S-1-5-21-1691533938-518786298-626738373-1217
> group_sid :
> S-1-5-21-1691533938-518786298-626738373-1118
> result : NT_STATUS_OK
> SID 0: S-1-5-21-1691533938-518786298-626738373-1217
> Parsing value for key
> [IDMAP/SID2XID/S-1-5-21-1691533938-518786298-626738373-1217]:
> value=[3000137:U]
> Parsing value for key
> [IDMAP/SID2XID/S-1-5-21-1691533938-518786298-626738373-1217]:
> id=[3000137], endptr=[:U]
> find_lookup_domain_from_sid(S-1-5-21-1691533938-518786298-626738373-1118)
> calling find_our_domain
> wbint_LookupSid: struct wbint_LookupSid
> in: struct wbint_LookupSid
> sid : *
> sid :
> S-1-5-21-1691533938-518786298-626738373-1118
> wbint_LookupSid: struct wbint_LookupSid
> out: struct wbint_LookupSid
> type : *
> type : SID_NAME_DOM_GRP (2)
> domain : *
> domain : *
> domain : 'FICHNET'
> name : *
> name : *
> name : 'teachers'
> result : NT_STATUS_OK
> SID 0: S-1-5-21-1691533938-518786298-626738373-1118
> Parsing value for key
> [IDMAP/SID2XID/S-1-5-21-1691533938-518786298-626738373-1118]:
> value=[3000038:G]
> Parsing value for key
> [IDMAP/SID2XID/S-1-5-21-1691533938-518786298-626738373-1118]:
> id=[3000038], endptr=[:G]
> wb_request_done[3570:GETPWNAM]: NT_STATUS_OK
> winbind_client_response_written[3570:GETPWNAM]: delivered response to client
> closing socket 24, client exited
> ---------------------------------
>
>
> Thanks !
OK, I use Ubuntu 14.04 for the servers and also for a fileserver, and I
can ssh into them without a password. This is my setup:
Samba 4 AD DC with [home] set up as per the samba wiki and user info in AD
RFC2307 attributes.
Add this to /etc/ssh/sshd_config
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
GSSAPIKeyExchange yes
# Only for renamed hosts
GSSAPIStrictAcceptorCheck no
restart sshd
Export keytab
samba-tool domain exportkeytab /etc/krb5.keytab -U Administrator
Now on your client:
You need a kerberos ticket for your user:
kinit username
You should now be able to ssh into the ssh server:
ssh -K username@server
Only problem is you need to get a new kerberos ticket at the start of
every new login session, or use something that gets a ticket for you
when you log into the client.
Rowland
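Two things in the quoted logs are worth checking on any host before switching pam_winbind to krb5_auth: the winbindd child fails in krb5_kt_start_seq_get with "Permission denied" on the keytab, and both keytabs listed in the report carry single-DES and RC4 keys alongside AES ones. The script below is an added example, not code from this thread or from Samba: it checks who can read a keytab and scans `klist -k -e` output for weak encryption types. It goes a little beyond the thread by flagging the whole DES/RC4/3DES family rather than only the three enctypes shown. It assumes a POSIX sh, `ls -ld` for the file mode and one-entry-per-line `klist -k -e` output (the MIT and Heimdal format); the function names, the realm EXAMPLE.TEST and the sample listing are constructed for the example.

```shell
#!/bin/sh
# Added example (not code from this thread or from Samba): audit a keytab
# before turning on pam_winbind krb5_auth. Two checks, both motivated by the
# quoted logs: (1) who can read the keytab, since the winbindd child fails
# in krb5_kt_start_seq_get with "Permission denied"; (2) which enctypes the
# keys use, since the keytabs shown carry single-DES and RC4 keys next to
# AES ones. Assumes a POSIX sh, "ls -ld" for the mode, and "klist -k -e"
# output in the one-entry-per-line form MIT and Heimdal print.
set -f   # no pathname expansion: principals are split with "set --" below

# Enctypes that should not be in a host keytab any more (assumed list,
# extended beyond the three seen in the thread: DES, RC4 and 3DES families).
WEAK_ENCTYPES='des-cbc-crc des-cbc-md5 des-cbc-md4 des3-cbc-sha1 arcfour-hmac arcfour-hmac-md5 arcfour-hmac-exp'

# keytab_mode FILE: print the symbolic mode from ls, e.g. "-rw-------".
keytab_mode() {
    set -- $(ls -ld "$1")
    printf '%s\n' "$1"
}

# keytab_others_can_read FILE: succeed when the "other" read bit is set,
# i.e. every local user can copy the host's long-term keys.
keytab_others_can_read() {
    case "$(keytab_mode "$1")" in
        ???????r*) return 0 ;;
        *)         return 1 ;;
    esac
}

# weak_enctype_count: read "klist -k -e" output on stdin, report each weak
# key on stderr as "WEAK <principal> <enctype>", print the total on stdout.
weak_enctype_count() {
    n=0
    while IFS= read -r line; do
        case "$line" in
            *\(*\)) ;;          # only "KVNO principal (enctype)" lines
            *) continue ;;
        esac
        set -- $line
        princ=$2
        enc=${line##*(}
        enc=${enc%%)*}
        for w in $WEAK_ENCTYPES; do
            [ "$enc" = "$w" ] || continue
            printf 'WEAK %s %s\n' "$princ" "$enc" >&2
            n=$((n + 1))
        done
    done
    printf '%s\n' "$n"
}

# Constructed sample in the shape of the client keytab listing in the thread
# (realm and host names are made up for the example).
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------
  22 host/salleprofs01.example.test@EXAMPLE.TEST (des-cbc-crc)
  22 host/salleprofs01.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
  22 SALLEPROFS01$@EXAMPLE.TEST (arcfour-hmac)
  22 SALLEPROFS01$@EXAMPLE.TEST (aes128-cts-hmac-sha1-96)'

# audit_keytab FILE: run both checks against a real keytab (needs klist).
# Exit status 0 only when the file is not world-readable and has no weak keys.
audit_keytab() {
    rc=0
    if keytab_others_can_read "$1"; then
        echo "$1 is world-readable: $(keytab_mode "$1")" >&2
        rc=1
    fi
    weak=$(klist -k -e "$1" | weak_enctype_count)
    [ "$weak" -eq 0 ] || rc=1
    return $rc
}

if [ "$#" -gt 0 ]; then
    audit_keytab "$1"
else
    # No keytab given: show the enctype check on the constructed sample
    # (prints the two weak entries on stderr and the count 2 on stdout).
    printf '%s\n' "$SAMPLE_KLIST" | weak_enctype_count
fi
```

Run it as `sh audit_keytab.sh /etc/krb5.keytab` on the client; a world-readable keytab or a weak key makes it exit non-zero. Note that a keytab readable only by root is correct from a confidentiality standpoint, so if the permission check passes and winbindd still logs "Permission denied", the question to answer next is which uid the failing winbindd child is running with when it opens the file, which the permission check alone cannot tell you.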