[Samba] [PATCH] Re: S4-Winbind dumping core on password

smk_va smk_va at yahoo.com
Tue Aug 5 19:42:18 MDT 2014 

I applied the patch against sernet-samba-4.1.10 and the symptoms still appear to be the same (please see below output from running "valgrind --trace-children=yes winbindd".  However, I took your point about kerberos method configuration and ran some tests with samba 3.6 and 4.1.  Following are our findings, and the issue seems to boil down to plaintext authentication not working with kerberos method = system keytab.  I would appreciate feedback on our findings below, particularly whether failing password logins with kerberos method = system keytab are a bug or a feature (seems a bug, but my understanding of Kerberos internals is, err, limited).

1.)  With kerberos method = secrets (the default), logging in with a domain account using ssh works fine for passwordless logins (gssapi-with-mic) as well as for password-based authentication.  Winbind log shows:

winbindd/winbindd_pam.c:1806(winbindd_dual_pam_auth)
  Plain-text authentication for user MYDOMAIN\myusername returned NT_STATUS_OK (PAM: 0)
      
2.)  With kerberos method = system keytab, passwordless logins with domain accounts (ssh/gssapi) work fine.  Password-based logins fail under samba 3.6 with:


winbindd/winbindd_pam.c:1621(winbindd_dual_pam_auth)
  winbindd_dual_pam_auth_kerberos failed: NT_STATUS_LOGON_FAILURE
winbindd/winbindd_pam.c:1806(winbindd_dual_pam_auth)
  Plain-text authentication for user MYDOMAIN\myusername returned NT_STATUS_LOGON_FAILURE (PAM: 7)


However, with samba 4.1, and kerberos method = system keytab, password-based login fails and winbind issues a PANIC and stack-trace.
      
3.)  Finally, with kerberos method = secrets and keytab, winbind authentication seems to have changed between 3.6 and 4.1 (and likely, 4.0).  Whereas samba-3.6 winbind successfully authenticates plain-text passwords just as when kerberos method = secrets only; samba-4.1 winbind fails just as when kerberos method = system keytab is configured.
  
My issue arose because of the change in behavior between samba-3.6 and samba-4 in (3.) above.  Configuring kerberos method = secrets only (the default) seems to take care of my issue as far as I can tell (we do not need special accounts/SPNs for running samba/cifs).  However, it would be nice to have a cleaner setup (no samba PANICs), and to understand the plaintext authentication issue when kerberos method = system keytab.
  
Thanks for the help,
    Murthy


==27847==
==27847== HEAP SUMMARY:
==27847==     in use at exit: 24,713 bytes in 197 blocks
==27847==   total heap usage: 20,941 allocs, 20,744 frees, 4,264,250 bytes allocated
==27847==
==27847== LEAK SUMMARY:
==27847==    definitely lost: 26 bytes in 2 blocks
==27847==    indirectly lost: 0 bytes in 0 blocks
==27847==      possibly lost: 21,339 bytes in 128 blocks
==27847==    still reachable: 3,348 bytes in 67 blocks
==27847==         suppressed: 0 bytes in 0 blocks
==27847== Rerun with --leak-check=full to see details of leaked memory
==27847==
==27847== For counts of detected and suppressed errors, rerun with: -v
==27847== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 6 from 6)
==27848==
==27848== HEAP SUMMARY:
==27848==     in use at exit: 51,366 bytes in 305 blocks
==27848==   total heap usage: 4,261 allocs, 3,956 frees, 2,631,685 bytes allocated
==27848==
==27848== LEAK SUMMARY:
==27848==    definitely lost: 26 bytes in 2 blocks
==27848==    indirectly lost: 0 bytes in 0 blocks
==27848==      possibly lost: 46,744 bytes in 219 blocks
==27848==    still reachable: 4,596 bytes in 84 blocks
==27848==         suppressed: 0 bytes in 0 blocks
==27848== Rerun with --leak-check=full to see details of leaked memory
==27848==
==27848== For counts of detected and suppressed errors, rerun with: -v
==27848== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 6 from 6)
==27896== Invalid read of size 8
==27896==    at 0x778DAAE: krb5_storage_free (store.c:273)
==27896==    by 0x777934C: fkt_end_seq_get (keytab_file.c:520)
==27896==    by 0x777805D: krb5_kt_end_seq_get (keytab.c:795)
==27896==    by 0x942AF89: fill_mem_keytab_from_system_keytab (gse_krb5.c:478)
==27896==    by 0x942B097: gse_krb5_get_server_keytab (gse_krb5.c:589)
==27896==    by 0x942CC63: gensec_gse_server_start (gse.c:345)
==27896==    by 0x83FF414: gensec_start_mech (gensec_start.c:663)
==27896==    by 0x8400823: gensec_start_mech_by_oid (gensec_start.c:761)
==27896==    by 0x1325D2: kerberos_return_pac (authdata.c:255)
==27896==    by 0x145D3B: winbindd_dual_pam_auth (winbindd_pam.c:645)
==27896==    by 0x15ABD9: child_handler (winbindd_dual.c:459)
==27896==    by 0x58BBA7B: epoll_event_loop_once (tevent_epoll.c:736)
==27896==  Address 0x28 is not stack'd, malloc'd or (recently) free'd
==27896==
==27896==
==27896== HEAP SUMMARY:
==27896==     in use at exit: 100,438 bytes in 582 blocks
==27896==   total heap usage: 107,032 allocs, 106,450 frees, 38,620,131 bytes allocated
==27896==
==27896== LEAK SUMMARY:
==27896==    definitely lost: 2,495 bytes in 3 blocks
==27896==    indirectly lost: 0 bytes in 0 blocks
==27896==      possibly lost: 62,241 bytes in 290 blocks
==27896==    still reachable: 35,702 bytes in 289 blocks
==27896==         suppressed: 0 bytes in 0 blocks
==27896== Rerun with --leak-check=full to see details of leaked memory
==27896==
==27896== For counts of detected and suppressed errors, rerun with: -v
==27896== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 48 from 9)




On Friday, August 1, 2014 11:12 AM, smk_va <smk_va at yahoo.com> wrote:
Andrew, thanks, I'll try the patch and get back to you shortly.

I'll note that, yes, smb.conf has:
kerberos method = secrets and keytab

However, I think I have a working system keytab in /etc/krb5.keytab, as I get a valid ticket with:

kinit -k `hostname -s | tr a-z A-Z`$ 

(used for mounting cifs shares with the machine account's credentials).  


So I'm wondering if this really is the issue, but let's see what we learn from a patched samba4.

Thanks,
   Murthy









On Friday, August 1, 2014 12:12 AM, Andrew Bartlett <abartlet at samba.org> wrote:

On Tue, 2014-07-29 at 12:04 -0700, smk_va wrote:
> I'm still having the issue that password authentication to a domain account appears to cause sernet-samba-winbind to dump core.  I've attached output from reproducing the error with "valgrind --trace-children=yes winbindd", but this time with the debuginfo package installed (which appears to give more informtaion).  Help getting samba-4.1 working in our AD environment would be much appreciated.

Try this patch.

I suspect this is happening because you are using 'kerberos method = system' or
similar but have no system keytab. 

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba







-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

More information about the samba mailing list