[Samba] Winbindd segfaults with bind9-dlz trying to login via libwinbind-pam
Achim Gottinger
achim at ag-web.biz
Sun Jul 17 18:54:18 UTC 2016
Hello,

I just found an odd behaviour here on my test environment (debian
jessie with samba 4.4.5 backported from sid).

I create an ad-dc as usual, adjust nsswitch.conf and enable
pam-auth-winbind (running pam-auth-update). I also define /bin/bash as
template shell.
Now after I create a samba-user and the user's home directory
(/home/DOMAIN/achim), I can login with that account on the console.

Then I switch to bind9 dlz backend now (samba_upgradedns
--dns-backend=BIND9_DLZ), adjust bind and samba settings and verify
/var/lib/samba/private/dns.keytab read access for bind group.
Name resolution works and windows clients are able to enter their dns
records.

But if I try to login as the previously working samba user achim I get:
root@dc1:~# login achim
Password:
Login incorrect
dc1 login:
/var/log/auth.log
Jul 17 20:23:28 dc1 login[1724]: pam_unix(login:auth): authentication
failure; logname=root uid=0 euid=0 tty=/dev/pts/0 ruser= rhost= user=achim
Jul 17 20:23:28 dc1 login[1724]: pam_winbind(login:auth): getting
password (0x00000388)
Jul 17 20:23:28 dc1 login[1724]: pam_winbind(login:auth): pam_get_item
returned a password
Jul 17 20:23:28 dc1 login[1724]: pam_winbind(login:auth): request
wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_SYSTEM_ERR (4),
NTSTATUS: NT_STATUS_CONNECTION_DISCONNECTED, Error message was: The
transport connection is now disconnected.
Jul 17 20:23:28 dc1 login[1724]: pam_winbind(login:auth): internal
module error (retval = PAM_SYSTEM_ERR(4), user = 'achim')
Jul 17 20:23:30 dc1 login[1724]: FAILED LOGIN (1) on '/dev/pts/0' FOR
'achim', Authentication failure
/var/log/syslog shows winbindd segfaults but is not able to write a
core dump file. (Folder /var/log/samba/cores/winbindd exists with mode 1700)
Jul 17 20:23:28 dc1 winbindd[1620]: [2016/07/17 20:23:28.659642, 0]
../lib/util/fault.c:78(fault_report)
Jul 17 20:23:28 dc1 winbindd[1620]:
===============================================================
Jul 17 20:23:28 dc1 winbindd[1620]: [2016/07/17 20:23:28.659714, 0]
../lib/util/fault.c:79(fault_report)
Jul 17 20:23:28 dc1 winbindd[1620]: INTERNAL ERROR: Signal 11 in pid
1620 (4.4.5-Debian)
Jul 17 20:23:28 dc1 winbindd[1620]: Please read the Trouble-Shooting
section of the Samba HOWTO
Jul 17 20:23:28 dc1 winbindd[1620]: [2016/07/17 20:23:28.659759, 0]
../lib/util/fault.c:81(fault_report)
Jul 17 20:23:28 dc1 winbindd[1620]:
===============================================================
Jul 17 20:23:28 dc1 winbindd[1620]: [2016/07/17 20:23:28.659789, 0]
../source3/lib/util.c:791(smb_panic_s3)
Jul 17 20:23:28 dc1 winbindd[1620]: PANIC (pid 1620): internal error
Jul 17 20:23:28 dc1 winbindd[1620]: [2016/07/17 20:23:28.701122, 0]
../source3/lib/util.c:902(log_stack_trace)
Jul 17 20:23:28 dc1 winbindd[1620]: BACKTRACE: 27 stack frames:
Jul 17 20:23:28 dc1 winbindd[1620]: #0
/usr/lib/x86_64-linux-gnu/libsmbconf.so.0(log_stack_trace+0x1a)
[0x7f177df19cba]
Jul 17 20:23:28 dc1 winbindd[1620]: #1
/usr/lib/x86_64-linux-gnu/libsmbconf.so.0(smb_panic_s3+0x20)
[0x7f177df19da0]
Jul 17 20:23:28 dc1 winbindd[1620]: #2
/usr/lib/x86_64-linux-gnu/libsamba-util.so.0(smb_panic+0x2f)
[0x7f17814cb96f]
Jul 17 20:23:28 dc1 winbindd[1620]: #3
/usr/lib/x86_64-linux-gnu/libsamba-util.so.0(+0x1bb8f) [0x7f17814cbb8f]
Jul 17 20:23:28 dc1 winbindd[1620]: #4
/lib/x86_64-linux-gnu/libpthread.so.0(+0xf8d0) [0x7f1782f978d0]
Jul 17 20:23:28 dc1 winbindd[1620]: #5
/usr/lib/x86_64-linux-gnu/samba/libkrb5-samba4.so.26(krb5_storage_free+0x1)
[0x7f177ff2c061]
Jul 17 20:23:28 dc1 winbindd[1620]: #6
/usr/lib/x86_64-linux-gnu/samba/libkrb5-samba4.so.26(+0x382f5)
[0x7f177ff182f5]
Jul 17 20:23:28 dc1 winbindd[1620]: #7
/usr/lib/x86_64-linux-gnu/samba/libgse.so.0(+0x90d6) [0x7f177c8290d6]
Jul 17 20:23:28 dc1 winbindd[1620]: #8
/usr/lib/x86_64-linux-gnu/samba/libgse.so.0(gse_krb5_get_server_keytab+0x11d)
[0x7f177c82962d]
Jul 17 20:23:28 dc1 winbindd[1620]: #9
/usr/lib/x86_64-linux-gnu/samba/libgse.so.0(+0xb15a) [0x7f177c82b15a]
Jul 17 20:23:28 dc1 winbindd[1620]: #10
/usr/lib/x86_64-linux-gnu/samba/libgensec.so.0(gensec_start_mech+0xb1)
[0x7f177c605e91]
Jul 17 20:23:28 dc1 winbindd[1620]: #11
/usr/lib/x86_64-linux-gnu/samba/libgensec.so.0(gensec_start_mech_by_oid+0x26)
[0x7f177c6061d6]
Jul 17 20:23:28 dc1 winbindd[1620]: #12
/usr/sbin/winbindd(kerberos_return_pac+0x419) [0x7f17833f6a69]
Jul 17 20:23:28 dc1 winbindd[1620]: #13
/usr/sbin/winbindd(winbindd_dual_pam_auth+0x1248) [0x7f1783416008]
Jul 17 20:23:28 dc1 winbindd[1620]: #14 /usr/sbin/winbindd(+0x5c8d4)
[0x7f178342c8d4]
Jul 17 20:23:28 dc1 winbindd[1620]: #15
/usr/lib/x86_64-linux-gnu/libtevent.so.0(+0x9d23) [0x7f177af11d23]
Jul 17 20:23:28 dc1 winbindd[1620]: #16
/usr/lib/x86_64-linux-gnu/libtevent.so.0(+0x8217) [0x7f177af10217]
Jul 17 20:23:28 dc1 winbindd[1620]: #17
/usr/lib/x86_64-linux-gnu/libtevent.so.0(_tevent_loop_once+0x8d)
[0x7f177af0c43d]
Jul 17 20:23:28 dc1 winbindd[1620]: #18 /usr/sbin/winbindd(+0x5ec48)
[0x7f178342ec48]
Jul 17 20:23:28 dc1 winbindd[1620]: #19 /usr/sbin/winbindd(+0x5f345)
[0x7f178342f345]
Jul 17 20:23:28 dc1 winbindd[1620]: #20
/usr/lib/x86_64-linux-gnu/libtevent.so.0(tevent_common_loop_immediate+0xd4)
[0x7f177af0cc74]
Jul 17 20:23:28 dc1 winbindd[1620]: #21
/usr/lib/x86_64-linux-gnu/libtevent.so.0(+0x9aee) [0x7f177af11aee]
Jul 17 20:23:28 dc1 winbindd[1620]: #22
/usr/lib/x86_64-linux-gnu/libtevent.so.0(+0x8217) [0x7f177af10217]
Jul 17 20:23:28 dc1 winbindd[1620]: #23
/usr/lib/x86_64-linux-gnu/libtevent.so.0(_tevent_loop_once+0x8d)
[0x7f177af0c43d]
Jul 17 20:23:28 dc1 winbindd[1620]: #24
/usr/sbin/winbindd(main+0xbc4) [0x7f17833f5d64]
Jul 17 20:23:28 dc1 winbindd[1620]: #25
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf5) [0x7f177a921b45]
Jul 17 20:23:28 dc1 winbindd[1620]: #26 /usr/sbin/winbindd(+0x263f0)
[0x7f17833f63f0]
Jul 17 20:23:28 dc1 winbindd[1620]: [2016/07/17 20:23:28.711374, 0]
../source3/lib/dumpcore.c:298(dump_core)
Jul 17 20:23:28 dc1 winbindd[1620]: unable to change to
/var/log/samba/cores/winbindd
Jul 17 20:23:28 dc1 winbindd[1620]: refusing to dump core
/var/log/samba/log.samba (loglevel 5) shows preauth succeeded
[2016/07/17 20:31:16.430264, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: AS-REQ achim@DOMAIN.LOCAL from ipv4:192.192.12.101:54231
for krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL
[2016/07/17 20:31:16.434801, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Client sent patypes: 128
[2016/07/17 20:31:16.434879, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Looking for PKINIT pa-data -- achim@DOMAIN.LOCAL
[2016/07/17 20:31:16.434932, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Looking for ENC-TS pa-data -- achim@DOMAIN.LOCAL
[2016/07/17 20:31:16.435008, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: No preauth found, returning PREAUTH-REQUIRED --
achim@DOMAIN.LOCAL
[2016/07/17 20:31:16.463167, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: AS-REQ achim@DOMAIN.LOCAL from ipv4:192.192.12.101:56933
for krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL
[2016/07/17 20:31:16.464866, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Client sent patypes: encrypted-timestamp, 128
[2016/07/17 20:31:16.464900, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Looking for PKINIT pa-data -- achim@DOMAIN.LOCAL
[2016/07/17 20:31:16.464922, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Looking for ENC-TS pa-data -- achim@DOMAIN.LOCAL
[2016/07/17 20:31:16.464991, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: ENC-TS Pre-authentication succeeded -- achim@DOMAIN.LOCAL
using aes256-cts-hmac-sha1-96
[2016/07/17 20:31:16.465019, 4]
../source4/auth/sam.c:182(authsam_account_ok)
authsam_account_ok: Checking SMB password for user achim@DOMAIN.LOCAL
[2016/07/17 20:31:16.465119, 5] ../source4/auth/sam.c:116(logon_hours_ok)
logon_hours_ok: No hours restrictions for user achim@DOMAIN.LOCAL
[2016/07/17 20:31:16.465149, 5]
../source4/auth/sam.c:820(authsam_logon_success_accounting)
lastLogonTimestamp is 131127322764566420
[2016/07/17 20:31:16.465263, 5]
../source4/auth/sam.c:744(authsam_update_lastlogon_timestamp)
sync interval is 14
[2016/07/17 20:31:16.465299, 5]
../source4/auth/sam.c:761(authsam_update_lastlogon_timestamp)
randomised sync interval is 12 (-2)
[2016/07/17 20:31:16.465320, 5]
../source4/auth/sam.c:770(authsam_update_lastlogon_timestamp)
old timestamp is 131127322764566420, threshold 131122170764651720,
diff 5151999914700
[2016/07/17 20:31:16.475116, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: AS-REQ authtime: 2016-07-17T20:31:16 starttime: unset
endtime: 2016-07-18T06:31:10 renew till: 2016-07-24T20:31:16
[2016/07/17 20:31:16.475259, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96,
aes128-cts-hmac-sha1-96, des3-cbc-sha1, des3-cbc-md5, arcfour-hmac-md5,
using aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
[2016/07/17 20:31:16.475321, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Requested flags: renewable, forwardable
[2016/07/17 20:31:19.510167, 4]
../source4/dsdb/repl/drepl_notify.c:463(dreplsrv_notify_schedule)
dreplsrv_notify_schedule(5) scheduled for: Sun Jul 17 20:31:25 2016 CEST
[2016/07/17 20:31:22.509068, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: TGS-REQ achim@DOMAIN.LOCAL from ipv4:192.192.12.101:37962
for DC1$@DOMAIN.LOCAL
[2016/07/17 20:31:22.514670, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: TGS-REQ authtime: 2016-07-17T20:31:16 starttime:
2016-07-17T20:31:22 endtime: 2016-07-18T06:31:10 renew till: unset
[2016/07/17 20:31:24.519075, 4]
../source4/dsdb/repl/drepl_notify.c:463(dreplsrv_notify_schedule)
dreplsrv_notify_schedule(5) scheduled for: Sun Jul 17 20:31:30 2016 CEST
[2016/07/17 20:31:26.196142, 3]
../source4/smbd/service_stream.c:66(stream_terminate_connection)
Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
[2016/07/17 20:31:26.196220, 3]
../source4/smbd/process_single.c:114(single_terminate)
single_terminate: reason[dcesrv: NT_STATUS_CONNECTION_DISCONNECTED]
[2016/07/17 20:31:26.206726, 3]
../source4/smbd/service_stream.c:66(stream_terminate_connection)
Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
[2016/07/17 20:31:26.206796, 3]
../source4/smbd/process_single.c:114(single_terminate)

Going back to internal dns fixes the issue.
Using a wrong password does not segfault winbindd so the error must
happen at some place after password verification (also the samba log
looks like authentication has succeeded).

Here are the config files (no avahi running on my servers so .local
causes no problems, also no nscd or unscd is running :-) )

/etc/krb5.conf
[libdefaults]
default_realm = DOMAIN.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = true
/etc/samba/smb.conf
[global]
netbios name = DC1
realm = DOMAIN.LOCAL
workgroup = DOMAIN
dns forwarder = 192.168.100.102
server role = active directory domain controller
idmap_ldb:use rfc2307 = yes
kccsrv:samba_kcc=true
template shell = /bin/bash
log level = 5
max log size = 2000000
wins support = Yes
ea support = yes
store dos attributes = yes
map readonly = no
map archive = no
map system = no
map hidden = no
strict allocate = yes
acl allow execute always = yes
aio read size = 16384
aio write size = 16384
write cache size = 262144
csc policy = disable
deadtime = 1
socket options = TCP_NODELAY SO_KEEPALIVE TCP_KEEPIDLE=60 TCP_KEEPINTVL=10 TCP_KEEPCNT=5
idmap config * : range = 3000000-4000000
smb2 leases = yes
kerberos method = system keytab
client ldap sasl wrapping = sign
allow dns updates = nonsecure and secure
nsupdate command = /usr/bin/nsupdate -g
server services = -dns
spoolss: architecture = Windows x64
tls cafile=/etc/samba/tls/ca.crt
tls certfile=/etc/samba/tls/dc1.domain.local.crt
tls keyfile=/etc/samba/tls/dc1.domain.local.key
[netlogon]
path = /var/lib/samba/sysvol/domain.local/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
[printers]
comment = All Printers
path = /var/spool/samba
browseable = Yes
read only = No
printable = Yes
[print$]
comment = Point and Print Printer Drivers
path = /var/lib/samba/printers
read only = No
/etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: compat winbind
group: compat winbind
shadow: compat
gshadow: files
hosts: files dns wins
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
sudoers: files
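
Added example, not part of the original message and not Samba tooling: a small Python triage helper that undoes the syslog prefix and mail line wrapping in a panic log like the one above and lists the symbolized frames beneath the signal handler. The function names and the rule that the libpthread frame marks the signal trampoline are assumptions of this example.

```python
import re

# Abridged from the syslog excerpt in the message above, wrapping included.
SAMPLE = """\
Jul 17 20:23:28 dc1 winbindd[1620]: INTERNAL ERROR: Signal 11 in pid
1620 (4.4.5-Debian)
Jul 17 20:23:28 dc1 winbindd[1620]: #3
/usr/lib/x86_64-linux-gnu/libsamba-util.so.0(+0x1bb8f) [0x7f17814cbb8f]
Jul 17 20:23:28 dc1 winbindd[1620]: #4
/lib/x86_64-linux-gnu/libpthread.so.0(+0xf8d0) [0x7f1782f978d0]
Jul 17 20:23:28 dc1 winbindd[1620]: #5
/usr/lib/x86_64-linux-gnu/samba/libkrb5-samba4.so.26(krb5_storage_free+0x1)
[0x7f177ff2c061]
Jul 17 20:23:28 dc1 winbindd[1620]: #8
/usr/lib/x86_64-linux-gnu/samba/libgse.so.0(gse_krb5_get_server_keytab+0x11d)
[0x7f177c82962d]
Jul 17 20:23:28 dc1 winbindd[1620]: #12
/usr/sbin/winbindd(kerberos_return_pac+0x419) [0x7f17833f6a69]
Jul 17 20:23:28 dc1 winbindd[1620]: #13
/usr/sbin/winbindd(winbindd_dual_pam_auth+0x1248) [0x7f1783416008]
Jul 17 20:23:28 dc1 winbindd[1620]: #14 /usr/sbin/winbindd(+0x5c8d4)
[0x7f178342c8d4]
"""

PREFIX = re.compile(r"^\w{3} +\d+ [\d:]{8} \S+ \S+\[\d+\]: ", re.M)
FRAME = re.compile(r"#(\d+)\s+(\S+?)\((\w*)\+0x([0-9a-f]+)\)\s+\[0x[0-9a-f]+\]")
FAULT = re.compile(r"Signal (\d+) in pid\s+(\d+)")

def parse_panic(text):
    """Return (signal, pid, frames) from a wrapped Samba panic log."""
    flat = " ".join(PREFIX.sub("", text).split())  # drop syslog prefix, undo wrapping
    m = FAULT.search(flat)
    frames = [(int(n), path.rsplit("/", 1)[-1], sym or None, int(off, 16))
              for n, path, sym, off in FRAME.findall(flat)]
    return (int(m.group(1)), int(m.group(2)), frames) if m else (None, None, frames)

def crash_chain(frames):
    """Named frames below the signal trampoline, innermost first."""
    # Assumption: the libpthread frame is the signal-handler return, so the
    # frames listed before it are Samba's own panic reporting, not the fault.
    start = next((i + 1 for i, f in enumerate(frames) if f[1].startswith("libpthread")), 0)
    return [f"{sym} ({lib})" for _, lib, sym, _ in frames[start:] if sym]

if __name__ == "__main__":
    sig, pid, frames = parse_panic(SAMPLE)
    print(f"signal {sig} in pid {pid}")
    print("\n".join(crash_chain(frames)))
```

Frames without a symbol name (for example `+0x382f5`) are skipped in the chain; resolving them needs the matching debug symbol packages.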