[Samba] Winbindd segfaults with bind9-dlz trying to login via libwinbind-pam

Achim Gottinger achim at ag-web.biz
Sun Jul 17 18:54:18 UTC 2016


Hello,

I just found an odd behaviour here on my test environment (Debian 
jessie with samba 4.4.5 backported from sid).

I create an AD DC as usual, adjust nsswitch.conf and enable 
pam-auth-winbind (running pam-auth-update). I also define /bin/bash as 
template shell.
Now, after I create a samba user and the user's home directory 
(/home/DOMAIN/achim), I can log in with that account on the console.

Then I switch to the bind9 dlz backend (samba_upgradedns 
--dns-backend=BIND9_DLZ), adjust bind and samba settings and verify 
/var/lib/samba/private/dns.keytab read access for the bind group.
Name resolution works and Windows clients are able to enter their DNS 
records.

But if I try to log in as the previously working samba user achim I get:

root at dc1:~# login achim
Password:

Login incorrect
dc1 login:

/var/log/auth.log
Jul 17 20:23:28 dc1 login[1724]: pam_unix(login:auth): authentication 
failure; logname=root uid=0 euid=0 tty=/dev/pts/0 ruser= rhost=  user=achim
Jul 17 20:23:28 dc1 login[1724]: pam_winbind(login:auth): getting 
password (0x00000388)
Jul 17 20:23:28 dc1 login[1724]: pam_winbind(login:auth): pam_get_item 
returned a password
Jul 17 20:23:28 dc1 login[1724]: pam_winbind(login:auth): request 
wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_SYSTEM_ERR (4), 
NTSTATUS: NT_STATUS_CONNECTION_DISCONNECTED, Error message was: The 
transport connection is now disconnected.
Jul 17 20:23:28 dc1 login[1724]: pam_winbind(login:auth): internal 
module error (retval = PAM_SYSTEM_ERR(4), user = 'achim')
Jul 17 20:23:30 dc1 login[1724]: FAILED LOGIN (1) on '/dev/pts/0' FOR 
'achim', Authentication failure

/var/log/syslog shows winbindd segfaults but is not able to write a 
core dump file. (Folder /var/log/samba/cores/winbindd exists with mode 1700)

Jul 17 20:23:28 dc1 winbindd[1620]: [2016/07/17 20:23:28.659642,  0] 
../lib/util/fault.c:78(fault_report)
Jul 17 20:23:28 dc1 winbindd[1620]: 
===============================================================
Jul 17 20:23:28 dc1 winbindd[1620]: [2016/07/17 20:23:28.659714,  0] 
../lib/util/fault.c:79(fault_report)
Jul 17 20:23:28 dc1 winbindd[1620]:   INTERNAL ERROR: Signal 11 in pid 
1620 (4.4.5-Debian)
Jul 17 20:23:28 dc1 winbindd[1620]:   Please read the Trouble-Shooting 
section of the Samba HOWTO
Jul 17 20:23:28 dc1 winbindd[1620]: [2016/07/17 20:23:28.659759,  0] 
../lib/util/fault.c:81(fault_report)
Jul 17 20:23:28 dc1 winbindd[1620]: 
===============================================================
Jul 17 20:23:28 dc1 winbindd[1620]: [2016/07/17 20:23:28.659789,  0] 
../source3/lib/util.c:791(smb_panic_s3)
Jul 17 20:23:28 dc1 winbindd[1620]:   PANIC (pid 1620): internal error
Jul 17 20:23:28 dc1 winbindd[1620]: [2016/07/17 20:23:28.701122,  0] 
../source3/lib/util.c:902(log_stack_trace)
Jul 17 20:23:28 dc1 winbindd[1620]:   BACKTRACE: 27 stack frames:
Jul 17 20:23:28 dc1 winbindd[1620]:    #0 
/usr/lib/x86_64-linux-gnu/libsmbconf.so.0(log_stack_trace+0x1a) 
[0x7f177df19cba]
Jul 17 20:23:28 dc1 winbindd[1620]:    #1 
/usr/lib/x86_64-linux-gnu/libsmbconf.so.0(smb_panic_s3+0x20) 
[0x7f177df19da0]
Jul 17 20:23:28 dc1 winbindd[1620]:    #2 
/usr/lib/x86_64-linux-gnu/libsamba-util.so.0(smb_panic+0x2f) 
[0x7f17814cb96f]
Jul 17 20:23:28 dc1 winbindd[1620]:    #3 
/usr/lib/x86_64-linux-gnu/libsamba-util.so.0(+0x1bb8f) [0x7f17814cbb8f]
Jul 17 20:23:28 dc1 winbindd[1620]:    #4 
/lib/x86_64-linux-gnu/libpthread.so.0(+0xf8d0) [0x7f1782f978d0]
Jul 17 20:23:28 dc1 winbindd[1620]:    #5 
/usr/lib/x86_64-linux-gnu/samba/libkrb5-samba4.so.26(krb5_storage_free+0x1) 
[0x7f177ff2c061]
Jul 17 20:23:28 dc1 winbindd[1620]:    #6 
/usr/lib/x86_64-linux-gnu/samba/libkrb5-samba4.so.26(+0x382f5) 
[0x7f177ff182f5]
Jul 17 20:23:28 dc1 winbindd[1620]:    #7 
/usr/lib/x86_64-linux-gnu/samba/libgse.so.0(+0x90d6) [0x7f177c8290d6]
Jul 17 20:23:28 dc1 winbindd[1620]:    #8 
/usr/lib/x86_64-linux-gnu/samba/libgse.so.0(gse_krb5_get_server_keytab+0x11d) 
[0x7f177c82962d]
Jul 17 20:23:28 dc1 winbindd[1620]:    #9 
/usr/lib/x86_64-linux-gnu/samba/libgse.so.0(+0xb15a) [0x7f177c82b15a]
Jul 17 20:23:28 dc1 winbindd[1620]:    #10 
/usr/lib/x86_64-linux-gnu/samba/libgensec.so.0(gensec_start_mech+0xb1) 
[0x7f177c605e91]
Jul 17 20:23:28 dc1 winbindd[1620]:    #11 
/usr/lib/x86_64-linux-gnu/samba/libgensec.so.0(gensec_start_mech_by_oid+0x26) 
[0x7f177c6061d6]
Jul 17 20:23:28 dc1 winbindd[1620]:    #12 
/usr/sbin/winbindd(kerberos_return_pac+0x419) [0x7f17833f6a69]
Jul 17 20:23:28 dc1 winbindd[1620]:    #13 
/usr/sbin/winbindd(winbindd_dual_pam_auth+0x1248) [0x7f1783416008]
Jul 17 20:23:28 dc1 winbindd[1620]:    #14 /usr/sbin/winbindd(+0x5c8d4) 
[0x7f178342c8d4]
Jul 17 20:23:28 dc1 winbindd[1620]:    #15 
/usr/lib/x86_64-linux-gnu/libtevent.so.0(+0x9d23) [0x7f177af11d23]
Jul 17 20:23:28 dc1 winbindd[1620]:    #16 
/usr/lib/x86_64-linux-gnu/libtevent.so.0(+0x8217) [0x7f177af10217]
Jul 17 20:23:28 dc1 winbindd[1620]:    #17 
/usr/lib/x86_64-linux-gnu/libtevent.so.0(_tevent_loop_once+0x8d) 
[0x7f177af0c43d]
Jul 17 20:23:28 dc1 winbindd[1620]:    #18 /usr/sbin/winbindd(+0x5ec48) 
[0x7f178342ec48]
Jul 17 20:23:28 dc1 winbindd[1620]:    #19 /usr/sbin/winbindd(+0x5f345) 
[0x7f178342f345]
Jul 17 20:23:28 dc1 winbindd[1620]:    #20 
/usr/lib/x86_64-linux-gnu/libtevent.so.0(tevent_common_loop_immediate+0xd4) 
[0x7f177af0cc74]
Jul 17 20:23:28 dc1 winbindd[1620]:    #21 
/usr/lib/x86_64-linux-gnu/libtevent.so.0(+0x9aee) [0x7f177af11aee]
Jul 17 20:23:28 dc1 winbindd[1620]:    #22 
/usr/lib/x86_64-linux-gnu/libtevent.so.0(+0x8217) [0x7f177af10217]
Jul 17 20:23:28 dc1 winbindd[1620]:    #23 
/usr/lib/x86_64-linux-gnu/libtevent.so.0(_tevent_loop_once+0x8d) 
[0x7f177af0c43d]
Jul 17 20:23:28 dc1 winbindd[1620]:    #24 
/usr/sbin/winbindd(main+0xbc4) [0x7f17833f5d64]
Jul 17 20:23:28 dc1 winbindd[1620]:    #25 
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf5) [0x7f177a921b45]
Jul 17 20:23:28 dc1 winbindd[1620]:    #26 /usr/sbin/winbindd(+0x263f0) 
[0x7f17833f63f0]
Jul 17 20:23:28 dc1 winbindd[1620]: [2016/07/17 20:23:28.711374,  0] 
../source3/lib/dumpcore.c:298(dump_core)
Jul 17 20:23:28 dc1 winbindd[1620]:   unable to change to 
/var/log/samba/cores/winbindd
Jul 17 20:23:28 dc1 winbindd[1620]:   refusing to dump core

/var/log/samba/log.samba (loglevel 5) shows preauth succeeded

[2016/07/17 20:31:16.430264,  3] 
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
   Kerberos: AS-REQ achim at DOMAIN.LOCAL from ipv4:192.192.12.101:54231 
for krbtgt/DOMAIN.LOCAL at DOMAIN.LOCAL
[2016/07/17 20:31:16.434801,  3] 
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
   Kerberos: Client sent patypes: 128
[2016/07/17 20:31:16.434879,  3] 
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
   Kerberos: Looking for PKINIT pa-data -- achim at DOMAIN.LOCAL
[2016/07/17 20:31:16.434932,  3] 
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
   Kerberos: Looking for ENC-TS pa-data -- achim at DOMAIN.LOCAL
[2016/07/17 20:31:16.435008,  3] 
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
   Kerberos: No preauth found, returning PREAUTH-REQUIRED -- 
achim at DOMAIN.LOCAL
[2016/07/17 20:31:16.463167,  3] 
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
   Kerberos: AS-REQ achim at DOMAIN.LOCAL from ipv4:192.192.12.101:56933 
for krbtgt/DOMAIN.LOCAL at DOMAIN.LOCAL
[2016/07/17 20:31:16.464866,  3] 
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
   Kerberos: Client sent patypes: encrypted-timestamp, 128
[2016/07/17 20:31:16.464900,  3] 
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
   Kerberos: Looking for PKINIT pa-data -- achim at DOMAIN.LOCAL
[2016/07/17 20:31:16.464922,  3] 
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
   Kerberos: Looking for ENC-TS pa-data -- achim at DOMAIN.LOCAL
[2016/07/17 20:31:16.464991,  3] 
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
   Kerberos: ENC-TS Pre-authentication succeeded -- achim at DOMAIN.LOCAL 
using aes256-cts-hmac-sha1-96
[2016/07/17 20:31:16.465019,  4] 
../source4/auth/sam.c:182(authsam_account_ok)
   authsam_account_ok: Checking SMB password for user achim at DOMAIN.LOCAL
[2016/07/17 20:31:16.465119,  5] ../source4/auth/sam.c:116(logon_hours_ok)
   logon_hours_ok: No hours restrictions for user achim at DOMAIN.LOCAL
[2016/07/17 20:31:16.465149,  5] 
../source4/auth/sam.c:820(authsam_logon_success_accounting)
   lastLogonTimestamp is 131127322764566420
[2016/07/17 20:31:16.465263,  5] 
../source4/auth/sam.c:744(authsam_update_lastlogon_timestamp)
   sync interval is 14
[2016/07/17 20:31:16.465299,  5] 
../source4/auth/sam.c:761(authsam_update_lastlogon_timestamp)
   randomised sync interval is 12 (-2)
[2016/07/17 20:31:16.465320,  5] 
../source4/auth/sam.c:770(authsam_update_lastlogon_timestamp)
   old timestamp is 131127322764566420, threshold 131122170764651720, 
diff 5151999914700
[2016/07/17 20:31:16.475116,  3] 
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
   Kerberos: AS-REQ authtime: 2016-07-17T20:31:16 starttime: unset 
endtime: 2016-07-18T06:31:10 renew till: 2016-07-24T20:31:16
[2016/07/17 20:31:16.475259,  3] 
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
   Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96, 
aes128-cts-hmac-sha1-96, des3-cbc-sha1, des3-cbc-md5, arcfour-hmac-md5, 
using aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
[2016/07/17 20:31:16.475321,  3] 
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
   Kerberos: Requested flags: renewable, forwardable
[2016/07/17 20:31:19.510167,  4] 
../source4/dsdb/repl/drepl_notify.c:463(dreplsrv_notify_schedule)
   dreplsrv_notify_schedule(5) scheduled for: Sun Jul 17 20:31:25 2016 CEST
[2016/07/17 20:31:22.509068,  3] 
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
   Kerberos: TGS-REQ achim at DOMAIN.LOCAL from ipv4:192.192.12.101:37962 
for DC1$@DOMAIN.LOCAL
[2016/07/17 20:31:22.514670,  3] 
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
   Kerberos: TGS-REQ authtime: 2016-07-17T20:31:16 starttime: 
2016-07-17T20:31:22 endtime: 2016-07-18T06:31:10 renew till: unset
[2016/07/17 20:31:24.519075,  4] 
../source4/dsdb/repl/drepl_notify.c:463(dreplsrv_notify_schedule)
   dreplsrv_notify_schedule(5) scheduled for: Sun Jul 17 20:31:30 2016 CEST
[2016/07/17 20:31:26.196142,  3] 
../source4/smbd/service_stream.c:66(stream_terminate_connection)
   Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
[2016/07/17 20:31:26.196220,  3] 
../source4/smbd/process_single.c:114(single_terminate)
   single_terminate: reason[dcesrv: NT_STATUS_CONNECTION_DISCONNECTED]
[2016/07/17 20:31:26.206726,  3] 
../source4/smbd/service_stream.c:66(stream_terminate_connection)
   Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
[2016/07/17 20:31:26.206796,  3] 
../source4/smbd/process_single.c:114(single_terminate)

Going back to the internal DNS fixes the issue.
Using a wrong password does not segfault winbindd so the error must 
happen at some place after password verification (also the samba log 
looks like authentication has succeeded).


Here are the config files (no avahi running on my servers so .local 
causes no problems, also no nscd or unscd is running :-) )

/etc/krb5.conf
[libdefaults]
         default_realm = DOMAIN.LOCAL
         dns_lookup_realm = false
         dns_lookup_kdc = true

/etc/samba/smb.conf
[global]
         netbios name = DC1
         realm = DOMAIN.LOCAL
         workgroup = DOMAIN
         dns forwarder = 192.168.100.102
         server role = active directory domain controller
         idmap_ldb:use rfc2307 = yes
         kccsrv:samba_kcc=true
         template shell = /bin/bash
         log level = 5
         max log size = 2000000
         wins support = Yes
         ea support = yes
         store dos attributes = yes
         map readonly = no
         map archive = no
         map system = no
         map hidden = no
         strict allocate = yes
         acl allow execute always = yes
         aio read size = 16384
         aio write size = 16384
         write cache size = 262144
         csc policy = disable
         deadtime = 1
         socket options = TCP_NODELAY SO_KEEPALIVE TCP_KEEPIDLE=60 TCP_KEEPINTVL=10 TCP_KEEPCNT=5
         idmap config * : range = 3000000-4000000
         smb2 leases = yes

         kerberos method = system keytab
         client ldap sasl wrapping = sign
         allow dns updates = nonsecure and secure
         nsupdate command =  /usr/bin/nsupdate -g
         server services = -dns

         spoolss: architecture = Windows x64

         tls cafile=/etc/samba/tls/ca.crt
         tls certfile=/etc/samba/tls/dc1.domain.local.crt
         tls keyfile=/etc/samba/tls/dc1.domain.local.key

[netlogon]
         path = /var/lib/samba/sysvol/domain.local/scripts
         read only = No

[sysvol]
         path = /var/lib/samba/sysvol
         read only = No

[printers]
         comment = All Printers
         path = /var/spool/samba
         browseable = Yes
         read only = No
         printable = Yes

[print$]
         comment = Point and Print Printer Drivers
         path = /var/lib/samba/printers
         read only = No

/etc/nsswitch.conf

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat winbind
group:          compat winbind
shadow:         compat
gshadow:        files

hosts:          files dns wins
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis
sudoers:        files
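
The following script is an added example, not part of the original post and not Samba code. It rejoins the mail-wrapped syslog backtrace quoted above and lists the frames that were executing when signal 11 arrived; treating the libpthread frame as the signal-return boundary is an assumption about this glibc layout, and the function names are hypothetical.

```python
import re

# Excerpt (frames #3-#8, #12, #13) of the backtrace in the post above,
# wrapped across lines the way the mail archive shows it.
SAMPLE = """\
Jul 17 20:23:28 dc1 winbindd[1620]:    #3
/usr/lib/x86_64-linux-gnu/libsamba-util.so.0(+0x1bb8f) [0x7f17814cbb8f]
Jul 17 20:23:28 dc1 winbindd[1620]:    #4
/lib/x86_64-linux-gnu/libpthread.so.0(+0xf8d0) [0x7f1782f978d0]
Jul 17 20:23:28 dc1 winbindd[1620]:    #5
/usr/lib/x86_64-linux-gnu/samba/libkrb5-samba4.so.26(krb5_storage_free+0x1)
[0x7f177ff2c061]
Jul 17 20:23:28 dc1 winbindd[1620]:    #6
/usr/lib/x86_64-linux-gnu/samba/libkrb5-samba4.so.26(+0x382f5)
[0x7f177ff182f5]
Jul 17 20:23:28 dc1 winbindd[1620]:    #7
/usr/lib/x86_64-linux-gnu/samba/libgse.so.0(+0x90d6) [0x7f177c8290d6]
Jul 17 20:23:28 dc1 winbindd[1620]:    #8
/usr/lib/x86_64-linux-gnu/samba/libgse.so.0(gse_krb5_get_server_keytab+0x11d)
[0x7f177c82962d]
Jul 17 20:23:28 dc1 winbindd[1620]:    #12
/usr/sbin/winbindd(kerberos_return_pac+0x419) [0x7f17833f6a69]
Jul 17 20:23:28 dc1 winbindd[1620]:    #13
/usr/sbin/winbindd(winbindd_dual_pam_auth+0x1248) [0x7f1783416008]
"""

# "#N <module>(<symbol>+<offset>) [<address>]"; \s+ absorbs the mail line wraps.
FRAME = re.compile(r"#(\d+)\s+(\S+?)\((\w*)\+(0x[0-9a-f]+)\)\s+\[0x[0-9a-f]+\]")

def parse_frames(text):
    """Return (index, module basename, symbol or module+offset) per frame."""
    frames = []
    for idx, module, symbol, offset in FRAME.findall(text):
        base = module.rsplit("/", 1)[-1]
        frames.append((int(idx), base, symbol or f"{base}+{offset}"))
    return frames

def faulting_chain(frames):
    """Frames listed after the libpthread signal-return frame (assumed boundary)."""
    for pos, (_, module, _) in enumerate(frames):
        if module.startswith("libpthread"):
            return frames[pos + 1:]
    return frames  # no signal frame found: return everything

if __name__ == "__main__":
    for idx, module, symbol in faulting_chain(parse_frames(SAMPLE)):
        print(f"#{idx:<3} {module:<24} {symbol}")
```

On the excerpt, the innermost named frame is krb5_storage_free, reached through gse_krb5_get_server_keytab from kerberos_return_pac in winbindd_dual_pam_auth.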


