[Samba] Winbindd segfaults with bind9-dlz trying to login via libwinbind-pam
Achim Gottinger
achim at ag-web.biz
Sun Jul 17 19:14:16 UTC 2016
On 17.07.2016 at 20:54, Achim Gottinger wrote:
> Hello,
>
> I just found an odd behaviour here on my test environment (debian
> jessie with samba 4.4.5 backported from sid).
>
> I create an ad-dc as usual, adjust nsswitch.conf and enable
> pam-auth-winbind (running pam-auth-update). I also define /bin/bash as
> template shell.
> Now after I create a samba user and the user's home directory
> (/home/DOMAIN/achim), I can log in with that account on the console.
>
> Then I switch to bind9 dlz backend now (samba_upgradedns
> --dns-backend=BIND9_DLZ), adjust bind and samba settings and verify
> /var/lib/samba/private/dns.keytab read access for bind group.
> Name resolution works and Windows clients are able to enter their DNS
> records.
>
> But if I try to log in as the previously working samba user achim I get:
>
> root at dc1:~# login achim
> Password:
>
> Login incorrect
> dc1 login:
>
> /var/log/auth.log
> Jul 17 20:23:28 dc1 login[1724]: pam_unix(login:auth): authentication
> failure; logname=root uid=0 euid=0 tty=/dev/pts/0 ruser= rhost=
> user=achim
> Jul 17 20:23:28 dc1 login[1724]: pam_winbind(login:auth): getting
> password (0x00000388)
> Jul 17 20:23:28 dc1 login[1724]: pam_winbind(login:auth): pam_get_item
> returned a password
> Jul 17 20:23:28 dc1 login[1724]: pam_winbind(login:auth): request
> wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_SYSTEM_ERR
> (4), NTSTATUS: NT_STATUS_CONNECTION_DISCONNECTED, Error message was:
> The transport connection is now disconnected.
> Jul 17 20:23:28 dc1 login[1724]: pam_winbind(login:auth): internal
> module error (retval = PAM_SYSTEM_ERR(4), user = 'achim')
> Jul 17 20:23:30 dc1 login[1724]: FAILED LOGIN (1) on '/dev/pts/0' FOR
> 'achim', Authentication failure
>
> /var/log/syslog shows winbindd segfaults but is not able to write a
> core dump file. (Folder /var/log/samba/cores/winbindd exists with mode
> 1700)
>
> Jul 17 20:23:28 dc1 winbindd[1620]: [2016/07/17 20:23:28.659642, 0]
> ../lib/util/fault.c:78(fault_report)
> Jul 17 20:23:28 dc1 winbindd[1620]:
> ===============================================================
> Jul 17 20:23:28 dc1 winbindd[1620]: [2016/07/17 20:23:28.659714, 0]
> ../lib/util/fault.c:79(fault_report)
> Jul 17 20:23:28 dc1 winbindd[1620]: INTERNAL ERROR: Signal 11 in pid
> 1620 (4.4.5-Debian)
> Jul 17 20:23:28 dc1 winbindd[1620]: Please read the Trouble-Shooting
> section of the Samba HOWTO
> Jul 17 20:23:28 dc1 winbindd[1620]: [2016/07/17 20:23:28.659759, 0]
> ../lib/util/fault.c:81(fault_report)
> Jul 17 20:23:28 dc1 winbindd[1620]:
> ===============================================================
> Jul 17 20:23:28 dc1 winbindd[1620]: [2016/07/17 20:23:28.659789, 0]
> ../source3/lib/util.c:791(smb_panic_s3)
> Jul 17 20:23:28 dc1 winbindd[1620]: PANIC (pid 1620): internal error
> Jul 17 20:23:28 dc1 winbindd[1620]: [2016/07/17 20:23:28.701122, 0]
> ../source3/lib/util.c:902(log_stack_trace)
> Jul 17 20:23:28 dc1 winbindd[1620]: BACKTRACE: 27 stack frames:
> Jul 17 20:23:28 dc1 winbindd[1620]: #0
> /usr/lib/x86_64-linux-gnu/libsmbconf.so.0(log_stack_trace+0x1a)
> [0x7f177df19cba]
> Jul 17 20:23:28 dc1 winbindd[1620]: #1
> /usr/lib/x86_64-linux-gnu/libsmbconf.so.0(smb_panic_s3+0x20)
> [0x7f177df19da0]
> Jul 17 20:23:28 dc1 winbindd[1620]: #2
> /usr/lib/x86_64-linux-gnu/libsamba-util.so.0(smb_panic+0x2f)
> [0x7f17814cb96f]
> Jul 17 20:23:28 dc1 winbindd[1620]: #3
> /usr/lib/x86_64-linux-gnu/libsamba-util.so.0(+0x1bb8f) [0x7f17814cbb8f]
> Jul 17 20:23:28 dc1 winbindd[1620]: #4
> /lib/x86_64-linux-gnu/libpthread.so.0(+0xf8d0) [0x7f1782f978d0]
> Jul 17 20:23:28 dc1 winbindd[1620]: #5
> /usr/lib/x86_64-linux-gnu/samba/libkrb5-samba4.so.26(krb5_storage_free+0x1)
> [0x7f177ff2c061]
> Jul 17 20:23:28 dc1 winbindd[1620]: #6
> /usr/lib/x86_64-linux-gnu/samba/libkrb5-samba4.so.26(+0x382f5)
> [0x7f177ff182f5]
> Jul 17 20:23:28 dc1 winbindd[1620]: #7
> /usr/lib/x86_64-linux-gnu/samba/libgse.so.0(+0x90d6) [0x7f177c8290d6]
> Jul 17 20:23:28 dc1 winbindd[1620]: #8
> /usr/lib/x86_64-linux-gnu/samba/libgse.so.0(gse_krb5_get_server_keytab+0x11d)
> [0x7f177c82962d]
> Jul 17 20:23:28 dc1 winbindd[1620]: #9
> /usr/lib/x86_64-linux-gnu/samba/libgse.so.0(+0xb15a) [0x7f177c82b15a]
> Jul 17 20:23:28 dc1 winbindd[1620]: #10
> /usr/lib/x86_64-linux-gnu/samba/libgensec.so.0(gensec_start_mech+0xb1)
> [0x7f177c605e91]
> Jul 17 20:23:28 dc1 winbindd[1620]: #11
> /usr/lib/x86_64-linux-gnu/samba/libgensec.so.0(gensec_start_mech_by_oid+0x26)
> [0x7f177c6061d6]
> Jul 17 20:23:28 dc1 winbindd[1620]: #12
> /usr/sbin/winbindd(kerberos_return_pac+0x419) [0x7f17833f6a69]
> Jul 17 20:23:28 dc1 winbindd[1620]: #13
> /usr/sbin/winbindd(winbindd_dual_pam_auth+0x1248) [0x7f1783416008]
> Jul 17 20:23:28 dc1 winbindd[1620]: #14
> /usr/sbin/winbindd(+0x5c8d4) [0x7f178342c8d4]
> Jul 17 20:23:28 dc1 winbindd[1620]: #15
> /usr/lib/x86_64-linux-gnu/libtevent.so.0(+0x9d23) [0x7f177af11d23]
> Jul 17 20:23:28 dc1 winbindd[1620]: #16
> /usr/lib/x86_64-linux-gnu/libtevent.so.0(+0x8217) [0x7f177af10217]
> Jul 17 20:23:28 dc1 winbindd[1620]: #17
> /usr/lib/x86_64-linux-gnu/libtevent.so.0(_tevent_loop_once+0x8d)
> [0x7f177af0c43d]
> Jul 17 20:23:28 dc1 winbindd[1620]: #18
> /usr/sbin/winbindd(+0x5ec48) [0x7f178342ec48]
> Jul 17 20:23:28 dc1 winbindd[1620]: #19
> /usr/sbin/winbindd(+0x5f345) [0x7f178342f345]
> Jul 17 20:23:28 dc1 winbindd[1620]: #20
> /usr/lib/x86_64-linux-gnu/libtevent.so.0(tevent_common_loop_immediate+0xd4)
> [0x7f177af0cc74]
> Jul 17 20:23:28 dc1 winbindd[1620]: #21
> /usr/lib/x86_64-linux-gnu/libtevent.so.0(+0x9aee) [0x7f177af11aee]
> Jul 17 20:23:28 dc1 winbindd[1620]: #22
> /usr/lib/x86_64-linux-gnu/libtevent.so.0(+0x8217) [0x7f177af10217]
> Jul 17 20:23:28 dc1 winbindd[1620]: #23
> /usr/lib/x86_64-linux-gnu/libtevent.so.0(_tevent_loop_once+0x8d)
> [0x7f177af0c43d]
> Jul 17 20:23:28 dc1 winbindd[1620]: #24
> /usr/sbin/winbindd(main+0xbc4) [0x7f17833f5d64]
> Jul 17 20:23:28 dc1 winbindd[1620]: #25
> /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf5) [0x7f177a921b45]
> Jul 17 20:23:28 dc1 winbindd[1620]: #26
> /usr/sbin/winbindd(+0x263f0) [0x7f17833f63f0]
> Jul 17 20:23:28 dc1 winbindd[1620]: [2016/07/17 20:23:28.711374, 0]
> ../source3/lib/dumpcore.c:298(dump_core)
> Jul 17 20:23:28 dc1 winbindd[1620]: unable to change to
> /var/log/samba/cores/winbindd
> Jul 17 20:23:28 dc1 winbindd[1620]: refusing to dump core
>
> /var/log/samba/log.samba (loglevel 5) shows preauth succeeded
>
> [2016/07/17 20:31:16.430264, 3]
> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> Kerberos: AS-REQ achim at DOMAIN.LOCAL from ipv4:192.192.12.101:54231
> for krbtgt/DOMAIN.LOCAL at DOMAIN.LOCAL
> [2016/07/17 20:31:16.434801, 3]
> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> Kerberos: Client sent patypes: 128
> [2016/07/17 20:31:16.434879, 3]
> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> Kerberos: Looking for PKINIT pa-data -- achim at DOMAIN.LOCAL
> [2016/07/17 20:31:16.434932, 3]
> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> Kerberos: Looking for ENC-TS pa-data -- achim at DOMAIN.LOCAL
> [2016/07/17 20:31:16.435008, 3]
> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> Kerberos: No preauth found, returning PREAUTH-REQUIRED --
> achim at DOMAIN.LOCAL
> [2016/07/17 20:31:16.463167, 3]
> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> Kerberos: AS-REQ achim at DOMAIN.LOCAL from ipv4:192.192.12.101:56933
> for krbtgt/DOMAIN.LOCAL at DOMAIN.LOCAL
> [2016/07/17 20:31:16.464866, 3]
> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> Kerberos: Client sent patypes: encrypted-timestamp, 128
> [2016/07/17 20:31:16.464900, 3]
> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> Kerberos: Looking for PKINIT pa-data -- achim at DOMAIN.LOCAL
> [2016/07/17 20:31:16.464922, 3]
> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> Kerberos: Looking for ENC-TS pa-data -- achim at DOMAIN.LOCAL
> [2016/07/17 20:31:16.464991, 3]
> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> Kerberos: ENC-TS Pre-authentication succeeded -- achim at DOMAIN.LOCAL
> using aes256-cts-hmac-sha1-96
> [2016/07/17 20:31:16.465019, 4]
> ../source4/auth/sam.c:182(authsam_account_ok)
> authsam_account_ok: Checking SMB password for user achim at DOMAIN.LOCAL
> [2016/07/17 20:31:16.465119, 5]
> ../source4/auth/sam.c:116(logon_hours_ok)
> logon_hours_ok: No hours restrictions for user achim at DOMAIN.LOCAL
> [2016/07/17 20:31:16.465149, 5]
> ../source4/auth/sam.c:820(authsam_logon_success_accounting)
> lastLogonTimestamp is 131127322764566420
> [2016/07/17 20:31:16.465263, 5]
> ../source4/auth/sam.c:744(authsam_update_lastlogon_timestamp)
> sync interval is 14
> [2016/07/17 20:31:16.465299, 5]
> ../source4/auth/sam.c:761(authsam_update_lastlogon_timestamp)
> randomised sync interval is 12 (-2)
> [2016/07/17 20:31:16.465320, 5]
> ../source4/auth/sam.c:770(authsam_update_lastlogon_timestamp)
> old timestamp is 131127322764566420, threshold 131122170764651720,
> diff 5151999914700
> [2016/07/17 20:31:16.475116, 3]
> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> Kerberos: AS-REQ authtime: 2016-07-17T20:31:16 starttime: unset
> endtime: 2016-07-18T06:31:10 renew till: 2016-07-24T20:31:16
> [2016/07/17 20:31:16.475259, 3]
> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96,
> aes128-cts-hmac-sha1-96, des3-cbc-sha1, des3-cbc-md5,
> arcfour-hmac-md5, using aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
> [2016/07/17 20:31:16.475321, 3]
> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> Kerberos: Requested flags: renewable, forwardable
> [2016/07/17 20:31:19.510167, 4]
> ../source4/dsdb/repl/drepl_notify.c:463(dreplsrv_notify_schedule)
> dreplsrv_notify_schedule(5) scheduled for: Sun Jul 17 20:31:25 2016
> CEST
> [2016/07/17 20:31:22.509068, 3]
> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> Kerberos: TGS-REQ achim at DOMAIN.LOCAL from ipv4:192.192.12.101:37962
> for DC1$@DOMAIN.LOCAL
> [2016/07/17 20:31:22.514670, 3]
> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> Kerberos: TGS-REQ authtime: 2016-07-17T20:31:16 starttime:
> 2016-07-17T20:31:22 endtime: 2016-07-18T06:31:10 renew till: unset
> [2016/07/17 20:31:24.519075, 4]
> ../source4/dsdb/repl/drepl_notify.c:463(dreplsrv_notify_schedule)
> dreplsrv_notify_schedule(5) scheduled for: Sun Jul 17 20:31:30 2016
> CEST
> [2016/07/17 20:31:26.196142, 3]
> ../source4/smbd/service_stream.c:66(stream_terminate_connection)
> Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
> [2016/07/17 20:31:26.196220, 3]
> ../source4/smbd/process_single.c:114(single_terminate)
> single_terminate: reason[dcesrv: NT_STATUS_CONNECTION_DISCONNECTED]
> [2016/07/17 20:31:26.206726, 3]
> ../source4/smbd/service_stream.c:66(stream_terminate_connection)
> Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
> [2016/07/17 20:31:26.206796, 3]
> ../source4/smbd/process_single.c:114(single_terminate)
>
> Going back to internal DNS fixes the issue.
> Using a wrong password does not segfault winbindd, so the error must
> happen somewhere after password verification (the samba log also
> looks like authentication has succeeded).
>
>
> Here are the config files (no avahi is running on my servers so .local
> causes no problems; also no nscd or unscd is running :-) )
>
> /etc/krb5.conf
> [libdefaults]
> default_realm = DOMAIN.LOCAL
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
> /etc/samba/smb.conf
> [global]
> netbios name = DC1
> realm = DOMAIN.LOCAL
> workgroup = DOMAIN
> dns forwarder = 192.168.100.102
> server role = active directory domain controller
> idmap_ldb:use rfc2307 = yes
> kccsrv:samba_kcc=true
> template shell = /bin/bash
> log level = 5
> max log size = 2000000
> wins support = Yes
> ea support = yes
> store dos attributes = yes
> map readonly = no
> map archive = no
> map system = no
> map hidden = no
> strict allocate = yes
> acl allow execute always = yes
> aio read size = 16384
> aio write size = 16384
> write cache size = 262144
> csc policy = disable
> deadtime = 1
> socket options = TCP_NODELAY SO_KEEPALIVE TCP_KEEPIDLE=60
> TCP_KEEPINTVL=10 TCP_KEEPCNT=5
> idmap config * : range = 3000000-4000000
> smb2 leases = yes
>
> kerberos method = system keytab
> client ldap sasl wrapping = sign
> allow dns updates = nonsecure and secure
> nsupdate command = /usr/bin/nsupdate -g
> server services = -dns
>
> spoolss: architecture = Windows x64
>
> tls cafile=/etc/samba/tls/ca.crt
> tls certfile=/etc/samba/tls/dc1.domain.local.crt
> tls keyfile=/etc/samba/tls/dc1.domain.local.key
>
> [netlogon]
> path = /var/lib/samba/sysvol/domain.local/scripts
> read only = No
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
> [printers]
> comment = All Printers
> path = /var/spool/samba
> browseable = Yes
> read only = No
> printable = Yes
>
> [print$]
> comment = Point and Print Printer Drivers
> path = /var/lib/samba/printers
> read only = No
>
> /etc/nsswitch.conf
>
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages installed, try:
> # `info libc "Name Service Switch"' for information about this file.
>
> passwd: compat winbind
> group: compat winbind
> shadow: compat
> gshadow: files
>
> hosts: files dns wins
> networks: files
>
> protocols: db files
> services: db files
> ethers: db files
> rpc: db files
>
> netgroup: nis
> sudoers: files
>
With the help of https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=784656 I
tracked the issue down to the line
kerberos method = system keytab
If I remove the line or change it to "kerberos method = secrets", logins
as samba users work and bind9 also still seems to work, including dynamic
updates.
That line is recommended in the wiki
https://wiki.samba.org/index.php/Configure_BIND_as_backend_for_Samba_AD
but seems to be no longer needed for bind9-dlz and causes problems with
libpam-winbind.
achim~
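As an added check, not code from the thread, from Samba or from Debian, the following POSIX shell script parses an smb.conf the way Samba does (parameter names compared ignoring case and whitespace, later duplicates win) and flags the combination this thread identified: `server role = active directory domain controller` together with `kerberos method = system keytab`. The sample [global] section it runs on is constructed from the poster's configuration; the function names and the WARN wording are my own.

```shell
#!/bin/sh
# Added example (not code from the thread or from Samba): parse an smb.conf
# and flag "kerberos method = system keytab" on an AD DC, the line the poster
# traced the winbindd crash to. Like Samba, parameter names are matched
# ignoring case and whitespace and a later duplicate overrides an earlier one.
# smbconf_global FILE PARAM -> prints PARAM's value from [global] ("" if unset)
smbconf_global() {
    awk -v want="$2" '
        BEGIN { want = tolower(want); gsub(/[ \t]/, "", want) }
        /^[ \t]*[#;]/ { next }                       # comment lines
        /^[ \t]*\[/ {                                # section header
            insec = (tolower($0) ~ /\[[ \t]*global[ \t]*\]/); next
        }
        insec && index($0, "=") {
            i = index($0, "=")
            key = tolower(substr($0, 1, i - 1)); gsub(/[ \t]/, "", key)
            val = substr($0, i + 1); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == want) found = val             # last definition wins
        }
        END { print found }' "$1"
}

# check_dc_kerberos_method FILE -> 0 if safe, 1 if the risky combination is set
check_dc_kerberos_method() {
    role=$(smbconf_global "$1" 'server role' | tr 'A-Z' 'a-z')
    method=$(smbconf_global "$1" 'kerberos method' | tr 'A-Z' 'a-z')
    [ -z "$method" ] && method=default      # Samba's default, i.e. secrets only
    case "$role" in
        *'active directory domain controller'*) ;;
        *) return 0 ;;                      # not an AD DC: the crash does not apply
    esac
    if [ "$method" = 'system keytab' ]; then
        echo "WARN: $1: 'kerberos method = system keytab' on an AD DC;" \
             "the thread reports pam_winbind logons crashing winbindd" >&2
        return 1
    fi
    return 0
}

# Constructed sample mirroring the poster's [global] section (abridged)
demo() {
    f=$(mktemp)
    printf '%s\n' '[global]' '   realm = DOMAIN.LOCAL' \
        '   server role = active directory domain controller' \
        '   kerberos method = system keytab' '   server services = -dns' > "$f"
    check_dc_kerberos_method "$f" && echo "$f: ok"
    rm -f "$f"
}
demo
```

Run it against a real file with `check_dc_kerberos_method /etc/samba/smb.conf`; a non-zero exit means the configuration matches the one that crashed here.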