FS#52621 - [samba] Winbindd crashes when configured to use system keytab

Attached to Project: Arch Linux
Opened by André (lianse) - Wednesday, 18 January 2017, 18:07 GMT
Last edited by Tobias Powalowski (tpowa) - Friday, 01 April 2022, 10:26 GMT
Task Type Bug Report
Category Packages: Extra
Status Closed
Assigned To Tobias Powalowski (tpowa)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description:
When the system is member of an Microsoft Active Directory Domain and samba is configured to use the system keytab for verification, winbind crashes with SIGSEV on every authentification attemp. This makes it impossible to authenticate domain users win pam_winbind.


Additional info:
* Samba 4.5.3-1

Steps to reproduce:
- have a current Micosoft compatible AD at hand
- set "kerberos method = secrets and keytab" in [global] section in /etc/samba/smb.conf
- join the system into an AD domain with samba `net ads join`
- check /etc/krb5.keytab has been created and has the right permissions (600)
- from a non-root user try to authenticate with winbindd by Kerberos (wbinfo -K <domainuser>)

observations from various test runs:
- on ubuntu 16.04.1 LTS (with Samba 4.3.11) winbind doesn't segfault
- when /etc/krb5.keytab is a world readable 0-Byte file winbind segfaults another way
- when changing file mode of /etc/krb5.keytab to 640 winbind doesn't segfault and succeeds with authentication, so this is a good workaroud to get it working (i.e. not trigger the free() BUG)


From my point of view this looks like a BUG in the error handling/cleanup part of the fill_mem_keytab_from_secrets function in gse_krb5.c

Here is the relevant part of my /var/log/samba/log.wb-DOMAIN (more on request)
[2017/01/18 18:51:36.291439, 1, pid=563, effective(31104, 0), real(31104, 0)] ../source3/librpc/crypto/gse_krb5.c:449(fill_mem_keytab_from_system_keytab)
../source3/librpc/crypto/gse_krb5.c:449: krb5_kt_start_seq_get failed (Permission denied)
[2017/01/18 18:51:36.291471, 0, pid=563, effective(31104, 0), real(31104, 0)] ../lib/util/fault.c:78(fault_report)
===============================================================
[2017/01/18 18:51:36.291500, 0, pid=563, effective(31104, 0), real(31104, 0)] ../lib/util/fault.c:79(fault_report)
INTERNAL ERROR: Signal 11 in pid 563 (4.5.3)
Please read the Trouble-Shooting section of the Samba HOWTO
[2017/01/18 18:51:36.291525, 0, pid=563, effective(31104, 0), real(31104, 0)] ../lib/util/fault.c:81(fault_report)
===============================================================
[2017/01/18 18:51:36.291542, 0, pid=563, effective(31104, 0), real(31104, 0)] ../source3/lib/util.c:791(smb_panic_s3)
PANIC (pid 563): internal error
[2017/01/18 18:51:36.291929, 0, pid=563, effective(31104, 0), real(31104, 0)] ../source3/lib/util.c:902(log_stack_trace)
BACKTRACE: 27 stack frames:
#0 /usr/lib/libsmbconf.so.0(log_stack_trace+0x1c) [0x7f92b0b226ec]
#1 /usr/lib/libsmbconf.so.0(smb_panic_s3+0x20) [0x7f92b0b227c0]
#2 /usr/lib/libsamba-util.so.0(smb_panic+0x2f) [0x7f92b3e7186f]
#3 /usr/lib/libsamba-util.so.0(+0x1ba86) [0x7f92b3e71a86]
#4 /usr/lib/libpthread.so.0(+0x11080) [0x7f92b58e0080]
#5 /usr/lib/samba/libkrb5-samba4.so.26(krb5_storage_free+0x1) [0x7f92b28ef1e1]
#6 /usr/lib/samba/libkrb5-samba4.so.26(+0x3a845) [0x7f92b28db845]
#7 /usr/lib/samba/libgse-samba4.so(+0x9626) [0x7f92af46f626]
#8 /usr/lib/samba/libgse-samba4.so(gse_krb5_get_server_keytab+0x14b) [0x7f92af46fbab]
#9 /usr/lib/samba/libgse-samba4.so(+0xb65b) [0x7f92af47165b]
#10 /usr/lib/samba/libgensec-samba4.so(gensec_start_mech+0xb1) [0x7f92af253661]
#11 /usr/lib/samba/libgensec-samba4.so(gensec_start_mech_by_oid+0x26) [0x7f92af253996]
#12 /usr/bin/winbindd(kerberos_return_pac+0x39f) [0x55e0edc4a32f]
#13 /usr/bin/winbindd(winbindd_dual_pam_auth+0x1261) [0x55e0edc69b31]
#14 /usr/bin/winbindd(+0x5b704) [0x55e0edc80704]
#15 /usr/lib/libtevent.so.0(+0xb0d3) [0x7f92ad9310d3]
#16 /usr/lib/libtevent.so.0(+0x94a7) [0x7f92ad92f4a7]
#17 /usr/lib/libtevent.so.0(_tevent_loop_once+0x9d) [0x7f92ad92b27d]
#18 /usr/bin/winbindd(+0x5dafc) [0x55e0edc82afc]
#19 /usr/bin/winbindd(+0x5e205) [0x55e0edc83205]
#20 /usr/lib/libtevent.so.0(tevent_common_loop_immediate+0xd4) [0x7f92ad92bc44]
#21 /usr/lib/libtevent.so.0(+0xaebd) [0x7f92ad930ebd]
#22 /usr/lib/libtevent.so.0(+0x94a7) [0x7f92ad92f4a7]
#23 /usr/lib/libtevent.so.0(_tevent_loop_once+0x9d) [0x7f92ad92b27d]
#24 /usr/bin/winbindd(main+0xbc8) [0x55e0edc49698]
#25 /usr/lib/libc.so.6(__libc_start_main+0xf1) [0x7f92ad5a8291]
#26 /usr/bin/winbindd(_start+0x2a) [0x55e0edc49d2a]
This task depends upon

Closed by  Tobias Powalowski (tpowa)
Friday, 01 April 2022, 10:26 GMT
Reason for closing:  No response
Comment by Tobias Powalowski (tpowa) - Monday, 28 March 2022, 08:03 GMT
Still an issue?

Loading...