2014-04-26 10:57 GMT+02:00 Prunk Dump <prunkdump at gmail.com>:
> Hello,
>
> I can't get Kerberos authentication to work with my Linux clients.
>
> Server : samba 4.1.4 (compiled from source)
> Client : Debian Wheezy with sernet-samba 4.0.17-8
>
> Without Kerberos authentication, everything works :
>
> -> the domain users can log in with pam_winbind (with ssh, gdm ....).
> -> "kinit myuser at MYREALM" works fine.
> -> "wbinfo -K MYDOM\\myuser" works.
> -> all the other winbind-related commands work (wbinfo, id, getent ....).
> -> If I do a standard pam_winbind login followed by the kinit command,
> the user can access all the kerberized services.
>
> But with krb5_auth, if I log in as a domain user through SSH or GDM, the
> Kerberos ticket is created in /tmp/ but I get the following error:
>
> (/var/log/syslog)
> [2014/04/26 10:07:16.362838, 0] ../lib/util/fault.c:72(fault_report)
> ==============================================================
> [2014/04/26 10:07:16.362981, 0] ../lib/util/fault.c:73(fault_report)
> INTERNAL ERROR: Signal 11 in pid 3354 (4.0.17-SerNet-Debian-8.wheezy)
> Please read the Trouble-Shooting section of the Samba HOWTO
> [2014/04/26 10:07:16.363061, 0] ../lib/util/fault.c:75(fault_report)
> ==============================================================
> [2014/04/26 10:07:16.363113, 0] ../source3/lib/util.c:810(smb_panic_s3)
> PANIC (pid 3354): internal error
> [2014/04/26 10:07:16.363588, 0] ../source3/lib/util.c:921(log_stack_trace)
> BACKTRACE: 25 stack frames:
> #0 /usr/lib/x86_64-linux-gnu/samba/libsmbconf.so.0(log_stack_trace+0x2d) [0x7f4b0d47667b]
> #1 /usr/lib/x86_64-linux-gnu/samba/libsmbconf.so.0(smb_panic_s3+0x69) [0x7f4b0d4767a5]
> #2 /usr/lib/x86_64-linux-gnu/samba/libsamba-util.so.0(smb_panic+0x2d) [0x7f4b1266c451]
> #3 /usr/lib/x86_64-linux-gnu/samba/libsamba-util.so.0(+0x1b77e) [0x7f4b1266c77e]
> #4 /lib/x86_64-linux-gnu/libpthread.so.0(+0xf030) [0x7f4b12a9e030]
> #5 /usr/lib/x86_64-linux-gnu/samba/libkrb5-samba4.so.26(krb5_storage_free+0x18) [0x7f4b0ff3043b]
> #6 /usr/lib/x86_64-linux-gnu/samba/libkrb5-samba4.so.26(+0x41ccd) [0x7f4b0ff18ccd]
> #7 /usr/lib/x86_64-linux-gnu/samba/libkrb5-samba4.so.26(krb5_kt_end_seq_get+0x3a) [0x7f4b0ff1817e]
> #8 /usr/lib/x86_64-linux-gnu/samba/libgse.so(+0x9b04) [0x7f4b0e224b04]
> #9 /usr/lib/x86_64-linux-gnu/samba/libgse.so(gse_krb5_get_server_keytab+0x3e8) [0x7f4b0e224f3d]
> #10 /usr/lib/x86_64-linux-gnu/samba/libgse.so(+0xba82) [0x7f4b0e226a82]
> #11 /usr/lib/x86_64-linux-gnu/samba/libgensec.so.0(gensec_start_mech+0x11e) [0x7f4b0f27b3f8]
> #12 /usr/lib/x86_64-linux-gnu/samba/libgensec.so.0(gensec_start_mech_by_oid+0xe1) [0x7f4b0f27b79e]
> #13 /usr/sbin/winbindd(kerberos_return_pac+0x62d) [0x7f4b12efb98d]
> #14 /usr/sbin/winbindd(winbindd_dual_pam_auth+0x70b) [0x7f4b12f0f7e7]
> #15 /usr/sbin/winbindd(+0x5b370) [0x7f4b12f28370]
> #16 /usr/sbin/winbindd(+0x5b60d) [0x7f4b12f2860d]
> #17 /usr/lib/x86_64-linux-gnu/samba/libtevent.so.0(+0x4f3b) [0x7f4b11e07f3b]
> #18 /usr/lib/x86_64-linux-gnu/samba/libtevent.so.0(tevent_common_loop_immediate+0x133) [0x7f4b11e07dca]
> #19 /usr/lib/x86_64-linux-gnu/samba/libsmbconf.so.0(run_events_poll+0x52) [0x7f4b0d497e6b]
> #20 /usr/lib/x86_64-linux-gnu/samba/libsmbconf.so.0(+0x4a1e9) [0x7f4b0d4981e9]
> #21 /usr/lib/x86_64-linux-gnu/samba/libtevent.so.0(_tevent_loop_once+0x91) [0x7f4b11e0723b]
> #22 /usr/sbin/winbindd(main+0xd11) [0x7f4b12efed36]
> #23 /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xfd) [0x7f4b0bd45ead]
> #24 /usr/sbin/winbindd(+0x251d9) [0x7f4b12ef21d9]
> [2014/04/26 10:07:16.364233, 0] ../source3/lib/dumpcore.c:312(dump_core)
> unable to change to /var/log/samba/cores/winbindd
> refusing to dump core
>
>
> (/var/log/auth.log)
> pam_winbind(sshd:auth): getting password (0x00000190)
> pam_winbind(sshd:auth): pam_get_item returned a password
> pam_winbind(sshd:auth): request wbcLogonUser failed:
> WBC_ERR_AUTH_ERROR, PAM error: PAM_SYSTEM_ERR (4), NTSTATUS:
> NT_STATUS_CONNECTION_DISCONNECTED, Error message was:
> NT_STATUS_CONNECTION_DISCONNECTED
> pam_winbind(sshd:auth): internal module error (retval = PAM_SYSTEM_ERR(4), user = 'myuser')
>
>
>
> Any idea how I can fix this problem?
>
> Baptiste.
I have tested with sernet-samba-4.1.7 and samba-4.1.7 compiled from
source. I have got exactly the same error.

Winbindd does not want to save the core, so I can't give extra
debugging information. But with "winbindd -i -d=10" the following
error appears:
-----------------------------
Starting GENSEC mechanism gse_krb5
../source3/librpc/crypto/gse_krb5.c:279: no prev machine password
name_to_fqdn: lookup for SALLEPROFS01 ->
SALLEPROFS01.lyc-guillaume-fichet.ac-grenoble.fr.
../source3/librpc/crypto/gse_krb5.c:416: krb5_kt_start_seq_get failed
(Permission denied)
-----------------------------
Here is the full log (ssh pellegrb at salleprofs01):
-----------------------------
process_request: Handling async request 3570:PAM_AUTH
[ 3570]: pam auth pellegrb
child daemon request 13
child_process_request: request fn PAM_AUTH
[ 3440]: dual pam auth FICHNET\pellegrb
winbindd_dual_pam_auth: domain: FICHNET last was online
winbindd_dual_pam_auth_kerberos
is_myname("FICHNET") returns 0
using ccache: FILE:/tmp/krb5cc_3000137
winbindd_raw_kerberos_login: uid is 3000137
kerberos_kinit_password: as
pellegrb at LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR using
[FILE:/tmp/krb5cc_3000137] as ccache and config
[/usr/local/samba/var/lock/smb_krb5/krb5.conf.FICHNET]
got TGT for pellegrb at LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR in
FILE:/tmp/krb5cc_3000137
valid until: dim., 27 avril 2014 23:49:13 CEST (1398635353)
renewable till: dim., 04 mai 2014 13:49:14 CEST (1399204154)
ads_cleanup_expired_creds: Ticket in ccache[FILE:/tmp/krb5cc_3000137]
expiration dim., 27 avril 2014 23:49:13 CEST
ads_krb5_mk_req: Ticket
(SALLEPROFS01$@LYC-GUILLAUME-FICHET.AC-GRENOBLE.FR) in ccache
(FILE:/tmp/krb5cc_3000137) is valid until: (dim., 27 avril 2014
23:49:13 CEST - 1398635353)
Got KRB5 session key of length 16
Starting GENSEC mechanism gse_krb5
../source3/librpc/crypto/gse_krb5.c:279: no prev machine password
name_to_fqdn: lookup for SALLEPROFS01 ->
SALLEPROFS01.lyc-guillaume-fichet.ac-grenoble.fr.
../source3/librpc/crypto/gse_krb5.c:416: krb5_kt_start_seq_get failed
(Permission non accordée)
==============================================================
INTERNAL ERROR: Signal 11 in pid 3475 (4.1.7)
Please read the Trouble-Shooting section of the Samba HOWTO
==============================================================
PANIC (pid 3475): internal error
BACKTRACE: 35 stack frames:
#0 /usr/local/samba/lib/libsmbconf.so.0(log_stack_trace+0x1f) [0x7f781b359766]
#1 /usr/local/samba/lib/libsmbconf.so.0(smb_panic_s3+0x6c) [0x7f781b3595df]
#2 /usr/local/samba/lib/libsamba-util.so.0(smb_panic+0x28) [0x7f781e8b32cb]
#3 /usr/local/samba/lib/libsamba-util.so.0(+0x1dfd3) [0x7f781e8b2fd3]
#4 /usr/local/samba/lib/libsamba-util.so.0(+0x1dfe8) [0x7f781e8b2fe8]
#5 /lib/x86_64-linux-gnu/libpthread.so.0(+0xf030) [0x7f781ff7d030]
#6 /usr/local/samba/lib/private/libkrb5-samba4.so.26(krb5_storage_free+0x10)
[0x7f781d1d0fb5]
#7 /usr/local/samba/lib/private/libkrb5-samba4.so.26(+0x499e1) [0x7f781d1b69e1]
#8 /usr/local/samba/lib/private/libkrb5-samba4.so.26(krb5_kt_end_seq_get+0x68)
[0x7f781d1b4f59]
#9 /usr/local/samba/lib/private/libgse.so(+0xb0ae) [0x7f781a4820ae]
#10 /usr/local/samba/lib/private/libgse.so(gse_krb5_get_server_keytab+0x187)
[0x7f781a48263b]
#11 /usr/local/samba/lib/private/libgse.so(+0xc11e) [0x7f781a48311e]
#12 /usr/local/samba/lib/private/libgse.so(+0xd17b) [0x7f781a48417b]
#13 /usr/local/samba/lib/libgensec.so.0(gensec_start_mech+0x19e)
[0x7f781a8ddccb]
#14 /usr/local/samba/lib/libgensec.so.0(gensec_start_mech_by_oid+0x111)
[0x7f781a8de085]
#15 /usr/local/samba/sbin/winbindd(kerberos_return_pac+0x87f) [0x7f78203dadb6]
#16 /usr/local/samba/sbin/winbindd(+0x46f12) [0x7f78203f2f12]
#17 /usr/local/samba/sbin/winbindd(+0x487f7) [0x7f78203f47f7]
#18 /usr/local/samba/sbin/winbindd(winbindd_dual_pam_auth+0x385)
[0x7f78203f5de4]
#19 /usr/local/samba/sbin/winbindd(+0x64189) [0x7f7820410189]
#20 /usr/local/samba/sbin/winbindd(+0x66bf1) [0x7f7820412bf1]
#21 /usr/local/samba/lib/private/libtevent.so.0(+0xcc2d) [0x7f781e043c2d]
#22 /usr/local/samba/lib/private/libtevent.so.0(+0xd23b) [0x7f781e04423b]
#23 /usr/local/samba/lib/private/libtevent.so.0(+0x9fbb) [0x7f781e040fbb]
#24 /usr/local/samba/lib/private/libtevent.so.0(_tevent_loop_once+0xf4)
[0x7f781e03b492]
#25 /usr/local/samba/sbin/winbindd(+0x67851) [0x7f7820413851]
#26 /usr/local/samba/sbin/winbindd(+0x631f8) [0x7f782040f1f8]
#27 /usr/local/samba/lib/private/libtevent.so.0(+0x56c6) [0x7f781e03c6c6]
#28
/usr/local/samba/lib/private/libtevent.so.0(tevent_common_loop_immediate+0x1f5)
[0x7f781e03c358]
#29 /usr/local/samba/lib/private/libtevent.so.0(+0xd18b) [0x7f781e04418b]
#30 /usr/local/samba/lib/private/libtevent.so.0(+0x9fbb) [0x7f781e040fbb]
#31 /usr/local/samba/lib/private/libtevent.so.0(_tevent_loop_once+0xf4)
[0x7f781e03b492]
#32 /usr/local/samba/sbin/winbindd(main+0xd15) [0x7f78203dec51]
#33 /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xfd) [0x7f78188ddead]
#34 /usr/local/samba/sbin/winbindd(+0x25229) [0x7f78203d1229]
unable to change to /usr/local/samba/var/cores/winbindd
refusing to dump core
wb_request_done[3570:PAM_AUTH]: NT_STATUS_CONNECTION_DISCONNECTED
Already reaped child 3475 died
winbind_client_response_written[3570:PAM_AUTH]: delivered response to client
process_request: Handling async request 3570:GETPWNAM
getpwnam pellegrb
wbint_LookupName: struct wbint_LookupName
in: struct wbint_LookupName
domain : *
domain : 'FICHNET'
name : *
name : 'PELLEGRB'
flags : 0x00000008 (8)
wbint_LookupName: struct wbint_LookupName
out: struct wbint_LookupName
type : *
type : SID_NAME_USER (1)
sid : *
sid :
S-1-5-21-1691533938-518786298-626738373-1217
result : NT_STATUS_OK
wbint_QueryUser: struct wbint_QueryUser
in: struct wbint_QueryUser
sid : *
sid :
S-1-5-21-1691533938-518786298-626738373-1217
wbint_QueryUser: struct wbint_QueryUser
out: struct wbint_QueryUser
info : *
info: struct wbint_userinfo
acct_name : *
acct_name : 'pellegrb'
full_name : NULL
homedir : *
homedir :
'/home/teachers/pellegrb'
shell : *
shell : '/bin/bash'
primary_gid : 0x00000000002dc6e6 (3000038)
user_sid :
S-1-5-21-1691533938-518786298-626738373-1217
group_sid :
S-1-5-21-1691533938-518786298-626738373-1118
result : NT_STATUS_OK
SID 0: S-1-5-21-1691533938-518786298-626738373-1217
Parsing value for key
[IDMAP/SID2XID/S-1-5-21-1691533938-518786298-626738373-1217]:
value=[3000137:U]
Parsing value for key
[IDMAP/SID2XID/S-1-5-21-1691533938-518786298-626738373-1217]:
id=[3000137], endptr=[:U]
find_lookup_domain_from_sid(S-1-5-21-1691533938-518786298-626738373-1118)
calling find_our_domain
wbint_LookupSid: struct wbint_LookupSid
in: struct wbint_LookupSid
sid : *
sid :
S-1-5-21-1691533938-518786298-626738373-1118
wbint_LookupSid: struct wbint_LookupSid
out: struct wbint_LookupSid
type : *
type : SID_NAME_DOM_GRP (2)
domain : *
domain : *
domain : 'FICHNET'
name : *
name : *
name : 'teachers'
result : NT_STATUS_OK
SID 0: S-1-5-21-1691533938-518786298-626738373-1118
Parsing value for key
[IDMAP/SID2XID/S-1-5-21-1691533938-518786298-626738373-1118]:
value=[3000038:G]
Parsing value for key
[IDMAP/SID2XID/S-1-5-21-1691533938-518786298-626738373-1118]:
id=[3000038], endptr=[:G]
wb_request_done[3570:GETPWNAM]: NT_STATUS_OK
winbind_client_response_written[3570:GETPWNAM]: delivered response to client
closing socket 24, client exited
-----------------------------
Please help !
Thanks.
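
Added example (not part of the original post and not Samba code): a small Python triage helper that pairs the last failed call logged before the panic with the symbolized frames in the backtrace, tolerating the mail-wrapped and `>`-quoted frame lines seen above. The sample log is a shortened excerpt constructed from the output in this message; `triage` and its field names are hypothetical.

```python
import re

# Constructed sample: a shortened excerpt of the "winbindd -i -d=10" output above.
SAMPLE_LOG = """\
../source3/librpc/crypto/gse_krb5.c:416: krb5_kt_start_seq_get failed
(Permission denied)
INTERNAL ERROR: Signal 11 in pid 3475 (4.1.7)
BACKTRACE: 35 stack frames:
#2 /usr/local/samba/lib/libsamba-util.so.0(smb_panic+0x28) [0x7f781e8b32cb]
#5 /lib/x86_64-linux-gnu/libpthread.so.0(+0xf030) [0x7f781ff7d030]
#6 /usr/local/samba/lib/private/libkrb5-samba4.so.26(krb5_storage_free+0x10)
[0x7f781d1d0fb5]
#8 /usr/local/samba/lib/private/libkrb5-samba4.so.26(krb5_kt_end_seq_get+0x68)
[0x7f781d1b4f59]
#10 /usr/local/samba/lib/private/libgse.so(gse_krb5_get_server_keytab+0x187)
[0x7f781a48263b]
#15 /usr/local/samba/sbin/winbindd(kerberos_return_pac+0x87f) [0x7f78203dadb6]
"""

FAILED = re.compile(r"(\S+\.c:\d+): (\w+) failed \(([^)]*)\)")
PANIC = re.compile(r"INTERNAL ERROR: Signal (\d+) in pid (\d+)")
FRAME = re.compile(r"#\d+\s+\S*/([^/\s(]+)\((\w+)\+0x[0-9a-f]+\)")
# Frames of the panic reporting path itself, not of the faulting call chain.
HANDLER = {"log_stack_trace", "smb_panic_s3", "smb_panic"}


def triage(log):
    """Return signal, pid, last failed call before the panic, and fault chain."""
    # Undo mail wrapping and drop '>' quote markers so each frame is one unit.
    text = re.sub(r"\s*\n[>\s]*", " ", log)
    panic = PANIC.search(text)
    if panic is None:
        return None
    failures = FAILED.findall(text[:panic.start()])
    # Keep symbolized frames only; bare "(+0x...)" offsets carry no name.
    chain = [(lib, fn) for lib, fn in FRAME.findall(text[panic.end():])
             if fn not in HANDLER]
    return {
        "signal": int(panic.group(1)),
        "pid": int(panic.group(2)),
        "last_failure": failures[-1] if failures else None,
        "fault_chain": chain,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```
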