Hello dear list!
I'm about to set up winbind to authenticate my proxy users through Active
Directory.
Unfortunately the winbindd daemon crashes while requesting some wbinfo.
Here is a transcript of the problem:
IDCSRV922:~ # cat /etc/krb5.conf
[libdefaults]
default_realm = MY.DOMAIN.COM
[realms]
[logging]
kdc = FILE:/var/log/krb5/krb5kdc.log
admin_server = FILE:/var/log/krb5/kadmind.log
default = SYSLOG:NOTICE:DAEMON
IDCSRV922:~ #
IDCSRV922:/var/log # kinit tlabgouverneur@EU.INFLAB.COM
Password for tlabgouverneur@EU.INFLAB.COM:
IDCSRV922:/var/log # kdestroy
IDCSRV922:/var/log # cat /etc/samba/smb.conf
# smb.conf is the main Samba configuration file. You find a full commented
# version at /usr/share/doc/packages/samba/examples/smb.conf.SUSE if the
# samba-doc package is installed.
# Date: 2006-06-16
[global]
realm = EU.INFLAB.COM
workgroup = EU
socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
netbios name = IDCSRV922
password server = eu.inflab.com
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind separator = +
encrypt passwords = yes
log level = 3 passdb:5 auth:10 winbind:5
winbind uid = 10000-20000
winbind gid = 10000-20000
os level = 20
server string = IDCSRV922
password server = *
prefered master = no
load printers = no
acl compatibility = auto
nt acl support = yes
inherit acls = yes
client schannel = no
idmap uid = 10000-20000
idmap gid = 10000-20000
security = ADS
map to guest = Bad User
IDCSRV922:~ # rcsmb start
Starting Samba SMB daemon - Warning: /var/run/samba/smbd.pid exists. done
IDCSRV922:~ # rcnmb start
Starting Samba NMB daemon done
IDCSRV922:~ # rcwinbind start
Starting Samba WINBIND daemon done
IDCSRV922:~ # wbinfo -t
checking the trust secret via RPC calls succeeded
IDCSRV922:~ # wbinfo -a EU+tlabgouverneur%testpassword
plaintext password authentication succeeded
challenge/response password authentication succeeded
IDCSRV922:~ # wbinfo -m
INFLAB
EU
NA
RES
IDCSRV922:~ # wbinfo -g
Error looking up domain groups
IDCSRV922:~ # ps aux|grep winbind
IDCSRV922:~ #
From here, winbind has crashed and here is what I could find in the logs of
winbind:
===============================================================================
[2007/01/31 17:15:03, 3] nsswitch/winbindd_group.c:winbindd_list_groups(810)
[ 0]: list groups
[2007/01/31 17:15:03, 4]
passdb/secrets.c:secrets_fetch_trust_account_password(282)
Using cleartext machine password
[2007/01/31 17:15:03, 3] lib/util.c:fcntl_lock(1831)
fcntl_lock: fcntl lock gave errno 11 (Resource temporarily unavailable)
[2007/01/31 17:15:03, 3] lib/util.c:fcntl_lock(1850)
fcntl_lock: lock failed at offset 0 count 1 op 13 type 0 (Resource
temporarily unavailable)
[2007/01/31 17:15:03, 5] nsswitch/winbindd_cm.c:receive_getdc_response(526)
Received packet for \MAILSLOT\NET\GETDC23F8640A
[2007/01/31 17:15:03, 3] nsswitch/winbindd_cm.c:cm_get_ipc_userpass(91)
cm_get_ipc_userpass: Retrieved auth-user from secrets.tdb
[EU\tlabgouverneur]
[2007/01/31 17:15:03, 5] nsswitch/winbindd_cm.c:cm_prepare_connection(272)
connecting to IDCSRV914 from IDCSRV922 with kerberos principal
[IDCSRV922$@EU.INFLAB.COM]
[2007/01/31 17:15:03, 3] libsmb/cliconnect.c:cli_session_setup_spnego(710)
Doing spnego session setup (blob length=112)
[2007/01/31 17:15:03, 3] libsmb/cliconnect.c:cli_session_setup_spnego(735)
got OID=1 2 840 48018 1 2 2
[2007/01/31 17:15:03, 3] libsmb/cliconnect.c:cli_session_setup_spnego(735)
got OID=1 2 840 113554 1 2 2
[2007/01/31 17:15:03, 3] libsmb/cliconnect.c:cli_session_setup_spnego(735)
got OID=1 2 840 113554 1 2 2 3
[2007/01/31 17:15:03, 3] libsmb/cliconnect.c:cli_session_setup_spnego(735)
got OID=1 3 6 1 4 1 311 2 2 10
[2007/01/31 17:15:03, 3] libsmb/cliconnect.c:cli_session_setup_spnego(744)
got principal=idcsrv914$@EU.INFLAB.COM
[2007/01/31 17:15:03, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(533)
Doing kerberos session setup
[2007/01/31 17:15:03, 3] libsmb/clikrb5.c:ads_cleanup_expired_creds(416)
ads_cleanup_expired_creds: Ticket in ccache[MEMORY:cliconnect] expiration
Thu, 01 Feb 2007 03:15:01 CET
[2007/01/31 17:15:03, 4]
passdb/secrets.c:secrets_fetch_trust_account_password(282)
Using cleartext machine password
[2007/01/31 17:15:03, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2081)
rpc_pipe_bind: Remote machine IDCSRV914 pipe \NETLOGON fnum 0xc007 bind
request returned ok.
[2007/01/31 17:15:03, 3] lib/util.c:fcntl_lock(1831)
fcntl_lock: fcntl lock gave errno 11 (Resource temporarily unavailable)
[2007/01/31 17:15:03, 3] lib/util.c:fcntl_lock(1850)
fcntl_lock: lock failed at offset 0 count 1 op 13 type 0 (Resource
temporarily unavailable)
[2007/01/31 17:15:03, 5] nsswitch/winbindd_cm.c:receive_getdc_response(526)
Received packet for \MAILSLOT\NET\GETDC25F8640A
[2007/01/31 17:15:04, 5] nsswitch/winbindd_cm.c:receive_getdc_response(526)
Received packet for \MAILSLOT\NET\GETDC25F8640A
[2007/01/31 17:15:04, 5] nsswitch/winbindd_cm.c:receive_getdc_response(526)
Received packet for \MAILSLOT\NET\GETDC25F8640A
[2007/01/31 17:15:05, 5] nsswitch/winbindd_cm.c:receive_getdc_response(526)
Received packet for \MAILSLOT\NET\GETDC25F8640A
[2007/01/31 17:15:05, 5] nsswitch/winbindd_cm.c:receive_getdc_response(526)
Received packet for \MAILSLOT\NET\GETDC25F8640A
[2007/01/31 17:15:06, 3] nsswitch/winbindd_cm.c:cm_get_ipc_userpass(91)
cm_get_ipc_userpass: Retrieved auth-user from secrets.tdb
[EU\tlabgouverneur]
[2007/01/31 17:15:06, 5] nsswitch/winbindd_cm.c:cm_prepare_connection(272)
connecting to IDCSRV916 from IDCSRV922 with kerberos principal
[IDCSRV922$@EU.INFLAB.COM]
[2007/01/31 17:15:06, 3] libsmb/cliconnect.c:cli_session_setup_spnego(710)
Doing spnego session setup (blob length=113)
[2007/01/31 17:15:06, 3] libsmb/cliconnect.c:cli_session_setup_spnego(735)
got OID=1 2 840 48018 1 2 2
[2007/01/31 17:15:06, 3] libsmb/cliconnect.c:cli_session_setup_spnego(735)
got OID=1 2 840 113554 1 2 2
[2007/01/31 17:15:06, 3] libsmb/cliconnect.c:cli_session_setup_spnego(735)
got OID=1 2 840 113554 1 2 2 3
[2007/01/31 17:15:06, 3] libsmb/cliconnect.c:cli_session_setup_spnego(735)
got OID=1 3 6 1 4 1 311 2 2 10
[2007/01/31 17:15:06, 3] libsmb/cliconnect.c:cli_session_setup_spnego(744)
got principal=idcsrv916$@RES.INFLAB.COM
[2007/01/31 17:15:06, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(533)
Doing kerberos session setup
[2007/01/31 17:15:06, 0] lib/fault.c:fault_report(36)
==============================================================
[2007/01/31 17:15:06, 0] lib/fault.c:fault_report(37)
INTERNAL ERROR: Signal 11 in pid 18293 (3.0.22-13.16-SUSE-SLES10)
Please read the Trouble-Shooting section of the Samba3-HOWTO
[2007/01/31 17:15:06, 0] lib/fault.c:fault_report(39)
From: http://www.samba.org/samba/docs/Samba3-HOWTO.pdf
[2007/01/31 17:15:06, 0] lib/fault.c:fault_report(40)
==============================================================
[2007/01/31 17:15:06, 0] lib/util.c:smb_panic2(1554)
PANIC: internal error
[2007/01/31 17:15:06, 0] lib/util.c:smb_panic2(1562)
BACKTRACE: 22 stack frames:
#0 /usr/sbin/winbindd(smb_panic2+0x8a) [0x800b79ea]
#1 /usr/sbin/winbindd(smb_panic+0x19) [0x800b7c49]
#2 /usr/sbin/winbindd [0x800a1fa2]
#3 [0xffffe420]
#4 /usr/lib/libkrb5.so.3(krb5_free_principal+0x63) [0xb7ed0e33]
#5 /usr/lib/libkrb5.so.3(krb5_free_cred_contents+0x2d) [0xb7ed215d]
#6 /usr/lib/libkrb5.so.3(krb5_free_creds+0x29) [0xb7ed2249]
#7 /usr/lib/libkrb5.so.3(krb5_free_tgt_creds+0x2e) [0xb7ed228e]
#8 /usr/lib/libkrb5.so.3(krb5_get_credentials+0x1dc) [0xb7eccc9c]
#9 /usr/sbin/winbindd(cli_krb5_get_ticket+0x4b9) [0x800df4a9]
#10 /usr/sbin/winbindd(spnego_gen_negTokenTarg+0x62) [0x800e09b2]
#11 /usr/sbin/winbindd(cli_session_setup_spnego+0x6a6) [0x800d85f6]
#12 /usr/sbin/winbindd [0x8004eb98]
#13 /usr/sbin/winbindd(set_dc_type_and_flags+0x81) [0x8004ff51]
#14 /usr/sbin/winbindd(find_domain_from_name+0x48) [0x8003c038]
#15 /usr/sbin/winbindd [0x80037293]
#16 /usr/sbin/winbindd(winbindd_list_groups+0x10e) [0x8003790e]
#17 /usr/sbin/winbindd [0x80032777]
#18 /usr/sbin/winbindd [0x80033f08]
#19 /usr/sbin/winbindd(main+0x830) [0x80033210]
#20 /lib/libc.so.6(__libc_start_main+0xdc) [0xb7d1587c]
#21 /usr/sbin/winbindd [0x80031991]
===============================================================================
IDCSRV922:/var/log/samba # winbindd -V
Version 3.0.22-13.16-SUSE-SLES10
As you may see, Kerberos alone is working well (kinit/kdestroy),
but mixed with what seems to be a "bigger" request made by winbind,
it just stops getting an answer and just crashes?!
I know that Kerberos uses UDP for small requests and then switches to TCP
when it needs a bigger answer. But I couldn't find how to restrict it to TCP
only on the client side (not on the KDC).
Anyway, the switch between UDP and TCP should IIRC be automatic and not
need any human intervention, although the TCP port of the Kerberos server
(the Active Directory DC) seems to be working well.
Please take into account that I've tried both with the 3.0.22-13 version of
Samba which is included in my distro, and with the latest stable source
archive from samba.org.
The Kerberos flavour is MIT.
Any help would be greatly appreciated.
Please do not hesitate to ask for more details; as this is my first post, I
do not really know what to provide.
TIA,
--
Thomas Gouverneur
UNIX Assistant
TI Automotive
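A triage sketch for the winbindd log in the post above, as an added example that is not part of the original message: it groups wrapped log lines into records and reports which DC and realm winbindd was negotiating with when the fatal signal was logged, plus the first named stack frame outside the daemon binary. The function names, the abridged sample and the "first non-winbindd frame" heuristic are assumptions of this example.

```python
import re

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*\d+\]")
FRAME = re.compile(r"^#\d+ ([^\s(]+)\((\w+)\+0x[0-9a-f]+\)")

# Constructed sample: lines abridged from the winbindd log in the post above.
SAMPLE_LOG = r"""[2007/01/31 17:15:06, 5] nsswitch/winbindd_cm.c:cm_prepare_connection(272)
connecting to IDCSRV916 from IDCSRV922 with kerberos principal
[IDCSRV922$@EU.INFLAB.COM]
[2007/01/31 17:15:06, 3] libsmb/cliconnect.c:cli_session_setup_spnego(744)
got principal=idcsrv916$@RES.INFLAB.COM
[2007/01/31 17:15:06, 0] lib/fault.c:fault_report(37)
INTERNAL ERROR: Signal 11 in pid 18293 (3.0.22-13.16-SUSE-SLES10)
[2007/01/31 17:15:06, 0] lib/util.c:smb_panic2(1562)
BACKTRACE: 22 stack frames:
#0 /usr/sbin/winbindd(smb_panic2+0x8a) [0x800b79ea]
#3 [0xffffe420]
#4 /usr/lib/libkrb5.so.3(krb5_free_principal+0x63) [0xb7ed0e33]
"""

def records(text):
    """Group lines into records: a timestamped header plus its wrapped lines."""
    recs = []
    for line in text.splitlines():
        if HEADER.match(line):
            recs.append([line])
        elif recs:
            recs[-1].append(line.strip())
    return recs

def triage(text):
    """Report the DC, realms and first library frame at the time of a fatal signal."""
    r = dict.fromkeys(["at", "dc", "local_realm", "dc_realm", "signal", "frame"])
    for lines in records(text):
        msg = " ".join(lines)
        if r["signal"] is None:  # connection state is frozen once the fault is logged
            if m := re.search(r"connecting to (\S+) from .*?\[[^@\s]+@([^\]\s]+)\]", msg):
                r["dc"], r["local_realm"] = m.groups()
            if m := re.search(r"got principal=\S+@(\S+)", msg):
                r["dc_realm"] = m.group(1)
            if m := re.search(r"INTERNAL ERROR: Signal (\d+)", msg):
                r["signal"], r["at"] = int(m.group(1)), HEADER.match(lines[0]).group(1)
        elif r["frame"] is None:
            # Heuristic (assumption): first named frame outside the daemon binary
            hits = [f.groups() for f in map(FRAME.match, lines)
                    if f and not f.group(1).endswith("winbindd")]
            r["frame"] = hits[0] if hits else None
    r["cross_realm"] = bool(r["dc_realm"]) and r["dc_realm"].lower() != str(r["local_realm"]).lower()
    return r
```

On the sample, `triage(SAMPLE_LOG)` reports a session setup from a machine account in EU.INFLAB.COM towards a DC whose principal is in RES.INFLAB.COM, with the first library frame in `krb5_free_principal`.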