Christian Ullrich
2012-Dec-30 18:02 UTC
[Samba] Core dump trying to join domain on FreeBSD
Hello all, I have been trying for a while now to join a FreeBSD machine to an existing AD domain, using Samba 3.6. What happens is this: [root at infra1 ~]# net ads join -U Administrator at MY.REALM Enter Administrator at MY.REALM's password: net: sha1 checksum failed Abort trap: 6 (Speicherabzug geschrieben) I can see the newly created computer object in AD, and it does not make a difference when I create it manually before trying the join. kinit works (but contrary to documentation, "net ads join" does not automatically use the kinit'ed user for authentication). Samba is version 3.6.9, Kerberos is heimdal 1.5.2. I have the exact same problem on both FreeBSD 8 and 9. I suspect this is actually caused by some setting on the DC, but I cannot figure out which. The last lines in the output of net -d 5 ads join -U Administrator at MY.REALM are: rpc_api_pipe: host dc2.my.domain rpc_read_send: data_to_read: 32 sitename_fetch: Returning sitename for MY.REALM: "MySiteName" name dc2.my.domain#20 found. ads_try_connect: sending CLDAP request to xxx.yyy.zzz.12 (realm: my.domain) Successfully contacted LDAP server xxx.yyy.zzz.12 Connected to LDAP server dc2.my.domain time offset is 0 seconds Found SASL mechanism GSS-SPNEGO ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2 ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2 ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2.3 ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10 ads_sasl_spnego_bind: got server principal name = not_defined_in_RFC4178 at please_ignore net: sha1 checksum failed I have tried getting a backtrace, but I only get garbage from both the core dump and when I run the program in gdb directly. If anyone could give me a hint how to get a meaningful backtrace, I would very much appreciate it. I have already built Samba, heimdal and the system libc with debug symbols, but the only effect was that, instead of 20 lines of backtrace with unlikely addresses, now I get only three followed by "Error accessing memory, bad address". -- Christian
On Sun, 2012-12-30 at 19:02 +0100, Christian Ullrich wrote:> Hello all, > > I have been trying for a while now to join a FreeBSD machine to an > existing AD domain, using Samba 3.6. What happens is this: > > > [root at infra1 ~]# net ads join -U Administrator at MY.REALM > Enter Administrator at MY.REALM's password: > net: sha1 checksum failed > Abort trap: 6 (Speicherabzug geschrieben) > > > I can see the newly created computer object in AD, and it does not make > a difference when I create it manually before trying the join. kinit > works (but contrary to documentation, "net ads join" does not > automatically use the kinit'ed user for authentication). > > Samba is version 3.6.9, Kerberos is heimdal 1.5.2. I have the exact same > problem on both FreeBSD 8 and 9. > > I suspect this is actually caused by some setting on the DC, but I > cannot figure out which. The last lines in the output of > > net -d 5 ads join -U Administrator at MY.REALM > > are: > > rpc_api_pipe: host dc2.my.domain > rpc_read_send: data_to_read: 32 > sitename_fetch: Returning sitename for MY.REALM: "MySiteName" > name dc2.my.domain#20 found. > ads_try_connect: sending CLDAP request to xxx.yyy.zzz.12 (realm: my.domain) > Successfully contacted LDAP server xxx.yyy.zzz.12 > Connected to LDAP server dc2.my.domain > time offset is 0 seconds > Found SASL mechanism GSS-SPNEGO > ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2 > ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2 > ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2.3 > ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10 > ads_sasl_spnego_bind: got server principal name = > not_defined_in_RFC4178 at please_ignore > net: sha1 checksum failed > > > I have tried getting a backtrace, but I only get garbage from both the > core dump and when I run the program in gdb directly. If anyone could > give me a hint how to get a meaningful backtrace, I would very much > appreciate it. I have already built Samba, heimdal and the system libc > with debug symbols, but the only effect was that, instead of 20 lines of > backtrace with unlikely addresses, now I get only three followed by > "Error accessing memory, bad address".The error certainly does seem to be coming from Heimdal - that error string only exists in Heimdal, not in Samba. If you can run it under valgrind, we might get more of a hint as to why there is invalid memory (I can't think of any other reason why this might fail - a checksum doesn't really fail like this even in 'failure' modes). Andrew Bartlett -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org