Achim Gottinger
2016-Jul-17 18:54 UTC
[Samba] Winbindd segfaults with bind9-dlz trying to login via libwinbind-pam
Hello,
I just found an odd behaviour here on my test environment (Debian
jessie with Samba 4.4.5 backported from sid).
I create an AD DC as usual, adjust nsswitch.conf and enable
pam-auth-winbind (running pam-auth-update). I also define /bin/bash as
template shell.
Now after I create a Samba user and the user's home directory
(/home/DOMAIN/achim),
I can log in with that account on the console.
Then I switch to the bind9 DLZ backend (samba_upgradedns
--dns-backend=BIND9_DLZ), adjust bind and samba settings and verify
/var/lib/samba/private/dns.keytab read access for the bind group.
Name resolution works and Windows clients are able to enter their DNS
records.
But if I try to log in as the previously working Samba user achim I get:
root@dc1:~# login achim
Password:
Login incorrect
dc1 login:
/var/log/auth.log
Jul 17 20:23:28 dc1 login[1724]: pam_unix(login:auth): authentication
failure; logname=root uid=0 euid=0 tty=/dev/pts/0 ruser= rhost= user=achim
Jul 17 20:23:28 dc1 login[1724]: pam_winbind(login:auth): getting
password (0x00000388)
Jul 17 20:23:28 dc1 login[1724]: pam_winbind(login:auth): pam_get_item
returned a password
Jul 17 20:23:28 dc1 login[1724]: pam_winbind(login:auth): request
wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_SYSTEM_ERR (4),
NTSTATUS: NT_STATUS_CONNECTION_DISCONNECTED, Error message was: The
transport connection is now disconnected.
Jul 17 20:23:28 dc1 login[1724]: pam_winbind(login:auth): internal
module error (retval = PAM_SYSTEM_ERR(4), user = 'achim')
Jul 17 20:23:30 dc1 login[1724]: FAILED LOGIN (1) on '/dev/pts/0' FOR
'achim', Authentication failure
/var/log/syslog shows winbindd segfaults but is not able to write a
core dump file. (Folder /var/log/samba/cores/winbindd exists with mode 1700)
Jul 17 20:23:28 dc1 winbindd[1620]: [2016/07/17 20:23:28.659642, 0]
../lib/util/fault.c:78(fault_report)
Jul 17 20:23:28 dc1 winbindd[1620]:
==============================================================
Jul 17 20:23:28 dc1 winbindd[1620]: [2016/07/17 20:23:28.659714, 0]
../lib/util/fault.c:79(fault_report)
Jul 17 20:23:28 dc1 winbindd[1620]: INTERNAL ERROR: Signal 11 in pid
1620 (4.4.5-Debian)
Jul 17 20:23:28 dc1 winbindd[1620]: Please read the Trouble-Shooting
section of the Samba HOWTO
Jul 17 20:23:28 dc1 winbindd[1620]: [2016/07/17 20:23:28.659759, 0]
../lib/util/fault.c:81(fault_report)
Jul 17 20:23:28 dc1 winbindd[1620]:
==============================================================
Jul 17 20:23:28 dc1 winbindd[1620]: [2016/07/17 20:23:28.659789, 0]
../source3/lib/util.c:791(smb_panic_s3)
Jul 17 20:23:28 dc1 winbindd[1620]: PANIC (pid 1620): internal error
Jul 17 20:23:28 dc1 winbindd[1620]: [2016/07/17 20:23:28.701122, 0]
../source3/lib/util.c:902(log_stack_trace)
Jul 17 20:23:28 dc1 winbindd[1620]: BACKTRACE: 27 stack frames:
Jul 17 20:23:28 dc1 winbindd[1620]: #0
/usr/lib/x86_64-linux-gnu/libsmbconf.so.0(log_stack_trace+0x1a)
[0x7f177df19cba]
Jul 17 20:23:28 dc1 winbindd[1620]: #1
/usr/lib/x86_64-linux-gnu/libsmbconf.so.0(smb_panic_s3+0x20)
[0x7f177df19da0]
Jul 17 20:23:28 dc1 winbindd[1620]: #2
/usr/lib/x86_64-linux-gnu/libsamba-util.so.0(smb_panic+0x2f)
[0x7f17814cb96f]
Jul 17 20:23:28 dc1 winbindd[1620]: #3
/usr/lib/x86_64-linux-gnu/libsamba-util.so.0(+0x1bb8f) [0x7f17814cbb8f]
Jul 17 20:23:28 dc1 winbindd[1620]: #4
/lib/x86_64-linux-gnu/libpthread.so.0(+0xf8d0) [0x7f1782f978d0]
Jul 17 20:23:28 dc1 winbindd[1620]: #5
/usr/lib/x86_64-linux-gnu/samba/libkrb5-samba4.so.26(krb5_storage_free+0x1)
[0x7f177ff2c061]
Jul 17 20:23:28 dc1 winbindd[1620]: #6
/usr/lib/x86_64-linux-gnu/samba/libkrb5-samba4.so.26(+0x382f5)
[0x7f177ff182f5]
Jul 17 20:23:28 dc1 winbindd[1620]: #7
/usr/lib/x86_64-linux-gnu/samba/libgse.so.0(+0x90d6) [0x7f177c8290d6]
Jul 17 20:23:28 dc1 winbindd[1620]: #8
/usr/lib/x86_64-linux-gnu/samba/libgse.so.0(gse_krb5_get_server_keytab+0x11d)
[0x7f177c82962d]
Jul 17 20:23:28 dc1 winbindd[1620]: #9
/usr/lib/x86_64-linux-gnu/samba/libgse.so.0(+0xb15a) [0x7f177c82b15a]
Jul 17 20:23:28 dc1 winbindd[1620]: #10
/usr/lib/x86_64-linux-gnu/samba/libgensec.so.0(gensec_start_mech+0xb1)
[0x7f177c605e91]
Jul 17 20:23:28 dc1 winbindd[1620]: #11
/usr/lib/x86_64-linux-gnu/samba/libgensec.so.0(gensec_start_mech_by_oid+0x26)
[0x7f177c6061d6]
Jul 17 20:23:28 dc1 winbindd[1620]: #12
/usr/sbin/winbindd(kerberos_return_pac+0x419) [0x7f17833f6a69]
Jul 17 20:23:28 dc1 winbindd[1620]: #13
/usr/sbin/winbindd(winbindd_dual_pam_auth+0x1248) [0x7f1783416008]
Jul 17 20:23:28 dc1 winbindd[1620]: #14 /usr/sbin/winbindd(+0x5c8d4)
[0x7f178342c8d4]
Jul 17 20:23:28 dc1 winbindd[1620]: #15
/usr/lib/x86_64-linux-gnu/libtevent.so.0(+0x9d23) [0x7f177af11d23]
Jul 17 20:23:28 dc1 winbindd[1620]: #16
/usr/lib/x86_64-linux-gnu/libtevent.so.0(+0x8217) [0x7f177af10217]
Jul 17 20:23:28 dc1 winbindd[1620]: #17
/usr/lib/x86_64-linux-gnu/libtevent.so.0(_tevent_loop_once+0x8d)
[0x7f177af0c43d]
Jul 17 20:23:28 dc1 winbindd[1620]: #18 /usr/sbin/winbindd(+0x5ec48)
[0x7f178342ec48]
Jul 17 20:23:28 dc1 winbindd[1620]: #19 /usr/sbin/winbindd(+0x5f345)
[0x7f178342f345]
Jul 17 20:23:28 dc1 winbindd[1620]: #20
/usr/lib/x86_64-linux-gnu/libtevent.so.0(tevent_common_loop_immediate+0xd4)
[0x7f177af0cc74]
Jul 17 20:23:28 dc1 winbindd[1620]: #21
/usr/lib/x86_64-linux-gnu/libtevent.so.0(+0x9aee) [0x7f177af11aee]
Jul 17 20:23:28 dc1 winbindd[1620]: #22
/usr/lib/x86_64-linux-gnu/libtevent.so.0(+0x8217) [0x7f177af10217]
Jul 17 20:23:28 dc1 winbindd[1620]: #23
/usr/lib/x86_64-linux-gnu/libtevent.so.0(_tevent_loop_once+0x8d)
[0x7f177af0c43d]
Jul 17 20:23:28 dc1 winbindd[1620]: #24
/usr/sbin/winbindd(main+0xbc4) [0x7f17833f5d64]
Jul 17 20:23:28 dc1 winbindd[1620]: #25
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf5) [0x7f177a921b45]
Jul 17 20:23:28 dc1 winbindd[1620]: #26 /usr/sbin/winbindd(+0x263f0)
[0x7f17833f63f0]
Jul 17 20:23:28 dc1 winbindd[1620]: [2016/07/17 20:23:28.711374, 0]
../source3/lib/dumpcore.c:298(dump_core)
Jul 17 20:23:28 dc1 winbindd[1620]: unable to change to
/var/log/samba/cores/winbindd
Jul 17 20:23:28 dc1 winbindd[1620]: refusing to dump core
/var/log/samba/log.samba (loglevel 5) shows preauth succeeded
[2016/07/17 20:31:16.430264, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: AS-REQ achim@DOMAIN.LOCAL from ipv4:192.192.12.101:54231
for krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL
[2016/07/17 20:31:16.434801, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Client sent patypes: 128
[2016/07/17 20:31:16.434879, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Looking for PKINIT pa-data -- achim@DOMAIN.LOCAL
[2016/07/17 20:31:16.434932, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Looking for ENC-TS pa-data -- achim@DOMAIN.LOCAL
[2016/07/17 20:31:16.435008, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: No preauth found, returning PREAUTH-REQUIRED --
achim@DOMAIN.LOCAL
[2016/07/17 20:31:16.463167, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: AS-REQ achim@DOMAIN.LOCAL from ipv4:192.192.12.101:56933
for krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL
[2016/07/17 20:31:16.464866, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Client sent patypes: encrypted-timestamp, 128
[2016/07/17 20:31:16.464900, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Looking for PKINIT pa-data -- achim@DOMAIN.LOCAL
[2016/07/17 20:31:16.464922, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Looking for ENC-TS pa-data -- achim@DOMAIN.LOCAL
[2016/07/17 20:31:16.464991, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: ENC-TS Pre-authentication succeeded -- achim@DOMAIN.LOCAL
using aes256-cts-hmac-sha1-96
[2016/07/17 20:31:16.465019, 4]
../source4/auth/sam.c:182(authsam_account_ok)
authsam_account_ok: Checking SMB password for user achim@DOMAIN.LOCAL
[2016/07/17 20:31:16.465119, 5] ../source4/auth/sam.c:116(logon_hours_ok)
logon_hours_ok: No hours restrictions for user achim@DOMAIN.LOCAL
[2016/07/17 20:31:16.465149, 5]
../source4/auth/sam.c:820(authsam_logon_success_accounting)
lastLogonTimestamp is 131127322764566420
[2016/07/17 20:31:16.465263, 5]
../source4/auth/sam.c:744(authsam_update_lastlogon_timestamp)
sync interval is 14
[2016/07/17 20:31:16.465299, 5]
../source4/auth/sam.c:761(authsam_update_lastlogon_timestamp)
randomised sync interval is 12 (-2)
[2016/07/17 20:31:16.465320, 5]
../source4/auth/sam.c:770(authsam_update_lastlogon_timestamp)
old timestamp is 131127322764566420, threshold 131122170764651720,
diff 5151999914700
[2016/07/17 20:31:16.475116, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: AS-REQ authtime: 2016-07-17T20:31:16 starttime: unset
endtime: 2016-07-18T06:31:10 renew till: 2016-07-24T20:31:16
[2016/07/17 20:31:16.475259, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96,
aes128-cts-hmac-sha1-96, des3-cbc-sha1, des3-cbc-md5, arcfour-hmac-md5,
using aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
[2016/07/17 20:31:16.475321, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: Requested flags: renewable, forwardable
[2016/07/17 20:31:19.510167, 4]
../source4/dsdb/repl/drepl_notify.c:463(dreplsrv_notify_schedule)
dreplsrv_notify_schedule(5) scheduled for: Sun Jul 17 20:31:25 2016 CEST
[2016/07/17 20:31:22.509068, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: TGS-REQ achim@DOMAIN.LOCAL from ipv4:192.192.12.101:37962
for DC1$@DOMAIN.LOCAL
[2016/07/17 20:31:22.514670, 3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
Kerberos: TGS-REQ authtime: 2016-07-17T20:31:16 starttime:
2016-07-17T20:31:22 endtime: 2016-07-18T06:31:10 renew till: unset
[2016/07/17 20:31:24.519075, 4]
../source4/dsdb/repl/drepl_notify.c:463(dreplsrv_notify_schedule)
dreplsrv_notify_schedule(5) scheduled for: Sun Jul 17 20:31:30 2016 CEST
[2016/07/17 20:31:26.196142, 3]
../source4/smbd/service_stream.c:66(stream_terminate_connection)
Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
[2016/07/17 20:31:26.196220, 3]
../source4/smbd/process_single.c:114(single_terminate)
single_terminate: reason[dcesrv: NT_STATUS_CONNECTION_DISCONNECTED]
[2016/07/17 20:31:26.206726, 3]
../source4/smbd/service_stream.c:66(stream_terminate_connection)
Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
[2016/07/17 20:31:26.206796, 3]
../source4/smbd/process_single.c:114(single_terminate)
Going back to the internal DNS fixes the issue.
Using a wrong password does not segfault winbindd so the error must
happen at some place after password verification (also the samba log
looks like authentication has succeeded).
Here are the config files (no avahi running on my servers so .local
causes no problems, also no nscd or unscd is running :-) )
/etc/krb5.conf
[libdefaults]
default_realm = DOMAIN.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = true
/etc/samba/smb.conf
[global]
netbios name = DC1
realm = DOMAIN.LOCAL
workgroup = DOMAIN
dns forwarder = 192.168.100.102
server role = active directory domain controller
idmap_ldb:use rfc2307 = yes
kccsrv:samba_kcc=true
template shell = /bin/bash
log level = 5
max log size = 2000000
wins support = Yes
ea support = yes
store dos attributes = yes
map readonly = no
map archive = no
map system = no
map hidden = no
strict allocate = yes
acl allow execute always = yes
aio read size = 16384
aio write size = 16384
write cache size = 262144
csc policy = disable
deadtime = 1
socket options = TCP_NODELAY SO_KEEPALIVE TCP_KEEPIDLE=60 TCP_KEEPINTVL=10 TCP_KEEPCNT=5
idmap config * : range = 3000000-4000000
smb2 leases = yes
kerberos method = system keytab
client ldap sasl wrapping = sign
allow dns updates = nonsecure and secure
nsupdate command = /usr/bin/nsupdate -g
server services = -dns
spoolss: architecture = Windows x64
tls cafile=/etc/samba/tls/ca.crt
tls certfile=/etc/samba/tls/dc1.domain.local.crt
tls keyfile=/etc/samba/tls/dc1.domain.local.key
[netlogon]
path = /var/lib/samba/sysvol/domain.local/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
[printers]
comment = All Printers
path = /var/spool/samba
browseable = Yes
read only = No
printable = Yes
[print$]
comment = Point and Print Printer Drivers
path = /var/lib/samba/printers
read only = No
/etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: compat winbind
group: compat winbind
shadow: compat
gshadow: files
hosts: files dns wins
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
sudoers: files
Achim Gottinger
2016-Jul-17 19:14 UTC
[Samba] Winbindd segfaults with bind9-dlz trying to login via libwinbind-pam
With help of https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=784656 I
tracked the issue down to the line

kerberos method = system keytab

If I remove the line or change it to "kerberos method = secrets", logins
as Samba users work and bind9 also still seems to work, including dynamic
updates.
That line is recommended in the wiki
https://wiki.samba.org/index.php/Configure_BIND_as_backend_for_Samba_AD
but seems to be no longer needed for bind9-dlz, and it causes problems with
libpam-winbind.

achim~
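
Added example (not part of the original posts and not Samba project code): a Python triage helper that reads a Samba fault report from syslog, separates the fault-handler frames from the frame where the signal was raised, and checks whether the call chain and the [global] "kerberos method" setting match the pattern found in this thread. The function names, the trampoline heuristic and both sample inputs are assumptions made for illustration; the sample lines are built from the log lines quoted above.

```python
import re

# Constructed sample: syslog lines from the post, re-joined to one line each
# (the mail wrapped them) and trimmed to the frames that matter here.
SAMPLE_SYSLOG = """\
Jul 17 20:23:28 dc1 winbindd[1620]: INTERNAL ERROR: Signal 11 in pid 1620 (4.4.5-Debian)
Jul 17 20:23:28 dc1 winbindd[1620]: #3 /usr/lib/x86_64-linux-gnu/libsamba-util.so.0(+0x1bb8f) [0x7f17814cbb8f]
Jul 17 20:23:28 dc1 winbindd[1620]: #4 /lib/x86_64-linux-gnu/libpthread.so.0(+0xf8d0) [0x7f1782f978d0]
Jul 17 20:23:28 dc1 winbindd[1620]: #5 /usr/lib/x86_64-linux-gnu/samba/libkrb5-samba4.so.26(krb5_storage_free+0x1) [0x7f177ff2c061]
Jul 17 20:23:28 dc1 winbindd[1620]: #6 /usr/lib/x86_64-linux-gnu/samba/libkrb5-samba4.so.26(+0x382f5) [0x7f177ff182f5]
Jul 17 20:23:28 dc1 winbindd[1620]: #8 /usr/lib/x86_64-linux-gnu/samba/libgse.so.0(gse_krb5_get_server_keytab+0x11d) [0x7f177c82962d]
Jul 17 20:23:28 dc1 winbindd[1620]: #12 /usr/sbin/winbindd(kerberos_return_pac+0x419) [0x7f17833f6a69]
Jul 17 20:23:28 dc1 winbindd[1620]: #13 /usr/sbin/winbindd(winbindd_dual_pam_auth+0x1248) [0x7f1783416008]
"""
# Constructed smb.conf fragment with the setting the post identifies.
SAMPLE_SMB_CONF = """\
[global]
server role = active directory domain controller
kerberos method = system keytab
[sysvol]
path = /var/lib/samba/sysvol
"""

LINE = re.compile(r"(\w+)\[(\d+)\]: (.*)$")
SIGNAL = re.compile(r"INTERNAL ERROR: Signal (\d+) in pid \d+ \((.+)\)")
FRAME = re.compile(r"#(\d+) (\S+?)\((\w*)\+0x[0-9a-f]+\) \[0x[0-9a-f]+\]")


def parse_crashes(syslog_text):
    """Summarise each Samba fault report, grouped by (process, pid)."""
    raw = {}
    for line in syslog_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        rec = raw.setdefault((m[1], int(m[2])), {"signal": None, "frames": []})
        sig, fr = SIGNAL.search(m[3]), FRAME.search(m[3])
        if sig:
            rec["signal"], rec["version"] = int(sig[1]), sig[2]
        if fr:
            lib = fr[2].rsplit("/", 1)[-1]
            rec["frames"].append((int(fr[1]), lib, fr[3] or None))
    crashes = []
    for (proc, pid), rec in raw.items():
        if rec["signal"] is None:
            continue
        frames = sorted(rec["frames"], key=lambda f: f[0])
        # Heuristic (assumption): the unnamed libpthread/libc frame is the signal
        # trampoline; frames above it are the fault handler, the next one faulted.
        start = next((i + 1 for i, (_, lib, sym) in enumerate(frames)
                      if sym is None and lib.startswith(("libpthread", "libc."))), 0)
        below = frames[start:]
        crashes.append({"process": proc, "pid": pid, "signal": rec["signal"],
                        "version": rec["version"], "fault": below[0][1:] if below else None,
                        "callers": [sym for _, _, sym in below[1:] if sym]})
    return crashes


def global_params(conf_text):
    """Return [global] parameters, names lowercased with whitespace removed
    (smb.conf ignores case and whitespace in parameter names)."""
    params, section = {}, None
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            params["".join(name.split()).lower()] = value.strip()
    return params


def keytab_crash_findings(syslog_text, conf_text):
    """Crashes that passed through gse_krb5_get_server_keytab on a host whose
    [global] 'kerberos method' names a keytab."""
    method = global_params(conf_text).get("kerberosmethod", "").lower()
    return [c for c in parse_crashes(syslog_text)
            if "gse_krb5_get_server_keytab" in c["callers"] and "keytab" in method]


if __name__ == "__main__":
    print(keytab_crash_findings(SAMPLE_SYSLOG, SAMPLE_SMB_CONF))
```

On real logs, feed it the unwrapped lines from /var/log/syslog and the host's own smb.conf; the report shows the faulting function and the named callers that led to it.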