Hi,
I just installed 3.0.2rc1 for testing, and I came across a problem with
cross-realm authentication. I joined samba to our active directory
domain, and I can see that it has host and cifs principals in windows
kerberos. Our organization's primary kerberos realm (CEDE.PSU.EDU) is an
MIT kerb5 realm, and we have a one-way non-transitive trust such that
windows (server 2003) kerberos (WIN.CEDE.PSU.EDU) is slaved to our MIT
realm. We have a cross-realm test account called 'krbtest' that has a
kerberos principal mapping defined in AD. The test sun server's name is
'alcor'. If I do the following, everything works as expected:
kinit [EMAIL PROTECTED]
smbclient //alcor/krbtest -k
Furthermore, if I do the following, everything is still ok:
kinit [EMAIL PROTECTED]
smbclient //alcor/krbtest -k
However, my own account is not a kerberos mapped principal in AD for
security reasons. If I do the following, the results are troubling:
kinit [EMAIL PROTECTED]
smbclient //alcor/tkeiser -k
Obviously, this should fail since cross-realm trust into AD requires an
explicit principal mapping (we don't turn on the map all principals
option). However, instead of dealing with this gracefully, smbd
segfaults! Interestingly, if I do a klist afterwards, I've managed to
acquire a cross-realm tgt and a service ticket for [EMAIL PROTECTED]
even though my prinipal isn't mapped. Here's a snippet of debug level 10
output from smbd:
[2004/01/28 02:23:56, 3] smbd/process.c:(685)
switch message SMBsesssetupX (pid 27145)
[2004/01/28 02:23:56, 3] smbd/sec_ctx.c:(288)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2004/01/28 02:23:56, 5] auth/auth_util.c:(486)
NT user token: (NULL)
[2004/01/28 02:23:56, 5] auth/auth_util.c:(505)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
[2004/01/28 02:23:56, 5] smbd/uid.c:(218)
change_to_root_user: now uid=(0,0) gid=(0,0)
[2004/01/28 02:23:56, 3] smbd/sesssetup.c:(638)
wct=12 flg2=0xc801
[2004/01/28 02:23:56, 3] smbd/sesssetup.c:(518)
Doing spnego session setup
[2004/01/28 02:23:56, 3] smbd/sesssetup.c:(549)
NativeOS=[Unix] NativeLanMan=[Samba] PrimaryDomain=[]
[2004/01/28 02:23:56, 3] smbd/sesssetup.c:(427)
Got OID 1 2 840 48018 1 2 2
[2004/01/28 02:23:56, 3] smbd/sesssetup.c:(427)
Got OID 1 3 6 1 4 1 311 2 2 10
[2004/01/28 02:23:56, 3] smbd/sesssetup.c:(430)
Got secblob of size 492
[2004/01/28 02:23:56, 10] passdb/secrets.c:(698)
secrets_named_mutex: got mutex for replay cache mutex
[2004/01/28 02:23:56, 10] libads/kerberos_verify.c:(323)
ads_verify_ticket: enc type [18] failed to decrypt with error Bad
encryption type
[2004/01/28 02:23:56, 10] libads/kerberos_verify.c:(323)
ads_verify_ticket: enc type [16] failed to decrypt with error Bad
encryption type
[2004/01/28 02:23:56, 10] libads/kerberos_verify.c:(316)
ads_verify_ticket: enc type [23] decrypted message !
[2004/01/28 02:23:56, 10] passdb/secrets.c:(710)
secrets_named_mutex: released mutex for replay cache mutex
[2004/01/28 02:23:56, 10] libsmb/clikrb5.c:(386)
Got KRB5 session key of length 16
[2004/01/28 02:23:56, 0] lib/fault.c:(36)
===
[2004/01/28 02:23:56, 0] lib/fault.c:(37)
INTERNAL ERROR: Signal 11 in pid 27145 (3.0.2rc1)
Please read the appendix Bugs of the Samba HOWTO collection
[2004/01/28 02:23:56, 0] lib/fault.c:(39)
===
[2004/01/28 02:23:56, 0] lib/util.c:(1400)
PANIC: internal error
In case it matters, the build environment is Solaris 9 9/03 and Sun ONE
Studio 8. My optimization flags were "-x03 -xarch=v8plusa -xchip=ultra2".
I linked against openldap 2.1.22, mit-krb5 1.3.1, and cups 1.1.20 all from
blastwave.com's pkg-get archive. The configure flags were:
--with-pam --with-acl-support --with-ads --with-ldap --with-krb5=/opt/csw
I attached to smbd with dbx in follow child on fork mode, and here's what
I got:
Attached to process 27186
[EMAIL PROTECTED] ([EMAIL PROTECTED]) stopped in _libc_poll at 0xfed1ca1c
0xfed1ca1c: _libc_poll+0x0004: ta %icc,%g0 + 8
(dbx) cont
detaching from process 27186
Attached to process 27621
[EMAIL PROTECTED] ([EMAIL PROTECTED]) stopped in __fork at 0xfeeb5ec8
0xfeeb5ec8: __fork+0x0008: bgeu__fork+0x30
(dbx) cont
[EMAIL PROTECTED] ([EMAIL PROTECTED]) signal SEGV (no mapping at the fault address) in
get_auth_data_from_tkt at 0xcc92c
0x000cc92c: get_auth_data_from_tkt+0x0018: ld [%i4], %i2
(dbx) gdb on
(dbx) bt
current thread: [EMAIL PROTECTED]
=>[1] get_auth_data_from_tkt(0xffbfe518, 0x468350, 0x10, 0xffbfd5c4, 0x0,
0x469848), at 0xcc92c
[2] ads_verify_ticket(0x0, 0x3d2b10, 0xffbfe4ec, 0x390400, 0xffbfe50c,
0xffbfe4e0), at 0x21ccd4
[3] reply_spnego_kerberos(0x0, 0x4276b0, 0x447b00, 0xffbfe530, 0x0,
0xffbfe5d4), at 0x9705c
[4] reply_spnego_negotiate(0x0, 0x4276b0, 0x447b00, 0x278, 0x2,
0xffbfe5e8), at 0x97b94
[5] reply_sesssetup_and_X_spnego(0x0, 0x4276b0,