Re: 3.0Alpha21 and W2K AD 'dorking' Samba machine acct?
On Thu, 30 Jan 2003, Andrew Bartlett wrote:

> On Thu, 2003-01-30 at 23:32, Nik Conwell wrote:
> >
> > Anybody seeing a scenario like this?
> >
> > net ads join adds our machine entry to AD just fine.
> >
> > The machine entry object in the AD database has:
> >
> >   OperatingSystem "Samba"
> >   OperatingSystemVersion "post3.0-HEAD"
> >   dnsHostname "ourhost"
> >
> > Some time later "something" happened, and AD now has:
> >
> >   OperatingSystem "Windows"
> >   OperatingSystemVersion "NT 4"
> >   dnsHostname is empty.
> >
> > and then authentication to ourhost fails.
>
> Something is doing a NT4 password change. This can occur if
> 'security=domain' is set, rather than 'security=ads'.
>
> Or if 'net rpc changetrustpw' is run.

Interesting - security=ads is set in the config, and neither of the two of us who have privs to do the net cmds have run changetrustpw (or knew what it was before you wrote about it ;-))

I have an unverified pet theory that under some circumstances the smbd may think it's running as security=domain (unable to read the config file due to it being unmounted - it's on NFS disk - or since the file doesn't have o=r).

I'll put some DEBUG logging statements near change_trust_account_password() to see if we're somehow getting there.

Thanks for your help.

-nik
3.0Alpha21 and W2K AD 'dorking' Samba machine acct?
Anybody seeing a scenario like this?

net ads join adds our machine entry to AD just fine.

The machine entry object in the AD database has:

  OperatingSystem "Samba"
  OperatingSystemVersion "post3.0-HEAD"
  dnsHostname "ourhost"

Some time later "something" happened, and AD now has:

  OperatingSystem "Windows"
  OperatingSystemVersion "NT 4"
  dnsHostname is empty.

and then authentication to ourhost fails.

In the past we've seen a couple of cases where changing the config file while the smbd was running caused the AD object to change, but now that we're trying to debug this, this isn't happening any longer.

Sometimes when we shut down "ourhost", it causes this problem. Stopping and starting the smbd and nmbd doesn't have this effect.

We've turned on auditing on the AD object for the machine account and happened to catch a situation where the object changed, yet the audit reports didn't show the change. (Changing the object manually through the gui did cause an audit report.) DOH!

Doing a net ads leave and net ads join again puts the machine entry back again.

Just curious if anybody's seen anything like this. We're continuing to debug...

--nik
3.0 alpha21 kerberos_verify.c problems on AIX 4.3
Samba 3.0, alpha 21.

kerberos_verify.c has:

    ...
    krb5_get_permitted_enctypes(context, &enctypes)
    ...
    for (i=0;enctypes[i];i++) {
        ...
        if (!(ret = krb5_rd_req(context, &auth_context, &packet,
                                NULL, keytab, NULL, &tkt))) {
            krb5_free_ktypes(context, enctypes);
            ^^^
            break;
        }
    }

    if (!enctypes[i]) {
        DEBUG(3,("krb5_rd_req with auth failed (%s)\n",
                 error_message(ret)));
        return NT_STATUS_LOGON_FAILURE;
    }

referencing enctypes[] after it's been freed. Got away w/ the right memory crud under Linux, but on AIX (4.3) this sometimes caused (debug 3 and above):

    krb5_rd_req with auth failed (Unknown code 0)
    Failed to verify incoming ticket!
    error string = No such file or directory

Thanks to Ghassan Tabbara for helping track this down.

-nik

% gnudiff -u libads/kerberos_verify.c.orig libads/kerberos_verify.c --- libads/kerberos_verify.c.orig Tue Nov 12 18:15:49 2002 +++ libads/kerberos_verify.cFri Dec 13 12:17:02 2002 @@ -46,6 +46,7 @@ char *password_s; krb5_data password; krb5_enctype *enctypes = NULL; + int authok=0; if (!secrets_init()) { DEBUG(1,("secrets_init failed\n")); @@ -124,11 +125,12 @@ if (!(ret = krb5_rd_req(context, &auth_context, &packet, NULL, keytab, NULL, &tkt))) { krb5_free_ktypes(context, enctypes); + authok = 1; break; } } - if (!enctypes[i]) { + if (!authok) { DEBUG(3,("krb5_rd_req with auth failed (%s)\n", error_message(ret))); return NT_STATUS_LOGON_FAILURE;
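Review bot: in the second hunk (@@ -124,11 +125,12 @@) the !authok failure path still returns NT_STATUS_LOGON_FAILURE without releasing enctypes; in the visible lines krb5_free_ktypes(context, enctypes) is called only on the success branch inside the loop. Now that the post-loop test reads authok instead of enctypes[i], the free can move out of the loop to a single call placed right after it and before the if (!authok) check, so both the success and the failure path release the list and nothing touches it after the free.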
Re: 3.0.20 Alpha configure on AIX4.3 for -lcom_err broken
> Could you check whether your com_err library contains the _et_list symbol?
> You can request a list of symbols in a library using nm /path/to/library
> usually.

10:20:55 acsn08 [source] nm /usr/local/krb5-1.2.6/lib/libcom_err.a |grep _et_list
_et_list D 1108 4
_et_list d 1052 4

man nm shows:

  The nm command represents the file's symbol type with one of the
  following characters:
  [...]
  D Global data symbol.
  d Local data symbol.
Re: 3.0.20 Alpha configure on AIX4.3 for -lcom_err broken
On Tue, 26 Nov 2002, Jelmer Vernooij wrote:

> Please don't send in patches to configure, but to configure.in
> instead. Configure is autogenerated.

Sorry; new to this.

> Is there anything useful in config.log that indicates why the test for
> _et_list in -lcom_err fails?

Nothing interesting (to me):

configure:12300: checking for _et_list in -lcom_err
configure:12319: cc -o conftest -O -D_LINUX_SOURCE_COMPAT -qmaxmem=32000 -I/usr/local/krb5-1.2.6/include -D_LAR
GE_FILES -I/usr/local/krb5-1.2.6/include -L/usr/local/krb5-1.2.6/lib conftest.c -lcom_err -lkrb5 1>&5
+ eval ${CC-cc} -o conftest${ac_exeext} $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext
+$LIBS 1>&5
+ cc -o conftest -O -D_LINUX_SOURCE_COMPAT -qmaxmem=32000
+-I/usr/local/krb5-1.2.6/include -D_LARGE_FILES -I/usr/l
ocal/krb5-1.2.6/include -L/usr/local/krb5-1.2.6/lib conftest.c -lcom_err -lkrb5
+ 1>& 5
ld: 0711-317 ERROR: Undefined symbol: ._et_list
ld: 0711-345 Use the -bloadmap or -bnoquiet option to obtain more information.
configure: failed program was:
#line 12308 "configure"
#include "confdefs.h"
/* Override any gcc2 internal prototype to avoid an error. */
/* We use char because int might match the return type of a gcc2
   builtin and then its argument prototype would still apply. */
char _et_list();

int main() {
_et_list()
; return 0; }

I broke apart the compile:

10:20:50 acsn08 [source] cat foobar2.c
/* #include "confdefs.h" */
/* Override any gcc2 internal prototype to avoid an error. */
/* We use char because int might match the return type of a gcc2
   builtin and then its argument prototype would still apply. */
char _et_list();

int main() {
_et_list()
; return 0; }

10:20:52 acsn08 [source] cc -o conftest -g -L/usr/local/krb5-1.2.6/lib -lkrb5 -lk5crypto -lkrb5 -lcom_err -llber foobar2.c
ld: 0711-317 ERROR: Undefined symbol: ._et_list
ld: 0711-345 Use the -bloadmap or -bnoquiet option to obtain more information.

10:20:55 acsn08 [source] nm /usr/local/krb5-1.2.6/lib/libcom_err.a |grep _et_list
_et_list D 1108 4
_et_list d 1052 4

If I try to build Samba without -lcom_err in LIBS I get a similar undefined on _et_list (and also error_message). If I add -lcom_err to LIBS, things build.

I checked the rest of the Samba build LIBS and added them to the above test, but they didn't help find _et_list...

Here's the AIX cc debug output:

10:21:14 acsn08 [source] cc -o conftest -g -L/usr/local/krb5-1.2.6/lib -lkrb5 -lk5crypto -lkrb5 -lcom_err -llber foobar2.c -bnoquiet
(ld): halt 4
(ld): savename conftest
(ld): filelist 8 2
(ld): i /lib/crt0.o
(ld): lib /usr/local/krb5-1.2.6/lib/libkrb5.a
(ld): lib /usr/local/krb5-1.2.6/lib/libk5crypto.a
(ld): lib /usr/local/krb5-1.2.6/lib/libcom_err.a
(ld): lib /usr/lib/liblber.a
(ld): i foobar2.o
(ld): lib /usr/lib/libg.a
(ld): lib /usr/lib/libc.a
LIBRARY: Shared object liblber.a[liblber.so.2]: 89 symbols imported.
LIBRARY: Shared object libc.a[shr.o]: 2268 symbols imported.
LIBRARY: Shared object libc.a[meth.o]: 2 symbols imported.
LIBRARY: Shared object libc.a[aio.o]: 11 symbols imported.
LIBRARY: Shared object libc.a[pse.o]: 78 symbols imported.
LIBRARY: Shared object libc.a[dl.o]: 4 symbols imported.
LIBRARY: Shared object libc.a[pty.o]: 1 symbols imported.
FILELIST: Number of previously inserted files processed: 8
(ld): exports /usr/lib/libg.exp
EXPORTS: Symbols exported: 4
(ld): resolve
RESOLVE: 36 of 4526 symbols were kept.
(ld): addgl /usr/lib/glink.o
ADDGL: Glink code added for 4 symbols.
(ld): er full
ld: 0711-318 ERROR: Undefined symbols were found.
        The following symbols are in error:
 Symbol       Inpndx  TY CL Source-File(Object-File) OR Import-File{Shared-object}
              RLD: Address  Section  Rld-type  Referencing Symbol
 --
 ._et_list    [32]    ER PR foobar2.c(foobar2.o)
                   000c     .text    R_RBR     [18]    .main
ER: The return code is 8.

Since the same thing happens w/ gcc, I suspect it's not just an AIX linker bug...

-nik
3.0.20 Alpha configure on AIX4.3 for -lcom_err broken
I cvs'ed the latest 3.0.20 Alpha this morning...

On the configure, the test for _et_list in libcom_err.a doesn't seem to ever work, even though _et_list is in com_err. Perhaps it's marked as private? (IBM cc or gcc, makes no difference.) This results in no -lcom_err being added to LIBS, and so the build of the smbd fails due to not finding _et_list and error_message(). Manually adding -lcom_err to LIBS causes things to build OK.

I hacked the configure to look for error_message() in -lcom_err instead of looking for _et_list, and that seems to have worked OK. I'm not sure what this means for systems that don't need -lcom_err since the test apparently only checks to see if it builds with the lib, and not if the lib is superfluous.

-nik

9:43:55 acsn08 [source] gnudiff -u configure.20021125 configure --- configure.20021125 Fri Nov 22 01:56:28 2002 +++ configure Mon Nov 25 09:23:49 2002 @@ -12295,8 +12295,8 @@ ## # we might need the k5crypto and com_err libraries on some systems - echo $ac_n "checking for _et_list in -lcom_err""... $ac_c" 1>&6 -echo "configure:12300: checking for _et_list in -lcom_err" >&5 + echo $ac_n "checking for error_message in -lcom_err""... $ac_c" 1>&6 +echo "configure:12300: checking for error_message in -lcom_err" >&5 ac_lib_var=`echo com_err'_'_et_list | sed 'y%./+-%__p_%'` if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 @@ -12309,10 +12309,10 @@ /* Override any gcc2 internal prototype to avoid an error. */ /* We use char because int might match the return type of a gcc2 builtin and then its argument prototype would still apply. */ -char _et_list(); +char error_message(); int main() { -_et_list() +error_message() ; return 0; } EOF if { (eval echo configure:12319: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
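Review bot: in the first hunk (@@ -12295,8 +12295,8 @@) the unchanged context line ac_lib_var=`echo com_err'_'_et_list | ...` still derives the cache variable name from _et_list, so the result of the new error_message link test is stored and looked up under the old symbol's name, and the "(cached)" branch just below it would reuse an earlier _et_list answer instead of rerunning the test. Because configure is autogenerated, the symbol should be changed in the com_err library check in configure.in and configure regenerated, so that the message, the cache variable and the conftest program all name error_message.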