Bug 12740 - Failed to create kerberos keytab during net ads join
Summary: Failed to create kerberos keytab during net ads join
Status: RESOLVED DUPLICATE of bug 12685
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Other (show other bugs)
Version: 4.6.2
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-04-12 01:18 UTC by Evgeny Sinelnikov
Modified: 2017-04-12 07:28 UTC (History)
3 users (show)

See Also:

Attachments
Patch for open kerberos default keytab file (731 bytes, patch)
2017-04-12 01:19 UTC, Evgeny Sinelnikov 		no flags Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Evgeny Sinelnikov 2017-04-12 01:18:25 UTC 
During net ads join we got a problem with kerberos keytab creation.

# net ads join -k
Failed to join domain: failed to create kerberos keytab

In gdb It looks like this:

# gdb net
GNU gdb (GDB) 7.9-alt3 (ALT Linux)
Copyright (C) 2015 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-alt-linux".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from net...Reading symbols from /usr/lib/debug/usr/bin/net.debug...done.
done.
(gdb) break ads_keytab_create_default
Function "ads_keytab_create_default" not defined.
Make breakpoint pending on future shared library load? (y or [n]) y
Breakpoint 1 (ads_keytab_create_default) pending.
(gdb) break ads_keytab_add_entry
Function "ads_keytab_add_entry" not defined.
Make breakpoint pending on future shared library load? (y or [n]) y
Breakpoint 2 (ads_keytab_add_entry) pending.
(gdb) run ads join -k
Starting program: /usr/bin/net ads join -k
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Detaching after fork from child process 24845.
Missing separate debuginfo for /lib64/libnss_mdns4_minimal.so.2
Try to install the hash file /usr/lib/debug/.build-id/ca/b39d28abba0e34ad5e8b46c840e843a8b8c2bf.debug
Missing separate debuginfo for /lib64/libnss_dns.so.2
Try to install the hash file /usr/lib/debug/.build-id/13/ff5c47493975a171a5f9f4fac7e77bcae20ecd.debug
Missing separate debuginfo for /usr/lib64/krb5/plugins/libkrb5/sssd_krb5_locator_plugin.so
Try to install the hash file /usr/lib/debug/.build-id/de/efb280e101d9716e0e580f067ab04f822369df.debug
Missing separate debuginfo for /usr/lib64/gconv/IBM850.so
Try to install the hash file /usr/lib/debug/.build-id/89/921a4768b80b4cc484dc88385a637944747f8b.debug
Missing separate debuginfo for /usr/lib64/gconv/UTF-16.so
Try to install the hash file /usr/lib/debug/.build-id/0d/5c6739221650099f20ac27dc648e9aaa9067b6.debug
Missing separate debuginfo for /lib64/libnss_myhostname.so.2
Try to install the hash file /usr/lib/debug/.build-id/4b/370f6107d1a4b56cf6d404684890cbbd8ba0f0.debug
Missing separate debuginfo for /lib64/libnss_fallback.so.2
Try to install the hash file /usr/lib/debug/.build-id/74/bf6740821bdecda694512ab57406a5c86a2c9e.debug
Missing separate debuginfo for /lib64/libnss_mymachines.so.2
Try to install the hash file /usr/lib/debug/.build-id/3b/ccd4619a5e1ed1ebddbbbba901d908e3eb8da1.debug

Breakpoint 1, ads_keytab_create_default (ads=0x5555558512d0) at ../source3/libads/kerberos_keytab.c:314
314     {
(gdb) c
Continuing.

Breakpoint 2, ads_keytab_add_entry (ads=ads@entry=0x5555558512d0, srvPrinc=srvPrinc@entry=0x555555853f60 "host") at ../source3/libads/kerberos_keytab.c:42
42      {
(gdb) n
44              krb5_context context = NULL;
(gdb) 
45              krb5_keytab keytab = NULL;
(gdb) 
48              krb5_enctype enctypes[6] = {
(gdb) 
70              initialize_krb5_error_table();
(gdb) 
71              ret = krb5_init_context(&context);
(gdb) 
72              if (ret) {
(gdb) display krb5_init_context
1: krb5_init_context = {krb5_error_code (krb5_context *)} 0x7ffff1065ea0 <krb5_init_context>
(gdb) display ret
2: ret = 1434813424
(gdb) n
78              ret = smb_krb5_kt_open(context, NULL, True, &keytab);
2: ret = 1434813424
1: krb5_init_context = {krb5_error_code (krb5_context *)} 0x7ffff1065ea0 <krb5_init_context>
(gdb) n
79              if (ret) {
2: ret = 1434813424
1: krb5_init_context = {krb5_error_code (krb5_context *)} 0x7ffff1065ea0 <krb5_init_context>
(gdb) n
78              ret = smb_krb5_kt_open(context, NULL, True, &keytab);
2: ret = 1434813424
1: krb5_init_context = {krb5_error_code (krb5_context *)} 0x7ffff1065ea0 <krb5_init_context>
(gdb) n
79              if (ret) {
2: ret = -1765328205
1: krb5_init_context = {krb5_error_code (krb5_context *)} 0x7ffff1065ea0 <krb5_init_context>
(gdb) n
80                      DEBUG(1, ("smb_krb5_kt_open failed (%s)\n",
2: ret = -1765328205
1: krb5_init_context = {krb5_error_code (krb5_context *)} 0x7ffff1065ea0 <krb5_init_context>
(gdb)

Main problem got from commit e0990ccf4e68a8d1bdce

commit e0990ccf4e68a8d1bdce89b7d83865d950b4c4d0
Author: Andreas Schneider <asn@samba.org>
Date:   Wed Dec 14 16:37:17 2016 +0100

    krb5_wrap: More checks for absolute path in smb_krb5_kt_open()

Attached patch resolve this problem.
Comment 1 Evgeny Sinelnikov 2017-04-12 01:19:23 UTC 
Created attachment 13150 [details]
Patch for open kerberos default keytab file
Comment 2 Stefan Metzmacher 2017-04-12 07:28:22 UTC 
I guess it's the same as 12685, which is already fixed in v4-6-test

*** This bug has been marked as a duplicate of bug 12685 ***