Created attachment 14119 [details] core dump An Ubuntu user reported (https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1761737) a crash in samba 2:4.7.6+dfsg~ubuntu-0ubuntu1 when trying to access a share. I was able to reproduce it with a fresh install of 4.7.6 and the following smb.conf: [global] dns proxy = No domain master = No kerberos method = secrets and keytab local master = No log file = /var/log/samba/log.%m map to guest = Bad User max log size = 1000 obey pam restrictions = Yes pam password change = Yes panic action = /usr/share/samba/panic-action %d passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* . passwd program = /usr/bin/passwd %u security = USER server role = standalone server server string = %h %a syslog = 0 unix password sync = Yes usershare allow guests = Yes idmap config * : backend = tdb With that in place, this is enough to trigger the crash: smbclient -L localhost -N If I remove the "kerberos method" option, then it does not crash. There is no kerberos setup at all here, no keytab file available, no initial users created by me. This may as well be an invalid configuration, and I asked the user for more details about how he expects this samba server to authenticate his users. gdb: (gdb) frame 8 #8 0x00007f55132a7070 in fill_mem_keytab_from_secrets (krbctx=0x5633f370b420, keytab=0x5633f36f2be0) at ../source3/librpc/crypto/gse_krb5.c:184 184 ct = &info->password->cleartext_blob; (gdb) l 179 DBG_WARNING("secrets_fetch_or_upgrade_domain_info(%s) - %s\n", 180 domain, nt_errstr(status)); 181 TALLOC_FREE(frame); 182 return KRB5_LIBOS_CANTREADPWD; 183 } 184 ct = &info->password->cleartext_blob; 185 186 if (info->domain_info.dns_domain.string != NULL) { 187 realm = strupper_talloc(frame, 188 info->domain_info.dns_domain.string); (gdb) p info $1 = (struct secrets_domain_info1 *) 0x0 I'm attaching logs and the actual core dump next. This can be easily reproduced in an ubuntu 18.04 lxd container or VM: echo "deb http://ddebs.ubuntu.com $(lsb_release -cs) main restricted universe multiverse deb http://ddebs.ubuntu.com $(lsb_release -cs)-updates main restricted universe multiverse deb http://ddebs.ubuntu.com $(lsb_release -cs)-proposed main restricted universe multiverse" | sudo tee -a /etc/apt/sources.list.d/ddebs.list sudo apt update sudo apt install samba samba-dbgsym samba-dsdb-modules-dbgsym python-samba-dbgsym samba-common-bin-dbgsym samba-libs-dbgsym samba-vfs-modules-dbgsym smbclient # create /etc/samba/smb.conf as above sudo systemctl restart smbd nmbd smbclient -L localhost -N # crash file will be in /var/crash/_usr_sbin_smbd.0.crash # unpack crash file, ignore apport bug apport-unpack /var/crash/_usr_sbin_smbd.0.crash /tmp/samba-crash # coredump will be located in /tmp/samba-crash/CoreDump
Created attachment 14120 [details] log with debug 5
This also happens with 4.7.7
*** Bug 13393 has been marked as a duplicate of this bug. ***
This happens with sssd instead of winbindd. We should fix the crash, but in at the same time I think it's an invalid configuration. 'secrets and keytab' should be just 'keytab'.
Created attachment 14155 [details] patch for master
Can someone try what happens with https://attachments.samba.org/attachment.cgi?id=14155 together with "kerberos method = secrets and keytab"? I'd guess it should behave like "system keytab" or "dedicated keytab", but it would be good to have this verified.
I'll prep a build with that patch
The patch fixes the crash in the testcase from this bug, where "kerberos method = secrets and keytab". smbclient -L lists the shares as usual. root@bionic-samba-1761737:~# smbclient -L localhost -N WARNING: The "syslog" option is deprecated Sharename Type Comment --------- ---- ------- IPC$ IPC IPC Service (bionic-samba-1761737 Samba) Reconnecting with SMB1 for workgroup listing. Server Comment --------- ------- Workgroup Master --------- ------- WORKGROUP Test packages for ubuntu bionic are available at https://launchpad.net/~ahasenack/+archive/ubuntu/samba-kerberos-method-1761737 if someone wants to verify.
Created attachment 14158 [details] patch for 4.8
Created attachment 14159 [details] patch for 4.7
Pushed to autobuild-v4-[7,8]-test.
(In reply to Karolin Seeger from comment #11) Pushed to both branches. Closing out bug report. Thanks!