Bug 1850 - winbind crash
winbind crash
Status: RESOLVED WORKSFORME
Product: Samba 3.0
Classification: Unclassified
Component: winbind
3.0.7
x86 Linux
: P3 normal
: none
Assigned To: Guenther Deschner
Samba QA Contact
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2004-09-29 10:07 UTC by Pascal Aubry
Modified: 2004-10-06 02:46 UTC (History)
1 user (show)

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Pascal Aubry 2004-09-29 10:07:57 UTC
SuSe Linux 9.1 
Samba 3.0.7 from rpm for SuSe Linux 9.1

deadking for Samba  WINBIND daemon
srvcao02:/lib # /etc/init.d/winbind start
doneting Samba WINBIND daemon - Warning: /var/run/samba/winbindd.pid exists.
srvcao02:/lib # /etc/init.d/winbind status
deadking for Samba  WINBIND daemon
srvcao02:/lib #

Here is the log file :

________________________________________________________________________________

[2004/09/29 16:20:50, 1] libsmb/clikrb5.c:ads_krb5_mk_req(313)
  krb5_cc_get_principal failed (No such file or directory)
[2004/09/29 16:20:51, 0] lib/fault.c:fault_report(36)
  ===============================================================
[2004/09/29 16:20:51, 0] lib/fault.c:fault_report(37)
  INTERNAL ERROR: Signal 11 in pid 7118 (3.0.7-1.1-SUSE)
  Please read the appendix Bugs of the Samba HOWTO collection
   #15 /usr/sbin/winbindd(main+0x5d4) [0x80705e0]
   #16 /lib/tls/libc.so.6(__libc_start_main+0xe0) [0x40257500]
   #17 /usr/sbin/winbindd [0x806e9f1]
[2004/09/29 16:20:50, 1] libsmb/clikrb5.c:ads_krb5_mk_req(313)
  krb5_cc_get_principal failed (No such file or directory)
[2004/09/29 16:20:51, 0] lib/fault.c:fault_report(36)
  ===============================================================
[2004/09/29 16:20:51, 0] lib/fault.c:fault_report(37)
  INTERNAL ERROR: Signal 11 in pid 7118 (3.0.7-1.1-SUSE)
  Please read the appendix Bugs of the Samba HOWTO collection
[2004/09/29 16:20:51, 0] lib/fault.c:fault_report(39)
  ===============================================================
[2004/09/29 16:20:51, 0] lib/util.c:smb_panic2(1381)
  PANIC: internal error
[2004/09/29 16:20:51, 0] lib/util.c:smb_panic2(1389)
  BACKTRACE: 18 stack frames:
   #0 /usr/sbin/winbindd(smb_panic2+0x1ec) [0x80d2a05]
   #1 /usr/sbin/winbindd(smb_panic+0x25) [0x80d2813]
   #2 /usr/sbin/winbindd [0x80be377]
   #3 /usr/sbin/winbindd [0x80be3ed]
   #4 [0xffffe420]
   #5 /usr/lib/libkrb5.so.17 [0x400b0d12]
   #6 /usr/lib/libkrb5.so.17(krb5_cc_default+0x40) [0x400b0ed0]
   #7 /usr/sbin/winbindd(kerberos_kinit_password+0x85) [0x81920f0]
________________________________________________________________________________

testparm :

srvcao02:/ # /usr/local/samba/bin/testparm /etc/samba/smb.conf
Load smb config files from /etc/samba/smb.conf
Processing section "[printers]"
Processing section "[print$]"
Processing section "[mmedia$]"
Processing section "[databem$]"
Loaded services file OK.
'winbind separator = +' might cause problems with group membership.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions

# Global parameters
[global]
        workgroup = DUBUSIND
        realm = DUBUSIND.COM
        server string = Test samba 3.0 on Windows 2000 domain
        security = ADS
        auth methods = winbind
        obey pam restrictions = Yes
        password server = serveur
        log file = /var/log/samba/%m.log
        max log size = 50
        socket options = SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY
        os level = 33
        local master = No
        domain master = No
        dns proxy = No
        wins server = 192.0.0.51
        ldap ssl = no
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        winbind separator = +
        winbind cache time = 10
        winbind use default domain = Yes
        preserve case = No
        short preserve case = No

[printers]
        comment = All Printers
        path = /var/tmp
        create mask = 0600
        printable = Yes
        browseable = No

[print$]
        comment = Printer Drivers
        path = /var/lib/samba/drivers
        write list = @ntadmin, root
        force group = ntadmin
        create mask = 0664
        directory mask = 0775

[mmedia$]
        comment = Mmedia
        path = /Data/mmedia
        read only = No
        create mask = 0777
        directory mask = 0777
        inherit permissions = Yes
        inherit acls = Yes

[databem$]
        comment = Bemeca
        path = /Data/data-bem/
        admin users = @DUBUSIND.COM+AdminBEM, DUBUSIND.COM+admbem
        write list = @DUBUSIND.COM+BEM
        read only = No
        create mask = 0777
        directory mask = 0777
        inherit permissions = Yes
        inherit acls = Yes

________________________________________________________________________________

Find below the /etc/krb5.conf

[libdefaults]
        default_realm = DUBUSIND.COM
	clockskew = 300
	ticket_lifetime = 24000
	dns_lookup_realm = false
	dns_lookup_kdc = false
	
[realms]
	DUBUSIND.COM = {
		kdc = serveur.dubusind.com:88
		admin_server = serveur.dubusind.com:749
		kpasswd_server = serveur.dubusind.com
		default_domain = dubusind.com
	}
	OTHER.REALM = {
		kdc = OTHER.COMPUTER
	}

[domain_realms]
	.dubusind.com = DUBUSIND.COM
	dubusind.com = DUBUSIND.COM

[logging]
	default = FILE:/var/log/krb5libs.log
	kdc = FILE:/var/log/kdc5kdc.log
	admin_server = FILE:/var/log/kadmind.log

[KDC]
profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
	pam = {
		ticket_lifetime = 1d
		renew_lifetime = 1d
		forwardable = true
		proxiable = false
		retain_after_close = false
		minimum_uid = 0
		debug = false
	}

________________________________________________________________________________

kinit work well but net ads testjoin :

srvcao02:/etc # net ads testjoin
Segmentation fault
Comment 1 Guenther Deschner 2004-09-29 10:37:30 UTC
There is a very high chance this is triggered by several memleaks that were
fixed in winbindd. Fixing those memleaks triggers a bug in SuSE 9.1's
kerberos-implementation (heimdal 0.6.1rc3; AFAIK, SuSE is currently preparing an
update).

Until SuSE has this update available, you could either
a) avoid using security=ads
b) give sernet-rpms a try. they use a custom, bugfixed and statically linked
kerberos-version, see: ftp://ftp.sernet.de/pub/samba/suse91/

manually limiting auth methods is really something you should only do when you
exactly know what you're doing.

please give use feedback :)
Comment 2 Pascal Aubry 2004-09-30 02:34:41 UTC
I have verified all configuration files and re - installed every rpm binary of
the samba 3.0.7 with the tool SuSE YAST2.
Now Winbind does not crach any more, but I always have the error " Segmentation
fault " for all the commands "net ads".

I would like knowing from SuSE if there is the same problem with the version
SUSE Linux Enterprise 9 of the Operating system.
Comment 3 Guenther Deschner 2004-09-30 03:35:26 UTC
SLES9 suffers the same heimdal-problem, yes.
Comment 4 Björn Jacke 2004-09-30 05:38:03 UTC
Pascal, can you please check if the SerNet RPMs work fine for you?
Comment 5 Pascal Aubry 2004-09-30 07:17:45 UTC
Yes, I shall like making it but I am blocked by a dependency problem of  package
rpm between the version 3.0.7-1.1 and the version 3.0.7-14.

I have to uninstall all old rpm packages ?
Comment 6 Guenther Deschner 2004-10-04 15:31:44 UTC
Not all, just the samba-related ones :)

rpm -qa | grep ^samba 

will show you the list.
Comment 7 Pascal Aubry 2004-10-05 10:51:22 UTC
Uninstall 3.0.7-1.1 ok
Install 3.0.7-14 sernet-rpms ok

The configuration seems good (join domain OK, kinit = OK, testparm = OK,
wbinfo -u = OK), but it does not work...

srvcao02:~ # smbclient -Uoroussy //srvcao02/databem$
Password:
session setup failed: Call timed out: server did not respond after 20000 millise
conds

under windows 2k client i have olso a time out message

srvcao02:/etc/samba # wbinfo -g
Error looking up domain groups

?
I think i have some error in the krb5.conf
____________________________________________________________________________

/etc/krb5.conf
[libdefaults]
        default_realm = DUBUSIND.COM
        clockskew = 300
        ticket_lifetime = 24000
        dns_lookup_realm = false
        dns_lookup_kdc = false

[realms]
        DUBUSIND.COM = {
                kdc = serveur.dubusind.com:88
                admin_server = serveur.dubusind.com:749
                kpasswd_server = serveur.dubusind.com
                default_domain = dubusind.com
        }
        OTHER.REALM = {
                kdc = OTHER.COMPUTER
        }

[domain_realms]
        .dubusind.com = DUBUSIND.COM
        dubusind.com = DUBUSIND.COM

[logging]
        default = FILE:/var/log/krb5libs.log
        kdc = FILE:/var/log/kdc5kdc.log
        admin_server = FILE:/var/log/kadmind.log

[KDC]
profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
        pam = {
                ticket_lifetime = 1d
                renew_lifetime = 1d
                forwardable = true
                proxiable = false
                retain_after_close = false
                minimum_uid = 0
                debug = false
        }

____________________________________________________________________________

srvcao02:~ # net ads status
accountExpires: 9223372036854775807
badPasswordTime: 0
badPwdCount: 0
codePage: 0
cn: srvcao02
countryCode: 0
dNSHostName: srvcao02.dubusind.com
instanceType: 4
isCriticalSystemObject: FALSE
lastLogoff: 0
lastLogon: 127411132820156250
logonCount: 5
distinguishedName: CN=srvcao02,CN=Computers,DC=DUBUSIND,DC=com
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=DUBUSIND,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
objectGUID: be1d9931-b830-4ae9-a6cd-3f210411ef45
objectSid: S-1-5-21-1211050506-785693551-330609462-1346
operatingSystem: Samba
operatingSystemVersion: 3.0.7-SerNet-SuSE
primaryGroupID: 515
pwdLastSet: 127411114600937500
name: srvcao02
sAMAccountName: srvcao02$
sAMAccountType: 805306369
servicePrincipalName: CIFS/srvcao02.dubusind.com
servicePrincipalName: CIFS/srvcao02
servicePrincipalName: HOST/srvcao02.dubusind.com
servicePrincipalName: HOST/srvcao02
userAccountControl: 69632
userPrincipalName: HOST/srvcao02@DUBUSIND.COM
uSNChanged: 547798
uSNCreated: 547795
whenChanged: 20041001133740.0Z
whenCreated: 20041001133739.0Z


Comment 8 Guenther Deschner 2004-10-05 13:53:21 UTC
Are you sure, you have restarted your servers with "rcsmb restart; rcwinbind
restart"? I cannot reproduce your problem.
Comment 9 Pascal Aubry 2004-10-06 02:31:31 UTC
yes i have restart all services with

/etc/init.d/nmb stop 
/etc/init.d/smb stop
/etc/init.d/winbind stop

/etc/init.d/nmb start 
/etc/init.d/smb start
/etc/init.d/winbind start

i have change the smb.conf file with security = domain

and now all work well.
Comment 10 Guenther Deschner 2004-10-06 02:46:14 UTC
ok, now winbind does not use kerberos-authentication any more :)

Closing this bug - after thoroughly testing the sernet rpms, I could not
reproduce any heimdal-related crashes. Please reopen this bug, if you feel this
is not correct.