Windows 2003 AD Controller -- gladstonewireless.net aka QLD-80211B-GLD1.
Samba Server -- 3rc1, Kernel 2.4.20, gcc version 3.2.2 (Mandrake Linux 9.1 3.2.2-3mdk)

Samba server is happily a member of the domain, and I have a valid ticket:

[root@fserv source]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@GLADSTONEWIRELESS.NET

Valid starting     Expires            Service principal
08/19/03 20:05:42  08/20/03 06:05:42  krbtgt/GLADSTONEWIRELESS.NET@GLADSTONEWIRELESS.NET
08/19/03 20:06:01  08/20/03 06:05:42  gw-server$@GLADSTONEWIRELESS.NET

[root@fserv sbin]# net ads testjoin
Join is OK
[root@fserv sbin]#

smb.conf is:

workgroup = QLD-80211B-GLD1
netbios name = filesrv
realm = gw-server.gladstonewireless.net
idmap uid = 10000-20000
idmap gid = 10000-20000
encrypt passwords = yes
client use spnego = no
password server = gw-server
; use spnego = no
server string = Samba Server
security = ads
load printers = no
guest account = nobody
log level = 10
log file = /usr/local/samba/var/log.%m
max log size = 50
passdb backend = tdbsam
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
local master = no
domain master = no
preferred master = no
dns proxy = no

smbd crashes when I try to attach, with this traceback:

#3 0x0818db5d in smb_panic (why=0x82391bd "internal error") at lib/util.c:1483
#4 0x0817e275 in fault_report (sig=11) at lib/fault.c:41
#5 0x401613b8 in __libc_sigaction () from /lib/i686/libc.so.6
#6 0x0809fc9f in reply_spnego_kerberos (conn=0x0, inbuf=0x4042a008 "", outbuf=0x4044b008 "", length=1476, bufsize=131072, secblob=0xbfffe98c) at smbd/sesssetup.c:167
#7 0x080a04ef in reply_spnego_negotiate (conn=0x0, inbuf=0x4042a008 "", outbuf=0x4044b008 "", length=1476, bufsize=131072, blob1= {data = 0x8378a98 "`\202\005\e\006\006+\006\001\005\005\002 \202\005\0170\202\005\v $0\"\006\t*\206H\202÷\022\001\002\002\006\t*\206H\206÷\022\001\002\002\006\n+\006\001\004\001\2027\002\002\n¢\202\004á\004\202\004Ý`\202\004Ù\006\t*\206H\206÷\022\001\002\002\001", length = 1311, free = 0x818b7a0 <free_data_blob>}) at smbd/sesssetup.c:390
#8 0x080a0844 in reply_sesssetup_and_X_spnego (conn=0x0, inbuf=0x4042a008 "", outbuf=0x4044b008 "", length=1476, bufsize=131072) at smbd/sesssetup.c:505
#9 0x080a143c in reply_sesssetup_and_X (conn=0x0, inbuf=0x0, outbuf=0x4044b008 "", length=1476, bufsize=131072) at smbd/sesssetup.c:591
#10 0x080bb82d in switch_message (type=115, inbuf=0x4042a008 "", outbuf=0x4044b008 "", size=1476, bufsize=131072) at smbd/process.c:767
#11 0x080bb999 in construct_reply (inbuf=0x4042a008 "", outbuf=0x4044b008 "", size=1476, bufsize=131072) at smbd/process.c:797
#12 0x080bbb93 in process_smb (inbuf=0x4042a008 "", outbuf=0x4044b008 "") at smbd/process.c:897

And the relevant parts of the log are:

[2003/08/20 07:27:28, 3] smbd/process.c:switch_message(685)
  switch message SMBsesssetupX (pid 4455)
[2003/08/20 07:27:28, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2003/08/20 07:27:28, 5] auth/auth_util.c:debug_nt_user_token(486)
  NT user token: (NULL)
[2003/08/20 07:27:28, 5] auth/auth_util.c:debug_unix_user_token(505)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2003/08/20 07:27:28, 5] smbd/uid.c:change_to_root_user(218)
  change_to_root_user: now uid=(0,0) gid=(0,0)
[2003/08/20 07:27:28, 3] smbd/sesssetup.c:reply_sesssetup_and_X(577)
  wct=12 flg2=0xc807
[2003/08/20 07:27:28, 2] smbd/sesssetup.c:setup_new_vc_session(533)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2003/08/20 07:27:28, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(474)
  Doing spnego session setup
[2003/08/20 07:27:28, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(498)
  NativeOS=[Windows Server 2003 3790] NativeLanMan=[]
[2003/08/20 07:27:28, 3] smbd/sesssetup.c:reply_spnego_negotiate(383)
  Got OID 1 2 840 48018 1 2 2
[2003/08/20 07:27:28, 3] smbd/sesssetup.c:reply_spnego_negotiate(383)
  Got OID 1 2 840 113554 1 2 2
[2003/08/20 07:27:28, 3] smbd/sesssetup.c:reply_spnego_negotiate(383)
  Got OID 1 3 6 1 4 1 311 2 2 10
[2003/08/20 07:27:28, 3] smbd/sesssetup.c:reply_spnego_negotiate(386)
  Got secblob of size 1245
[2003/08/20 07:27:28, 10] passdb/secrets.c:secrets_named_mutex(697)
  secrets_named_mutex: got mutex for replay cache mutex
[2003/08/20 07:27:28, 10] libads/kerberos_verify.c:ads_verify_ticket(175)
  ads_verify_ticket: enc type [16] failed to decrypt with error Bad encryption type
[2003/08/20 07:27:28, 10] libads/kerberos_verify.c:ads_verify_ticket(175)
  ads_verify_ticket: enc type [1] failed to decrypt with error Bad encryption type
[2003/08/20 07:27:28, 10] passdb/secrets.c:secrets_named_mutex_release(709)
  secrets_named_mutex: released mutex for replay cache mutex
[2003/08/20 07:27:28, 3] libads/kerberos_verify.c:ads_verify_ticket(182)
  ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
[2003/08/20 07:27:28, 0] lib/fault.c:fault_report(36)
  ===============================================================
[2003/08/20 07:27:28, 0] lib/fault.c:fault_report(37)
  INTERNAL ERROR: Signal 11 in pid 4455 (3.0.0rc1)
  Please read the appendix Bugs of the Samba HOWTO collection
[2003/08/20 07:27:28, 0] lib/fault.c:fault_report(39)
  ===============================================================
[2003/08/20 07:27:28, 0] lib/util.c:smb_panic(1462)
  PANIC: internal error
[2003/08/20 07:27:28, 0] lib/util.c:smb_panic(1469)
  BACKTRACE: 14 stack frames:
   #0 ./smbd(smb_panic+0xf9) [0x818dac9]
   #1 ./smbd [0x817e275]
   #2 /lib/i686/libc.so.6 [0x401613b8]
   #3 ./smbd [0x809fc9f]
   #4 ./smbd [0x80a04ef]
   #5 ./smbd [0x80a0844]
   #6 ./smbd(reply_sesssetup_and_X+0xb0c) [0x80a143c]
   #7 ./smbd [0x80bb82d]
   #8 ./smbd [0x80bb999]
   #9 ./smbd(process_smb+0x83) [0x80bbb93]
   #10 ./smbd(smbd_process+0x19b) [0x80bc75b]
   #11 ./smbd(main+0x413) [0x81e64e3]
   #12 /lib/i686/libc.so.6(__libc_start_main+0xc7) [0x4014e7f7]
   #13 ./smbd(strcpy+0x31) [0x8076051]

The error on the windows box is 'The specified network name is no longer available'.

You'll notice that it does seem to want to use spnego, even tho the config says not to use it. If I turn off spnego in smb.conf, I get a different error. This possibly should be in a different bug report, but I'm not clued up enough on the new samba to make that call 8-)

Set the config option 'use spnego = no' and this happens: I try to connect and I get (on the windows machine) 'The account is not authorized to log in from this station'. No crash. The logfile is as follows.

[2003/08/20 07:32:48, 10] smbd/negprot.c:get_challenge(40)
  get challenge: creating negprot_global_auth_context
[2003/08/20 07:32:48, 5] auth/auth.c:make_auth_context_subsystem(484)
  Making default auth method list for security=ADS
[2003/08/20 07:32:48, 5] auth/auth.c:smb_register_auth(45)
  Attempting to register auth backend rhosts
[2003/08/20 07:32:48, 5] auth/auth.c:smb_register_auth(57)
  Successfully added auth method 'rhosts'
[2003/08/20 07:32:48, 5] auth/auth.c:smb_register_auth(45)
  Attempting to register auth backend hostsequiv
[2003/08/20 07:32:48, 5] auth/auth.c:smb_register_auth(57)
  Successfully added auth method 'hostsequiv'
[2003/08/20 07:32:48, 5] auth/auth.c:smb_register_auth(45)
  Attempting to register auth backend sam
[2003/08/20 07:32:48, 5] auth/auth.c:smb_register_auth(57)
  Successfully added auth method 'sam'
[2003/08/20 07:32:48, 5] auth/auth.c:smb_register_auth(45)
  Attempting to register auth backend sam_ignoredomain
[2003/08/20 07:32:48, 5] auth/auth.c:smb_register_auth(57)
  Successfully added auth method 'sam_ignoredomain'
[2003/08/20 07:32:48, 5] auth/auth.c:smb_register_auth(45)
  Attempting to register auth backend unix
[2003/08/20 07:32:48, 5] auth/auth.c:smb_register_auth(57)
  Successfully added auth method 'unix'
[2003/08/20 07:32:48, 5] auth/auth.c:smb_register_auth(45)
  Attempting to register auth backend winbind
[2003/08/20 07:32:48, 5] auth/auth.c:smb_register_auth(57)
  Successfully added auth method 'winbind'
[2003/08/20 07:32:48, 5] auth/auth.c:smb_register_auth(45)
  Attempting to register auth backend smbserver
[2003/08/20 07:32:48, 5] auth/auth.c:smb_register_auth(57)
  Successfully added auth method 'smbserver'
[2003/08/20 07:32:48, 5] auth/auth.c:smb_register_auth(45)
  Attempting to register auth backend trustdomain
[2003/08/20 07:32:48, 5] auth/auth.c:smb_register_auth(57)
  Successfully added auth method 'trustdomain'
[2003/08/20 07:32:48, 5] auth/auth.c:smb_register_auth(45)
  Attempting to register auth backend ntdomain
[2003/08/20 07:32:48, 5] auth/auth.c:smb_register_auth(57)
  Successfully added auth method 'ntdomain'
[2003/08/20 07:32:48, 5] auth/auth.c:smb_register_auth(45)
  Attempting to register auth backend guest
[2003/08/20 07:32:48, 5] auth/auth.c:smb_register_auth(57)
  Successfully added auth method 'guest'
[2003/08/20 07:32:48, 5] auth/auth.c:load_auth_module(370)
  load_auth_module: Attempting to find an auth method to match guest
[2003/08/20 07:32:48, 5] auth/auth.c:load_auth_module(395)
  load_auth_module: auth method guest has a valid init
[2003/08/20 07:32:48, 5] auth/auth.c:load_auth_module(370)
  load_auth_module: Attempting to find an auth method to match sam
[2003/08/20 07:32:48, 5] auth/auth.c:load_auth_module(395)
  load_auth_module: auth method sam has a valid init
[2003/08/20 07:32:48, 5] auth/auth.c:load_auth_module(370)
  load_auth_module: Attempting to find an auth method to match winbind:ntdomain
[2003/08/20 07:32:48, 5] auth/auth.c:load_auth_module(370)
  load_auth_module: Attempting to find an auth method to match ntdomain
[2003/08/20 07:32:48, 5] auth/auth.c:load_auth_module(395)
  load_auth_module: auth method ntdomain has a valid init
[2003/08/20 07:32:48, 5] auth/auth.c:load_auth_module(395)
  load_auth_module: auth method winbind has a valid init
[2003/08/20 07:32:48, 10] smbd/negprot.c:get_challenge(45)
  get challenge: getting challenge
[2003/08/20 07:32:48, 5] auth/auth.c:get_ntlm_challenge(93)
  auth_get_challenge: module guest did not want to specify a challenge
[2003/08/20 07:32:48, 5] auth/auth.c:get_ntlm_challenge(93)
  auth_get_challenge: module sam did not want to specify a challenge
[2003/08/20 07:32:48, 5] auth/auth.c:get_ntlm_challenge(93)
  auth_get_challenge: module winbind did not want to specify a challenge
[2003/08/20 07:32:48, 5] auth/auth.c:get_ntlm_challenge(132)
  auth_context challenge created by random
[2003/08/20 07:32:48, 5] auth/auth.c:get_ntlm_challenge(133)
  challenge is:
[2003/08/20 07:32:48, 5] lib/util.c:dump_data(1887)
  [000] 76 0C 54 11 12 15 ED 52 v.T...íR
[2003/08/20 07:32:48, 3] smbd/negprot.c:reply_nt1(323)
  not using SPNEGO
[2003/08/20 07:32:48, 3] smbd/negprot.c:reply_negprot(532)
  Selected protocol NT LM 0.12
[2003/08/20 07:32:48, 5] smbd/negprot.c:reply_negprot(538)
  negprot index=5
[2003/08/20 07:32:48, 5] lib/util.c:show_msg(456)
[2003/08/20 07:32:48, 5] lib/util.c:show_msg(466)
  size=109
  smb_com=0x72
  smb_rcls=0
  smb_reh=0
  smb_err=0
  smb_flg=136
  smb_flg2=51201
  smb_tid=0
  smb_pid=65279
  smb_uid=0
  smb_mid=0
  smt_wct=17
  smb_vwv[ 0]= 5 (0x5)
  smb_vwv[ 1]=12803 (0x3203)
  smb_vwv[ 2]= 256 (0x100)
  smb_vwv[ 3]= 1024 (0x400)
  smb_vwv[ 4]= 65 (0x41)
  smb_vwv[ 5]= 0 (0x0)
  smb_vwv[ 6]= 256 (0x100)
  smb_vwv[ 7]=36096 (0x8D00)
  smb_vwv[ 8]= 17 (0x11)
  smb_vwv[ 9]=64768 (0xFD00)
  smb_vwv[10]= 227 (0xE3)
  smb_vwv[11]= 0 (0x0)
  smb_vwv[12]=20288 (0x4F40)
  smb_vwv[13]=39279 (0x996F)
  smb_vwv[14]=50022 (0xC366)
  smb_vwv[15]=43009 (0xA801)
  smb_vwv[16]= 2301 (0x8FD)
  smb_bcc=40
[2003/08/20 07:32:48, 10] lib/util.c:dump_data(1887)
  [000] 76 0C 54 11 12 15 ED 52 51 00 4C 00 44 00 2D 00 v.T...íR Q.L.D.-.
  [010] 38 00 30 00 32 00 31 00 31 00 42 00 2D 00 47 00 8.0.2.1. 1.B.-.G.
  [020] 4C 00 44 00 31 00 00 00 L.D.1...
[2003/08/20 07:32:48, 6] lib/util_sock.c:write_socket(407)
  write_socket(16,113)
[2003/08/20 07:32:48, 6] lib/util_sock.c:write_socket(410)
  write_socket(16,113) wrote 113
[2003/08/20 07:32:48, 10] lib/util_sock.c:read_socket_data(336)
  read_socket_data: recv of 4 returned 0. Error = Success
[2003/08/20 07:32:48, 10] lib/util_sock.c:receive_smb(512)
  receive_smb: length < 0!
[2003/08/20 07:32:48, 3] smbd/process.c:timeout_processing(1099)
  timeout_processing: End of file from client (client has disconnected).
[2003/08/20 07:32:48, 5] lib/gencache.c:gencache_shutdown(88)
  Closing cache file
[2003/08/20 07:32:48, 5] libsmb/namecache.c:namecache_shutdown(79)
  namecache_shutdown: netbios namecache closed successfully.
[2003/08/20 07:32:48, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2003/08/20 07:32:48, 5] auth/auth_util.c:debug_nt_user_token(486)
  NT user token: (NULL)
[2003/08/20 07:32:48, 5] auth/auth_util.c:debug_unix_user_token(505)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2003/08/20 07:32:48, 5] smbd/uid.c:change_to_root_user(218)
  change_to_root_user: now uid=(0,0) gid=(0,0)
[2003/08/20 07:32:48, 2] smbd/server.c:exit_server(558)
  Closing connections
[2003/08/20 07:32:48, 3] smbd/connection.c:yield_connection(69)
  Yielding connection to
[2003/08/20 07:32:48, 3] smbd/connection.c:yield_connection(76)
  yield_connection: tdb_delete for name failed with error Record does not exist.
[2003/08/20 07:32:48, 5] smbd/oplock.c:receive_local_message(107)
  receive_local_message: doing select with timeout of 1 ms
[2003/08/20 07:32:48, 3] smbd/server.c:exit_server(601)
  Server exit (normal exit)

The only thing that stands out is the 'Yielding connection to %s' and 'tdb_delete for name %s ...' where %s is blank. This is coming from yield_connection in source/smbd/connections.c, but I'm not good enough to trace it back any further than that. Sorry!
Note: Due to some hints I found whilst googling earlier, I have set the 2003 machine's registry entry of HKLM/System/CCS/Services/lanmanserver/parameters/requiresecuritysignature to 0 --Rob
Does disabling SMB signing on the 2003 DC prevent the smbd crash from occurring?
No, it makes no difference either way. That crash was with it set to 0 - I had changed it earlier to see if it fixed it, and it was still doing it. I have just noticed that it's managed to set itself back to 1. Odd.
Hmm, I suspect the coredump itself may have been fixed. Volker checked something in since rc2 to prevent the coredump when tickets are not obtained. That doesn't solve the tickets not being decrypted, but it should stop the coredump itself.
Yep, it certainly fixed the crashing, but I still can't view shares from the ADS.

My testing methodology is:

kill smbd/nmbd
kdestroy
./smbd -D && ../nmbd -D && ./winbindd
kinit Administrator@GLADSTONEWIRELESS.NET
klist (to ensure I have a valid ticket)
net ads join [This works, I can view it in AD Users & Computers]

Try to browse to it, by typing \\f1 in the run box, and I get prompted for a username/password - I tried entering my Admin password in the box, and it just re-prompted. I've zipped up the logs that were created at loglevel 9, hopefully they may be of some assistance. Attached shortly!
Created attachment 115
Logfiles created whilst not authenticating ADS into Samba

Built from the current (as of 3 hours ago) CVS snapshot. Loglevel = 9
What krb5 libraries are you using? Heimdal I would guess.

ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
I'm using the default Mandrake 9.1 Kerberos libs:

[root@fserv disk2]# rpm -qa | grep krb
krb5-workstation-1.2.7-1mdk
ftp-client-krb5-1.2.7-1mdk
krb5-libs-1.2.7-1mdk
telnet-server-krb5-1.2.7-1mdk
krb5-devel-1.2.7-1mdk
telnet-client-krb5-1.2.7-1mdk
[root@fserv disk2]#

Are there other Kerberos libs that I should be running?
From the "Passdb Backends and Authentication" section in WHATSNEW:

MIT kerberos 1.3.1 supports the ARCFOUR-HMAC-MD5 encryption type which is necessary for servers on which the administrator password has not been changed, or kerberos-enabled SMB connections to servers that require Kerberos SMB signing. Besides this one difference, either MIT or Heimdal Kerberos distributions are usable by Samba 3.0.

Are there 1.3.1 libs from cooker you could try?
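The enctype failures in the reporter's log can be picked out mechanically. The Python sketch below is an added example, not part of the original thread or of Samba; the function name, verdict labels and the second sample log are constructed for illustration, and the enctype numbers come from the IANA Kerberos registry.

```python
import re

# Kerberos enctype numbers (IANA registry), subset relevant to this report.
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
                 23: "arcfour-hmac-md5"}
RC4_HMAC = 23

ATTEMPT = re.compile(r"ads_verify_ticket: enc type \[(\d+)\] failed to decrypt "
                     r"with error ([^\[\n]+)")
FINAL = re.compile(r"ads_verify_ticket: krb5_rd_req with auth failed \(([^)]*)\)")

def diagnose(log_text):
    """Summarise ads_verify_ticket decrypt failures in an smbd level-10 log."""
    attempts = [(int(n), err.strip()) for n, err in ATTEMPT.findall(log_text)]
    tried = [n for n, _ in attempts]
    final = FINAL.search(log_text)
    if final is None:
        verdict = "no-kerberos-failure"
    elif (attempts and RC4_HMAC not in tried
          and all(err == "Bad encryption type" for _, err in attempts)):
        # Assumed heuristic: every key the server tried was the wrong type and
        # RC4-HMAC was never tried, so the krb5 library likely lacks it.
        verdict = "rc4-hmac-not-attempted"
    else:
        verdict = "other-failure"
    return {"tried": [ENCTYPE_NAMES.get(n, "enctype %d" % n) for n in tried],
            "final_error": final.group(1) if final else None,
            "verdict": verdict}

# Lines as they appear in the report's log.
REPORT_LOG = """\
[2003/08/20 07:27:28, 10] libads/kerberos_verify.c:ads_verify_ticket(175)
  ads_verify_ticket: enc type [16] failed to decrypt with error Bad encryption type
[2003/08/20 07:27:28, 10] libads/kerberos_verify.c:ads_verify_ticket(175)
  ads_verify_ticket: enc type [1] failed to decrypt with error Bad encryption type
[2003/08/20 07:27:28, 3] libads/kerberos_verify.c:ads_verify_ticket(182)
  ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
"""

# Constructed contrast case: RC4-HMAC was tried but the key did not match.
CONSTRUCTED_LOG = """\
[2003/08/21 09:00:00, 10] libads/kerberos_verify.c:ads_verify_ticket(175)
  ads_verify_ticket: enc type [23] failed to decrypt with error Decrypt integrity check failed
[2003/08/21 09:00:00, 3] libads/kerberos_verify.c:ads_verify_ticket(182)
  ads_verify_ticket: krb5_rd_req with auth failed (Decrypt integrity check failed)
"""

if __name__ == "__main__":
    for name, log in (("report", REPORT_LOG), ("constructed", CONSTRUCTED_LOG)):
        print(name, diagnose(log))
```

The per-enctype lines are only written at log level 10, so a log captured at a lower level yields `other-failure` rather than a false RC4 diagnosis.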
Perhaps changing the user password once would create the other encryption types? I'm not sure if this works in win2k3 as it did in win2k...
Still not happy. Cooker only has 1.3, not 1.3.1, so I downloaded and compiled 1.3.1, installed, updated my CVS, recompiled, realised I hadn't enabled shared libraries in Kerberos, recompiled 1.3.1, recompiled pre-rc3, and installed. *lo and behold*, smbclient -k //gw-server/c$ -worked!-. So it at least works one way. However, I'm still having the same problem with samba acting as the server. I'll do some diagnosis later (possibly), but tomorrow's Father's Day and I'm otherwise occupied. So, so far resolved, is that 1.2.7 is pretty much dysfunctional, and shouldn't be used. Should that be stuck in the docco somewhere? (If it was there and I didn't see it, I'm a dope and I apologise)
Fixed. Requires MIT krb 1.3.1 as outlined in WHATSNEW.
originally reported against one of the 3.0.0rc[1-4] releases. Cleaning up non-production versions.
sorry for the same, cleaning up the database to prevent unnecessary reopens of bugs.
database cleanup