After my AD domain member server stopped accepting Kerberos authentication, and I noticed some samba log messages about a SIGSEGV, I spent some time with gdb and this is what I found... The function ads_keytab_verify_ticket in file source/libads/kerberos_verify.c has the following problem: It uses the variable "krb5_keytab keytab" to go through each keytab entry using the functions krb5_kt_start_seq_get, krb5_kt_next_entry, and krb5_kt_end_seq_get. This same keytab variable is also passed to the krb5_rd_req_return_keyblock_from_keytab function. In mit-krb5-2.4.3, a "krb5_keytab" variable indirectly references a FILE* which is opened by krb5_kt_start_seq_get, used by krb5_kt_next_entry, and closed by krb5_kt_end_seq_get. Unfortunately, when the same keytab variable is passed to the krb5_rd_req_return_keyblock_from_keytab function, the FILE* is opened (overwriting the existing value), then closed, then set to NULL, which causes a SIGSEGV when krb5_kt_next_entry is next called. The moral of the story appears to be this: don't share a keytab variable between krb5_kt_next_entry and krb5_rd_req_return_keyblock_from_keytab.
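The handle-aliasing defect described above, as an added example that is not code from the bug report, the attached patch, or MIT krb5. It is a small stand-alone C model of the lifecycle the report describes: a `model_keytab` handle (a constructed stand-in, not the real `krb5_keytab` layout) owns one `FILE*` cursor that `kt_start_seq_get` opens, `kt_next_entry` reads from and `kt_end_seq_get` closes, and a stand-in `rd_req_with_keytab` reopens and then closes and NULLs the cursor on whatever handle it is given. `verify_ticket_shared` has the buggy shape (one handle for both jobs) and `verify_ticket_separate` has the patched shape (two handles). The model checks for the clobbered cursor and reports `KT_BADCURS` where the real code dereferenced NULL, so the same control flow can be run safely; the keytab file and its principal names are constructed sample data.

```c
/* Added example: a constructed model of the keytab-handle lifecycle from the
 * Samba report, not code from Samba or MIT krb5. All names are stand-ins. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define KT_OK      0
#define KT_END     1   /* no more entries */
#define KT_BADCURS 2   /* cursor was closed behind our back (real code: SIGSEGV) */

/* Constructed stand-in for krb5_keytab: one handle, one FILE* cursor. */
typedef struct {
    const char *path;
    FILE *cursor;
} model_keytab;

/* Writes a constructed sample keytab: one principal name per line. */
int write_sample_keytab(const char *path) {
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    fputs("host/a.example.test\nhost/b.example.test\nhost/c.example.test\n", f);
    return fclose(f) == 0 ? 0 : -1;
}

/* Stand-ins for krb5_kt_start_seq_get / krb5_kt_next_entry / krb5_kt_end_seq_get. */
static int kt_start_seq_get(model_keytab *kt) {
    kt->cursor = fopen(kt->path, "r");
    return kt->cursor ? KT_OK : KT_BADCURS;
}

static int kt_next_entry(model_keytab *kt, char *principal, size_t n) {
    if (kt->cursor == NULL) return KT_BADCURS;   /* the report's crash site */
    if (fgets(principal, (int)n, kt->cursor) == NULL) return KT_END;
    principal[strcspn(principal, "\n")] = '\0';
    return KT_OK;
}

static void kt_end_seq_get(model_keytab *kt) {
    if (kt->cursor) fclose(kt->cursor);
    kt->cursor = NULL;
}

/* Stand-in for krb5_rd_req_return_keyblock_from_keytab: opens the keytab on
 * the handle it is handed (overwriting any cursor already there), scans it,
 * then closes the cursor and sets it to NULL, the sequence the report describes.
 * "Verification" succeeds when the entry exists and matches the wanted name. */
static int rd_req_with_keytab(model_keytab *kt, const char *entry, const char *wanted) {
    char line[128];
    int present = 0;
    kt->cursor = fopen(kt->path, "r");            /* clobbers caller's cursor */
    if (!kt->cursor) return KT_BADCURS;
    while (fgets(line, sizeof line, kt->cursor)) {
        line[strcspn(line, "\n")] = '\0';
        if (strcmp(line, entry) == 0) present = 1;
    }
    fclose(kt->cursor);
    kt->cursor = NULL;                            /* caller's cursor is now NULL */
    return (present && strcmp(entry, wanted) == 0) ? KT_OK : KT_END;
}

/* Buggy shape: one handle drives the iteration and is also passed to rd_req. */
int verify_ticket_shared(const char *path, const char *wanted) {
    model_keytab kt = { path, NULL };
    char principal[128];
    int rc;
    if (kt_start_seq_get(&kt) != KT_OK) return KT_BADCURS;
    while ((rc = kt_next_entry(&kt, principal, sizeof principal)) == KT_OK) {
        if (rd_req_with_keytab(&kt, principal, wanted) == KT_OK) {
            kt_end_seq_get(&kt);
            return KT_OK;
        }
        /* kt.cursor is NULL here; the next kt_next_entry returns KT_BADCURS */
    }
    kt_end_seq_get(&kt);
    return rc;
}

/* Patched shape: a second handle for rd_req, so the iteration cursor survives. */
int verify_ticket_separate(const char *path, const char *wanted) {
    model_keytab iter_kt  = { path, NULL };
    model_keytab rdreq_kt = { path, NULL };
    char principal[128];
    int rc;
    if (kt_start_seq_get(&iter_kt) != KT_OK) return KT_BADCURS;
    while ((rc = kt_next_entry(&iter_kt, principal, sizeof principal)) == KT_OK) {
        if (rd_req_with_keytab(&rdreq_kt, principal, wanted) == KT_OK) {
            kt_end_seq_get(&iter_kt);
            return KT_OK;
        }
    }
    kt_end_seq_get(&iter_kt);
    return rc;
}

int main(void) {
    const char *path = "model_keytab.txt";
    if (write_sample_keytab(path) != 0) return 1;
    printf("shared handle:   rc=%d\n", verify_ticket_shared(path, "host/c.example.test"));
    printf("separate handle: rc=%d\n", verify_ticket_separate(path, "host/c.example.test"));
    return 0;
}
```

With the wanted principal as the third entry, the shared-handle version reads the first entry, hands the same handle to the verifier, and on the next iteration finds its cursor already closed and NULLed (`KT_BADCURS`, the model's stand-in for the SIGSEGV); the two-handle version walks to the third entry and succeeds. The leaked `FILE*` from the overwritten cursor in the shared version is left in place deliberately, since it is part of the behaviour the report describes.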
Created attachment 1698: proposed patch. This patch fixes Kerberos authentication for me. It adjusts the ads_keytab_verify_ticket function to use two separate keytab variables.
Created attachment 1700: Patch I checked in.
Thanks for the wonderful analysis. I've fixed this in SVN - we'll try and target 3.0.21b with this. Jeremy.