Bug 3421 - SIGSEGV verifying kerberos ticket (using mit-krb5-2.4.3)
Status: RESOLVED FIXED
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: File Services
Version: 3.0.21a
Hardware: All Linux
Importance: P3 normal
Target Milestone: none
Assignee: Samba Bugzilla Account
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2006-01-18 01:42 UTC by Luke
Modified: 2006-01-18 12:22 UTC

See Also:


Attachments
proposed patch (1.11 KB, patch), 2006-01-18 01:45 UTC, Luke
Patch I checked in. (1.44 KB, patch), 2006-01-18 12:21 UTC, Jeremy Allison

Description Luke 2006-01-18 01:42:06 UTC
After my AD domain member server stopped accepting kerberos authentication, and I noticed some samba log messages about a SIGSEGV, I spent some time with gdb and this is what I found... The function ads_keytab_verify_ticket in file source/libads/kerberos_verify.c has the following problem:

It uses the variable "krb5_keytab keytab" to go through each keytab entry using the functions krb5_kt_start_seq_get, krb5_kt_next_entry, and krb5_kt_end_seq_get.  This same keytab variable is also passed to the krb5_rd_req_return_keyblock_from_keytab function.

In mit-krb5-2.4.3, a "krb5_keytab" variable indirectly references a FILE* which is opened by krb5_kt_start_seq_get, used by krb5_kt_next_entry, and closed by krb5_kt_end_seq_get.

Unfortunately, when the same keytab variable is passed to the krb5_rd_req_return_keyblock_from_keytab function, the FILE* is opened (overwriting the existing value), then closed, then set to NULL, which causes a SIGSEGV when krb5_kt_next_entry is next called.

The moral of the story appears to be this: don't share a keytab variable between krb5_kt_next_entry and krb5_rd_req_return_keyblock_from_keytab.
Comment 1 Luke 2006-01-18 01:45:59 UTC
Created attachment 1698
proposed patch

This patch fixes kerberos authentication for me.  It adjusts the ads_keytab_verify_ticket function to use two separate keytab variables.
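The failure mode Luke describes (one krb5_keytab handle driving a krb5_kt_next_entry loop while also being handed to krb5_rd_req_return_keyblock_from_keytab, which reopens and then closes it) and the fix in the proposed patch (two separate handles) can be reproduced without libkrb5. The following is an added example, not Samba or MIT Kerberos code: kt_handle, kt_cursor, kt_entry, kt_start_seq_get, kt_next_entry, kt_end_seq_get and rd_req_with_keytab are constructed stand-ins whose names merely echo the real functions named in the report, the keytab contents are an in-memory constructed sample rather than a file, and a closed handle is reported as an error instead of being dereferenced so that the program does not crash the way the real server did.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of the handle-aliasing bug in this report. NOT MIT krb5 or
 * Samba code: kt_handle stands in for krb5_keytab, whose implementation (per the
 * report) keeps a stream that kt_start_seq_get opens, kt_next_entry reads from,
 * and kt_end_seq_get closes. The "stream" is a pointer into an in-memory keytab. */

#define KT_OK          0
#define KT_END         1   /* iteration finished */
#define KT_NOT_OPEN   -1   /* the real library dereferences NULL here: SIGSEGV */
#define KT_NOT_FOUND  -2

/* constructed sample keytab: one "principal kvno" per line */
static const char SAMPLE_KEYTAB[] =
    "host/member.example.com@EXAMPLE.COM 3\n"
    "cifs/member.example.com@EXAMPLE.COM 3\n";

typedef struct { const char *stream; } kt_handle;       /* NULL when closed */
typedef struct { size_t pos; } kt_cursor;
typedef struct { char principal[80]; int kvno; } kt_entry;

static void kt_open(kt_handle *kt)  { kt->stream = SAMPLE_KEYTAB; } /* overwrites any open stream */
static void kt_close(kt_handle *kt) { kt->stream = NULL; }

static int kt_start_seq_get(kt_handle *kt, kt_cursor *c) { kt_open(kt); c->pos = 0; return KT_OK; }
static int kt_end_seq_get(kt_handle *kt, kt_cursor *c)   { (void)c; kt_close(kt); return KT_OK; }

/* Read the entry at the cursor; a closed handle is reported, not dereferenced. */
static int kt_next_entry(kt_handle *kt, kt_entry *e, kt_cursor *c)
{
    if (kt->stream == NULL)
        return KT_NOT_OPEN;
    const char *line = kt->stream + c->pos;
    if (*line == '\0')
        return KT_END;
    const char *nl = strchr(line, '\n');
    size_t len = nl ? (size_t)(nl - line) : strlen(line);
    char buf[128];
    if (len >= sizeof buf) len = sizeof buf - 1;
    memcpy(buf, line, len);
    buf[len] = '\0';
    if (sscanf(buf, "%79s %d", e->principal, &e->kvno) != 2)
        return KT_NOT_FOUND;
    c->pos += nl ? len + 1 : len;
    return KT_OK;
}

/* Stand-in for krb5_rd_req_return_keyblock_from_keytab: opens the keytab on the
 * handle it is given, looks up one principal, then closes that handle, which is
 * the open/close/NULL sequence the report blames. */
static int rd_req_with_keytab(kt_handle *kt, const char *wanted)
{
    kt_cursor c;
    kt_entry e;
    int found = KT_NOT_FOUND;
    kt_open(kt);
    c.pos = 0;
    while (kt_next_entry(kt, &e, &c) == KT_OK)
        if (strcmp(e.principal, wanted) == 0) found = KT_OK;
    kt_close(kt);
    return found;
}

/* Pre-patch pattern: one handle drives the outer loop AND is passed to rd_req.
 * Returns the status of the first kt_next_entry that fails. */
static int verify_shared_handle(void)
{
    kt_handle kt = { NULL };
    kt_cursor c;
    kt_entry e;
    int rc;
    kt_start_seq_get(&kt, &c);
    while ((rc = kt_next_entry(&kt, &e, &c)) == KT_OK)
        rd_req_with_keytab(&kt, e.principal);   /* closes the loop's own handle */
    kt_end_seq_get(&kt, &c);
    return rc;   /* KT_NOT_OPEN: the second kt_next_entry saw a closed handle */
}

/* Patched pattern: a second handle for rd_req, so the iteration handle's stream
 * is never closed underneath the cursor. Returns entries iterated, or an error. */
static int verify_separate_handles(void)
{
    kt_handle iter = { NULL }, lookup = { NULL };
    kt_cursor c;
    kt_entry e;
    int rc, seen = 0;
    kt_start_seq_get(&iter, &c);
    while ((rc = kt_next_entry(&iter, &e, &c)) == KT_OK) {
        seen++;
        rd_req_with_keytab(&lookup, e.principal);   /* touches only `lookup` */
    }
    kt_end_seq_get(&iter, &c);
    return rc == KT_END ? seen : rc;
}

int main(void)
{
    printf("shared handle:    status %d (KT_NOT_OPEN = %d)\n", verify_shared_handle(), KT_NOT_OPEN);
    printf("separate handles: %d entries iterated\n", verify_separate_handles());
    return 0;
}
```

With the shared handle the loop stops after the first entry with KT_NOT_OPEN, which is the point where the real server dereferenced the NULL FILE* and died; with two handles every keytab entry is tried and the loop ends normally. The general lesson is the one the report draws: an opaque library handle that owns open/close state must not be lent to a second routine that manages that state while an iteration over it is in progress.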
Comment 2 Jeremy Allison 2006-01-18 12:21:22 UTC
Created attachment 1700
Patch I checked in.
Comment 3 Jeremy Allison 2006-01-18 12:22:00 UTC
Thanks for the wonderful analysis. I've fixed this in SVN - we'll try and target 3.0.21b with this.
Jeremy.