During my tests to use Samba4 as a kdc for kerberized NFS,
I found a bug in the KDC code, when generating a principal
without pac (e.g. with msktutil and option --no-pac), that
causes Samba4 to crash:
Running the following command on one of the client machines
msktutil -c --upn nfs/testa.linex.org -h testa.linex.org --computer-name testa-service-nfs --server s4-dc1.linex.org --no-pac
results in this gdb backtrace on the samba4 dc (s4-dc1.linex.org):
Program received signal SIGSEGV, Segmentation fault.
0x00000000005e82e6 in samba_make_krb5_pac ()
Current language: auto; currently asm
#0 0x00000000005e82e6 in samba_make_krb5_pac ()
#1 0x00000000004ce243 in samba_wdc_get_pac ()
#2 0x000000000059290b in _kdc_pac_generate ()
#3 0x0000000000588055 in _kdc_as_rep ()
#4 0x00000000005922ec in kdc_as_req ()
#5 0x000000000059258e in krb5_kdc_process_krb5_request ()
#6 0x00000000005fc1dc in kdc_process ()
#7 0x00000000005fc4bb in kdc_tcp_call_loop ()
Looking at the code, the error is quite easy to find:
source4/kdc/wdc-samba4.c: krb5_error_code samba_wdc_get_pac()
1.) source4/kdc/pac-glue.c: samba_kdc_get_pac_blob()
/* The user account may be set not to want the PAC */
*_pac_blob = NULL;
and then calls
2. source4/kdc/pac-glue.c: samba_make_krb5_pac()
which tries to use uninitalized "pac_blob" and segfaults
I'll attach a simple patch solved the problem for me.
Sorry Andrew, somehow even my second e-mail didn't make it
to the list, so let's try it the bugzilla way :-)
Created attachment 5659 [details]
Fix no-pac principal creation
Probably there's a better place to prevent this bug, however the patch is very simple and solves the problems for now.
Applied and fixed. Thanks!