Package: winbind
Version: 2:4.1.17+dfsg-2
Severity: grave

We have a Debian jessie machine that is not able to authenticate a user against a Samba 4 domain controller with winbind. When the domain user tries to log on with the correct password, winbind crashes.

Running winbind in debug level 10 gives us:

##### log.wb-CORP #####
[2015/05/07 10:59:03.245096, 10, pid=30054, effective(2001, 0), real(2001, 0)] ../source3/librpc/crypto/gse_krb5.c:279(fill_mem_keytab_from_secrets)
  ../source3/librpc/crypto/gse_krb5.c:279: no prev machine password
[2015/05/07 10:59:03.245231, 10, pid=30054, effective(2001, 0), real(2001, 0)] ../source3/lib/util.c:1868(name_to_fqdn)
  name_to_fqdn: lookup for ABBY -> abby.corp.lsexperts.de.
[2015/05/07 10:59:03.245317, 1, pid=30054, effective(2001, 0), real(2001, 0)] ../source3/librpc/crypto/gse_krb5.c:416(fill_mem_keytab_from_system_keytab)
  ../source3/librpc/crypto/gse_krb5.c:416: krb5_kt_start_seq_get failed (Permission denied)
[2015/05/07 10:59:03.245381, 0, pid=30054, effective(2001, 0), real(2001, 0)] ../lib/util/fault.c:72(fault_report)
  ===============================================================
[2015/05/07 10:59:03.246279, 0, pid=30054, effective(2001, 0), real(2001, 0)] ../lib/util/fault.c:73(fault_report)
  INTERNAL ERROR: Signal 11 in pid 30054 (4.1.17-Debian)
  Please read the Trouble-Shooting section of the Samba HOWTO
[2015/05/07 10:59:03.247275, 0, pid=30054, effective(2001, 0), real(2001, 0)] ../lib/util/fault.c:75(fault_report)
  ===============================================================
[2015/05/07 10:59:03.247942, 0, pid=30054, effective(2001, 0), real(2001, 0)] ../source3/lib/util.c:785(smb_panic_s3)
  PANIC (pid 30054): internal error
[2015/05/07 10:59:03.249204, 0, pid=30054, effective(2001, 0), real(2001, 0)] ../source3/lib/util.c:896(log_stack_trace)
  BACKTRACE: 27 stack frames:
   #0 /usr/lib/x86_64-linux-gnu/libsmbconf.so.0(log_stack_trace+0x1a) [0x7fa0f68972ca]
   #1 /usr/lib/x86_64-linux-gnu/libsmbconf.so.0(smb_panic_s3+0x20) [0x7fa0f68973b0]
   #2 /usr/lib/x86_64-linux-gnu/libsamba-util.so.0(smb_panic+0x2f) [0x7fa0fabc1caf]
   #3 /usr/lib/x86_64-linux-gnu/libsamba-util.so.0(+0x1cecf) [0x7fa0fabc1ecf]
   #4 /lib/x86_64-linux-gnu/libpthread.so.0(+0xf8d0) [0x7fa0faff18d0]
   #5 /usr/lib/x86_64-linux-gnu/libkrb5.so.26(krb5_storage_free+0x1) [0x7fa0f53d12a1]
   #6 /usr/lib/x86_64-linux-gnu/libkrb5.so.26(+0x47665) [0x7fa0f53b6665]
   #7 /usr/lib/x86_64-linux-gnu/samba/libgse.so.0(+0x8e06) [0x7fa0f742de06]
   #8 /usr/lib/x86_64-linux-gnu/samba/libgse.so.0(gse_krb5_get_server_keytab+0xeb) [0x7fa0f742e32b]
   #9 /usr/lib/x86_64-linux-gnu/samba/libgse.so.0(+0xb03a) [0x7fa0f743003a]
   #10 /usr/lib/x86_64-linux-gnu/libgensec.so.0(gensec_start_mech+0x72) [0x7fa0f78bfab2]
   #11 /usr/lib/x86_64-linux-gnu/libgensec.so.0(gensec_start_mech_by_oid+0x26) [0x7fa0f78bfd96]
   #12 /usr/sbin/winbindd(kerberos_return_pac+0x42c) [0x7fa0fb447cac]
   #13 /usr/sbin/winbindd(winbindd_dual_pam_auth+0x1150) [0x7fa0fb46d5a0]
   #14 /usr/sbin/winbindd(+0x5fd5c) [0x7fa0fb481d5c]
   #15 /usr/lib/x86_64-linux-gnu/libtevent.so.0(+0x92cb) [0x7fa0f48f22cb]
   #16 /usr/lib/x86_64-linux-gnu/libtevent.so.0(+0x7797) [0x7fa0f48f0797]
   #17 /usr/lib/x86_64-linux-gnu/libtevent.so.0(_tevent_loop_once+0x8d) [0x7fa0f48ecf9d]
   #18 /usr/sbin/winbindd(+0x620d8) [0x7fa0fb4840d8]
   #19 /usr/sbin/winbindd(+0x627d5) [0x7fa0fb4847d5]
   #20 /usr/lib/x86_64-linux-gnu/libtevent.so.0(tevent_common_loop_immediate+0xd4) [0x7fa0f48ed7c4]
   #21 /usr/lib/x86_64-linux-gnu/libtevent.so.0(+0x908e) [0x7fa0f48f208e]
   #22 /usr/lib/x86_64-linux-gnu/libtevent.so.0(+0x7797) [0x7fa0f48f0797]
   #23 /usr/lib/x86_64-linux-gnu/libtevent.so.0(_tevent_loop_once+0x8d) [0x7fa0f48ecf9d]
   #24 /usr/sbin/winbindd(main+0xad4) [0x7fa0fb447024]
   #25 /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf5) [0x7fa0f4561b45]
   #26 /usr/sbin/winbindd(+0x25699) [0x7fa0fb447699]
[2015/05/07 10:59:03.254728, 0, pid=30054, effective(2001, 0), real(2001, 0)] ../source3/lib/dumpcore.c:312(dump_core)
  unable to change to /var/log/samba/cores/winbindd
  refusing to dump core
##### log.wb-CORP #####

##### log.winbindd #####
[2015/05/07 10:59:03.121241, 1, pid=30049, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:333(ndr_print_function_debug)
  wbint_LookupName: struct wbint_LookupName
    out: struct wbint_LookupName
      type : *
        type : SID_NAME_DOM_GRP (2)
      sid : *
        sid : S-1-5-21-1063204605-3499843724-851943503-1135
      result : NT_STATUS_OK
[2015/05/07 10:59:03.121463, 10, pid=30049, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:755(wb_request_done)
  wb_request_done[29718:LOOKUPNAME]: NT_STATUS_OK
[2015/05/07 10:59:03.121570, 10, pid=30049, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:816(winbind_client_response_written)
  winbind_client_response_written[29718:LOOKUPNAME]: delivered response to client
[2015/05/07 10:59:03.121873, 10, pid=30049, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:693(process_request)
  process_request: Handling async request 29718:PAM_AUTH
[2015/05/07 10:59:03.121949, 3, pid=30049, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_pam_auth.c:54(winbindd_pam_auth_send)
  [29718]: pam auth stefan.pietsch
[2015/05/07 10:59:03.122011, 10, pid=30049, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cache.c:538(refresh_sequence_number)
  refresh_sequence_number: CORP time ok
[2015/05/07 10:59:03.122067, 10, pid=30049, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cache.c:583(refresh_sequence_number)
  refresh_sequence_number: CORP seq number is now 4819
[2015/05/07 10:59:03.122136, 10, pid=30049, effective(0, 0), real(0, 0), class=idmap] ../source3/winbindd/idmap_ad.c:64(ad_idmap_cached_connection)
  ad_idmap_cached_connection: called for domain 'CORP'
[2015/05/07 10:59:03.122188, 7, pid=30049, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_ads.c:61(ads_cached_connection_reuse)
  Current tickets expire in 35940 seconds (at 1431025083, time is now 1430989143)
[2015/05/07 10:59:03.145935, 5, pid=30049, effective(0, 0), real(0, 0)] ../source3/libads/ldap_utils.c:81(ads_do_search_retry_internal)
  Search for (uid=stefan.pietsch) in <dc=CORP,dc=LSEXPERTS,dc=DE> gave 0 replies
[2015/05/07 10:59:03.146194, 5, pid=30049, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cache.c:1272(resolve_alias_to_username)
  resolve_alias_to_username: backend query returned NT_STATUS_OBJECT_NAME_NOT_FOUND
[2015/05/07 10:59:03.257675, 10, pid=30049, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:755(wb_request_done)
  wb_request_done[29718:PAM_AUTH]: NT_STATUS_CONNECTION_DISCONNECTED
[2015/05/07 10:59:03.257773, 10, pid=30049, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:816(winbind_client_response_written)
  winbind_client_response_written[29718:PAM_AUTH]: delivered response to client
[2015/05/07 10:59:03.258371, 5, pid=30049, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_dual.c:525(winbind_child_died)
  Already reaped child 30054 died
##### log.winbindd #####

######### smb.conf: #########
[global]
    workgroup = CORP
    security = ADS
    realm = CORP.LSEXPERTS.DE
    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab
    ldap ssl = start tls
    ldap ssl ads = yes
    tls cafile = /usr/local/share/ca-certificates/LSE_CA_2015.crt
    idmap config * : backend = tdb
    idmap config * : range = 1000000-1999999
    idmap config CORP : backend = ad
    idmap config CORP : schema_mode = rfc2307
    idmap config CORP : range = 2000-999999
    winbind nss info = rfc2307, template
    winbind use default domain = yes
    winbind enum users = yes
    winbind enum groups = yes
    winbind refresh tickets = yes
    winbind expand groups = 4
    winbind normalize names = yes
    winbind offline logon = no
    template homedir = /home/%U
    template shell = /bin/bash
    restrict anonymous = 2
    domain master = no
    local master = no
    vfs objects = acl_xattr
    map acl inherit = yes
    store dos attributes = yes
    load printers = no
    show add printer wizard = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes
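
Added example, not part of the original report or of Samba: a Python triage helper that parses the debug-log header layout seen in the excerpts above and reports any process that logged a keytab read failure and then a fault, together with the effective uid it ran under. The function names are hypothetical and the sample is constructed from lines copied out of the report.

```python
import re

# Header layout as it appears in the log excerpts of the report.
HEADER = re.compile(
    r"^\[(?P<ts>\S+ \S+),\s+(?P<level>\d+), pid=(?P<pid>\d+), "
    r"effective\((?P<euid>\d+), \d+\), real\(\d+, \d+\)(?:, class=\w+)?\] "
    r"\S+:\d+\((?P<func>\w+)\)$")
KT_FAIL = re.compile(r"(krb5_kt_\w+) failed \((.+)\)")
FAULT = re.compile(r"INTERNAL ERROR: Signal (\d+)")

# Constructed sample: lines copied from the report, one header per line.
SAMPLE = """\
[2015/05/07 10:59:03.121949, 3, pid=30049, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_pam_auth.c:54(winbindd_pam_auth_send)
  [29718]: pam auth stefan.pietsch
[2015/05/07 10:59:03.245317, 1, pid=30054, effective(2001, 0), real(2001, 0)] ../source3/librpc/crypto/gse_krb5.c:416(fill_mem_keytab_from_system_keytab)
  ../source3/librpc/crypto/gse_krb5.c:416: krb5_kt_start_seq_get failed (Permission denied)
[2015/05/07 10:59:03.246279, 0, pid=30054, effective(2001, 0), real(2001, 0)] ../lib/util/fault.c:73(fault_report)
  INTERNAL ERROR: Signal 11 in pid 30054 (4.1.17-Debian)
  Please read the Trouble-Shooting section of the Samba HOWTO
"""

def parse(text):
    """Group each header line with the message lines that follow it."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            records.append({"pid": int(m["pid"]), "euid": int(m["euid"]), "msg": ""})
        elif records:
            records[-1]["msg"] += line.strip() + "\n"
    return records

def keytab_failure_then_fault(records):
    """Return (pid, euid, krb5 call, error, signal) for each process that
    logged a keytab read failure and later a fault report."""
    pending, hits = {}, []
    for r in records:
        kt = KT_FAIL.search(r["msg"])
        if kt:
            pending[r["pid"]] = (r["euid"], kt.group(1), kt.group(2))
        fault = FAULT.search(r["msg"])
        if fault and r["pid"] in pending:
            euid, call, err = pending.pop(r["pid"])
            hits.append((r["pid"], euid, call, err, int(fault.group(1))))
    return hits

if __name__ == "__main__":
    print(keytab_failure_then_fault(parse(SAMPLE)))
```

The reported euid can be compared with the ownership and mode of the file named by `dedicated keytab file` in smb.conf.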