[Bug 1290448] Re: Invalid Opcode when running samba-tool domain exportkeytab

Ian McMichael 1290448 at bugs.launchpad.net
Mon Mar 10 17:18:07 UTC 2014 

I've just upgraded Samba to 2:4.1.5+dfsg-1 from the Debian Jessie
repository.  This also forced the following updates:

 2014-03-10 17:13:00 upgrade python-samba:amd64 2:4.1.3+dfsg-2ubuntu3 2:4.1.5+dfsg-1
 2014-03-10 17:13:00 upgrade samba-dsdb-modules:amd64 2:4.1.3+dfsg-2ubuntu3 2:4.1.5+dfsg-1
 2014-03-10 17:13:00 upgrade samba:amd64 2:4.1.3+dfsg-2ubuntu3 2:4.1.5+dfsg-1
 2014-03-10 17:13:01 upgrade samba-common-bin:amd64 2:4.1.3+dfsg-2ubuntu3 2:4.1.5+dfsg-1
 2014-03-10 17:13:01 upgrade smbclient:amd64 2:4.1.3+dfsg-2ubuntu3 2:4.1.5+dfsg-1
 2014-03-10 17:13:01 upgrade samba-common:all 2:4.1.3+dfsg-2ubuntu3 2:4.1.5+dfsg-1
 2014-03-10 17:13:01 upgrade samba-vfs-modules:amd64 2:4.1.3+dfsg-2ubuntu3 2:4.1.5+dfsg-1
 2014-03-10 17:13:01 upgrade libsmbclient:amd64 2:4.1.3+dfsg-2ubuntu3 2:4.1.5+dfsg-1
 2014-03-10 17:13:01 upgrade samba-libs:amd64 2:4.1.3+dfsg-2ubuntu3 2:4.1.5+dfsg-1

Once complete the "samba-tool domain exportkeytab" command runs without
error and produces the expected keytab file.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to samba in Ubuntu.
https://bugs.launchpad.net/bugs/1290448

Title:
  Invalid Opcode when running samba-tool domain exportkeytab

Status in “samba” package in Ubuntu:
  New

Bug description:
  To reproduce this bug, carry out the following:

  Install a fresh Trust Tahr 14.04 AMD64 development build in a (KVM)
  virtual machine as a basic server.

  Install the samba (2:4.1.3+dfsg-2ubuntu3) and bind9 packages.

  Provision an Active Directory Domain with the following commands:

  	rm /etc/samba/smb.conf
  	samba-tool domain provision \
  	   --realm=EXAMPLE.NET --domain=EXAMPLE --adminpass='p4$$word' --dns-backend=BIND9_DLZ \
  	   --server-role=dc --function-level=2008_R2 --use-xattrs=yes --use-rfc2307

  Add the following to /etc/bind/named.conf.options:	
  	
  	tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
  	
  Set the appropriate permissions on the Kerberos keytab used by BIND:	
  	
  	chgrp bind /var/lib/samba/private/dns.keytab
  	chmod g+r /var/lib/samba/private/dns.keytab
  	
  Edit /etc/bind/named.conf.local and add:	
  	
  	include "/var/lib/samba/private/named.conf";
  	
  Edit /etc/apparmor.d/local/usr.sbin.named and add the following:	
  	
  	# Samba4 DLZ and Active Directory Zones
  	/usr/lib/x86_64-linux-gnu/samba/** rm,
  	/usr/lib/x86_64-linux-gnu/ldb/modules/ldb/** rm,
  	/var/lib/samba/private/dns.keytab rk,
  	/var/lib/samba/private/named.conf r,
  	/var/lib/samba/private/dns/** rwk,
  	/dev/urandom rw,
  	/var/tmp/** rw,
  	
  Restart apparmor and bind:	
  	
  	service apparmor reload
  	service bind9 restart
  	
  Test the DNS entries:	
  	
  	host -t SRV _ldap._tcp.example.net.
  	host -t SRV _kerberos._udp.example.net.
  	host -t A server.example.net.
  	
  Configure and test Kerberos:	
  	
  	cp /var/lib/samba/private/krb5.conf /etc/krb5.conf
  	service samba-ad-dc start
  	kinit administrator at EXAMPLE.NET
  	klist
  	
  Test Samba dynamic DNS updates:	
  	
  	samba_dnsupdate --verbose --all-names
  	
  Add the following to /etc/ntp.conf:	
  	
  	# Samba4 Secure Time Socket
  	ntpsigndsocket /var/lib/samba/ntp_signd/
  	restrict default mssntp
  	
  Create the NTP socket directory, assign permissions and restart NTP:	
  	
  	chown root:ntp /var/lib/samba/ntp_signd
  	chmod 750 /var/lib/samba/ntp_signd
  	service ntp restart
  	
  Extract and secure the Kerberos keytab for the DC:	
  	
  	samba-tool domain exportkeytab /etc/krb5.dc.keytab --principal=server$

  At this stage you receive "Illegal instruction (core dumped)".  In
  syslog, the following is logged:

          kernel: [ 2982.725574] traps: samba-tool[2650] trap invalid
  opcode ip:7f7e26aad8de sp:7fff2fc67308 error:0 in
  libHDB_SAMBA4.so.0[7f7e26aac000+2000]

  No keytab file is generated.  Adding a "-d 10" option to the command
  produces the following debug output:

  	INFO: Current debug levels:
  	  all: 10
  	  tdb: 10
  	  printdrivers: 10
  	  lanman: 10
  	  smb: 10
  	  rpc_parse: 10
  	  rpc_srv: 10
  	  rpc_cli: 10
  	  passdb: 10
  	  sam: 10
  	  auth: 10
  	  winbind: 10
  	  vfs: 10
  	  idmap: 10
  	  quota: 10
  	  acls: 10
  	  locking: 10
  	  msdfs: 10
  	  dmapi: 10
  	  registry: 10
  	  scavenger: 10
  	  dns: 10
  	  ldb: 10
  	lpcfg_load: refreshing parameters from /etc/samba/smb.conf
  	params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
  	Processing section "[global]"
  	Processing section "[netlogon]"
  	Processing section "[sysvol]"
  	pm_process() returned Yes
  	GENSEC backend 'gssapi_spnego' registered
  	GENSEC backend 'gssapi_krb5' registered
  	GENSEC backend 'gssapi_krb5_sasl' registered
  	GENSEC backend 'schannel' registered
  	GENSEC backend 'spnego' registered
  	GENSEC backend 'ntlmssp' registered
  	GENSEC backend 'krb5' registered
  	GENSEC backend 'fake_gssapi_krb5' registered
  	added interface br0 ip=192.168.115.2 bcast=192.168.115.255 netmask=255.255.255.0
  	added interface br0 ip=192.168.115.2 bcast=192.168.115.255 netmask=255.255.255.0
  	Illegal instruction (core dumped)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1290448/+subscriptions

More information about the foundations-bugs mailing list