[Bug 1761737] Re: [bionic] samba PANIC, INTERNAL ERROR: Signal 11
Andreas Hasenack
andreas at canonical.com
Wed Apr 18 12:48:14 UTC 2018
(sorry if I'm telling you something you already know: the text below is
also for my own benefit and thought process)

Joining a domain means basically creating a computer account in the AD.
That is what allows the computer to query the domain for information
like usernames, uid numbers, and even authenticate users.

sssd can do that, for its own benefit. It installs a pam module, a nss
module, configures files accordingly, and you get a machine where users
can login to the linux system and be treated almost like local users, as
if they were in /etc/{passwd,shadow}. sssd can largely do that because
of kerberos.

Samba can also join a domain, of course, and it stores the credentials
for that locally somewhere. I believe that's ultimately what the
"kerberos method" setting controls: if it's in the secrets.tdb database,
or in a normal kerberos keytab. I believe when you use "net ads join",
it uses secrets.tdb. You can check the /etc/krb5.keytab to see if it
changed after you ran "net ads join".

Now, the question is how to take advantage of the already running sssd
(for your linux users to login on the box via ssh, login, gdm, etc) for
samba. As we know, for samba to authenticate and recognize a windows
user, that user also needs to appear as a linux user, as if it existed
in /etc/passwd. That's one of the functions of winbind, or nss_ldap, or
even sssd. But samba also needs to contact the kerberos server (AD in
this case) to authenticate the user and obtain a TGT, and for that it
needs to have its own account. An account that sssd created, not "net
ads join" in your case. Samba should be able to use the system keytab
(that's /etc/krb5.keytab), where apparently sssd did all the work for
us, but we are seeing segfaults in our way when messing with that
parameter.

In the release notes for samba 4.8.0, for example, they state that
having winbind is required for domain membership, because the rpc calls
were delegated to it
(https://github.com/samba-team/samba/blob/v4-8-stable/WHATSNEW.txt#L24).
In 4.7.x that doesn't seem to be the case yet, but maybe they were on
that path already.

You have evidence that in previous ubuntu releases it is possible: using
only sssd, and having samba authenticate domain users. I don't know if
by design, or by accident. Or maybe you are using just a subset of all
the possible rpc calls and it works.

I have documentation that says "net ads join" is necessary for this to
work (it's in the smb.conf manpage). It doesn't elaborate if winbind is
needed, though. Above when you said "it works" after trying "net ads
join", did you mean just the join, or that samba started to authenticate
domain users normally?

Bottom line is, I don't know if you can use sssd for samba, or if you
need both sssd and winbind. I would have to experiment with it. The
segfault is a bug, and shouldn't happen even with invalid
configurations, so that has to be fixed. But it might be unrelated to
the big question.

What I suggest:
- try the net ads join way. It's what the samba documentation recommends
- check if "net ads join" creates another entry in the keytab file
- subscribe to https://lists.samba.org/mailman/listinfo/samba and post this question of sssd+samba there, mentioning the bug about the segfault perhaps (https://bugzilla.samba.org/show_bug.cgi?id=13376)

I will try to find some time this week to validate the domain join
scenarios, at least with samba tools (net ads join, winbind, etc).

For this bug here, I think the focus should be on the segfault.

--
https://bugs.launchpad.net/bugs/1761737
Title:
[bionic] samba PANIC, INTERNAL ERROR: Signal 11
Status in samba:
Unknown
Status in samba package in Ubuntu:
Confirmed
Bug description:
Our Ubuntu clients are in an AD domain using realm. Accessing a samba share (SSO) with dolphin/nautilus (smb://HOST/share) is working on ubuntu clients where the host with the shared directory is ubuntu 16.04 or 17.10.
Accessing the shared folder on ubuntu 18.04 with same configuration as 16.04 or 17.10 clients throws a panic on the system with 18.04:
/var/log/samba/log.LOCALHOST on HOST with 18.04
===============================================
[2018/04/06 13:43:50.360655, 5] ../source3/smbd/reply.c:780(reply_special)
init msg_type=0x81 msg_flags=0x0
[2018/04/06 13:43:50.361179, 3] ../source3/smbd/process.c:1959(process_smb)
Transaction 0 of length 194 (0 toread)
[2018/04/06 13:43:50.361241, 5] ../source3/lib/util.c:184(show_msg)
[2018/04/06 13:43:50.361264, 5] ../source3/lib/util.c:194(show_msg)
size=190
smb_com=0x72
smb_rcls=0
smb_reh=0
smb_err=0
smb_flg=24
smb_flg2=51267
smb_tid=0
smb_pid=65534
smb_uid=0
smb_mid=0
smt_wct=0
smb_bcc=155
[2018/04/06 13:43:50.361467, 3] ../source3/smbd/process.c:1539(switch_message)
switch message SMBnegprot (pid 2538) conn 0x0
[2018/04/06 13:43:50.361554, 4] ../source3/smbd/sec_ctx.c:320(set_sec_ctx_internal)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2018/04/06 13:43:50.361617, 5] ../libcli/security/security_token.c:53(security_token_debug)
Security token: (NULL)
[2018/04/06 13:43:50.361667, 5] ../source3/auth/token_util.c:651(debug_unix_user_token)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
[2018/04/06 13:43:50.361766, 5] ../source3/smbd/uid.c:425(smbd_change_to_root_user)
change_to_root_user: now uid=(0,0) gid=(0,0)
[2018/04/06 13:43:50.363559, 3] ../source3/smbd/negprot.c:612(reply_negprot)
Requested protocol [PC NETWORK PROGRAM 1.0]
[2018/04/06 13:43:50.363638, 3] ../source3/smbd/negprot.c:612(reply_negprot)
Requested protocol [MICROSOFT NETWORKS 1.03]
[2018/04/06 13:43:50.363677, 3] ../source3/smbd/negprot.c:612(reply_negprot)
Requested protocol [MICROSOFT NETWORKS 3.0]
[2018/04/06 13:43:50.363712, 3] ../source3/smbd/negprot.c:612(reply_negprot)
Requested protocol [LANMAN1.0]
[2018/04/06 13:43:50.363747, 3] ../source3/smbd/negprot.c:612(reply_negprot)
Requested protocol [LM1.2X002]
[2018/04/06 13:43:50.363782, 3] ../source3/smbd/negprot.c:612(reply_negprot)
Requested protocol [DOS LANMAN2.1]
[2018/04/06 13:43:50.363817, 3] ../source3/smbd/negprot.c:612(reply_negprot)
Requested protocol [LANMAN2.1]
[2018/04/06 13:43:50.363852, 3] ../source3/smbd/negprot.c:612(reply_negprot)
Requested protocol [Samba]
[2018/04/06 13:43:50.363888, 3] ../source3/smbd/negprot.c:612(reply_negprot)
Requested protocol [NT LANMAN 1.0]
[2018/04/06 13:43:50.363924, 3] ../source3/smbd/negprot.c:612(reply_negprot)
Requested protocol [NT LM 0.12]
[2018/04/06 13:43:50.364019, 5] ../lib/dbwrap/dbwrap.c:160(dbwrap_check_lock_order)
check lock order 2 for /var/run/samba/serverid.tdb
[2018/04/06 13:43:50.364077, 5] ../lib/dbwrap/dbwrap.c:128(dbwrap_lock_order_state_destructor)
release lock order 2 for /var/run/samba/serverid.tdb
[2018/04/06 13:43:50.364259, 5] ../source3/auth/auth.c:537(make_auth3_context_for_ntlm)
Making default auth method list for server role = 'standalone server', encrypt passwords = yes
[2018/04/06 13:43:50.364282, 5] ../source3/auth/auth.c:48(smb_register_auth)
Attempting to register auth backend trustdomain
[2018/04/06 13:43:50.364300, 5] ../source3/auth/auth.c:60(smb_register_auth)
Successfully added auth method 'trustdomain'
[2018/04/06 13:43:50.364316, 5] ../source3/auth/auth.c:48(smb_register_auth)
Attempting to register auth backend ntdomain
[2018/04/06 13:43:50.364334, 5] ../source3/auth/auth.c:60(smb_register_auth)
Successfully added auth method 'ntdomain'
[2018/04/06 13:43:50.364352, 5] ../source3/auth/auth.c:48(smb_register_auth)
Attempting to register auth backend guest
[2018/04/06 13:43:50.364364, 5] ../source3/auth/auth.c:60(smb_register_auth)
Successfully added auth method 'guest'
[2018/04/06 13:43:50.364392, 5] ../source3/auth/auth.c:48(smb_register_auth)
Attempting to register auth backend sam
[2018/04/06 13:43:50.364404, 5] ../source3/auth/auth.c:60(smb_register_auth)
Successfully added auth method 'sam'
[2018/04/06 13:43:50.364415, 5] ../source3/auth/auth.c:48(smb_register_auth)
Attempting to register auth backend sam_ignoredomain
[2018/04/06 13:43:50.364427, 5] ../source3/auth/auth.c:60(smb_register_auth)
Successfully added auth method 'sam_ignoredomain'
[2018/04/06 13:43:50.364438, 5] ../source3/auth/auth.c:48(smb_register_auth)
Attempting to register auth backend sam_netlogon3
[2018/04/06 13:43:50.364450, 5] ../source3/auth/auth.c:60(smb_register_auth)
Successfully added auth method 'sam_netlogon3'
[2018/04/06 13:43:50.364461, 5] ../source3/auth/auth.c:48(smb_register_auth)
Attempting to register auth backend winbind
[2018/04/06 13:43:50.364473, 5] ../source3/auth/auth.c:60(smb_register_auth)
Successfully added auth method 'winbind'
[2018/04/06 13:43:50.364484, 5] ../source3/auth/auth.c:48(smb_register_auth)
Attempting to register auth backend unix
[2018/04/06 13:43:50.364502, 5] ../source3/auth/auth.c:60(smb_register_auth)
Successfully added auth method 'unix'
[2018/04/06 13:43:50.364514, 5] ../source3/auth/auth.c:400(load_auth_module)
load_auth_module: Attempting to find an auth method to match guest
[2018/04/06 13:43:50.364527, 5] ../source3/auth/auth.c:425(load_auth_module)
load_auth_module: auth method guest has a valid init
[2018/04/06 13:43:50.364539, 5] ../source3/auth/auth.c:400(load_auth_module)
load_auth_module: Attempting to find an auth method to match sam_ignoredomain
[2018/04/06 13:43:50.364551, 5] ../source3/auth/auth.c:425(load_auth_module)
load_auth_module: auth method sam_ignoredomain has a valid init
[2018/04/06 13:43:50.365880, 3] ../auth/gensec/gensec_start.c:977(gensec_register)
GENSEC backend 'gssapi_spnego' registered
[2018/04/06 13:43:50.365916, 3] ../auth/gensec/gensec_start.c:977(gensec_register)
GENSEC backend 'gssapi_krb5' registered
[2018/04/06 13:43:50.365930, 3] ../auth/gensec/gensec_start.c:977(gensec_register)
GENSEC backend 'gssapi_krb5_sasl' registered
[2018/04/06 13:43:50.365942, 3] ../auth/gensec/gensec_start.c:977(gensec_register)
GENSEC backend 'spnego' registered
[2018/04/06 13:43:50.365954, 3] ../auth/gensec/gensec_start.c:977(gensec_register)
GENSEC backend 'schannel' registered
[2018/04/06 13:43:50.365967, 3] ../auth/gensec/gensec_start.c:977(gensec_register)
GENSEC backend 'naclrpc_as_system' registered
[2018/04/06 13:43:50.365979, 3] ../auth/gensec/gensec_start.c:977(gensec_register)
GENSEC backend 'sasl-EXTERNAL' registered
[2018/04/06 13:43:50.365992, 3] ../auth/gensec/gensec_start.c:977(gensec_register)
GENSEC backend 'ntlmssp' registered
[2018/04/06 13:43:50.366004, 3] ../auth/gensec/gensec_start.c:977(gensec_register)
GENSEC backend 'ntlmssp_resume_ccache' registered
[2018/04/06 13:43:50.366017, 3] ../auth/gensec/gensec_start.c:977(gensec_register)
GENSEC backend 'http_basic' registered
[2018/04/06 13:43:50.366029, 3] ../auth/gensec/gensec_start.c:977(gensec_register)
GENSEC backend 'http_ntlm' registered
[2018/04/06 13:43:50.366042, 3] ../auth/gensec/gensec_start.c:977(gensec_register)
GENSEC backend 'krb5' registered
[2018/04/06 13:43:50.366055, 3] ../auth/gensec/gensec_start.c:977(gensec_register)
GENSEC backend 'fake_gssapi_krb5' registered
[2018/04/06 13:43:50.366109, 5] ../auth/gensec/gensec_start.c:739(gensec_start_mech)
Starting GENSEC mechanism spnego
[2018/04/06 13:43:50.366144, 5] ../auth/gensec/gensec_start.c:739(gensec_start_mech)
Starting GENSEC submechanism gse_krb5
[2018/04/06 13:43:50.366323, 0] ../lib/util/fault.c:78(fault_report)
===============================================================
[2018/04/06 13:43:50.366346, 0] ../lib/util/fault.c:79(fault_report)
INTERNAL ERROR: Signal 11 in pid 2538 (4.7.6-Ubuntu)
Please read the Trouble-Shooting section of the Samba HOWTO
[2018/04/06 13:43:50.366368, 0] ../lib/util/fault.c:81(fault_report)
===============================================================
[2018/04/06 13:43:50.366387, 0] ../source3/lib/util.c:815(smb_panic_s3)
PANIC (pid 2538): internal error
[2018/04/06 13:43:50.366896, 0] ../source3/lib/util.c:926(log_stack_trace)
BACKTRACE: 33 stack frames:
#0 /usr/lib/x86_64-linux-gnu/libsmbconf.so.0(log_stack_trace+0x1f) [0x7f738c2bd9cf]
#1 /usr/lib/x86_64-linux-gnu/libsmbconf.so.0(smb_panic_s3+0x20) [0x7f738c2bdaa0]
#2 /usr/lib/x86_64-linux-gnu/libsamba-util.so.0(smb_panic+0x2f) [0x7f738e3a65af]
#3 /usr/lib/x86_64-linux-gnu/libsamba-util.so.0(+0x197c6) [0x7f738e3a67c6]
#4 /lib/x86_64-linux-gnu/libpthread.so.0(+0x12890) [0x7f738e817890]
#5 /usr/lib/x86_64-linux-gnu/samba/libgse.so.0(+0x8070) [0x7f73866c5070]
#6 /usr/lib/x86_64-linux-gnu/samba/libgse.so.0(gse_krb5_get_server_keytab+0x95) [0x7f73866c5ac5]
#7 /usr/lib/x86_64-linux-gnu/samba/libgse.so.0(+0xac89) [0x7f73866c7c89]
#8 /usr/lib/x86_64-linux-gnu/samba/libgensec.so.0(+0x187a5) [0x7f73864ab7a5]
#9 /usr/lib/x86_64-linux-gnu/samba/libgensec.so.0(+0xa2a7) [0x7f738649d2a7]
#10 /usr/lib/x86_64-linux-gnu/samba/libgensec.so.0(+0xb7fe) [0x7f738649e7fe]
#11 /usr/lib/x86_64-linux-gnu/samba/libgensec.so.0(gensec_update_ev+0x64) [0x7f73864aafa4]
#12 /usr/lib/x86_64-linux-gnu/samba/libsmbd-base.so.0(negprot_spnego+0xa8) [0x7f738df764f8]
#13 /usr/lib/x86_64-linux-gnu/samba/libsmbd-base.so.0(+0x12ba3b) [0x7f738df76a3b]
#14 /usr/lib/x86_64-linux-gnu/samba/libsmbd-base.so.0(reply_negprot+0x4e3) [0x7f738df771f3]
#15 /usr/lib/x86_64-linux-gnu/samba/libsmbd-base.so.0(+0x1814ca) [0x7f738dfcc4ca]
#16 /usr/lib/x86_64-linux-gnu/samba/libsmbd-base.so.0(+0x183aee) [0x7f738dfceaee]
#17 /usr/lib/x86_64-linux-gnu/samba/libsmbd-base.so.0(+0x1849fc) [0x7f738dfcf9fc]
#18 /usr/lib/x86_64-linux-gnu/libtevent.so.0(+0x9ed0) [0x7f738aeefed0]
#19 /usr/lib/x86_64-linux-gnu/libtevent.so.0(+0x8357) [0x7f738aeee357]
#20 /usr/lib/x86_64-linux-gnu/libtevent.so.0(_tevent_loop_once+0x9d) [0x7f738aeea7cd]
#21 /usr/lib/x86_64-linux-gnu/libtevent.so.0(tevent_common_loop_wait+0x1b) [0x7f738aeea9eb]
#22 /usr/lib/x86_64-linux-gnu/libtevent.so.0(+0x82f7) [0x7f738aeee2f7]
#23 /usr/lib/x86_64-linux-gnu/samba/libsmbd-base.so.0(smbd_process+0x718) [0x7f738dfd0d78]
#24 /usr/sbin/smbd(+0xcfcc) [0x55a15e207fcc]
#25 /usr/lib/x86_64-linux-gnu/libtevent.so.0(+0x9ed0) [0x7f738aeefed0]
#26 /usr/lib/x86_64-linux-gnu/libtevent.so.0(+0x8357) [0x7f738aeee357]
#27 /usr/lib/x86_64-linux-gnu/libtevent.so.0(_tevent_loop_once+0x9d) [0x7f738aeea7cd]
#28 /usr/lib/x86_64-linux-gnu/libtevent.so.0(tevent_common_loop_wait+0x1b) [0x7f738aeea9eb]
#29 /usr/lib/x86_64-linux-gnu/libtevent.so.0(+0x82f7) [0x7f738aeee2f7]
#30 /usr/sbin/smbd(main+0x1d0a) [0x55a15e20334a]
#31 /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xe7) [0x7f738ab16b97]
#32 /usr/sbin/smbd(_start+0x2a) [0x55a15e20345a]
[2018/04/06 13:43:50.367078, 0] ../source3/lib/util.c:827(smb_panic_s3)
smb_panic(): calling panic action [/usr/share/samba/panic-action 2538]
30 ../sysdeps/unix/sysv/linux/waitpid.c: No such file or directory.
mail: cannot send message: Process exited with a non-zero status
[2018/04/06 13:43:51.587520, 0] ../source3/lib/util.c:835(smb_panic_s3)
smb_panic(): action returned status 36
[2018/04/06 13:43:51.587618, 0] ../source3/lib/dumpcore.c:318(dump_core)
coredump is handled by helper binary specified at /proc/sys/kernel/core_pattern[2018/04/06 13:43:52.153171, 5]
client
======
HOST: Ubuntu 18.04RC (2018-04-06), amd64
samba: 4.7.6+dfsg~ubuntu-0ubuntu1
krb5: 1.16-2build1
sssd: 1.16.0-5ubuntu2
This is a blocker for us to upgrade from 16.04 to 18.04 after release. :-(
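
A triage sketch for the fault report quoted above, added here as an example and not part of the original bug report or of Samba: it reads the signal, pid and version from the fault line and locates the frame that was executing when the signal arrived. The sample is abridged from the log above; treating the frame after the libpthread/libc signal trampoline as the crash site is an assumption about how these backtraces are laid out.

```python
import os
import re

FAULT_RE = re.compile(r"INTERNAL ERROR: Signal (\d+) in pid (\d+) \(([^)]+)\)")
FRAME_RE = re.compile(r"#(\d+) (\S+?)\((\w*)\+(0x[0-9a-f]+)\) \[0x[0-9a-f]+\]")

# Abridged from the log quoted in the bug description (frames #8-#32 dropped).
SAMPLE_LOG = """\
[2018/04/06 13:43:50.366346, 0] ../lib/util/fault.c:79(fault_report)
INTERNAL ERROR: Signal 11 in pid 2538 (4.7.6-Ubuntu)
[2018/04/06 13:43:50.366896, 0] ../source3/lib/util.c:926(log_stack_trace)
BACKTRACE: 33 stack frames:
#0 /usr/lib/x86_64-linux-gnu/libsmbconf.so.0(log_stack_trace+0x1f) [0x7f738c2bd9cf]
#1 /usr/lib/x86_64-linux-gnu/libsmbconf.so.0(smb_panic_s3+0x20) [0x7f738c2bdaa0]
#2 /usr/lib/x86_64-linux-gnu/libsamba-util.so.0(smb_panic+0x2f) [0x7f738e3a65af]
#3 /usr/lib/x86_64-linux-gnu/libsamba-util.so.0(+0x197c6) [0x7f738e3a67c6]
#4 /lib/x86_64-linux-gnu/libpthread.so.0(+0x12890) [0x7f738e817890]
#5 /usr/lib/x86_64-linux-gnu/samba/libgse.so.0(+0x8070) [0x7f73866c5070]
#6 /usr/lib/x86_64-linux-gnu/samba/libgse.so.0(gse_krb5_get_server_keytab+0x95) [0x7f73866c5ac5]
#7 /usr/lib/x86_64-linux-gnu/samba/libgse.so.0(+0xac89) [0x7f73866c7c89]
"""

def triage(log_text):
    """Summarise the first smbd fault report in log_text, or return None."""
    fault = FAULT_RE.search(log_text)
    if fault is None:
        return None
    frames = []
    for n, path, sym, off in FRAME_RE.findall(log_text[fault.end():]):
        if int(n) != len(frames):  # numbering restarted: a later panic's trace
            break
        frames.append({"n": int(n), "module": os.path.basename(path),
                       "symbol": sym or None, "offset": off})
    # Assumption: frames above the signal trampoline (libpthread here, libc on
    # newer glibc) are the panic handler; the code that faulted comes after it.
    tramp = next((i for i, f in enumerate(frames) if f["symbol"] is None
                  and f["module"].startswith(("libpthread.", "libc."))), None)
    interrupted = frames[tramp + 1:] if tramp is not None else frames
    named = next((f for f in interrupted if f["symbol"]), None)
    return {"signal": int(fault.group(1)), "pid": int(fault.group(2)),
            "version": fault.group(3),
            "crash_frame": interrupted[0] if interrupted else None,
            "nearest_symbol": named["symbol"] if named else None}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

On the sample, the crash frame is the unnamed libgse.so.0 offset and the nearest named caller is gse_krb5_get_server_keytab, which is the keytab-loading path the reply above discusses.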