Kerberos Help Needed

Rick Stevens rstevens at vitalstream.com
Thu Aug 25 17:12:47 UTC 2005


Greg Julius wrote:
>>>While I don't have a problem with doing this, I'm not sure that samba
>>>is the culprit, just a victim.
>>
>>Well, actually we just installed Samba 3.0.20 last night.  There are a
>>LOT of updates in it--so many that the Samba gang decided to skip
>>versions 3.0.15, .16, .17, .18 and .19 and went straight to .20.
> 
> 
> Lots of Stuff on that it appears.  Still, If I shut off samba and winbind
> I still fail on the 'net join'.
> 
> 
>>>The net command fails the same way when I do a 'net join':
>>>    *** glibc detected *** net: free(): invalid pointer: 0x00bd1db0 ***
>>>    ======= Backtrace: =========
>>>    /lib/libc.so.6[0x1be424]
>>>    /lib/libc.so.6(__libc_free+0x77)[0x1be95f]
>>>    /lib/libcom_err.so.2(remove_error_table+0x4b)[0x114abb]
>>>    /usr/lib/libkrb5.so.3[0xb6f8c4]
>>>    /usr/lib/libkrb5.so.3[0xb6f5c7]
>>>    /usr/lib/libkrb5.so.3[0xbc09da]
>>>    /lib/ld-linux.so.2[0xda4058]
>>>    /lib/libc.so.6(exit+0xc5)[0x185c69]
>>>    /lib/libc.so.6(__libc_start_main+0xce)[0x16fdee]
>>>    net[0x3070f1]
>>>    ======= Memory map: ========
>>>
>>>The addresses shown appear to be the same relative to each other.
>>>I haven't shot dumps since writing APAR's for IBM 20 years ago
>>>but looking at the backtrace I would guess that the free is being
>>>issued by libcom_err, perhaps as part of a request from libkrb5.
>>
>>That's entirely possible.  Have you upgraded the kerberos RPMs yet?
> 
> 
> I did a 'yum update' and installed everything it had to offer.
> 
> 
>>>All that aside, could the failure be caused by a bad config parm?
>>>I have a very minimal krb5.conf file.  I have been trying 
>>>variations of that.  I stopped winbind and did a 'net join' test
>>>and it failed the same way, seems that winbind couldn't be a
>>>part of the problem.  What else might be involved parameterwise?
>>
>>I doubt it's a config issue.  The trying to free an invalid pointer is
>>typically caused by a coding bug.  I have no idea which parameter would
>>cause the thread of execution to go down this buggy path, but trying to
>>find it would take a full-up debug session.
> 
> 
> Ugh!

Yeah, ugh!

>>>If it's not likely that a parameter change could work around the 
>>>failure, what would you suggest as the next step?
>>>
>>>Which source items should I try first and where would I get them?
>>>(Gad I must be desperate to even ask this...)
>>
>>First off, make sure you update Kerberos and possibly glibc.  I can't
>>recall which system you have (I think it was CentOS), but update ASAP.
>>Under CentOS or a licensed version of RHEL, you should be able to
>>"up2date" it.  For Fedora Core, use "yum -y update".
> 
> 
> I'm running Fedora Core 4.  Scratch install and all updates applied.

Hmmm.  I've not tried this with FC4.  The running environment we're
using is RHES3U4 with a U5 kernel.

> I just did a 'yum -y update' and rebooted after all was installed.
> There were some glibc stuff that I saw go in this time, but I didn't
> see any kerberos looking things.
> 
> Still failed, same way, same (relative) offsets.
> 
> Here is what I have for krb5:
> [xxx at guardian ~]# rpm -qa | grep krb5
> krb5-workstation-1.4-3
> krb5-auth-dialog-0.2-5
> krb5-workstation-1.4.1-5
> pam_krb5-2.1.7-3
> krb5-server-1.4-3
> krb5-devel-1.4.1-5
> krb5-libs-1.4-3
> krb5-devel-1.4-3
> krb5-libs-1.4.1-5
> krb5-server-1.4.1-5
> 
> 
> Is the fact that I have what look to be two releases a problem?
> I have krb5-libs twice.  a -1.4.1-5 and a -1.4-3

Well, it's a bit disconcerting, but it shouldn't be fatal.  It rather
depends on what ld uses when it links things on the fly.  The only way
to really see that is to do an "ldconfig -v" and verify that it's using
the latest krb5 libraries.

Here's what we have:
[root at dn-1a root]# rpm -qa | grep krb5
krb5-workstation-1.2.7-44
pam_krb5-1.75-1
krb5-libs-1.2.7-44
krb5-devel-1.2.7-44

Cleaned up, here's our krb5.conf file:
------------------------------ cut here --------------------------------
[root at dn-1a etc]# cat krb5.conf
[logging]
  default = FILE:/var/log/krb5libs.log
  kdc = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log

[libdefaults]
  ticket_lifetime = 24000
  default_realm = NT.SITESTREAM.NET
  dns_lookup_realm = false
  dns_lookup_kdc = false

  default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
  default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc

[realms]
  NT.SITESTREAM.NET = {
   kdc = nt.sitestream.net
   default_domain = NT.SITESTREAM.NET
  }

[domain_realm]
         nt.sitestream.net = NT.SITESTREAM.NET
         .nt.sitestream.net = NT.SITESTREAM.NET

[kdc]
  profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
  pam = {
    debug = false
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false
  }
------------------------------ cut here --------------------------------

And yet more cleaned up, here's our smb.conf file:
------------------------------ cut here --------------------------------
#-----------------------------------------------------------------------------
# Filename:     smb.conf                        Main Samba config file
#
# Synopsis:
#       This file is the main config file for Samba.
#
# Author:       Rick Stevens, VitalStream, Inc.
# Last Edit:    22 June 2005
#
#-----------------------------------------------------------------------------
[global]

# netbios name is the name of the machine in NetBIOS...
    netbios name = dn-1a
    unix charset = LOCAL

# server string is the equivalent of the NT Description field...
    server string = dn-1a Media connection node

# Items specific to clustered file system...
    kernel oplocks = Yes
    oplocks = Yes
    level2 oplocks = Yes
    oplock contention limit = 2
    blocking locks = yes
    locking = yes
    posix locking = yes
    strict locking = no

# Include the VitalStream-specific stuff...
# Set the domain we belong to...
    workgroup = NT
    realm = NT.SITESTREAM.NET
#   domain = NT.SITESTREAM.NET

# This option is important for security. It allows you to restrict
# connections to machines which are on your local network. The
# following example restricts access to two C class networks and
# the "loopback" interface. For more examples of the syntax see
# the smb.conf man page
;   hosts allow = 192.168.1. 192.168.2. 127.

# if you want to automatically load your printer list rather
# than setting them up individually then you'll need this
    printcap name = cups
    load printers = yes
    disable spoolss = yes
    show add printer wizard = no

# It should not be necessary to spell out the print system type unless
# yours is non-standard. Currently supported print systems include:
# bsd, sysv, plp, lprng, aix, hpux, qnx
    printing = cups

# Uncomment this if you want a guest account, you must add this to /etc/passwd
# otherwise the user "nobody" is used
;  guest account = pcguest

# this tells Samba to use a separate log file for each machine
# that connects
    # log file = /var/log/samba/%m.log
# all log information in one file (with 170+ machines, we need this!)
    log file = /var/log/samba/log.smbd

# Put a capping on the size of the log files (in Kb).
    max log size = 50

# Security mode. Most people will want user level security. See
# security_level.txt for details.
    security = ADS

# Use password server option only with security = server
    password server = nt.sitestream.net

    client schannel = no

# Password Level allows matching of _n_ characters of the password for
# all combinations of upper and lower case.
;  password level = 8
;  username level = 8

# You may wish to use password encryption. Please read
# ENCRYPTION.txt, Win95.txt and WinNT.txt in the Samba documentation.
# Do not enable this option unless you have read those documents
   encrypt passwords = yes
;  smb passwd file = /etc/samba/smbpasswd

# The following are needed to allow password changing from Windows to
# update the Linux system password also.
# NOTE: Use these with 'encrypt passwords' and 'smb passwd file' above.
# NOTE2: You do NOT need these to allow workstations to change only
#        the encrypted SMB passwords. They allow the Unix password
#        to be kept in sync with the SMB password.
;  unix password sync = Yes
;  passwd program = /usr/bin/passwd %u
;  passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*

# Unix users can map to different SMB User names
   username map = /etc/samba/smbusers

# Set up the UID and GID numbers allowed
    idmap uid = 15000-40000
    idmap gid = 15000-40000

# Use the default Windows domain
    winbind use default domain = yes
    winbind separator = +
    winbind enum users = yes
    winbind enum groups = yes
    winbind uid = 400001-60000
    winbind gid = 400001-60000

# Using the following line enables you to customise your configuration
# on a per machine basis. The %m gets replaced with the netbios name
# of the machine that is connecting
;   include = /etc/samba/smb.conf.%m

# Most people will find that this option gives better performance.
# See speed.txt and the manual pages for details
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

# Configure Samba to use multiple interfaces
# If you have multiple network interfaces then you must list them
# here. See the man page for details.
;   interfaces = 192.168.12.2/24 192.168.13.2/24

# Configure remote browse list synchronisation here
#  request announcement to, or browse list sync from:
#       a specific host or from / to a whole subnet (see below)
;   remote browse sync = 192.168.3.25 192.168.5.255
# Cause this host to announce itself to local subnets here
;   remote announce = 192.168.1.255 192.168.2.44

# Browser Control Options:
# set local master to no if you don't want Samba to become a master
# browser on your network. Otherwise the normal election rules apply
;   local master = no

# OS Level determines the precedence of this server in master browser
# elections. The default value should be reasonable
;   os level = 33

# Domain Master specifies Samba to be the Domain Master Browser. This
# allows Samba to collate browse lists between subnets. Don't use this
# if you already have a Windows NT domain controller doing this job
;   domain master = yes

# Preferred Master causes Samba to force a local browser election on startup
# and gives it a slightly higher chance of winning the election
;   preferred master = yes

# Enable this if you want Samba to be a domain logon server for
# Windows95 workstations.
;   domain logons = yes

# if you enable domain logons then you may want a per-machine or
# per user logon script
# run a specific logon batch file per workstation (machine)
;   logon script = %m.bat
# run a specific logon batch file per username
;   logon script = %U.bat

# Where to store roving profiles (only for Win95 and WinNT)
#        %L substitutes for this servers netbios name, %U is username
#        You must uncomment the [Profiles] share below
;   logon path = \\%L\Profiles\%U

# All NetBIOS names must be resolved to IP Addresses
# 'Name Resolve Order' allows the named resolution mechanism to be specified
# the default order is "host lmhosts wins bcast". "host" means use the unix
# system gethostbyname() function call that will use either /etc/hosts OR
# DNS or NIS depending on the settings of /etc/host.config, /etc/nsswitch.conf
# and the /etc/resolv.conf file. "host" therefore is system configuration
# dependent. This parameter is most often of use to prevent DNS lookups
# in order to resolve NetBIOS names to IP Addresses. Use with care!
# The example below excludes use of name resolution for machines that are NOT
# on the local network segment
# - OR - are not deliberately to be known via lmhosts or via WINS.
; name resolve order = wins lmhosts bcast

# Windows Internet Name Serving Support Section:
# WINS Support - Tells the NMBD component of Samba to enable its WINS Server
;   wins support = yes

# WINS Server - Tells the NMBD components of Samba to be a WINS Client
#       Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
;   wins server = w.x.y.z

# WINS Proxy - Tells Samba to answer name resolution queries on
# behalf of a non WINS capable client, for this to work there must be
# at least one  WINS Server on the network. The default is NO.
;   wins proxy = yes

# DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names
# via DNS nslookups. The built-in default for versions 1.9.17 is yes,
# this has been changed in version 1.9.18 to no.
    dns proxy = no

# Case Preservation can be handy - system default is _no_
# NOTE: These can be set on a per share basis
;  preserve case = no
;  short preserve case = no
# Default case is normally upper case for all DOS files
;  default case = lower
# Be very careful with case sensitivity - it can break things!
;  case sensitive = no

# Include the share definitions...
(scrubbed...you really don't need to know that stuff)
------------------------------ cut here --------------------------------

> BTW, you sent the reply straight to me, so I replied straight
> to you.  Was that your intent?  If not, feel free to resend your 
> reply via RHIL and I will re-reply to it to keep the thread 
> intact.

Oops!  I guess you were the first entry in the "Reply-To:" header and
I only did a "Reply", not a "Reply All".  I'll add the install list
to the "To:" fields to get this back on the list.  It will be out of
thread order, but that's the best I can do.

> OK, what's next?

You could try the layout I've given above.  It works for us, but I
really am concerned about that crash from the kerberos libraries.
Have you checked bugzilla about such behaviour?
----------------------------------------------------------------------
- Rick Stevens, Senior Systems Engineer     rstevens at vitalstream.com -
- VitalStream, Inc.                       http://www.vitalstream.com -
-                                                                    -
-                   To err is human, to moo bovine.                  -
----------------------------------------------------------------------
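An added example, not code from the thread, that automates the check Rick describes above: scan `rpm -qa` output for package names installed at more than one version, the state Greg's krb5 listing shows (krb5-libs at both 1.4-3 and 1.4.1-5). The sample input is that listing, embedded as a constructed string so the script runs offline; the function names (`rpm_name`, `find_dupes`, `count_dupes`, `versions_of`, `report_dupes`) are mine, not part of rpm or yum.

```shell
#!/bin/sh
# Added example: report RPM package names that are installed more than once.
# Two copies of the same library package is exactly the condition that lets
# a binary link against one version at build time and load another at run
# time, so it is worth flagging before chasing a crash like the free() above.

# Constructed sample: the "rpm -qa | grep krb5" listing quoted in the thread.
# On a live host pass "$(rpm -qa)" instead.
RPM_QA_SAMPLE='krb5-workstation-1.4-3
krb5-auth-dialog-0.2-5
krb5-workstation-1.4.1-5
pam_krb5-2.1.7-3
krb5-server-1.4-3
krb5-devel-1.4.1-5
krb5-libs-1.4-3
krb5-devel-1.4-3
krb5-libs-1.4.1-5
krb5-server-1.4.1-5'

# Strip the trailing "-VERSION-RELEASE" from a name-version-release string.
# Assumes the plain N-V-R form that rpm -qa prints by default (no epoch,
# no architecture suffix); see the usage note for multilib hosts.
rpm_name() {
    printf '%s\n' "$1" | sed 's/-[^-]*-[^-]*$//'
}

# Print every package name that occurs more than once in the listing,
# one per line, sorted.
find_dupes() {
    printf '%s\n' "$1" | sed 's/-[^-]*-[^-]*$//' | sort | uniq -d
}

# Number of package names present at two or more versions.
count_dupes() {
    find_dupes "$1" | wc -l | tr -d ' '
}

# List every installed version of one package name.
versions_of() {
    name=$1
    printf '%s\n' "$2" | grep "^${name}-[^-]*-[^-]*$" | sort
}

# Human-readable report. Returns 1 when duplicates exist so the check can
# gate a post-upgrade hook or a cron job.
report_dupes() {
    listing=$1
    dupes=$(find_dupes "$listing")
    if [ -z "$dupes" ]; then
        echo "no duplicate packages"
        return 0
    fi
    for n in $dupes; do
        echo "$n installed more than once:"
        versions_of "$n" "$listing" | sed 's/^/    /'
    done
    return 1
}

# Demo run on the constructed sample; the || keeps a set -e shell alive.
report_dupes "$RPM_QA_SAMPLE" || echo "duplicates found (exit status $?)"
```

On a host with both 32- and 64-bit copies of a library installed on purpose, a same-name pair is legitimate; in that case feed the script `rpm -qa --qf '%{NAME}.%{ARCH}-%{VERSION}-%{RELEASE}\n'` so the architecture becomes part of the name token and only true version duplicates are flagged. Once the duplicate is found, `ldd /usr/bin/net | grep krb5` shows which `libkrb5.so.3` the dynamic loader actually resolves, which is the same fact Rick's `ldconfig -v` suggestion is after; removing the stale copy (or reinstalling the package so only one version remains) is the usual cleanup.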




More information about the Redhat-install-list mailing list