Bug 1655865

Summary: samba-4.8.3-4 exits (terminates) itself when smbclient tries to connect
Product: Red Hat Enterprise Linux 7 Reporter: amitkuma
Component: samba Assignee: Andreas Schneider <asn>
Status: CLOSED INSUFFICIENT_DATA QA Contact: Andrej Dzilský <adzilsky>
Severity: high Docs Contact:
Priority: unspecified    
Version: 7.7-Alt CC: amitkuma, asn, dpal, gdeschner, jarrpa, jstephen, sbose
Target Milestone: rc   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Last Closed: 2019-03-01 21:21:45 UTC Type: Bug
Attachments:
Description Flags
samba logs none

Description amitkuma 2018-12-04 06:51:20 UTC
Description of problem:
samba joined to AD using SSSD.
id, getent returns user information.

samba share created and expected AD authentication.
When smbclient tries accessing share using "Kerberos TGT", samba server terminates itself.

[root@vm250-188 ~]# realm join --verbose --user=root windows2008-2.atest.com
 * Resolving: _ldap._tcp.windows2008-2.atest.com
 * Resolving: windows2008-2.atest.com
 * Performing LDAP DSE lookup on: 10.65.232.56
 * Successfully discovered: atest.com
Password for root: 
 * Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/sbin/adcli
 * LANG=C /usr/sbin/adcli join --verbose --domain atest.com --domain-realm ATEST.COM --domain-controller 10.65.232.56 --login-type user --login-user root --stdin-password
 * Using domain name: atest.com
 * Calculated computer account name from fqdn: VM250-188
 * Using domain realm: atest.com
 * Sending netlogon pings to domain controller: cldap://10.65.232.56
 * Received NetLogon info from: windows2008-2.atest.com
 * Wrote out krb5.conf snippet to /var/cache/realmd/adcli-krb5-6nl054/krb5.d/adcli-krb5-conf-4foHEe
 * Authenticated as user: root
 * Looked up short domain name: ATEST
 * Looked up domain SID: S-1-5-21-219570999-4236135608-484490645
 * Using fully qualified name: vm250-188.gsslab.pnq2.redhat.com
 * Using domain name: atest.com
 * Using computer account name: VM250-188
 * Using domain realm: atest.com
 * Calculated computer account name from fqdn: VM250-188
 * Generated 120 character computer password
 * Using keytab: FILE:/etc/krb5.keytab
 * Found computer account for VM250-188$ at: CN=VM250-188,CN=Computers,DC=atest,DC=com
 * Sending netlogon pings to domain controller: cldap://10.65.232.56
 * Received NetLogon info from: windows2008-2.atest.com
 * Set computer password
 * Retrieved kvno '6' for computer account in directory: CN=VM250-188,CN=Computers,DC=atest,DC=com
 * Discovered which keytab salt to use
 * Added the entries to the keytab: VM250-188$@ATEST.COM: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: host/VM250-188: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: host/vm250-188.gsslab.pnq2.redhat.com: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: RestrictedKrbHost/VM250-188: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: RestrictedKrbHost/vm250-188.gsslab.pnq2.redhat.com: FILE:/etc/krb5.keytab
 * /usr/bin/systemctl enable sssd.service
 * /usr/bin/systemctl restart sssd.service
 * /usr/bin/sh -c /usr/sbin/authconfig --update --enablesssd --enablesssdauth --enablemkhomedir --nostart && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service
 * Successfully enrolled machine in realm
[root@vm250-188 ~]# realm list
atest.com
  type: kerberos
  realm-name: ATEST.COM
  domain-name: atest.com
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common-tools
  login-formats: %U
  login-policy: allow-realm-logins
[root@vm250-188 ~]# # id amitk4
uid=107601137(amitk4) gid=107600513(domain users) groups=107600513(domain users)
[root@vm250-188 ~]# getent passwd arpit_sc
arpit_sc:*:107601134:107600513:arpit_sc:/home/arpit_sc:/bin/bash
[root@vm250-188 ~]# 
[root@vm250-188 ~]# cat /etc/samba/smb.conf
 [global]
security = ads
	workgroup = ATEST
	realm = ATEST.COM
   idmap config * : range = 16777216-33554431
   template shell = /bin/bash
   kerberos method = secrets only
   winbind use default domain = true
   winbind offline logon = false
        debug uid = yes
[myshare]
	path=/share
	valid users=ATEST\arpit_sc
[root@vm250-188 ~]# ls -ltr /share/
total 0
-rw-r--r--. 1 root root 0 Nov 22 05:22 test1
[root@vm250-188 ~]# 
[root@vm250-188 ~]# service winbind start
Redirecting to /bin/systemctl start winbind.service
[root@vm250-188 ~]# service winbind status
Redirecting to /bin/systemctl status winbind.service
● winbind.service - Samba Winbind Daemon
   Loaded: loaded (/usr/lib/systemd/system/winbind.service; disabled; vendor preset: disabled)
   Active: active (running) since Tue 2018-12-04 01:46:35 EST; 1s ago
     Docs: man:winbindd(8)
           man:samba(7)
           man:smb.conf(5)
 Main PID: 30722 (winbindd)
   Status: "winbindd: ready to serve connections..."
    Tasks: 2
   CGroup: /system.slice/winbind.service
           ├─30722 /usr/sbin/winbindd --foreground --no-process-group
           └─30728 /usr/sbin/winbindd --foreground --no-process-group

Dec 04 01:46:35 vm250-188.gsslab.pnq2.redhat.com systemd[1]: Starting Samba Winbind Daemon...
Dec 04 01:46:35 vm250-188.gsslab.pnq2.redhat.com winbindd[30722]: [2018/12/04 01:46:35.699726,  0, effective(0, 0), real(0, 0)] ../source3/winbindd/winb..._cache)
Dec 04 01:46:35 vm250-188.gsslab.pnq2.redhat.com winbindd[30722]:   initialize_winbindd_cache: clearing cache and re-creating with version number 2
Dec 04 01:46:35 vm250-188.gsslab.pnq2.redhat.com winbindd[30722]: [2018/12/04 01:46:35.708857,  0, effective(0, 0), real(0, 0)] ../lib/util/become_daemo..._ready)
Dec 04 01:46:35 vm250-188.gsslab.pnq2.redhat.com systemd[1]: Started Samba Winbind Daemon.
Dec 04 01:46:35 vm250-188.gsslab.pnq2.redhat.com winbindd[30722]:   daemon_ready: STATUS=daemon 'winbindd' finished starting up and ready to serve connections
Hint: Some lines were ellipsized, use -l to show in full.
[root@vm250-188 ~]#

In samba logs:
smbd_smb2_request_done_ex: idx[1] status[NT_STATUS_MORE_PROCESSING_REQUIRED] body[8] dyn[yes:155] at ../source3/smbd/smb2_sesssetup.c:174
smb2_set_operation_credit: smb2_set_operation_credit: requested 8192, charge 1, granted 1, current possible/max 512/512, total granted/max/low/range 1/8192/3/1
smbd_server_connection_terminate_ex: conn[ipv4:10.65.232.110:58482] reason[NT_STATUS_END_OF_FILE] at ../source3/smbd/smb2_server.c:3986
......
Primary group is 0 and contains 0 supplementary groups
change_to_root_user: now uid=(0,0) gid=(0,0)
msg_dgm_ref_destructor: refs=(nil)
Server exit (NT_STATUS_END_OF_FILE)


/etc/nsswitch.conf
passwd:     files sss
shadow:     files sss
group:      files sss


*********smbclient trying to access share:***********
[root@rhel7u5-1 ~]# klist 
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: arpit_sc

Valid starting       Expires              Service principal
12/04/2018 11:56:35  12/04/2018 21:56:35  krbtgt/ATEST.COM
	renew until 12/11/2018 11:56:32
12/04/2018 12:06:07  12/04/2018 21:56:35  cifs/vm250-188.gsslab.pnq2.redhat.com
	renew until 12/11/2018 11:56:32
[root@rhel7u5-1 ~]# 
[root@rhel7u5-1 ~]# smbclient //vm250-188.gsslab.pnq2.redhat.com/myshare -k -d 10 -mSMB3
INFO: Current debug levels:
  all: 10
  tdb: 10
  printdrivers: 10
  lanman: 10
  smb: 10
  rpc_parse: 10
  rpc_srv: 10
  rpc_cli: 10
  passdb: 10
  sam: 10
  auth: 10
  winbind: 10
  vfs: 10
  idmap: 10
  quota: 10
  acls: 10
  locking: 10
  msdfs: 10
  dmapi: 10
  registry: 10
  scavenger: 10
  dns: 10
  ldb: 10
  tevent: 10
  auth_audit: 10
  auth_json_audit: 10
  kerberos: 10
  drs_repl: 10
  smb2: 10
  smb2_credits: 10
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
INFO: Current debug levels:
  all: 10
  tdb: 10
  printdrivers: 10
  lanman: 10
  smb: 10
  rpc_parse: 10
  rpc_srv: 10
  rpc_cli: 10
  passdb: 10
  sam: 10
  auth: 10
  winbind: 10
  vfs: 10
  idmap: 10
  quota: 10
  acls: 10
  locking: 10
  msdfs: 10
  dmapi: 10
  registry: 10
  scavenger: 10
  dns: 10
  ldb: 10
  tevent: 10
  auth_audit: 10
  auth_json_audit: 10
  kerberos: 10
  drs_repl: 10
  smb2: 10
  smb2_credits: 10
Processing section "[global]"
doing parameter workgroup = SAMBA
doing parameter security = user
doing parameter passdb backend = tdbsam
doing parameter printing = cups
doing parameter printcap name = cups
doing parameter load printers = yes
doing parameter cups options = raw
pm_process() returned Yes
lp_servicenumber: couldn't find homes
added interface eth0 ip=2620:52:0:41e8:216:3eff:feb8:23d0 bcast= netmask=ffff:ffff:ffff:ffff::
added interface eth0 ip=10.65.232.110 bcast=10.65.235.255 netmask=255.255.252.0
Netbios name list:-
my_netbios_names[0]="RHEL7U5-1"
Client started (version 4.8.3).
Opening cache file at /var/lib/samba/gencache.tdb
Opening cache file at /var/lib/samba/lock/gencache_notrans.tdb
Adding cache entry with key=[AD_SITENAME/DOMAIN/] and timeout=[Thu Jan  1 05:30:00 AM 1970 IST] (-1543906117 seconds in the past)
Could not get allrecord lock on gencache_notrans.tdb: Locking error
sitename_fetch: No stored sitename for realm ''
internal_resolve_name: looking up vm250-188.gsslab.pnq2.redhat.com#20 (sitename (null))
Adding cache entry with key=[NBT/VM250-188.GSSLAB.PNQ2.REDHAT.COM#20] and timeout=[Thu Jan  1 05:30:00 AM 1970 IST] (-1543906117 seconds in the past)
no entry for vm250-188.gsslab.pnq2.redhat.com#20 found.
resolve_hosts: Attempting host lookup for name vm250-188.gsslab.pnq2.redhat.com<0x20>
remove_duplicate_addrs2: looking for duplicate address/port pairs
namecache_store: storing 1 address for vm250-188.gsslab.pnq2.redhat.com#20: 10.74.250.188
Adding cache entry with key=[NBT/VM250-188.GSSLAB.PNQ2.REDHAT.COM#20] and timeout=[Thu Jan  1 05:30:00 AM 1970 IST] (-1543906117 seconds in the past)
Adding cache entry with key=[NBT/VM250-188.GSSLAB.PNQ2.REDHAT.COM#20] and timeout=[Tue Dec  4 12:29:37 PM 2018 IST] (660 seconds ahead)
internal_resolve_name: returning 1 addresses: 10.74.250.188:0 
Connecting to 10.74.250.188 at port 445
Socket options:
	SO_KEEPALIVE = 0
	SO_REUSEADDR = 0
	SO_BROADCAST = 0
	TCP_NODELAY = 1
	TCP_KEEPCNT = 9
	TCP_KEEPIDLE = 7200
	TCP_KEEPINTVL = 75
	IPTOS_LOWDELAY = 0
	IPTOS_THROUGHPUT = 0
	SO_REUSEPORT = 0
	SO_SNDBUF = 87040
	SO_RCVBUF = 367360
	SO_SNDLOWAT = 1
	SO_RCVLOWAT = 1
	SO_SNDTIMEO = 0
	SO_RCVTIMEO = 0
	TCP_QUICKACK = 1
	TCP_DEFER_ACCEPT = 0
 session request ok
 negotiated dialect[SMB3_11] against server[vm250-188.gsslab.pnq2.redhat.com]
got OID=1.2.840.48018.1.2.2
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gse_krb5
gensec_update_send: gse_krb5[0x55f813fba920]: subreq: 0x55f813fc2310
gensec_update_send: spnego[0x55f813fb8840]: subreq: 0x55f813fb9db0
gensec_update_done: gse_krb5[0x55f813fba920]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0x55f813fc2310/../source3/librpc/crypto/gse.c:832]: state[2] error[0 (0x0)]  state[struct gensec_gse_update_state (0x55f813fc24a0)] timer[(nil)] finish[../source3/librpc/crypto/gse.c:842]
gensec_update_done: spnego[0x55f813fb8840]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0x55f813fb9db0/../auth/gensec/spnego.c:1601]: state[2] error[0 (0x0)]  state[struct gensec_spnego_update_state (0x55f813fb9f40)] timer[(nil)] finish[../auth/gensec/spnego.c:2070]
gse_get_client_auth_token: gss_init_sec_context failed with [Unspecified GSS failure.  Minor code may provide more information: The ticket isn't for us](2529638947)
gensec_update_send: gse_krb5[0x55f813fba920]: subreq: 0x55f813fc2310
gensec_update_send: spnego[0x55f813fb8840]: subreq: 0x55f813fc33b0
gensec_update_done: gse_krb5[0x55f813fba920]: NT_STATUS_LOGON_FAILURE tevent_req[0x55f813fc2310/../source3/librpc/crypto/gse.c:832]: state[3] error[-7963671676338569107 (0x917B5ACDC000006D)]  state[struct gensec_gse_update_state (0x55f813fc24a0)] timer[(nil)] finish[../source3/librpc/crypto/gse.c:845]
gensec_spnego_client_negTokenTarg_step: SPNEGO(gse_krb5) login failed: NT_STATUS_LOGON_FAILURE
gensec_update_done: spnego[0x55f813fb8840]: NT_STATUS_LOGON_FAILURE tevent_req[0x55f813fc33b0/../auth/gensec/spnego.c:1601]: state[3] error[-7963671676338569107 (0x917B5ACDC000006D)]  state[struct gensec_spnego_update_state (0x55f813fc3540)] timer[(nil)] finish[../auth/gensec/spnego.c:1993]
SPNEGO login failed: The attempted logon is invalid. This is either due to a bad username or authentication information.
session setup failed: NT_STATUS_LOGON_FAILURE
[root@rhel7u5-1 ~]# 




Version-Release number of selected component (if applicable):
[root@vm250-188 ~]# rpm -qa|grep samba
samba-common-tools-4.8.3-4.el7.x86_64
samba-winbind-4.8.3-4.el7.x86_64
samba-common-libs-4.8.3-4.el7.x86_64
samba-common-4.8.3-4.el7.noarch
samba-libs-4.8.3-4.el7.x86_64
samba-winbind-modules-4.8.3-4.el7.x86_64
samba-client-4.8.3-4.el7.x86_64
samba-client-libs-4.8.3-4.el7.x86_64
samba-4.8.3-4.el7.x86_64
[root@vm250-188 ~]# rpm -qa | grep sssd
sssd-common-pac-1.16.2-13.el7.x86_64
sssd-client-1.16.2-13.el7.x86_64
sssd-proxy-1.16.2-13.el7.x86_64
sssd-common-1.16.2-13.el7.x86_64
python-sssdconfig-1.16.2-13.el7.noarch
sssd-ipa-1.16.2-13.el7.x86_64
sssd-1.16.2-13.el7.x86_64
sssd-krb5-common-1.16.2-13.el7.x86_64
sssd-krb5-1.16.2-13.el7.x86_64
sssd-ldap-1.16.2-13.el7.x86_64
sssd-ad-1.16.2-13.el7.x86_64
[root@vm250-188 ~]# cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 7.6 Beta (Maipo)
[root@vm250-188 ~]#

How reproducible:
Every time

Steps to Reproduce:
1. mentioned above

Actual results:
1. Samba server terminates itself.
2. Access to share hence not granted

Expected results:
1. Samba server should not terminate itself, under any circumstances.
2. Access to share should be granted.

Additional info:

Comment 2 amitkuma 2018-12-04 06:55:16 UTC
Created attachment 1511219 [details]
samba logs

Comment 3 Sumit Bose 2018-12-05 15:38:06 UTC
The realm output says that adcli is used for joining the domain; this is not the default for RHEL. Please retry to join with realm using 'net ads join'.
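
A configuration check for the combination this comment points at, added here as an example (not part of the bug report and not Samba or realmd code): it reads the smb.conf and `realm join --verbose` excerpts from the description and flags a join performed by adcli together with a `kerberos method` that, per smb.conf(5), verifies tickets against secrets.tdb only. The function names are this example's own, and the bug was closed without a confirmed cause, so the finding marks a setting to review rather than a diagnosis.

```python
import re

# smb.conf(5) values of "kerberos method" that make smbd consult a keytab.
KEYTAB_METHODS = {"system keytab", "dedicated keytab", "secrets and keytab"}

def parse_smb_conf(text):
    """Return {section: {parameter: value}}, names lower-cased and space-normalised."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[" ".join(key.lower().split())] = value.strip()
    return sections

def join_facts(realm_output):
    """Which tool did the join, and which keytab files did it report writing?"""
    tool = "adcli" if re.search(r"/adcli join\b", realm_output) else None
    keytabs = set(re.findall(r"Added the entries to the keytab: \S+ FILE:(\S+)", realm_output))
    return tool, sorted(keytabs)

def check(smb_conf_text, realm_output):
    """Flag an adcli join paired with a ticket-verification method that ignores keytabs."""
    glob = parse_smb_conf(smb_conf_text).get("global", {})
    # An unset "kerberos method" behaves as "secrets only" (smb.conf(5) default).
    method = " ".join(glob.get("kerberos method", "secrets only").lower().split())
    tool, keytabs = join_facts(realm_output)
    if glob.get("security", "").lower() == "ads" and tool == "adcli" and method not in KEYTAB_METHODS:
        return [f"joined with adcli (keys in {', '.join(keytabs) or 'no keytab seen'}) "
                f"but 'kerberos method = {method}' reads secrets.tdb only"]
    return []

# Excerpts copied from the report's description (raw string: "\a" must stay literal).
SMB_CONF = r"""
 [global]
security = ads
    workgroup = ATEST
    realm = ATEST.COM
   kerberos method = secrets only
[myshare]
    path=/share
    valid users=ATEST\arpit_sc
"""
REALM_JOIN = """
 * LANG=C /usr/sbin/adcli join --verbose --domain atest.com --domain-realm ATEST.COM
 * Added the entries to the keytab: host/VM250-188: FILE:/etc/krb5.keytab
"""
```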

Comment 4 amitkuma 2018-12-08 02:48:25 UTC
Hello Sumit,
Thanks for the response.
But don't you think the samba daemon should not terminate itself in any case except segfault or leaks etc.?
Amit

Comment 5 Sumit Bose 2018-12-10 06:26:23 UTC
(In reply to amitkuma from comment #4)
> Hello Sumit,
> Thanks for the response.
> But don't you think the samba daemon should not terminate itself in any case
> except segfault or leaks etc.?

So this ticket is not about a non-working setup but about the crash which happens with an incomplete configuration?

> Amit

Comment 6 Andreas Schneider 2018-12-12 16:50:28 UTC
How was smbd started? The log file doesn't seem to be a log file written by smbd. It looks like output from stdout.

Comment 7 Andreas Schneider 2019-01-21 14:22:27 UTC
Ping!

Comment 9 amitkuma 2019-10-28 11:36:21 UTC
Clearing the NEEDINFO flag.