Ubuntu
samba package

Invalid Opcode when running samba-tool domain exportkeytab

Bug #1290448 reported by Ian McMichael
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
samba (Ubuntu)
New
Undecided
Unassigned

Bug Description

To reproduce this bug, carry out the following:

Install a fresh Trust Tahr 14.04 AMD64 development build in a (KVM) virtual machine as a basic server.

Install the samba (2:4.1.3+dfsg-2ubuntu3) and bind9 packages.

Provision an Active Directory Domain with the following commands:

 rm /etc/samba/smb.conf
 samba-tool domain provision \
    --realm=EXAMPLE.NET --domain=EXAMPLE --adminpass='p4$$word' --dns-backend=BIND9_DLZ \
    --server-role=dc --function-level=2008_R2 --use-xattrs=yes --use-rfc2307

Add the following to /etc/bind/named.conf.options:

 tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";

Set the appropriate permissions on the Kerberos keytab used by BIND:

 chgrp bind /var/lib/samba/private/dns.keytab
 chmod g+r /var/lib/samba/private/dns.keytab

Edit /etc/bind/named.conf.local and add:

 include "/var/lib/samba/private/named.conf";

Edit /etc/apparmor.d/local/usr.sbin.named and add the following:

 # Samba4 DLZ and Active Directory Zones
 /usr/lib/x86_64-linux-gnu/samba/** rm,
 /usr/lib/x86_64-linux-gnu/ldb/modules/ldb/** rm,
 /var/lib/samba/private/dns.keytab rk,
 /var/lib/samba/private/named.conf r,
 /var/lib/samba/private/dns/** rwk,
 /dev/urandom rw,
 /var/tmp/** rw,

Restart apparmor and bind:

 service apparmor reload
 service bind9 restart

Test the DNS entries:

 host -t SRV _ldap._tcp.example.net.
 host -t SRV _kerberos._udp.example.net.
 host -t A server.example.net.

Configure and test Kerberos:

 cp /var/lib/samba/private/krb5.conf /etc/krb5.conf
 service samba-ad-dc start
 kinit <email address hidden>
 klist

Test Samba dynamic DNS updates:

 samba_dnsupdate --verbose --all-names

Add the following to /etc/ntp.conf:

 # Samba4 Secure Time Socket
 ntpsigndsocket /var/lib/samba/ntp_signd/
 restrict default mssntp

Create the NTP socket directory, assign permissions and restart NTP:

 chown root:ntp /var/lib/samba/ntp_signd
 chmod 750 /var/lib/samba/ntp_signd
 service ntp restart

Extract and secure the Kerberos keytab for the DC:

 samba-tool domain exportkeytab /etc/krb5.dc.keytab --principal=server$

At this stage you receive "Illegal instruction (core dumped)". In syslog, the following is logged:

 kernel: [ 2982.725574] traps: samba-tool[2650] trap invalid opcode ip:7f7e26aad8de sp:7fff2fc67308 error:0 in libHDB_SAMBA4.so.0[7f7e26aac000+2000]

No keytab file is generated. Adding a "-d 10" option to the command produces the following debug output:

 INFO: Current debug levels:
   all: 10
   tdb: 10
   printdrivers: 10
   lanman: 10
   smb: 10
   rpc_parse: 10
   rpc_srv: 10
   rpc_cli: 10
   passdb: 10
   sam: 10
   auth: 10
   winbind: 10
   vfs: 10
   idmap: 10
   quota: 10
   acls: 10
   locking: 10
   msdfs: 10
   dmapi: 10
   registry: 10
   scavenger: 10
   dns: 10
   ldb: 10
 lpcfg_load: refreshing parameters from /etc/samba/smb.conf
 params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
 Processing section "[global]"
 Processing section "[netlogon]"
 Processing section "[sysvol]"
 pm_process() returned Yes
 GENSEC backend 'gssapi_spnego' registered
 GENSEC backend 'gssapi_krb5' registered
 GENSEC backend 'gssapi_krb5_sasl' registered
 GENSEC backend 'schannel' registered
 GENSEC backend 'spnego' registered
 GENSEC backend 'ntlmssp' registered
 GENSEC backend 'krb5' registered
 GENSEC backend 'fake_gssapi_krb5' registered
 added interface br0 ip=192.168.115.2 bcast=192.168.115.255 netmask=255.255.255.0
 added interface br0 ip=192.168.115.2 bcast=192.168.115.255 netmask=255.255.255.0
 Illegal instruction (core dumped)

Revision history for this message
Ian McMichael (ian-sigma-uk) wrote :

I've just upgraded Samba to 2:4.1.5+dfsg-1 from the Debian Jessie repository. This also forced the following updates:

 2014-03-10 17:13:00 upgrade python-samba:amd64 2:4.1.3+dfsg-2ubuntu3 2:4.1.5+dfsg-1
 2014-03-10 17:13:00 upgrade samba-dsdb-modules:amd64 2:4.1.3+dfsg-2ubuntu3 2:4.1.5+dfsg-1
 2014-03-10 17:13:00 upgrade samba:amd64 2:4.1.3+dfsg-2ubuntu3 2:4.1.5+dfsg-1
 2014-03-10 17:13:01 upgrade samba-common-bin:amd64 2:4.1.3+dfsg-2ubuntu3 2:4.1.5+dfsg-1
 2014-03-10 17:13:01 upgrade smbclient:amd64 2:4.1.3+dfsg-2ubuntu3 2:4.1.5+dfsg-1
 2014-03-10 17:13:01 upgrade samba-common:all 2:4.1.3+dfsg-2ubuntu3 2:4.1.5+dfsg-1
 2014-03-10 17:13:01 upgrade samba-vfs-modules:amd64 2:4.1.3+dfsg-2ubuntu3 2:4.1.5+dfsg-1
 2014-03-10 17:13:01 upgrade libsmbclient:amd64 2:4.1.3+dfsg-2ubuntu3 2:4.1.5+dfsg-1
 2014-03-10 17:13:01 upgrade samba-libs:amd64 2:4.1.3+dfsg-2ubuntu3 2:4.1.5+dfsg-1

Once complete the "samba-tool domain exportkeytab" command runs without error and produces the expected keytab file.

Revision history for this message
Ian McMichael (ian-sigma-uk) wrote :

As this bug stops an other application using the Kerberos details stored in the Samba directory, it is quite a show-stopper for the Trusty release. Is there anything I can tag this bug with or anyone I should notify in an attempt to get 4.1.5 pulled from Jessie for the Trusty release?

Revision history for this message
Ian McMichael (ian-sigma-uk) wrote :

In case it assists when this bug gets triaged, I've repeated my build today with Samba 2:4.1.6+dfsg-1 from Jessie and this bug is also not present in the 4.1.6 release, which includes security fixes over 4.1.5.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.