[Bug 1290448] [NEW] Invalid Opcode when running samba-tool domain exportkeytab

Ian McMichael 1290448 at bugs.launchpad.net
Mon Mar 10 16:50:58 UTC 2014


Public bug reported:

To reproduce this bug, carry out the following:

Install a fresh Trusty Tahr 14.04 AMD64 development build in a (KVM)
virtual machine as a basic server.

Install the samba (2:4.1.3+dfsg-2ubuntu3) and bind9 packages.

Provision an Active Directory Domain with the following commands:

	rm /etc/samba/smb.conf
	samba-tool domain provision \
	   --realm=EXAMPLE.NET --domain=EXAMPLE --adminpass='p4$$word' --dns-backend=BIND9_DLZ \
	   --server-role=dc --function-level=2008_R2 --use-xattrs=yes --use-rfc2307

Add the following to /etc/bind/named.conf.options:	
	
	tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
	
Set the appropriate permissions on the Kerberos keytab used by BIND:	
	
	chgrp bind /var/lib/samba/private/dns.keytab
	chmod g+r /var/lib/samba/private/dns.keytab
	
Edit /etc/bind/named.conf.local and add:	
	
	include "/var/lib/samba/private/named.conf";
	
Edit /etc/apparmor.d/local/usr.sbin.named and add the following:	
	
	# Samba4 DLZ and Active Directory Zones
	/usr/lib/x86_64-linux-gnu/samba/** rm,
	/usr/lib/x86_64-linux-gnu/ldb/modules/ldb/** rm,
	/var/lib/samba/private/dns.keytab rk,
	/var/lib/samba/private/named.conf r,
	/var/lib/samba/private/dns/** rwk,
	/dev/urandom rw,
	/var/tmp/** rw,
	
Restart apparmor and bind:	
	
	service apparmor reload
	service bind9 restart
	
Test the DNS entries:	
	
	host -t SRV _ldap._tcp.example.net.
	host -t SRV _kerberos._udp.example.net.
	host -t A server.example.net.
	
Configure and test Kerberos:	
	
	cp /var/lib/samba/private/krb5.conf /etc/krb5.conf
	service samba-ad-dc start
	kinit administrator@EXAMPLE.NET
	klist
	
Test Samba dynamic DNS updates:	
	
	samba_dnsupdate --verbose --all-names
	
Add the following to /etc/ntp.conf:	
	
	# Samba4 Secure Time Socket
	ntpsigndsocket /var/lib/samba/ntp_signd/
	restrict default mssntp
	
Create the NTP socket directory, assign permissions and restart NTP:	
	
	chown root:ntp /var/lib/samba/ntp_signd
	chmod 750 /var/lib/samba/ntp_signd
	service ntp restart
	
Extract and secure the Kerberos keytab for the DC:	
	
	samba-tool domain exportkeytab /etc/krb5.dc.keytab --principal=server$

At this stage you receive "Illegal instruction (core dumped)".  In
syslog, the following is logged:

	kernel: [ 2982.725574] traps: samba-tool[2650] trap invalid opcode ip:7f7e26aad8de sp:7fff2fc67308 error:0 in libHDB_SAMBA4.so.0[7f7e26aac000+2000]

No keytab file is generated.  Adding a "-d 10" option to the command
produces the following debug output:

	INFO: Current debug levels:
	  all: 10
	  tdb: 10
	  printdrivers: 10
	  lanman: 10
	  smb: 10
	  rpc_parse: 10
	  rpc_srv: 10
	  rpc_cli: 10
	  passdb: 10
	  sam: 10
	  auth: 10
	  winbind: 10
	  vfs: 10
	  idmap: 10
	  quota: 10
	  acls: 10
	  locking: 10
	  msdfs: 10
	  dmapi: 10
	  registry: 10
	  scavenger: 10
	  dns: 10
	  ldb: 10
	lpcfg_load: refreshing parameters from /etc/samba/smb.conf
	params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
	Processing section "[global]"
	Processing section "[netlogon]"
	Processing section "[sysvol]"
	pm_process() returned Yes
	GENSEC backend 'gssapi_spnego' registered
	GENSEC backend 'gssapi_krb5' registered
	GENSEC backend 'gssapi_krb5_sasl' registered
	GENSEC backend 'schannel' registered
	GENSEC backend 'spnego' registered
	GENSEC backend 'ntlmssp' registered
	GENSEC backend 'krb5' registered
	GENSEC backend 'fake_gssapi_krb5' registered
	added interface br0 ip=192.168.115.2 bcast=192.168.115.255 netmask=255.255.255.0
	added interface br0 ip=192.168.115.2 bcast=192.168.115.255 netmask=255.255.255.0
	Illegal instruction (core dumped)

** Affects: samba (Ubuntu)
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/1290448
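
Added triage example, not part of the original report: the kernel "traps:" line quoted above carries the faulting instruction pointer and the start and size of the mapping it fell in, so the offset inside libHDB_SAMBA4.so.0 can be computed directly from it. The function name `trap_offset` is hypothetical, and the sample is the report's syslog line joined onto one line.

```sh
#!/bin/sh
# Constructed sample: the syslog line from the report, on a single line.
SAMPLE='kernel: [ 2982.725574] traps: samba-tool[2650] trap invalid opcode ip:7f7e26aad8de sp:7fff2fc67308 error:0 in libHDB_SAMBA4.so.0[7f7e26aac000+2000]'

# trap_offset LINE
# Prints "<module> 0x<offset>" where offset = ip - mapping start.
# Returns 1 if LINE is not a traps line or ip lies outside the mapping.
trap_offset() {
    hex='[0-9a-f][0-9a-f]*'
    # Extract: ip, module name, mapping start, mapping size.
    fields=$(printf '%s\n' "$1" | sed -n \
        "s/.*traps: .* ip:\($hex\) sp:$hex error:$hex in \([^[]*\)\[\($hex\)+\($hex\)].*/\1 \2 \3 \4/p")
    [ -n "$fields" ] || { echo "not a traps line" >&2; return 1; }

    # Split the four fields (module names contain no spaces).
    set -- $fields
    ip=$((0x$1)); module=$2; start=$((0x$3)); size=$((0x$4))
    off=$((ip - start))

    # The kernel reports the mapping that contains ip, so the offset
    # must fall inside [0, size); anything else means a damaged line.
    if [ "$off" -lt 0 ] || [ "$off" -ge "$size" ]; then
        echo "ip outside reported mapping" >&2
        return 1
    fi

    # Assumption: the offset is relative to the start of the mapping.
    # It equals the offset in the library file only when that mapping
    # begins at file offset 0.
    printf '%s 0x%x\n' "$module" "$off"
}

trap_offset "$SAMPLE"
```

With debug symbols for the samba packages installed, the resulting offset can be given to `addr2line -e` or `objdump -d --start-address=` against the installed library to see which function contains the trapping instruction.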
