RHEL-2213

net offlinejoin requestodj segfaults when kerberos method = secrets and keytab

    • Bug
    • Resolution: Done
    • rhel-9.2.0
    • samba
    • Impediment
    • Low
    • rhel-sst-idm-sssd
    • ssg_idm

      Description of problem:
      Offline domain join with "net offlinejoin requestodj" crashes with a segfault when /etc/samba/smb.conf has "kerberos method" set to "secrets and keytab". My smb.conf has a Kerberos method configured so that I can request a keytab with "net ads keytab create" after join.

      Version-Release number of selected component (if applicable):
      samba-common-tools-4.17.5-102.el9.x86_64

      How reproducible:
      always

      Steps to Reproduce:
      1. Request an ODJ blob: "net offlinejoin provision domain=windows.test machine_name='CLIENT' savefile=client.odj --use-krb5-ccache=KCM:0"
      2. Configure /etc/samba/smb.conf
      [global]
      workgroup = WINDOWS
      realm = WINDOWS.TEST
      security = ads
      kerberos method = secrets and keytab
      3. Attempt to join the host with "net offlinejoin requestodj loadfile=client.odj"

      Actual results:
      ===============================================================
      INTERNAL ERROR: Signal 11: Segmentation fault in pid 22514 (4.17.5)
      If you are running a recent Samba version, and if you think this problem is not yet fixed in the latest versions, please consider reporting this bug, see https://wiki.samba.org/index.php/Bug_Reporting
      ===============================================================
      PANIC (pid 22514): Signal 11: Segmentation fault in 4.17.5
      BACKTRACE: 16 stack frames:
      #0 /usr/lib64/samba/libgenrand-samba4.so(log_stack_trace+0x34) [0x7f0387bef454]
      #1 /usr/lib64/samba/libgenrand-samba4.so(smb_panic+0xd) [0x7f0387befa0d]
      #2 /usr/lib64/samba/libgenrand-samba4.so(+0x1bd8) [0x7f0387befbd8]
      #3 /lib64/libc.so.6(+0x54df0) [0x7f0387254df0]
      #4 /usr/lib64/samba/libads-samba4.so(ads_search+0x7) [0x7f03886a1a57]
      #5 /usr/lib64/samba/libads-samba4.so(ads_find_machine_acct+0x107) [0x7f03886a2e77]
      #6 /usr/lib64/samba/libads-samba4.so(ads_get_service_principal_names+0x49) [0x7f03886a4399]
      #7 /usr/lib64/samba/libads-samba4.so(ads_keytab_create_default+0xca) [0x7f03886b016a]
      #8 /lib64/libnetapi.so.1(libnet_Join+0x1431) [0x7f03884ad1e1]
      #9 /lib64/libnetapi.so.1(NetRequestOfflineDomainJoin_l+0x239) [0x7f03884b7159]
      #10 /lib64/libnetapi.so.1(NetRequestOfflineDomainJoin+0xe5) [0x7f03884af615]
      #11 net(net_offlinejoin_requestodj+0xd9) [0x55b76a9f12e9]
      #12 net(main+0xa63) [0x55b76a996763]
      #13 /lib64/libc.so.6(+0x3feb0) [0x7f038723feb0]
      #14 /lib64/libc.so.6(__libc_start_main+0x80) [0x7f038723ff60]
      #15 net(_start+0x25) [0x55b76a9969e5]
      Can not dump core: corepath not set up

      Expected results:
      Successfully requested Offline Domain Join

      Additional info:
      The problem is that the ads argument is NULL. Either libnet_join_post_processing_ads_sync() needs a check for r->in.ads == NULL or r->in.ads needs to be set up for offline join, too.

      $ gdb net -ex 'run offlinejoin requestodj loadfile=client.odj'
      0x00007f99f3775a57 in ads_search (ads=ads@entry=0x0, res=res@entry=0x7ffe82aa01d8, expr=0x55eca5d48820 "(samAccountName=CLIENT$)", attrs=attrs@entry=0x7ffe82aa0110)
      at ../../source3/libads/ldap.c:1419
      1419 return ads_do_search(ads, ads->config.bind_path, LDAP_SCOPE_SUBTREE,
      (gdb) bt
      #0 0x00007f99f3775a57 in ads_search (ads=ads@entry=0x0, res=res@entry=0x7ffe82aa01d8, expr=0x55eca5d48820 "(samAccountName=CLIENT$)", attrs=attrs@entry=0x7ffe82aa0110)
      at ../../source3/libads/ldap.c:1419
      #1 0x00007f99f3776e77 in ads_find_machine_acct (ads=ads@entry=0x0, res=res@entry=0x7ffe82aa01d8, machine=machine@entry=0x55eca5ceab70 "CLIENT")
      at ../../source3/libads/ldap.c:1540
      #2 0x00007f99f3778399 in ads_get_service_principal_names (mem_ctx=0x55eca5d27210, ads=0x0, machine_name=0x55eca5ceab70 "CLIENT", spn_array=0x7ffe82aa0278,
      num_spns=0x7ffe82aa0270) at ../../source3/libads/ldap.c:2142
      #3 0x00007f99f378416a in ads_keytab_create_default (ads=0x0) at ../../source3/libads/kerberos_keytab.c:553
      #4 0x00007f99f35811e1 in libnet_join_create_keytab (mem_ctx=0x55eca5d00d40, r=0x55eca5d00d40) at ../../source3/libnet/libnet_join.c:908
      #5 libnet_join_post_processing_ads_sync (r=0x55eca5d00d40, mem_ctx=0x55eca5d00d40) at ../../source3/libnet/libnet_join.c:1080
      #6 libnet_join_post_processing (r=0x55eca5d00d40, mem_ctx=0x55eca5d00d40) at ../../source3/libnet/libnet_join.c:2483
      #7 libnet_Join (mem_ctx=0x55eca5d00d40, r=0x55eca5d00d40) at ../../source3/libnet/libnet_join.c:3035
      #8 0x00007f99f358b159 in NetRequestOfflineDomainJoin_backend (odj_provision_data=0x55eca5cfc4e0, win7blob=0x7ffe82aa05f0, ctx=0x55eca5ce30f0)
      at ../../source3/lib/netapi/joindomain.c:864
      #9 NetRequestOfflineDomainJoin_l (ctx=0x55eca5ce30f0, r=<optimized out>) at ../../source3/lib/netapi/joindomain.c:935
      #10 0x00007f99f3583615 in NetRequestOfflineDomainJoin (provision_bin_data=0x55eca5cfdeb0 "\377\376A", provision_bin_data_size=5724, options=options@entry=1073741824,
      windows_path=windows_path@entry=0x0) at ../../source3/lib/netapi/libnetapi.c:383
      #11 0x000055eca48262e9 in net_offlinejoin_requestodj (c=0x55eca5cdf1c0, argc=<optimized out>, argv=<optimized out>) at ../../source3/utils/net_offlinejoin.c:281
      #12 0x000055eca47cb763 in main (argc=4, argv=0x7ffe82aa12f8) at ../../source3/utils/net.c:1364

              pfilipen@redhat.com Pavel Filipensky
              cheimes-hmsidm Christian HMSIDM Heimes (Inactive)
              Gunther Deschner
              SSSD QE
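
Added example, not part of the original report and not Samba code: a Python triage helper that parses the gdb backtrace quoted in the report and follows the NULL ads argument outward to the first frame that does not receive it as NULL, which is the caller where a NULL check or the missing setup belongs. The names parse_frames and trace_null are hypothetical, and matching arguments by name across frames is a heuristic assumption.

```python
import re

# Frames #0-#4 of the gdb backtrace from the report, each joined onto one line.
BT = """\
#0 0x00007f99f3775a57 in ads_search (ads=ads@entry=0x0, res=res@entry=0x7ffe82aa01d8, expr=0x55eca5d48820 "(samAccountName=CLIENT$)", attrs=attrs@entry=0x7ffe82aa0110) at ../../source3/libads/ldap.c:1419
#1 0x00007f99f3776e77 in ads_find_machine_acct (ads=ads@entry=0x0, res=res@entry=0x7ffe82aa01d8, machine=machine@entry=0x55eca5ceab70 "CLIENT") at ../../source3/libads/ldap.c:1540
#2 0x00007f99f3778399 in ads_get_service_principal_names (mem_ctx=0x55eca5d27210, ads=0x0, machine_name=0x55eca5ceab70 "CLIENT", spn_array=0x7ffe82aa0278, num_spns=0x7ffe82aa0270) at ../../source3/libads/ldap.c:2142
#3 0x00007f99f378416a in ads_keytab_create_default (ads=0x0) at ../../source3/libads/kerberos_keytab.c:553
#4 0x00007f99f35811e1 in libnet_join_create_keytab (mem_ctx=0x55eca5d00d40, r=0x55eca5d00d40) at ../../source3/libnet/libnet_join.c:908
"""

# "#N [addr in ]func (args) at file:line"; inlined frames carry no address.
FRAME = re.compile(r'^#(\d+)\s+(?:0x[0-9a-f]+ in )?(\w+) \((.*)\) at (\S+):(\d+)$', re.M)
# "name=value" or "name=name@entry=value"; quoted string contents are not matched.
ARG = re.compile(r'(\w+)=(?:\w+@entry=)?(0x[0-9a-f]+|<[^>]*>|-?\d+)')


def parse_frames(bt):
    """Return [(frame_no, function, {arg: value}, 'file:line'), ...], innermost first."""
    return [(int(n), fn, dict(ARG.findall(args)), f"{path}:{line}")
            for n, fn, args, path, line in FRAME.findall(bt)]


def trace_null(bt):
    """For each NULL pointer argument of the crashing frame, walk outward while the
    same-named argument is still NULL. The first frame that does not receive it as
    NULL is the caller that passed the NULL value in."""
    frames = parse_frames(bt)
    origin = {}
    for arg, value in frames[0][2].items():
        if value != "0x0":
            continue
        for _, fn, args, loc in frames[1:]:
            if args.get(arg) != "0x0":
                origin[arg] = (fn, loc)
                break
    return origin


if __name__ == "__main__":
    for arg, (fn, loc) in trace_null(BT).items():
        print(f"{arg} is NULL in the crashing frame; passed in by {fn} at {loc}")
```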