Kerberos Help Needed

Rick Stevens rstevens at vitalstream.com
Wed Aug 24 18:19:10 UTC 2005 

Greg Julius wrote:
>>>I deleted the prior join attempt and did a 'kinit administrator'.
>>>The kinit failed however because of "KDC has no support for 
>>>encryption type while getting initial credentials".  So I removed
>>>the enctypes that were suggested in the first reply and tried again.
>>>That seemed to work just fine.
>>>
>>>When I then did the 'net join' it seemed to work except that it 
>>>died a horrible death in glibc free() with an invalid
>>>pointer.  It looks like it added to the ads anyway.
>>>
>>>In fact, when I try to view the guardian machine from the windows server,
>>>I get further than I have ever gotten in this configuration.  I can
>>>actually see the shares!  This is progress.
>>>
>>>HOWEVER, when I trie to view a share, I get the following in the samba
> 
> log
> 
>>>area under the IP address of the windows ads server:
>>>    *** glibc detected *** smbd: free(): invalid pointer: 0x001bedb0 ***
>>>    ======= Backtrace: =========
>>>    /lib/libc.so.6[0x76d424]
>>>    /lib/libc.so.6(__libc_free+0x77)[0x76d95f]
>>>    /lib/libcom_err.so.2(remove_error_table+0x4b)[0x1e3abb]
>>>    /usr/lib/libkrb5.so.3[0x15c8c4]
>>>    /usr/lib/libkrb5.so.3[0x15c5c7]
>>>    /usr/lib/libkrb5.so.3[0x1ad9da]
>>>    /lib/ld-linux.so.2[0x5d0058]
>>>    /lib/libc.so.6(exit+0xc5)[0x734c69]
>>>    smbd(exit_server+0x25c)[0xad1ae6]
>>>    smbd(main+0x995)[0xad26a1]
>>>    /lib/libc.so.6(__libc_start_main+0xc6)[0x71ede6]
>>>    smbd[0x8d04f1]
>>>    ======= Memory map: ========
>>>
>>>I snipped the Memory map area as it was pretty long.  It appears that
>>>smbd takes a dive during a free operation.  This looks exactly like 
>>>failure that I got at the end of the 'net join' command.
>>>
>>>I did a 'yum update' hoping there was some fix out there that I
>>>hadn't yet picked up.  All installed well, but same problem.
>>>
>>>The failure happens every time.
>>>
>>>So, What next?  
>>
>>I'd try to get the samba source code from samba.org and build it myself.
>>The updates from Red Hat or Fedora are necessarily behind the current
>>release.  My guess is that yours has a bug (trying to free an invalid
>>pointer is certainly and example of a coding bug).  We are using 3.0.14a
>>ourselves, built from the source tarballs at samba.org.
> 
> 
> While I don't have a problem with doing this, I'm not sure that samba
> is the culprit, just a victum.

Well, actually we just installed Samba 3.0.20 last night.  There are a
LOT of updates in it--so many that the Samba gang decided to skip
versions 3.0.15, .16, .17, .18 and .19 and went straight to .20.

> The net command fails the same way when I do a 'net join':
>     *** glibc detected *** net: free(): invalid pointer: 0x00bd1db0 ***
>     ======= Backtrace: =========
>     /lib/libc.so.6[0x1be424]
>     /lib/libc.so.6(__libc_free+0x77)[0x1be95f]
>     /lib/libcom_err.so.2(remove_error_table+0x4b)[0x114abb]
>     /usr/lib/libkrb5.so.3[0xb6f8c4]
>     /usr/lib/libkrb5.so.3[0xb6f5c7]
>     /usr/lib/libkrb5.so.3[0xbc09da]
>     /lib/ld-linux.so.2[0xda4058]
>     /lib/libc.so.6(exit+0xc5)[0x185c69]
>     /lib/libc.so.6(__libc_start_main+0xce)[0x16fdee]
>     net[0x3070f1]
>     ======= Memory map: ========
> 
> The addresses shown appear to be the same relative to each other.
> I haven't shot dumps since writing APAR's for IBM 20 years ago
> but looking at the backtrace I would guess that the free is being
> issued by libcom_err, perhaps as part of a request from libkrb5.

That's entirely possible.  Have you upgraded the kerberos RPMs yet?

> All that aside, could the failure be caused by a bad config parm?
> I have a very minimal krb5.conf file.  I have been trying 
> variations of that.  I stopped winbind and did a 'net join' test
> and it failed the same way, seems that winbind couldn't be a
> part of the problem.  What else might be involved parameterwise?

I doubt it's a config issue.  The trying to free an invalid pointer is
typically caused by a coding bug.  I have no idea which parameter would
cause the thread of execution to go down this buggy path, but trying to
find it would take a full-up debug session.

> If it's not likely that a parameter change could work around the 
> failure, what would you suggest as the next step?
> 
> Which source items should I try first and where would I get them?
> (Gad I must be desparate to even ask this...)

First off, make sure you update Kerberos and possibly glibc.  I can't
recall which system you have (I think it was CentOS), but update ASAP.
Under CentOS or a licensed version of RHEL, you should be able to
"up2date" it.  For Fedora Core, use "yum -y update".
----------------------------------------------------------------------
- Rick Stevens, Senior Systems Engineer     rstevens at vitalstream.com -
- VitalStream, Inc.                       http://www.vitalstream.com -
-                                                                    -
-   Whoever said "Money can't buy friends" obviously never brought   -
-                        donuts to the office.                       -
----------------------------------------------------------------------

More information about the Redhat-install-list mailing list