6429 SMB domain join doesn't work with libreSSL

Review Request #112 - Created Nov. 3, 2015 and updated

Information
Andrew Stormont
illumos-gate
master
6429
Reviewers
general
gwr, vgusev, yurip

smbd segfaults in Kerberos when attempting to join a domain with LibreSSL as the SSL implementation:

fca38752 OBJ_add_object (81e2f68, 814f918, 6, fcb08932, fcb08940, 81e2f68) + 22
fca39503 OBJ_create (fcb08924, fcb08932, fcb08940, fcaf8c3b, fcb1a484, 0) + e3
fcaf8cb0 pkinit_init_pkinit_oids (819a0c8, 0, 34, fcb03f6c, 1, 18) + 6b
fcafcd8f pkinit_init_plg_crypto (813056c, 0, 10, feb06db9, f8, 0) + 52
fcaf7965 pkinit_client_plugin_init (8090048, fd7d9a0c, f0, 80900f8, fd7d9a0c, 1) + 92
fccd58be krb5_init_preauth_context (8090048, 8130598, fccf663d, fcd0a000, fcd0a000, 8090048) + 1e0
fccd5c70 krb5_preauth_request_context_init (8090048, fd7d9b74, f, 8130598, 6, fccf663d) + 29
fccc9c9f krb5_get_init_creds (8090048, fd7daa28, 812fdf8, 0, 0, 0) + 42d
fccd33c0 __krb5_get_init_creds_password (8090048, fd7daa28, 812fdf8, fd7db5cd, 0, 0) + 14c
fccd38a6 krb5_get_init_creds_password (8090048, fd7daa28, 812fdf8, fd7db5cd, 0, 0) + 5e
fec5d947 smb_kinit (fd7db054, fd7db5a4, fd7db5cd, fe58b000, 8090048, fe6c0059) + 1b8
fec58086 smb_ads_open_main (fd7dadd0, fd7db054, fd7db5a4, fd7db5cd, 0, 4) + 42
fec588e0 smb_ads_join (fd7db054, fd7db5a4, fd7db5cd, fd7db29a, 0, 0) + a4
fe6d1448 mlsvc_join (fd7db4a4, fd7db39c, fd7db4a4, fd7db4a4, fd7db4a4, fd7db6b4) + 22f
0805a9e4 smbd_join_domain (fd7db4a4, fd7db39c, 0, fd7db4a4, fd7db6b4, 0) + 33
0805ab48 smbd_join (fd7db4a4, fd7db39c, 8056e60, fd7db4a4, fece0018, fece08e8) + 39
080596b7 smbd_dop_join (fd7db6b4, fed281ec, 12, fed281f7, 24, 24) + 7d
08059e74 smbd_door_dispatch_op (fd7db6b4, fd7db734, 24, 0, 0, 0) + 5c
0805a3d5 smbd_door_dispatch (80718c0, fd7db734, 6cc, 0, 0, 805a22f) + 1a6
feec6c2b __door_return () + 4b

The issue was fixed by backporting these changes to MIT Kerberos:
https://github.com/krb5/krb5/commit/8ee1790ba6e3468d7ed53ed46123dc9545a4216f
https://github.com/krb5/krb5/commit/6b9e570a7e98470b806a26c5119e53b2145e2586

With the patch applied, smbd no longer segfaults when attempting to join a domain.

This fix has been in production for over two years without issue.

Review request changed

People:

+vgusev
+yurip