Bug 105 - Winbindd segfaults on wbinfo --sequence or a getgrent for any joined or trusted NT4 domain [Changed Summary]
Status: CLOSED FIXED
Product: Samba 3.0
Classification: Unclassified
Component: winbind
Version: 3.0.0preX
Hardware: Other other
Importance: P1 regression
Target Milestone: none
Assigned To: Tim Potter
Reported: 2003-05-21 19:00 UTC by Marc Kaplan
Modified: 2005-08-24 10:19 UTC (History)
Description Marc Kaplan 2003-05-21 19:00:58 UTC
winbindd seg faults when a wbinfo --sequence is issued a second time. It seems
to be segfaulting against the trusted domain that has restrict anonymous set (I
did not wbinfo -A user%password).

Here is the record of the segfault -- and I will add a bt full when I get to
recompile with the right options:

[27407]: show sequence
rpc: fetch sequence_number for TEST.DOMAIN.CM
===============================================================
INTERNAL ERROR: Signal 11 in pid 27400 (3.0alpha24)
Please read the appendix Bugs of the Samba HOWTO collection
===============================================================
PANIC: internal error
BACKTRACE: 12 stack frames:
 #0 winbindd(smb_panic+0xf9) [0x80ae439]
 #1 winbindd [0x809ed55]
 #2 /lib/i686/libc.so.6 [0x401603b8]
 #3 winbindd(cm_get_sam_handle+0x42) [0x8076432]
 #4 winbindd [0x80786b3]
 #5 winbindd(winbindd_show_sequence+0x7b) [0x8074a9b]
 #6 winbindd(strftime+0x11f7) [0x806b18f]
 #7 winbindd(winbind_process_packet+0x1d) [0x806b44d]
 #8 winbindd(strftime+0x1cf4) [0x806bc8c]
 #9 winbindd(main+0x33a) [0x806c0fa]
 #10 /lib/i686/libc.so.6(__libc_start_main+0xc7) [0x4014d7f7]
 #11 winbindd(strcpy+0x39) [0x806aad1]
Comment 1 Tim Potter 2003-05-22 18:51:48 UTC
Reassigning to me.
Comment 2 Tim Potter 2003-05-22 21:23:43 UTC
A stacktrace would be good.  I wasn't able to reproduce this on my initial attempts.
Comment 3 Marc Kaplan 2003-05-23 08:59:09 UTC
More information on this one: Seems that winbindd segfaults on any joined or
trusted NT4 domain. This should be an easy one to reproduce, and I'm going to
get a backtrace when I have a chance.
Comment 4 Marc Kaplan 2003-05-23 09:25:39 UTC
Here is that backtrace:
No symbol table info available.
#1  0x40160215 in raise () from /lib/i686/libc.so.6
No symbol table info available.
#2  0x4016176b in abort () from /lib/i686/libc.so.6
No symbol table info available.
#3  0x080ae4cd in smb_panic (why=0x8149a5d "internal error") at lib/util.c:1482
        cmd = 0x10 <Address 0x10 out of bounds>
        result = 16
        i = 16
        backtrace_stack = {0x80ae439, 0x809ed55, 0x401603b8, 0x8076212,
  0x8078903, 0x8072a75, 0x807022d, 0x807042a, 0x806fdc7, 0x8074a7c, 0x806b18f,
  0x806b44d, 0x806bc8c, 0x806c0fa, 0x4014d7f7, 0x806aad1, 0x81f29f0,
  0xbfffecd8, 0x809eaa9, 0x402682e0, 0x0, 0x401a1f6d, 0xbfffecf0, 0xbffff1b8,
  0xc0000001, 0xbffff0f8, 0x809ec7b, 0xbfffecf0, 0x3ff, 0x813d267, 0xbffff104,
  0x3a637072, 0x75727420, 0x64657473, 0x6d6f645f, 0x736e6961, 0xa, 0xbfffed38,
  0x1c, 0xbfffed70, 0x0, 0xbfffed38, 0x809e9e1, 0x8147eba, 0x81787e0, 0x0,
  0x14, 0xbfffed90, 0x0, 0xbfffed58, 0x809eaa9, 0x8147eba, 0x81787e0,
  0x401a1f6d, 0xbfffed70, 0x0, 0x0, 0xbffff178, 0x809ec7b, 0xbfffed70, 0x3ff,
  0x813b689, 0xbffff184, 0x6e616373}
        backtrace_size = 16
        backtrace_strings = (char **) 0x81c1f50
#4  0x0809ed55 in fault_report (sig=11) at lib/fault.c:41
        counter = 1
#5  0x401603b8 in __libc_sigaction () from /lib/i686/libc.so.6
No symbol table info available.
#6  0x08076212 in cm_get_lsa_handle (domain=0x819a838 "MORIA")
    at nsswitch/winbindd_cm.c:565
        conn = (struct winbindd_cm_conn *) 0x0
        result = {v = 1076264784}
        hnd = {cli = 0x0, pol = {data1 = 0, data2 = 0, data3 = 0, data4 = 0,
    data5 = "\0\0\0\0\0\0\0"}}
#7  0x08078903 in trusted_domains (domain=0x81f5490, mem_ctx=0x81f47a0,
    num_domains=0xbffff1a8, names=0xbffff1ac, alt_names=0x310,
    dom_sids=0xbffff1b4) at nsswitch/winbindd_rpc.c:713
        hnd = (CLI_POLICY_HND *) 0x81f5490
        result = {v = 3221225473}
        enum_ctx = 0
        retry = 0
#8  0x08072a75 in trusted_domains (domain=0x81f5490, mem_ctx=0x81f47a0,
    num_domains=0xbffff1a8, names=0xbffff1ac, alt_names=0xbffff1b0,
    dom_sids=0xbffff1b4) at nsswitch/winbindd_cache.c:982
        cache = (struct winbind_cache *) 0x310
#9  0x0807022d in rescan_trusted_domains (force=1)
    at nsswitch/winbindd_util.c:181
        domain = (struct winbindd_domain *) 0x81f5490
        mem_ctx = (TALLOC_CTX *) 0x81f47a0
        last_scan = 1053705020
        t = 1053705020
#10 0x0807042a in init_domain_list () at nsswitch/winbindd_util.c:224
        domain = (struct winbindd_domain *) 0x81f5490
#11 0x0806fdc7 in domain_list () at nsswitch/winbindd_util.c:56
#12 0x08074a7c in winbindd_show_sequence (state=0x81f6718)
    at nsswitch/winbindd_misc.c:160
        domain = (struct winbindd_domain *) 0x0
        extra_data = 0x81f4e20 ""
#13 0x0806b18f in process_request (state=0x81f6718) at nsswitch/winbindd.c:273
        table = (struct dispatch_table *) 0x8174118
#14 0x0806b44d in winbind_process_packet (state=0x81f6718)
    at nsswitch/winbindd.c:397
No locals.
#15 0x0806bc8c in process_loop () at nsswitch/winbindd.c:694
No locals.
#16 0x0806c0fa in main (argc=3, argv=0xbffff904) at nsswitch/winbindd.c:891
        logfile =
"/usr/local/samba/var/log.winbindd\0\0\0L)\001@L)\001@\030\0\0\0\0\0\0\0\n\0\0\0\220º&@\020,\001@\t\0\0\0r\b\0@,\002\0@\0\0\0@í·\0@í·\0@L)\001@\002\0\0\0`ìÿ¿\0\0\0\0\0\0\0\0\020,\001@",
'\0' <repeats 12 times>,
"í·\0@\0\0\0\0\0\0\0\0\001\0\0\0\020,\001@\224\t\0@h\0\0\0\0\0\0\0`\221\006\b\0\0\0\0\001\0\0\0\210õÿ¿Ú¨\0@\030öÿ¿\020,\001@\034\006\0@\200õÿ¿5ÿ\0@<\0\0\0<\0"...
        interactive = 1
        Fork = 0
        log_stdout = 1
        long_options = {{longName = 0x0, shortName = 0 '\0', argInfo = 4,
    arg = 0x817a0c0, val = 0, descrip = 0x813a06d "Help options",
    argDescrip = 0x0}, {longName = 0x813a081 "stdout", shortName = 83 'S',
    argInfo = 7, arg = 0x81741ec, val = 1, descrip = 0x813a07a "Log to stdout",
    argDescrip = 0x0}, {longName = 0x813a088 "foreground", shortName = 70 'F',
    argInfo = 7, arg = 0x81741e8, val = 0,
    descrip = 0x813a093 "Daemon in foreground mode", argDescrip = 0x0}, {
    longName = 0x813a0ad "interactive", shortName = 105 'i', argInfo = 0,
    arg = 0x0, val = 105, descrip = 0x813a0b9 "Interactive mode",
    argDescrip = 0x0}, {longName = 0x813a0ca "dual-daemon", shortName = 66 'B',
    argInfo = 7, arg = 0x8174024, val = 1,
    descrip = 0x813a0d6 "Dual daemon mode", argDescrip = 0x0}, {
    longName = 0x813a0e7 "no-caching", shortName = 110 'n', argInfo = 7,
    arg = 0x8174020, val = 0, descrip = 0x813a0f2 "Disable caching",
    argDescrip = 0x0}, {longName = 0x0, shortName = 0 '\0', argInfo = 4,
    arg = 0x8179ee0, val = 0, descrip = 0x813a102 "Common samba options:",
    argDescrip = 0x0}, {longName = 0x0, shortName = 0 '\0', argInfo = 0,
    arg = 0x0, val = 0, descrip = 0x0, argDescrip = 0x0}}
        pc = 0x819a340
        opt = 136269344
#17 0x4014d7f7 in __libc_start_main () from /lib/i686/libc.so.6
No symbol table info available.
Comment 5 Tim Potter 2003-05-27 23:19:03 UTC
Thanks Marc.

This doesn't make much sense!  According to the stack backtrace, at line 565 in
nsswitch/winbindd_cm.c conn is NULL and result is 1076264784 (an invalid NT
status code).

However at line 561 if result is non-zero then we should return from the function.

Is it possible to get a level 10 debug?  It looks like there is some
reconnection-fu going on that I don't understand.
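
The two result values from the backtrace in comment 4, decoded against the NTSTATUS bit layout. This is an added example, not part of the thread and not Samba code; decode_ntstatus, status_is_ok and status_is_err are hypothetical helper names.

```c
#include <stdint.h>
#include <stdio.h>

/* NTSTATUS bit layout: Sev[31:30] C[29] N[28] Facility[27:16] Code[15:0] */
struct ntstatus_fields {
    unsigned severity;  /* 0 success, 1 informational, 2 warning, 3 error */
    unsigned customer;  /* 1 = customer-defined value */
    unsigned reserved;  /* N bit, 0 in a genuine NTSTATUS */
    unsigned facility;
    unsigned code;
};

/* Hypothetical helper: split a raw 32-bit status into its fields. */
static struct ntstatus_fields decode_ntstatus(uint32_t v)
{
    struct ntstatus_fields f;
    f.severity = (v >> 30) & 0x3u;
    f.customer = (v >> 29) & 0x1u;
    f.reserved = (v >> 28) & 0x1u;
    f.facility = (v >> 16) & 0xFFFu;
    f.code     = v & 0xFFFFu;
    return f;
}

/* Two guard styles: "anything but zero fails" vs "error severity only". */
static int status_is_ok(uint32_t v)  { return v == 0; }
static int status_is_err(uint32_t v) { return (v & 0xC0000000u) == 0xC0000000u; }

static void report(const char *where, uint32_t v)
{
    struct ntstatus_fields f = decode_ntstatus(v);
    printf("%-22s 0x%08X sev=%u facility=0x%03X code=0x%04X ok=%d err=%d\n",
           where, (unsigned)v, f.severity, f.facility, f.code,
           status_is_ok(v), status_is_err(v));
}

int main(void)
{
    /* Values copied from the gdb locals in comment 4. */
    report("trusted_domains #7", 3221225473u);   /* 0xC0000001, STATUS_UNSUCCESSFUL */
    report("cm_get_lsa_handle #6", 1076264784u); /* 0x40267F50 */
    return 0;
}
```

Both values fail a non-zero check, but only 0xC0000001 carries error severity; 0x40267F50 decodes as informational severity with facility 0x026, so a guard written against the severity bits alone would not reject it.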
Comment 6 John H Terpstra 2003-07-26 23:31:58 UTC
I hammered on winbind a lot today. wbinfo could not be made to barf.

Please review this. If it is still an issue please say so, otherwise please
close this one out. Thx.

- July 27, 2003
Comment 7 Marc Kaplan 2003-07-28 08:59:39 UTC
Yes, this is fixed now.
Comment 8 Gerald (Jerry) Carter 2005-02-07 07:57:11 UTC
Originally reported against 3.0alpha24.  Bugzilla spring cleaning.
Removing old alpha versions.
Comment 9 Gerald (Jerry) Carter 2005-08-24 10:19:12 UTC
Sorry for the same, cleaning up the database to prevent unnecessary reopens of bugs.