Bug 11197 - SetPrinter info level 2 marshalling fails
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Printing
Version: 4.2.0
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
Reported: 2015-04-07 08:07 UTC by Alejandro Escanero Blanco
Modified: 2016-11-21 10:58 UTC

Attachments
Network Trace (7.94 KB, application/octet-stream), 2015-04-13 13:07 UTC, Alejandro Escanero Blanco, no flags
patch for 4.5 (12.14 KB, patch), 2016-11-14 13:39 UTC, Andreas Schneider, flags: jra: review-
patch for 4.4 (2.97 KB, patch), 2016-11-14 13:39 UTC, Andreas Schneider, flags: jra: review-, gd: review-
patch for 4.5 v2 (12.02 KB, patch), 2016-11-17 08:10 UTC, Andreas Schneider, flags: jra: review+
patch for 4.4 v2 (12.02 KB, patch), 2016-11-17 08:11 UTC, Andreas Schneider, flags: jra: review+

Description Alejandro Escanero Blanco 2015-04-07 08:07:21 UTC
Any attempt to change the security list in any printer spool in Samba 4.2.0 running on CentOS 6.6 gives me an error.

I get this trace (error level 10):


[2015/04/06 15:14:35.305817,  5, pid=10303, effective(9201, 513), real(9201, 0)] ../source3/smbd/uid.c:452(smbd_become_authenticated_pipe_user)
  Impersonated user: uid=(9201,9201), gid=(0,513)
[2015/04/06 15:14:35.305830,  5, pid=10303, effective(9201, 513), real(9201, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1238(api_pipe_request)
  Requested spoolss rpc service
[2015/04/06 15:14:35.305842,  4, pid=10303, effective(9201, 513), real(9201, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1263(api_rpcTNP)
  api_rpcTNP: spoolss op 0x7 - api_rpcTNP: rpc command: SPOOLSS_SETPRINTER
[2015/04/06 15:14:35.305856,  6, pid=10303, effective(9201, 513), real(9201, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1303(api_rpcTNP)
  api_rpc_cmds[7].fn == 0x7fa4f333e4ac
[2015/04/06 15:14:35.305875,  1, pid=10303, effective(9201, 513), real(9201, 0)] ../librpc/ndr/ndr.c:578(ndr_pull_error)
  ndr_pull_error(7): Bad subcontext (PULL) size_is(0) mismatch content_size 131076
[2015/04/06 15:14:35.305893,  0, pid=10303, effective(9201, 513), real(9201, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1308(api_rpcTNP)
  api_rpcTNP: spoolss: SPOOLSS_SETPRINTER failed.
[2015/04/06 15:14:35.305920,  4, pid=10303, effective(9201, 513), real(9201, 0)] ../source3/smbd/sec_ctx.c:421(pop_sec_ctx)
  pop_sec_ctx (9201, 513) - sec_ctx_stack_ndx = 0
[2015/04/06 15:14:35.305933,  3, pid=10303, effective(9201, 513), real(9201, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1622(process_complete_pdu)
  DCE/RPC fault sent!Setting fault state
[2015/04/06 15:14:35.305951,  1, pid=10303, effective(9201, 513), real(9201, 0)] ../librpc/ndr/ndr.c:402(ndr_print_debug)
       &r: struct ncacn_packet
          rpc_vers                 : 0x05 (5)
          rpc_vers_minor           : 0x00 (0)
          ptype                    : DCERPC_PKT_FAULT (3)
          pfc_flags                : 0x23 (35)
                 1: DCERPC_PFC_FLAG_FIRST   
                 1: DCERPC_PFC_FLAG_LAST    
                 0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
                 0: DCERPC_PFC_FLAG_CONC_MPX
                 1: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
                 0: DCERPC_PFC_FLAG_MAYBE   
                 0: DCERPC_PFC_FLAG_OBJECT_UUID
          drep: ARRAY(4)
              [0]                      : 0x10 (16)
              [1]                      : 0x00 (0)
              [2]                      : 0x00 (0)
              [3]                      : 0x00 (0)
          frag_length              : 0x0020 (32)
          auth_length              : 0x0000 (0)
          call_id                  : 0x00000063 (99)
          u                        : union dcerpc_payload(case 3)
          fault: struct dcerpc_fault
              alloc_hint               : 0x00000000 (0)
              context_id               : 0x0000 (0)
              cancel_count             : 0x00 (0)
              status                   : DCERPC_NCA_S_OP_RNG_ERROR (469827586)
              _pad                     : DATA_BLOB length=4
  [0000] 00 00 00 00                                       ....
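
Added example (not part of the original report and not Samba project code): a Python triage routine for smbd debug logs in the format shown above. It ties each ndr_pull_error to the RPC command last logged by the same pid and to the DCE/RPC fault status that follows; the function name find_ndr_failures and the record field names are assumptions made for this example.

```python
import re

# Lines copied (abridged) from the trace in the description above.
SAMPLE_LOG = """\
[2015/04/06 15:14:35.305842,  4, pid=10303, effective(9201, 513), real(9201, 0), class=rpc_srv] ../source3/rpc_server/srv_pipe.c:1263(api_rpcTNP)
  api_rpcTNP: spoolss op 0x7 - api_rpcTNP: rpc command: SPOOLSS_SETPRINTER
[2015/04/06 15:14:35.305875,  1, pid=10303, effective(9201, 513), real(9201, 0)] ../librpc/ndr/ndr.c:578(ndr_pull_error)
  ndr_pull_error(7): Bad subcontext (PULL) size_is(0) mismatch content_size 131076
[2015/04/06 15:14:35.305951,  1, pid=10303, effective(9201, 513), real(9201, 0)] ../librpc/ndr/ndr.c:402(ndr_print_debug)
              status                   : DCERPC_NCA_S_OP_RNG_ERROR (469827586)
"""

# Header line: "[timestamp, level, pid=N, ...] file:line(function)"
HEADER = re.compile(r"^\[(?P<ts>[\d/]+ [\d:.]+),\s*\d+, pid=(?P<pid>\d+),.*\]\s+\S+:\d+\(\w+\)\s*$")
RPC_CMD = re.compile(r"rpc command: (\w+)")
NDR_ERR = re.compile(r"^ndr_pull_error\((\d+)\): (.+)$")
STATUS = re.compile(r"^status\s+: (\w+) \((\d+)\)$")


def find_ndr_failures(text):
    """Return one record per ndr_pull_error, tagged with the RPC command last
    logged by the same pid and with the DCE/RPC fault status that follows."""
    failures, last_cmd, awaiting_fault = [], {}, {}
    ts = pid = None
    for line in text.splitlines():
        header = HEADER.match(line)
        if header:
            ts, pid = header.group("ts"), header.group("pid")
            continue
        if pid is None:
            continue  # message text before any header: cannot attribute it
        body = line.strip()
        if m := RPC_CMD.search(body):
            last_cmd[pid] = m.group(1)
        elif m := NDR_ERR.match(body):
            rec = {"ts": ts, "pid": pid, "command": last_cmd.get(pid),
                   "ndr_code": int(m.group(1)), "error": m.group(2),
                   "fault": None, "fault_hex": None}
            failures.append(rec)
            awaiting_fault[pid] = rec
        elif (m := STATUS.match(body)) and pid in awaiting_fault:
            rec = awaiting_fault.pop(pid)
            # The log prints the status in decimal; clients report it in hex.
            rec["fault"], rec["fault_hex"] = m.group(1), f"0x{int(m.group(2)):08X}"
    return failures


if __name__ == "__main__":
    for failure in find_ndr_failures(SAMPLE_LOG):
        print(failure)
```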
Comment 1 Alejandro Escanero Blanco 2015-04-07 10:40:12 UTC
A backtrace:
  backtrace() returned 43 addresses
  /usr/local/samba/lib/libndr.so.0(ndr_pull_error+0x186) [0x7f7543946cf4]
  /usr/local/samba/lib/libndr.so.0(ndr_pull_subcontext_start+0x189) [0x7f7543947102]
  /usr/local/samba/lib/libndr-standard.so.0(ndr_pull_spoolss_DevmodeContainer+0x284) [0x7f7546cd0ebc]
  /usr/local/samba/lib/libndr-standard.so.0(ndr_pull_spoolss_SetPrinter+0x52e) [0x7f7546d54b5a]
  /usr/local/samba/lib/samba/libsmbd-base-samba4.so(+0x2505b0) [0x7f75499fb5b0]
  /usr/local/samba/lib/samba/libsmbd-base-samba4.so(+0x232d9b) [0x7f75499ddd9b]
  /usr/local/samba/lib/samba/libsmbd-base-samba4.so(+0x23294d) [0x7f75499dd94d]
  /usr/local/samba/lib/samba/libsmbd-base-samba4.so(+0x233694) [0x7f75499de694]
  /usr/local/samba/lib/samba/libsmbd-base-samba4.so(process_complete_pdu+0xde) [0x7f75499de779]
  /usr/local/samba/lib/samba/libsmbd-base-samba4.so(named_pipe_packet_process+0x197) [0x7f7549831fb7]
  /usr/local/samba/lib/samba/libtevent.so.0(_tevent_req_notify_callback+0x6a) [0x7f7548f90fd8]
  /usr/local/samba/lib/samba/libtevent.so.0(+0x60ad) [0x7f7548f910ad]
  /usr/local/samba/lib/samba/libtevent.so.0(_tevent_req_done+0x25) [0x7f7548f910d4]
  /usr/local/samba/lib/libdcerpc-binding.so.0(+0x1bd2c) [0x7f7542233d2c]
  /usr/local/samba/lib/samba/libtevent.so.0(_tevent_req_notify_callback+0x6a) [0x7f7548f90fd8]
  /usr/local/samba/lib/samba/libtevent.so.0(+0x60ad) [0x7f7548f910ad]
  /usr/local/samba/lib/samba/libtevent.so.0(_tevent_req_done+0x25) [0x7f7548f910d4]
  /usr/local/samba/lib/samba/libsamba-sockets-samba4.so(+0xc167) [0x7f754756f167]
  /usr/local/samba/lib/samba/libsamba-sockets-samba4.so(+0xc399) [0x7f754756f399]
  /usr/local/samba/lib/samba/libtevent.so.0(_tevent_req_notify_callback+0x6a) [0x7f7548f90fd8]
  /usr/local/samba/lib/samba/libtevent.so.0(+0x60ad) [0x7f7548f910ad]
  /usr/local/samba/lib/samba/libtevent.so.0(_tevent_req_done+0x25) [0x7f7548f910d4]
  /usr/local/samba/lib/samba/libsamba-sockets-samba4.so(+0xb674) [0x7f754756e674]
  /usr/local/samba/lib/samba/libtevent.so.0(_tevent_req_notify_callback+0x6a) [0x7f7548f90fd8]
  /usr/local/samba/lib/samba/libtevent.so.0(+0x60ad) [0x7f7548f910ad]
  /usr/local/samba/lib/samba/libtevent.so.0(+0x61d2) [0x7f7548f911d2]
  /usr/local/samba/lib/samba/libtevent.so.0(tevent_common_loop_immediate+0x1f9) [0x7f7548f90364]
  /usr/local/samba/lib/libsmbconf.so.0(run_events_poll+0x57) [0x7f75479d429b]
  /usr/local/samba/lib/libsmbconf.so.0(+0x40948) [0x7f75479d4948]
  /usr/local/samba/lib/samba/libtevent.so.0(_tevent_loop_once+0xfc) [0x7f7548f8f429]
  /usr/local/samba/lib/samba/libtevent.so.0(tevent_common_loop_wait+0x25) [0x7f7548f8f6a1]
  /usr/local/samba/lib/samba/libtevent.so.0(_tevent_loop_wait+0x2b) [0x7f7548f8f76c]
  /usr/local/samba/lib/samba/libsmbd-base-samba4.so(smbd_process+0xbd1) [0x7f754991d03e]
  /usr/local/samba/sbin/smbd(+0xa98d) [0x7f754a3ef98d]
  /usr/local/samba/lib/libsmbconf.so.0(run_events_poll+0x544) [0x7f75479d4788]
  /usr/local/samba/lib/libsmbconf.so.0(+0x40a5e) [0x7f75479d4a5e]
  /usr/local/samba/lib/samba/libtevent.so.0(_tevent_loop_once+0xfc) [0x7f7548f8f429]
  /usr/local/samba/lib/samba/libtevent.so.0(tevent_common_loop_wait+0x25) [0x7f7548f8f6a1]
  /usr/local/samba/lib/samba/libtevent.so.0(_tevent_loop_wait+0x2b) [0x7f7548f8f76c]
  /usr/local/samba/sbin/smbd(+0xb713) [0x7f754a3f0713]
  /usr/local/samba/sbin/smbd(main+0x15e2) [0x7f754a3f1ea7]
  /lib64/libc.so.6(__libc_start_main+0xfd) [0x7f75462c2d5d]
  /usr/local/samba/sbin/smbd(+0x5de9) [0x7f754a3eade9]
Comment 2 Alejandro Escanero Blanco 2015-04-07 18:37:25 UTC
The message that appears on the Windows machine is:
Status: 0x1C010002 nca_op_rng_error - The operation number passed in the request PDU is greater than or equal to the number of operations in the interface.
Comment 3 Alejandro Escanero Blanco 2015-04-09 12:13:15 UTC
The problem appears only when I try to modify security from Windows XP; I don't have this problem with Windows 7 or newer versions.
Comment 4 David Disseldorp 2015-04-10 16:54:06 UTC
Thanks for the report Alejandro. Please provide a network trace covering the failed SPOOLSS_SETPRINTER operation.

See https://wiki.samba.org/index.php/Capture_Packets for details.
Comment 5 Alejandro Escanero Blanco 2015-04-13 13:07:03 UTC
Created attachment 10945
Network Trace

Network trace using tcpdump.
The client is Windows XP SP3 and the server is Samba 4.2 on CentOS 6.6.
Comment 6 Andreas Schneider 2016-11-14 13:39:16 UTC
Created attachment 12662
patch for 4.5
Comment 7 Andreas Schneider 2016-11-14 13:39:41 UTC
Created attachment 12663
patch for 4.4
Comment 8 Guenther Deschner 2016-11-14 13:45:59 UTC
Comment on attachment 12663
patch for 4.4

wrong patch I guess...
Comment 9 Jeremy Allison 2016-11-15 00:35:47 UTC
Comment on attachment 12663
patch for 4.4

Doesn't look spoolss related to me :-).
Comment 10 Jeremy Allison 2016-11-15 00:48:59 UTC
Comment on attachment 12662
patch for 4.5

Hmmm. On doing a git clean -d -f -x in 4.5.x and re-making I'm getting:

In file included from ../source4/torture/ndr/spoolss.c:23:0:
../source4/torture/ndr/spoolss.c: In function ‘ndr_spoolss_suite’:
../source4/torture/ndr/ndr.h:57:26: error: ‘ndr_pull_winspool_AsyncSetPrinter’ undeclared (first use in this function)
     (ndr_pull_flags_fn_t)ndr_pull_ ## name, \
                          ^
../source4/torture/ndr/spoolss.c:1890:2: note: in expansion of macro ‘torture_suite_add_ndr_pull_fn_test’
  torture_suite_add_ndr_pull_fn_test(suite, winspool_AsyncSetPrinter, setprinter_level_3_xpsp3_req_data, NDR_IN, NULL);
  ^
../source4/torture/ndr/ndr.h:57:26: note: each undeclared identifier is reported only once for each function it appears in
     (ndr_pull_flags_fn_t)ndr_pull_ ## name, \
                          ^
../source4/torture/ndr/spoolss.c:1890:2: note: in expansion of macro ‘torture_suite_add_ndr_pull_fn_test’
  torture_suite_add_ndr_pull_fn_test(suite, winspool_AsyncSetPrinter, setprinter_level_3_xpsp3_req_data, NDR_IN, NULL);
  ^
../source4/torture/ndr/ndr.h:60:12: error: invalid application of ‘sizeof’ to incomplete type ‘struct winspool_AsyncSetPrinter’
     sizeof(struct name), \
            ^
../source4/torture/ndr/spoolss.c:1890:2: note: in expansion of macro ‘torture_suite_add_ndr_pull_fn_test’
  torture_suite_add_ndr_pull_fn_test(suite, winspool_AsyncSetPrinter, setprinter_level_3_xpsp3_req_data, NDR_IN, NULL);

Is there a prerequisite patch missing here?
Comment 11 Andreas Schneider 2016-11-17 08:10:17 UTC
Created attachment 12671
patch for 4.5 v2
Comment 12 Andreas Schneider 2016-11-17 08:11:18 UTC
Created attachment 12672
patch for 4.4 v2

Sorry, should be fixed now.
Comment 13 Jeremy Allison 2016-11-17 20:48:18 UTC
Re-assigning to Karolin for inclusion in 4.5.next, 4.4.next.
Comment 14 Karolin Seeger 2016-11-18 07:56:53 UTC
(In reply to Jeremy Allison from comment #13)
Pushed to autobuild-v4-{4,5}-test.
Comment 15 Karolin Seeger 2016-11-21 10:58:31 UTC
(In reply to Karolin Seeger from comment #14)
Pushed to both branches.
Closing out bug report.

Thanks!