The Samba-Bugzilla – Bug 11462
pam_winbind segfaults when incorrectly configured
Last modified: 2015-08-25 02:21:05 UTC
If you mistakenly configure your pam stack to have 'minimum_uid=1000' (in my case, as a cut and paste error) as an option to the pam_winbind.so module, some things segfault instead of giving you an error message or log:
geoffc@test-files02: ~/debs/samba-4.1.17+dfsg/nsswitch 2015-08-24 11:35:33
$ sudo ls
I think this is because on line 2905 of nsswitch/pam_winbind.c the call to _PAM_LOG_FUNCTION_LEAVE passes in an un-initialised ctx variable. It looks like _pam_winbind_init_context is returning PAM_SYSTEM_ERR correctly, but pam_sm_open_session() doesn't check for that return code.
I found this in the Debian Wheezy backport of 4.1.17, but looking at git.samba.org suggests this is still the case in more recent versions of Samba.
I'm not much of a C coder, but I imagine adding a comparison of ret to PAM_SYSTEM_ERR in pam_sm_open_session() just after the 'out' label would probably fix this.
This really looks to be fixed with 6f4ec0c041677204, dated 2013. I don't really get why 4.1.17 does not have it.
Is there a way that you can test the mentioned patch from master?
(In reply to Volker Lendecke from comment #1)
I've got the source code of 4.1.17 from the Debian source package, and I've refreshed the 6f4ec0c041677204 diff against it. I've built it, and installed it.
I can confirm this patch does remove the segfault with 4.1.17. It looks like this fix is not present in the v4-1-stable head.
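
The failure mode from the original report (an init call that fails without setting the context pointer, then an exit path that logs through that pointer), as an added sketch that is not Samba's code and not the 6f4ec0c041677204 patch. All `demo_*` names and `DEMO_*` constants are hypothetical stand-ins; the two marked lines show one way to make the exit path safe.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DEMO_OK 0
#define DEMO_SYSTEM_ERR 4            /* stand-in for PAM_SYSTEM_ERR */

struct demo_ctx { int debug; };      /* hypothetical context, not Samba's struct */

/* Models the init step: an unrecognised module option makes it return an
 * error without ever writing *ctx_out, so the caller's pointer is untouched. */
static int demo_init_context(int argc, const char **argv, struct demo_ctx **ctx_out)
{
    for (int i = 0; i < argc; i++) {
        if (strcmp(argv[i], "debug") != 0)
            return DEMO_SYSTEM_ERR;  /* e.g. the mistyped "minimum_uid=1000" */
    }
    struct demo_ctx *c = calloc(1, sizeof(*c));
    if (c == NULL)
        return DEMO_SYSTEM_ERR;
    c->debug = (argc > 0);
    *ctx_out = c;
    return DEMO_OK;
}

/* Function-leave logger that tolerates a missing context; returns 1 if it logged. */
static int demo_log_leave(const struct demo_ctx *ctx, const char *fn, int ret)
{
    if (ctx == NULL || !ctx->debug)  /* safe change 2: never dereference blindly */
        return 0;
    fprintf(stderr, "[%s] LEAVE returning %d\n", fn, ret);
    return 1;
}

int demo_open_session(int argc, const char **argv)
{
    struct demo_ctx *ctx = NULL;     /* safe change 1: no indeterminate pointer */
    int ret = demo_init_context(argc, argv, &ctx);
    if (ret != DEMO_OK)
        goto out;
    /* session setup would happen here */
out:
    demo_log_leave(ctx, "demo_open_session", ret);
    free(ctx);                       /* free(NULL) is a no-op on the error path */
    return ret;
}
```

With `ctx` declared without an initialiser and a logger that reads `ctx->debug` unconditionally, the same error path reads an indeterminate pointer, which is the crash the report describes.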