Bug 11914 - NTLM Authentication issue with squid
Summary: NTLM Authentication issue with squid
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Winbind
Version: 4.3.9
Hardware: All Linux
Importance: P5 normal
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
Depends on: 11912
Reported: 2016-05-10 14:36 UTC by Stefan Metzmacher
Modified: 2016-06-01 07:37 UTC

Attachments
valgrind ntlm_auth (4.23 KB, text/plain)
2016-05-11 11:06 UTC, Konstantin Belov
no flags
valgrind ntlm_auth (4.23 KB, text/plain)
2016-05-11 11:06 UTC, Konstantin Belov
no flags
Possible patch for master (3.11 KB, text/plain)
2016-05-11 21:17 UTC, Stefan Metzmacher
no flags
Patch for v4-4-test (3.35 KB, patch)
2016-05-19 11:43 UTC, Stefan Metzmacher
asn: review+
metze: review? (gd)
Patch for v4-3-test (3.35 KB, patch)
2016-05-19 11:44 UTC, Stefan Metzmacher
asn: review+
metze: review? (gd)
Patch for v4-2-test (3.35 KB, patch)
2016-05-19 11:45 UTC, Stefan Metzmacher
asn: review+
metze: review? (gd)

Description Stefan Metzmacher 2016-05-10 14:36:50 UTC
+++ This bug was initially created as a clone of Bug #11912 +++

Following a recent upgrade, I'm getting NTLM Authentication issues on my Squid proxy server (has been running fine for the last 18 months):

Am running:

Ubuntu Server 14.04.1 LTS
 Winbind: 2:4.3.9+dfsg-0ubuntu0.14.04.1
 Samba: 2:4.3.9+dfsg-0ubuntu0.14.04.1
 Squid3: 3.3.8-1ubuntu6.6

Authenticating against Active Directory - has been working really well for the last 18 months, then stopped working about a week ago.

Errors in cache.log:
 2016/05/09 06:20:07| Too few ntlmauthenticator processes are running (need 1/10)
 2016/05/09 06:20:07| Starting new helpers
 2016/05/09 06:20:07| helperOpenServers: Starting 1/10 'ntlm_auth' processes
 2016/05/09 06:20:07| ERROR: NTLM Authentication Helper '0x7f313ea68318' crashed!.
 2016/05/09 06:20:07| ERROR: NTLM Authentication validating user. Error returned 'BH Internal error'
 2016/05/09 06:20:08| WARNING: ntlmauthenticator #1 exited

Errors in syslog:
 May 9 06:20:09 optsquidproxy kernel: [228590.127125] ntlm_auth[8850]: segfault at 8 ip 00007f201ec729b0 sp 00007ffda249aae8 error 4 in libsamba-security.so.0[7f201ec67000+1b000]

Squid is using pure NTLM authentication (taken from squid.conf):
 ### pure ntlm authentication
 auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=MYDOMAIN
 auth_param ntlm children 10
 auth_param ntlm keep_alive off
Comment 1 Stefan Metzmacher 2016-05-10 14:40:38 UTC
From https://bugzilla.samba.org/show_bug.cgi?id=11912#c10

Just tried pulling the update from Marc Deslauriers' PPA (ppa:mdeslaur/testing) but still getting the same problem.

After adding the PPA:

sudo apt-get update
sudo apt-get upgrade samba (which brought in all dependencies)

Then rebooted the server for good measure :)

The following error messages were from after the reboot, and I'm still getting issues when trying to authenticate via the squid proxy.


samba:
   Installed: 2:4.3.9+dfsg-0ubuntu0.14.04.2~ppa1
   Candidate: 2:4.3.9+dfsg-0ubuntu0.14.04.2~ppa1
   Version table:
  *** 2:4.3.9+dfsg-0ubuntu0.14.04.2~ppa1 0
         500 http://ppa.launchpad.net/mdeslaur/testing/ubuntu/ trusty/main amd64 Packages
         100 /var/lib/dpkg/status
      2:4.3.9+dfsg-0ubuntu0.14.04.1 0
         500 http://optubunturepository.MYDOMAIN.net/ubuntu/ trusty-updates/main amd64 Packages
         500 http://optubunturepository.MYDOMAIN.net/ubuntu/ trusty-security/main amd64 Packages
      2:4.1.6+dfsg-1ubuntu2 0
         500 http://optubunturepository.MYDOMAIN.net/ubuntu/ trusty/main amd64 Packages

syslog:
 May 10 14:31:11 optsquidproxy kernel: [ 206.928248] ntlm_auth[2264]: segfault at 8 ip 00007f68e2aba9b0 sp 00007fff384ec2c8 error 4 in libsamba-security.so.0[7f68e2aaf000+1b000]

cache.log:
 2016/05/10 14:32:42| WARNING: ntlmauthenticator #1 exited
 2016/05/10 14:32:42| Too few ntlmauthenticator processes are running (need 1/10)
 2016/05/10 14:32:42| Starting new helpers
 2016/05/10 14:32:42| helperOpenServers: Starting 1/10 'ntlm_auth' processes
 2016/05/10 14:32:42| ERROR: NTLM Authentication Helper '0x7f8368efb268' crashed!.
 2016/05/10 14:32:42| ERROR: NTLM Authentication validating user. Error returned 'BH Internal error'
Comment 2 Stefan Metzmacher 2016-05-10 15:14:17 UTC
Can you prefix the "auth_param ntlm program" parameter with

"valgrind --num-callers=30 --track-origins=yes --log-file=/tmp/valgrind.ntlm_auth.%p"

And submit the valgrind.ntlm_auth.* files.

Please also make sure you install all samba related debug packages.

Thanks!
Comment 3 Paul Strinati 2016-05-11 05:34:28 UTC
Okay - this is weird.

I was getting the authentication issue this morning - saw this post, so installed both the valgrind and samba_dbg packages.

Then, updated /etc/samba/smb.conf to prefix the "auth_param ntlm program" parameter with:

valgrind --num-callers=30 --track-origins=yes --log-file=/tmp/valgrind.ntlm_auth.%p

Restarted the squid3 service - and I'm no longer getting the authentication issue!

Could something in the Samba debug package have 'fixed' the problem?
Comment 4 Paul Strinati 2016-05-11 05:49:40 UTC
Ah - looks like Squid is no longer happy. I've not used valgrind before, and it seems to be upsetting Squid! You can see from the below that I restart squid around 06:30:43

/var/log/squid3/cache.log:

2016/05/11 06:29:55| Starting new helpers
2016/05/11 06:29:55| helperOpenServers: Starting 1/10 'ntlm_auth' processes
2016/05/11 06:29:55| ERROR: NTLM Authentication Helper '0x7f8368f3cdd8' crashed!.
2016/05/11 06:29:55| ERROR: NTLM Authentication validating user. Error returned 'BH Internal error'
2016/05/11 06:30:38| WARNING: ntlmauthenticator #1 exited
2016/05/11 06:30:38| Too few ntlmauthenticator processes are running (need 1/10)
2016/05/11 06:30:38| Starting new helpers
2016/05/11 06:30:38| helperOpenServers: Starting 1/10 'ntlm_auth' processes
2016/05/11 06:30:38| ERROR: NTLM Authentication Helper '0x7f8368f010a8' crashed!.
2016/05/11 06:30:38| ERROR: NTLM Authentication validating user. Error returned 'BH Internal error'
2016/05/11 06:30:43| Preparing for shutdown after 6682 requests
2016/05/11 06:30:43| Waiting 0 seconds for active connections to finish
2016/05/11 06:30:43| Closing HTTP port [::]:3128
2016/05/11 06:30:43| Closing Pinger socket on FD 11
2016/05/11 06:30:43| Shutdown: NTLM authentication.
2016/05/11 06:30:43| Shutdown: Negotiate authentication.
2016/05/11 06:30:43| Shutdown: Digest authentication.
2016/05/11 06:30:43| Shutdown: Basic authentication.
2016/05/11 06:30:44| Shutting down...
2016/05/11 06:30:44| storeDirWriteCleanLogs: Starting...
2016/05/11 06:30:44|   Finished.  Wrote 0 entries.
2016/05/11 06:30:44|   Took 0.00 seconds (  0.00 entries/sec).
CPU Usage: 18.820 seconds = 6.621 user + 12.199 sys
Maximum Resident Size: 88144 KB
Page faults with physical i/o: 44
Memory usage for squid via mallinfo():
        total space in arena:    5244 KB
        Ordinary blocks:         5136 KB     72 blks
        Small blocks:               0 KB     19 blks
        Holding blocks:         36892 KB      8 blks
        Free Small blocks:          0 KB
        Free Ordinary blocks:     107 KB
        Total in use:           42028 KB 801%
        Total free:               108 KB 2%
2016/05/11 06:30:44| Logfile: closing log daemon:/var/log/squid3/access.log
2016/05/11 06:30:44| Logfile Daemon: closing log daemon:/var/log/squid3/access.log
2016/05/11 06:30:44| Open FD UNSTARTED     5 DNS Socket IPv6
2016/05/11 06:30:44| Open FD UNSTARTED     6 DNS Socket IPv4
2016/05/11 06:30:44| Open FD UNSTARTED     7 IPC UNIX STREAM Parent
2016/05/11 06:30:44| Open FD UNSTARTED    10 ntlm_auth #1
2016/05/11 06:30:44| Open FD UNSTARTED    12 ntlm_auth #1
2016/05/11 06:30:44| Open FD UNSTARTED    13 ntlm_auth #1
2016/05/11 06:30:44| Open FD UNSTARTED    14 ntlm_auth #1
2016/05/11 06:30:44| Open FD UNSTARTED    15 ntlm_auth #1
2016/05/11 06:30:44| Open FD UNSTARTED    16 ntlm_auth #1
2016/05/11 06:30:44| Open FD UNSTARTED    17 ntlm_auth #1
2016/05/11 06:30:44| Open FD UNSTARTED    18 ntlm_auth #1
2016/05/11 06:30:44| Open FD UNSTARTED    19 ntlm_auth #1
2016/05/11 06:30:44| Open FD UNSTARTED    20 ntlm_auth #1
2016/05/11 06:30:44| Squid Cache (Version 3.3.8): Exiting normally.
2016/05/11 06:30:56| Pinger exiting.

syslog:
May 11 06:28:01 optsquidproxy puppet-agent[22444]: Finished catalog run in 1.79 seconds
May 11 06:28:28 optsquidproxy kernel: [57636.712487] ntlm_auth[21745]: segfault at 8 ip 00007fd95d39d9b0 sp 00007ffecc66b688 error 4 in libsamba-security.so.0[7fd95d392000+1b000]
May 11 06:28:29 optsquidproxy kernel: [57637.897348] ntlm_auth[21791]: segfault at 8 ip 00007fccdc5af9b0 sp 00007fffee4a2c18 error 4 in libsamba-security.so.0[7fccdc5a4000+1b000]
May 11 06:29:55 optsquidproxy kernel: [57723.983868] ntlm_auth[21793]: segfault at 8 ip 00007f7defb339b0 sp 00007fffd7c08d48 error 4 in libsamba-security.so.0[7f7defb28000+1b000]
May 11 06:30:01 optsquidproxy CRON[22777]: (root) CMD (/root/scripts/ClientRebootChecker.sh >/dev/null 2>&1)
May 11 06:30:37 optsquidproxy kernel: [57766.362221] ntlm_auth[22427]: segfault at 8 ip 00007f400944d9b0 sp 00007ffe1ce8ad28 error 4 in libsamba-security.so.0[7f4009442000+1b000]
May 11 06:30:44 optsquidproxy squid3: ERROR: Invalid ACL: acl auth proxy_auth REQUIRED
May 11 06:30:44 optsquidproxy kernel: [57772.817590] init: squid3 main process (22824) terminated with status 1
May 11 06:30:44 optsquidproxy kernel: [57772.817616] init: squid3 main process ended, respawning
May 11 06:30:44 optsquidproxy squid3: ERROR: Invalid ACL: acl auth proxy_auth REQUIRED
May 11 06:30:44 optsquidproxy kernel: [57772.895664] init: squid3 main process (22836) terminated with status 1
May 11 06:30:44 optsquidproxy kernel: [57772.895689] init: squid3 main process ended, respawning
May 11 06:30:44 optsquidproxy squid3: ERROR: Invalid ACL: acl auth proxy_auth REQUIRED
May 11 06:30:44 optsquidproxy kernel: [57772.971701] init: squid3 main process (22848) terminated with status 1
May 11 06:30:44 optsquidproxy kernel: [57772.971726] init: squid3 main process ended, respawning
May 11 06:30:44 optsquidproxy squid3: ERROR: Invalid ACL: acl auth proxy_auth REQUIRED
May 11 06:30:44 optsquidproxy kernel: [57773.047014] init: squid3 main process (22860) terminated with status 1
May 11 06:30:44 optsquidproxy kernel: [57773.047038] init: squid3 main process ended, respawning
May 11 06:30:44 optsquidproxy squid3: ERROR: Invalid ACL: acl auth proxy_auth REQUIRED
May 11 06:30:44 optsquidproxy kernel: [57773.120507] init: squid3 main process (22872) terminated with status 1
May 11 06:30:44 optsquidproxy kernel: [57773.120536] init: squid3 main process ended, respawning
May 11 06:30:44 optsquidproxy squid3: ERROR: Invalid ACL: acl auth proxy_auth REQUIRED
May 11 06:30:44 optsquidproxy kernel: [57773.195645] init: squid3 main process (22884) terminated with status 1
May 11 06:30:44 optsquidproxy kernel: [57773.195671] init: squid3 main process ended, respawning
May 11 06:30:44 optsquidproxy squid3: ERROR: Invalid ACL: acl auth proxy_auth REQUIRED
May 11 06:30:44 optsquidproxy kernel: [57773.273215] init: squid3 main process (22896) terminated with status 1
May 11 06:30:44 optsquidproxy kernel: [57773.273239] init: squid3 main process ended, respawning
May 11 06:30:44 optsquidproxy squid3: ERROR: Invalid ACL: acl auth proxy_auth REQUIRED
May 11 06:30:44 optsquidproxy kernel: [57773.349107] init: squid3 main process (22908) terminated with status 1
May 11 06:30:44 optsquidproxy kernel: [57773.349132] init: squid3 main process ended, respawning
May 11 06:30:44 optsquidproxy squid3: ERROR: Invalid ACL: acl auth proxy_auth REQUIRED
May 11 06:30:44 optsquidproxy kernel: [57773.424162] init: squid3 main process (22920) terminated with status 1
May 11 06:30:44 optsquidproxy kernel: [57773.424188] init: squid3 main process ended, respawning
May 11 06:30:44 optsquidproxy squid3: ERROR: Invalid ACL: acl auth proxy_auth REQUIRED
May 11 06:30:44 optsquidproxy kernel: [57773.501800] init: squid3 main process (22932) terminated with status 1
May 11 06:30:44 optsquidproxy kernel: [57773.501825] init: squid3 main process ended, respawning
May 11 06:30:45 optsquidproxy squid3: ERROR: Invalid ACL: acl auth proxy_auth REQUIRED
May 11 06:30:45 optsquidproxy kernel: [57773.577021] init: squid3 main process (22944) terminated with status 1
May 11 06:30:45 optsquidproxy kernel: [57773.577044] init: squid3 respawning too fast, stopped

Have I made the change correctly to enable valgrind debugging?

squid.conf:
### /etc/squid3/squid.conf Configuration File ####
cache_mgr support@MYDOMAIN.co.uk

### pure ntlm authentication
valgrind --num-callers=30 --track-origins=yes --log-file=/tmp/valgrind.ntlm_auth.%p auth_param ntlm program /usr/bin$
auth_param ntlm children 10
auth_param ntlm keep_alive off

### acl for proxy auth and ldap authorizations
acl auth proxy_auth REQUIRED
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
#acl direct dstdomain "/etc/squid3/domains.txt" # exceptions handled via .pac file
acl CONNECT method CONNECT

### enforce authentication
http_access deny !Safe_ports
http_access deny !auth
http_access allow auth
http_access allow localhost manager
#http_access allow direct       # exceptions handled via .pac file
#http_access allow redbox       # exceptions handled via .pac file
#http_access allow mitel        # exceptions handled via .pac file
http_access deny manager
http_access deny all

When I remove the valgrind prefix from the "auth_param ntlm program" directive, squid starts without any problems - and I have the segfault again in syslog:

May 11 06:45:20 optsquidproxy kernel: [58649.143109] ntlm_auth[23333]: segfault at 8 ip 00007fd13252e9b0 sp 00007ffc1949e018 error 4 in libsamba-security.so.0[7fd132523000+1b000]

And the same errors in cache.log:

2016/05/11 06:48:00| WARNING: ntlmauthenticator #1 exited
2016/05/11 06:48:00| Too few ntlmauthenticator processes are running (need 1/10)
2016/05/11 06:48:00| Starting new helpers
2016/05/11 06:48:00| helperOpenServers: Starting 1/10 'ntlm_auth' processes
2016/05/11 06:48:00| ERROR: NTLM Authentication Helper '0x7fba97ca1578' crashed!.
2016/05/11 06:48:00| ERROR: NTLM Authentication validating user. Error returned 'BH Internal error'
Comment 5 Marc Deslauriers 2016-05-11 10:55:18 UTC
Paul, you have an error in your squid.conf file. The section should look like this:

### pure ntlm authentication
auth_param ntlm program valgrind --num-callers=30 --track-origins=yes --log-file=/tmp/valgrind.ntlm_auth.%p /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10
auth_param ntlm keep_alive off

The first part should be all on the same line, i.e.: three lines that start with "auth_param".
Comment 6 Paul Strinati 2016-05-11 11:03:49 UTC
Okay - I've tried that but Squid still fails to start. My smb.conf now has:

### pure ntlm authentication
auth_param ntlm program valgrind --num-callers=30 --track-origins=yes --log-file=/tmp/valgrind.ntlm_auth.%p /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=MYDOMAIN
#auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=MYDOMAIN
auth_param ntlm children 10
auth_param ntlm keep_alive off

Are the other
pstrinati@optsquidproxy:/etc/squid3$ sudo tail /var/log/squid3/cache.log
2016/05/11 07:26:40| Logfile Daemon: closing log daemon:/var/log/squid3/access.log
2016/05/11 07:26:40| Open FD UNSTARTED     6 DNS Socket IPv6
2016/05/11 07:26:40| Open FD UNSTARTED     7 DNS Socket IPv4
2016/05/11 07:26:40| Open FD UNSTARTED     8 IPC UNIX STREAM Parent
2016/05/11 07:26:40| Open FD UNSTARTED    11 ntlm_auth #1
2016/05/11 07:26:40| Open FD UNSTARTED    13 ntlm_auth #1
2016/05/11 07:26:40| Open FD UNSTARTED    15 ntlm_auth #1
2016/05/11 07:26:40| Open FD UNSTARTED    16 ntlm_auth #1
2016/05/11 07:26:40| Squid Cache (Version 3.3.8): Exiting normally.
2016/05/11 07:26:44| Pinger exiting.
pstrinati@optsquidproxy:/etc/squid3$ sudo tail /var/log/syslog
May 11 11:59:03 optsquidproxy kernel: [77471.694682] init: squid3 main process ended, respawning
May 11 11:59:03 optsquidproxy squid3: auth_param ntlm program valgrind: (2) No such file or directory
May 11 11:59:03 optsquidproxy kernel: [77471.751033] init: squid3 main process (29704) terminated with status 1
May 11 11:59:03 optsquidproxy kernel: [77471.751057] init: squid3 main process ended, respawning
May 11 11:59:03 optsquidproxy squid3: auth_param ntlm program valgrind: (2) No such file or directory
May 11 11:59:03 optsquidproxy kernel: [77471.807452] init: squid3 main process (29716) terminated with status 1
May 11 11:59:03 optsquidproxy kernel: [77471.807476] init: squid3 main process ended, respawning
May 11 11:59:03 optsquidproxy squid3: auth_param ntlm program valgrind: (2) No such file or directory
May 11 11:59:03 optsquidproxy kernel: [77471.863984] init: squid3 main process (29728) terminated with status 1
May 11 11:59:03 optsquidproxy kernel: [77471.864054] init: squid3 respawning too fast, stopped
pstrinati@optsquidproxy:/etc/squid3$
Comment 7 Konstantin Belov 2016-05-11 11:06:31 UTC
Created attachment 12097
valgrind ntlm_auth
Comment 8 Konstantin Belov 2016-05-11 11:06:56 UTC
Created attachment 12098
valgrind ntlm_auth
Comment 9 Marc Deslauriers 2016-05-11 11:09:30 UTC
Paul, you need to install valgrind, with the following command:

sudo apt-get install valgrind
Comment 10 Paul Strinati 2016-05-11 11:43:35 UTC
Hi Marc - it is installed:

pstrinati@optsquidproxy:/etc/squid3$ sudo apt-cache policy valgrind
[sudo] password for pstrinati:
valgrind:
  Installed: 1:3.10.1-1ubuntu3~14.04
  Candidate: 1:3.10.1-1ubuntu3~14.04
  Version table:
 *** 1:3.10.1-1ubuntu3~14.04 0
        500 http://optubunturepository.optimumcredit.net/ubuntu/ trusty-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     1:3.10~20140411-0ubuntu1 0
        500 http://optubunturepository.optimumcredit.net/ubuntu/ trusty/main amd64 Packages
pstrinati@optsquidproxy:/etc/squid3$

But for some reason Squid doesn't start when I update the smb.conf to use valgrind on the auth_param ntlm program parameter.
Comment 11 Marc Deslauriers 2016-05-11 11:52:52 UTC
Try specifying the full path to the valgrind binary:

auth_param ntlm program /usr/bin/valgrind --num-callers=30 --track-origins=yes --log-file=/tmp/valgrind.ntlm_auth.%p /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
Comment 12 Paul Strinati 2016-05-11 11:59:12 UTC
(In reply to Marc Deslauriers from comment #11)
That works:

==30931== Memcheck, a memory error detector
==30931== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==30931== Using Valgrind-3.10.1 and LibVEX; rerun with -h for copyright info
==30931== Command: /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
==30931== Parent PID: 30914
==30931==
==30931== Invalid read of size 8
==30931==    at 0xA81F9B0: security_token_is_sid (in /usr/lib/x86_64-linux-gnu/samba/libsamba-security.so.0)
==30931==    by 0xA821908: security_session_user_level (in /usr/lib/x86_64-linux-gnu/samba/libsamba-security.so.0)
==30931==    by 0x54936AA: gensec_ntlmssp_server_auth (in /usr/lib/x86_64-linux-gnu/libgensec.so.0.0.1)
==30931==    by 0x548EE92: gensec_ntlmssp_update (in /usr/lib/x86_64-linux-gnu/libgensec.so.0.0.1)
==30931==    by 0x5499A91: gensec_update_ev (in /usr/lib/x86_64-linux-gnu/libgensec.so.0.0.1)
==30931==    by 0x5499AD6: gensec_update (in /usr/lib/x86_64-linux-gnu/libgensec.so.0.0.1)
==30931==    by 0x10FBAD: manage_gensec_request.isra.5 (in /usr/bin/ntlm_auth)
==30931==    by 0x10D3CE: manage_squid_request (in /usr/bin/ntlm_auth)
==30931==    by 0x10CDAA: main (in /usr/bin/ntlm_auth)
==30931==  Address 0x8 is not stack'd, malloc'd or (recently) free'd
==30931==
==30931==
==30931== Process terminating with default action of signal 11 (SIGSEGV)
==30931==  Access not within mapped region at address 0x8
==30931==    at 0xA81F9B0: security_token_is_sid (in /usr/lib/x86_64-linux-gnu/samba/libsamba-security.so.0)
==30931==    by 0xA821908: security_session_user_level (in /usr/lib/x86_64-linux-gnu/samba/libsamba-security.so.0)
==30931==    by 0x54936AA: gensec_ntlmssp_server_auth (in /usr/lib/x86_64-linux-gnu/libgensec.so.0.0.1)
==30931==    by 0x548EE92: gensec_ntlmssp_update (in /usr/lib/x86_64-linux-gnu/libgensec.so.0.0.1)
==30931==    by 0x5499A91: gensec_update_ev (in /usr/lib/x86_64-linux-gnu/libgensec.so.0.0.1)
==30931==    by 0x5499AD6: gensec_update (in /usr/lib/x86_64-linux-gnu/libgensec.so.0.0.1)
==30931==    by 0x10FBAD: manage_gensec_request.isra.5 (in /usr/bin/ntlm_auth)
==30931==    by 0x10D3CE: manage_squid_request (in /usr/bin/ntlm_auth)
==30931==    by 0x10CDAA: main (in /usr/bin/ntlm_auth)
==30931==  If you believe this happened as a result of a stack
==30931==  overflow in your program's main thread (unlikely but
==30931==  possible), you can try to increase the size of the
==30931==  main thread stack using the --main-stacksize= flag.
==30931==  The main thread stack size used in this run was 8388608.
==30931==
==30931== HEAP SUMMARY:
==30931==     in use at exit: 70,980 bytes in 183 blocks
==30931==   total heap usage: 530 allocs, 347 frees, 186,474 bytes allocated
==30931==
==30931== LEAK SUMMARY:
==30931==    definitely lost: 1,077 bytes in 5 blocks
==30931==    indirectly lost: 264 bytes in 7 blocks
==30931==      possibly lost: 67,928 bytes in 164 blocks
==30931==    still reachable: 1,711 bytes in 7 blocks
==30931==         suppressed: 0 bytes in 0 blocks
==30931== Rerun with --leak-check=full to see details of leaked memory
==30931==
==30931== For counts of detected and suppressed errors, rerun with: -v
==30931== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
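
The kernel segfault lines quoted in the comments above show a different ip and library base for every ntlm_auth process because of ASLR, which hides the fact that they are one and the same crash. The following added example (not part of the original bug report or of Samba) subtracts the mapping base from ip and decodes the page-fault error code; the log lines are copied from this bug's syslog excerpts, and the function names are this example's own.

```python
import re
from collections import defaultdict

# Syslog lines copied from the comments in this bug (one unrelated CRON line kept as noise).
SYSLOG = """\
May 9 06:20:09 optsquidproxy kernel: [228590.127125] ntlm_auth[8850]: segfault at 8 ip 00007f201ec729b0 sp 00007ffda249aae8 error 4 in libsamba-security.so.0[7f201ec67000+1b000]
May 10 14:31:11 optsquidproxy kernel: [ 206.928248] ntlm_auth[2264]: segfault at 8 ip 00007f68e2aba9b0 sp 00007fff384ec2c8 error 4 in libsamba-security.so.0[7f68e2aaf000+1b000]
May 11 06:28:28 optsquidproxy kernel: [57636.712487] ntlm_auth[21745]: segfault at 8 ip 00007fd95d39d9b0 sp 00007ffecc66b688 error 4 in libsamba-security.so.0[7fd95d392000+1b000]
May 11 06:30:01 optsquidproxy CRON[22777]: (root) CMD (/root/scripts/ClientRebootChecker.sh >/dev/null 2>&1)
May 11 06:45:20 optsquidproxy kernel: [58649.143109] ntlm_auth[23333]: segfault at 8 ip 00007fd13252e9b0 sp 00007ffc1949e018 error 4 in libsamba-security.so.0[7fd132523000+1b000]
"""

# Format of the x86 Linux "segfault at ..." kernel message; all numbers are hex.
SEGV_RE = re.compile(
    r"(?P<comm>[\w.-]+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp [0-9a-f]+ error (?P<err>[0-9a-f]+) "
    r"in (?P<lib>[^\[\s]+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\]"
)


def decode_error(code):
    """Decode the low three bits of the x86 page-fault error code."""
    return {
        "page": "protection violation" if code & 1 else "not present",
        "access": "write" if code & 2 else "read",
        "mode": "user" if code & 4 else "kernel",
    }


def cluster_segfaults(text):
    """Group crashes by (library, offset in mapping, faulting address, error code)."""
    clusters = defaultdict(list)
    for line in text.splitlines():
        m = SEGV_RE.search(line)
        if not m:
            continue
        ip, base, size = (int(m[k], 16) for k in ("ip", "base", "size"))
        if not base <= ip < base + size:
            continue  # ip is not inside the mapping the kernel named; ignore the line
        key = (m["lib"], ip - base, int(m["addr"], 16), int(m["err"], 16))
        clusters[key].append(int(m["pid"]))
    return dict(clusters)


if __name__ == "__main__":
    for (lib, off, addr, err), pids in cluster_segfaults(SYSLOG).items():
        print(f"{lib}+{off:#x} fault at {addr:#x} {decode_error(err)} pids={pids}")
```

All four crashes collapse to one site, a user-mode read of unmapped address 0x8 at offset 0xb9b0 into the mapping, whose low 12 bits (0x9b0) match the `security_token_is_sid` frame at 0xA81F9B0 in the valgrind output.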
Comment 13 Stefan Metzmacher 2016-05-11 19:04:20 UTC
(In reply to Paul Strinati from comment #12)

Thanks! I think I mostly understand what's happening.

Do you have the "map to guest" option set in your smb.conf?
I guess yes, if so can you do a short test to see if removing this option
avoids this segfault?
Comment 14 Stefan Metzmacher 2016-05-11 21:17:20 UTC
Created attachment 12100
Possible patch for master

This patch works for me, but we need a regression test...
Comment 15 Paul Strinati 2016-05-12 07:27:00 UTC
(In reply to Stefan Metzmacher from comment #13)
Yes - I am using

  map to guest = bad user

in my smb.conf

Once I comment this out squid restarts without issues, and no segfaults :)

I'm still using the patched version of Samba provided by Marc D via his testing PPA
Comment 16 Stefan Metzmacher 2016-05-12 12:20:50 UTC
(In reply to Paul Strinati from comment #15)

Using "map to guest" together with squid authentication just means the authentication is completely pointless, as a client can just use a random
username/password and be authenticated as guest, unless you limit
the access to a group by passing --require-membership-of to ntlm_auth.
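
The combination described in this comment can be checked mechanically. The following added example (not code from the Samba or Squid projects) reads an smb.conf and a squid.conf and reports every ntlm_auth helper that runs without --require-membership-of while "map to guest" is set to anything other than Samba's default, Never; the sample configs are constructed from the snippets quoted in this bug, and PLACEHOLDER_GROUP is a stand-in group name.

```python
import os
import re
import shlex


def smb_map_to_guest(smb_conf_text):
    """Effective [global] 'map to guest' value, normalised; Samba's default is 'never'."""
    section, value = None, "never"
    for raw in smb_conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.*)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, val = line.split("=", 1)
        # smb.conf ignores case and whitespace in parameter names.
        if re.sub(r"\s+", "", key).lower() == "maptoguest":
            value = " ".join(val.split()).lower()
    return value


def ntlm_helper_commands(squid_conf_text):
    """Return the argv of every active 'auth_param ntlm program' directive."""
    commands = []
    for raw in squid_conf_text.splitlines():
        try:
            tokens = shlex.split(raw, comments=True)
        except ValueError:  # unbalanced quote: fall back to whitespace split
            tokens = raw.split()
        if tokens[:3] == ["auth_param", "ntlm", "program"]:
            commands.append(tokens[3:])
    return commands


def audit(smb_conf_text, squid_conf_text):
    """One finding per ntlm_auth helper that would accept guest-mapped logons."""
    guest = smb_map_to_guest(smb_conf_text)
    if guest == "never":
        return []
    findings = []
    for argv in ntlm_helper_commands(squid_conf_text):
        # The helper may be wrapped (e.g. by valgrind), so look at every argument.
        if not any(os.path.basename(a) == "ntlm_auth" for a in argv):
            continue
        if not any(a.startswith("--require-membership-of") for a in argv):
            findings.append(
                f"map to guest = {guest}, and ntlm_auth runs without "
                f"--require-membership-of: {' '.join(argv)}"
            )
    return findings


# Constructed sample input, based on the configuration quoted in this bug.
SMB_CONF = "[global]\n   workgroup = MYDOMAIN\n   map to guest = bad user\n"
SMB_CONF_FIXED = "[global]\n   workgroup = MYDOMAIN\n   # map to guest = bad user\n"
SQUID_CONF = (
    "### pure ntlm authentication\n"
    "auth_param ntlm program /usr/bin/ntlm_auth --diagnostics "
    "--helper-protocol=squid-2.5-ntlmssp --domain=MYDOMAIN\n"
    "auth_param ntlm children 10\n"
    "auth_param ntlm keep_alive off\n"
)
SQUID_CONF_RESTRICTED = SQUID_CONF.replace(
    "--domain=MYDOMAIN", "--domain=MYDOMAIN --require-membership-of=PLACEHOLDER_GROUP"
)

if __name__ == "__main__":
    for finding in audit(SMB_CONF, SQUID_CONF):
        print("FINDING:", finding)
```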
Comment 17 Paul Strinati 2016-05-13 05:31:04 UTC
(In reply to Stefan Metzmacher from comment #16)

Thanks Stefan - will read up on it, I thought that's what the directives below did, but will check!!

  acl auth proxy_auth REQUIRED

and

  http_access deny !auth
Comment 18 Paul Strinati 2016-05-13 07:47:49 UTC
(In reply to Paul Strinati from comment #17)
Sorry - scratch that, was confusing conf files for Samba & Squid!

I'll remove from my smb.conf going forward - however, added it back in to test the updated patch from Marc, restarted all services (samba, winbind, squid3) and it seems to have resolved the issue for me.

Thanks all!
Comment 19 Marc Deslauriers 2016-05-18 13:06:33 UTC
The patch in comment 14 seems to have worked to resolve the issue. Can we expect it to be committed soon? Thanks!
Comment 20 Stefan Metzmacher 2016-05-19 11:43:57 UTC
Created attachment 12114
Patch for v4-4-test
Comment 21 Stefan Metzmacher 2016-05-19 11:44:29 UTC
Created attachment 12115
Patch for v4-3-test
Comment 22 Stefan Metzmacher 2016-05-19 11:45:04 UTC
Created attachment 12116
Patch for v4-2-test
Comment 23 Andreas Schneider 2016-05-20 08:26:25 UTC
Karolin, please push the patches to the relevant branches, thanks!
Comment 24 Karolin Seeger 2016-05-30 09:43:28 UTC
(In reply to Andreas Schneider from comment #23)
Pushed to v4-[4|3|2]-test.
Comment 25 Karolin Seeger 2016-06-01 07:37:35 UTC
(In reply to Karolin Seeger from comment #24)
Pushed to all branches.
Closing out bug report.

Thanks!