Bug 12708 - winbindd 4.6.0: child process crashes when kerberos-authenticating a user with wrong password
winbindd 4.6.0: child process crashes when kerberos-authenticating a user wit...
Status: RESOLVED FIXED
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Winbind
4.6.0
All All
: P5 normal
: ---
Assigned To: Karolin Seeger
Samba QA Contact
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2017-03-22 06:03 UTC by Uri Simchoni
Modified: 2017-03-29 08:17 UTC (History)
2 users (show)

See Also:


Attachments
Fix for 4.6.next (6.54 KB, patch)
2017-03-22 10:37 UTC, Uri Simchoni
asn: review+
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Uri Simchoni 2017-03-22 06:03:54 UTC
To reproduce:
1. build a regular selftest build with bundled Heimdal and autobuild
configuration flags.
2. spin up the ad_dc testenv
3. in the env, type:
./bin/wbinfo -K 'Administrator%1locDCpass1'
(that's a good user and wrong password)

The winbindd child process for the domain crashes.

I got the following stack trace (frames 0-5 are the fault handler):

/home/uri/s2/bin/winbindd: #6  <signal handler called>
/home/uri/s2/bin/winbindd: No symbol table info available.
/home/uri/s2/bin/winbindd: #7  0x00007fa37b264fe6 in strlen () from
/lib64/libc.so.6
/home/uri/s2/bin/winbindd: No symbol table info available.
/home/uri/s2/bin/winbindd: #8  0x00007fa37b264d1e in strdup () from
/lib64/libc.so.6
/home/uri/s2/bin/winbindd: No symbol table info available.
/home/uri/s2/bin/winbindd: #9  0x00007fa37736593e in
der_copy_general_string (from=0x5590345ee930, to=0x7ffc704c7a98) at
../source4/heimdal/lib/asn1/der_copy.c:44
/home/uri/s2/bin/winbindd: No locals.
/home/uri/s2/bin/winbindd: #10 0x00007fa377377f2b in copy_Realm
(from=0x5590345ee930, to=0x7ffc704c7a98) at
default/source4/heimdal/lib/asn1/asn1_krb5_asn1.c:793
/home/uri/s2/bin/winbindd: No locals.
/home/uri/s2/bin/winbindd: #11 0x00007fa3773a09ec in copy_KRB_ERROR
(from=0x5590345ee8f8, to=0x7ffc704c7a60) at
default/source4/heimdal/lib/asn1/asn1_krb5_asn1.c:12899
/home/uri/s2/bin/winbindd: No locals.
/home/uri/s2/bin/winbindd: #12 0x00007fa3801684ea in
krb5_init_creds_get_error (context=0x559034aec5b0, ctx=0x5590345ee760,
error=0x7ffc704c7a60) at ../source4/heimdal/lib/krb5/init_creds_pw.c:1899
/home/uri/s2/bin/winbindd:         ret = 32675
/home/uri/s2/bin/winbindd: #13 0x00007fa37c463884 in
smb_krb5_get_ntstatus_from_init_creds (ctx=0x559034aec5b0,
client=0x559033929730, opt=0x559033c60710, nt_status=0x7ffc704c7b30) at
../source3/libads/kerberos.c:229
/home/uri/s2/bin/winbindd:         icc = 0x5590345ee760
/home/uri/s2/bin/winbindd:         code = 0
/home/uri/s2/bin/winbindd:         error = {pvno = 0, msg_type = 0,
ctime = 0x0, cusec = 0x0, stime = 0, susec = 0, error_code = 0, crealm =
0x0, cname = 0x0, realm = 0x0, sname = {name_type = KRB5_NT_UNKNOWN,
name_string = {len = 0, val = 0x0}}, e_text = 0x0, e_data = 0x0}
/home/uri/s2/bin/winbindd:         ok = false
/home/uri/s2/bin/winbindd:         __func__ =
"smb_krb5_get_ntstatus_from_init_creds"
/home/uri/s2/bin/winbindd: #14 0x00007fa37c463dba in
kerberos_kinit_password_ext (principal=0x559033e51a00
"Administrator@ADDOM.SAMBA.EXAMPLE.COM", password=0x7ffc704c8ca8
"1locDCpass1", time_offset=0, expire_time=0x7ffc704c7dd8,
renew_till_time=0x7ffc704c7de0, cache_name=0x559034523110
"FILE:/tmp/krb5cc_1000", request_pac=true, add_netbios_addr=true,
renewable_time=2592000, ntstatus=0x7ffc704c7c80) at
../source3/libads/kerberos.c:374
/home/uri/s2/bin/winbindd:         ok = false
/home/uri/s2/bin/winbindd:         status = {v = 1884060560}
/home/uri/s2/bin/winbindd:         ctx = 0x559034aec5b0
/home/uri/s2/bin/winbindd:         code = -1765328360
/home/uri/s2/bin/winbindd:         cc = 0x55903453e7f0
/home/uri/s2/bin/winbindd:         me = 0x559033929730
/home/uri/s2/bin/winbindd:         canon_princ = 0x0
/home/uri/s2/bin/winbindd:         my_creds = {client = 0x0, server =
0x0, session = {keytype = 0, keyvalue = {length = 0, data = 0x0}}, times
= {authtime = 0, starttime = 0, endtime = 0, renew_till = 0}, ticket =
{length = 0, data = 0x0}, second_ticket = {length = 0, data = 0x0},
authdata = {len = 0, val = 0x0}, addresses = {len = 0, val = 0x0}, flags
= {b = {reserved = 0, forwardable = 0, forwarded = 0, proxiable = 0,
proxy = 0, may_postdate = 0, postdated = 0, invalid = 0, renewable = 0,
initial = 0, pre_authent = 0, hw_authent = 0, transited_policy_checked =
0, ok_as_delegate = 0, anonymous = 0, enc_pa_rep = 0, _unused16 = 0,
_unused17 = 0, _unused18 = 0, _unused19 = 0, _unused20 = 0, _unused21 =
0, _unused22 = 0, _unused23 = 0, _unused24 = 0, _unused25 = 0, _unused26
= 0, _unused27 = 0, _unused28 = 0, _unused29 = 0, _unused30 = 0,
_unused31 = 0}, i = 0}}
/home/uri/s2/bin/winbindd:         opt = 0x559033c60710
/home/uri/s2/bin/winbindd:         addr = 0x5590338ee260
/home/uri/s2/bin/winbindd:         __FUNCTION__ =
"kerberos_kinit_password_ext"
/home/uri/s2/bin/winbindd: #15 0x0000559032b045eb in kerberos_return_pac
(mem_ctx=0x5590344aed80, name=0x559033e51a00
"Administrator@ADDOM.SAMBA.EXAMPLE.COM", pass=0x7ffc704c8ca8
"1locDCpass1", time_offset=0, expire_time=0x7ffc704c7dd8,
renew_till_time=0x7ffc704c7de0, cache_name=0x559034523110
"FILE:/tmp/krb5cc_1000", requ


It reportedly happens also with MIT Kerberos.
Comment 1 Uri Simchoni 2017-03-22 10:37:25 UTC
Created attachment 13102 [details]
Fix for 4.6.next
Comment 2 Andreas Schneider 2017-03-27 10:21:07 UTC
Comment on attachment 13102 [details]
Fix for 4.6.next

LGTM
Comment 3 Andreas Schneider 2017-03-27 10:21:43 UTC
Karolin, please add to Samba 4.6. Thanks.
Comment 4 Karolin Seeger 2017-03-28 10:16:12 UTC
(In reply to Andreas Schneider from comment #3)
Pushed to autobuild-v4-6-test.
Comment 5 Karolin Seeger 2017-03-29 08:17:25 UTC
(In reply to Karolin Seeger from comment #4)
Pushed to v4-6-test.
Closing out bug report.

Thanks!