Bug 12708 - winbindd 4.6.0: child process crashes when kerberos-authenticating a user with wrong password
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Winbind
Version: 4.6.0
Hardware: All / OS: All
Importance: P5 normal
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
Reported: 2017-03-22 06:03 UTC by Uri Simchoni
Modified: 2017-03-29 08:17 UTC


Attachments
Fix for 4.6.next (6.54 KB, patch)
2017-03-22 10:37 UTC, Uri Simchoni
asn: review+

Description Uri Simchoni 2017-03-22 06:03:54 UTC
To reproduce:
1. build a regular selftest build with bundled Heimdal and autobuild configuration flags.
2. spin up the ad_dc testenv
3. in the env, type:
./bin/wbinfo -K 'Administrator%1locDCpass1'
(that's a good user and wrong password)

The winbindd child process for the domain crashes.

I got the following stack trace (frames 0-5 are the fault handler):

/home/uri/s2/bin/winbindd: #6  <signal handler called>
/home/uri/s2/bin/winbindd: No symbol table info available.
/home/uri/s2/bin/winbindd: #7  0x00007fa37b264fe6 in strlen () from
/lib64/libc.so.6
/home/uri/s2/bin/winbindd: No symbol table info available.
/home/uri/s2/bin/winbindd: #8  0x00007fa37b264d1e in strdup () from
/lib64/libc.so.6
/home/uri/s2/bin/winbindd: No symbol table info available.
/home/uri/s2/bin/winbindd: #9  0x00007fa37736593e in
der_copy_general_string (from=0x5590345ee930, to=0x7ffc704c7a98) at
../source4/heimdal/lib/asn1/der_copy.c:44
/home/uri/s2/bin/winbindd: No locals.
/home/uri/s2/bin/winbindd: #10 0x00007fa377377f2b in copy_Realm
(from=0x5590345ee930, to=0x7ffc704c7a98) at
default/source4/heimdal/lib/asn1/asn1_krb5_asn1.c:793
/home/uri/s2/bin/winbindd: No locals.
/home/uri/s2/bin/winbindd: #11 0x00007fa3773a09ec in copy_KRB_ERROR
(from=0x5590345ee8f8, to=0x7ffc704c7a60) at
default/source4/heimdal/lib/asn1/asn1_krb5_asn1.c:12899
/home/uri/s2/bin/winbindd: No locals.
/home/uri/s2/bin/winbindd: #12 0x00007fa3801684ea in
krb5_init_creds_get_error (context=0x559034aec5b0, ctx=0x5590345ee760,
error=0x7ffc704c7a60) at ../source4/heimdal/lib/krb5/init_creds_pw.c:1899
/home/uri/s2/bin/winbindd:         ret = 32675
/home/uri/s2/bin/winbindd: #13 0x00007fa37c463884 in
smb_krb5_get_ntstatus_from_init_creds (ctx=0x559034aec5b0,
client=0x559033929730, opt=0x559033c60710, nt_status=0x7ffc704c7b30) at
../source3/libads/kerberos.c:229
/home/uri/s2/bin/winbindd:         icc = 0x5590345ee760
/home/uri/s2/bin/winbindd:         code = 0
/home/uri/s2/bin/winbindd:         error = {pvno = 0, msg_type = 0,
ctime = 0x0, cusec = 0x0, stime = 0, susec = 0, error_code = 0, crealm =
0x0, cname = 0x0, realm = 0x0, sname = {name_type = KRB5_NT_UNKNOWN,
name_string = {len = 0, val = 0x0}}, e_text = 0x0, e_data = 0x0}
/home/uri/s2/bin/winbindd:         ok = false
/home/uri/s2/bin/winbindd:         __func__ =
"smb_krb5_get_ntstatus_from_init_creds"
/home/uri/s2/bin/winbindd: #14 0x00007fa37c463dba in
kerberos_kinit_password_ext (principal=0x559033e51a00
"Administrator@ADDOM.SAMBA.EXAMPLE.COM", password=0x7ffc704c8ca8
"1locDCpass1", time_offset=0, expire_time=0x7ffc704c7dd8,
renew_till_time=0x7ffc704c7de0, cache_name=0x559034523110
"FILE:/tmp/krb5cc_1000", request_pac=true, add_netbios_addr=true,
renewable_time=2592000, ntstatus=0x7ffc704c7c80) at
../source3/libads/kerberos.c:374
/home/uri/s2/bin/winbindd:         ok = false
/home/uri/s2/bin/winbindd:         status = {v = 1884060560}
/home/uri/s2/bin/winbindd:         ctx = 0x559034aec5b0
/home/uri/s2/bin/winbindd:         code = -1765328360
/home/uri/s2/bin/winbindd:         cc = 0x55903453e7f0
/home/uri/s2/bin/winbindd:         me = 0x559033929730
/home/uri/s2/bin/winbindd:         canon_princ = 0x0
/home/uri/s2/bin/winbindd:         my_creds = {client = 0x0, server =
0x0, session = {keytype = 0, keyvalue = {length = 0, data = 0x0}}, times
= {authtime = 0, starttime = 0, endtime = 0, renew_till = 0}, ticket =
{length = 0, data = 0x0}, second_ticket = {length = 0, data = 0x0},
authdata = {len = 0, val = 0x0}, addresses = {len = 0, val = 0x0}, flags
= {b = {reserved = 0, forwardable = 0, forwarded = 0, proxiable = 0,
proxy = 0, may_postdate = 0, postdated = 0, invalid = 0, renewable = 0,
initial = 0, pre_authent = 0, hw_authent = 0, transited_policy_checked =
0, ok_as_delegate = 0, anonymous = 0, enc_pa_rep = 0, _unused16 = 0,
_unused17 = 0, _unused18 = 0, _unused19 = 0, _unused20 = 0, _unused21 =
0, _unused22 = 0, _unused23 = 0, _unused24 = 0, _unused25 = 0, _unused26
= 0, _unused27 = 0, _unused28 = 0, _unused29 = 0, _unused30 = 0,
_unused31 = 0}, i = 0}}
/home/uri/s2/bin/winbindd:         opt = 0x559033c60710
/home/uri/s2/bin/winbindd:         addr = 0x5590338ee260
/home/uri/s2/bin/winbindd:         __FUNCTION__ =
"kerberos_kinit_password_ext"
/home/uri/s2/bin/winbindd: #15 0x0000559032b045eb in kerberos_return_pac
(mem_ctx=0x5590344aed80, name=0x559033e51a00
"Administrator@ADDOM.SAMBA.EXAMPLE.COM", pass=0x7ffc704c8ca8
"1locDCpass1", time_offset=0, expire_time=0x7ffc704c7dd8,
renew_till_time=0x7ffc704c7de0, cache_name=0x559034523110
"FILE:/tmp/krb5cc_1000", requ


It reportedly happens also with MIT Kerberos.
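An added example (constructed C, not Samba's or Heimdal's code and not the attached fix) modelling the crash path in the trace above: the generated copy_KRB_ERROR/der_copy_general_string chain strdup()s the mandatory realm field unconditionally, so deep-copying a KRB_ERROR that was never filled in (realm NULL) faults in strlen(), as in frames 7-9. The hardened accessor that checks for a decoded KRB-ERROR before copying is an assumption about one way to avoid that; the struct layout and the ENOENT return are simplifications.

```c
#define _POSIX_C_SOURCE 200809L  /* for strdup() */
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of Heimdal's generated KRB_ERROR: realm is a mandatory GeneralString. */
typedef struct {
    int pvno;        /* 5 once a real KRB-ERROR has been decoded */
    int error_code;  /* 24 = KDC_ERR_PREAUTH_FAILED, the wrong-password case */
    char *realm;     /* NULL only in a struct that was never filled in */
} model_krb_error;
/* Shape of der_copy_general_string(): strdup(NULL) is the strlen() fault above. */
static int copy_general_string(char *const *from, char **to)
{
    *to = strdup(*from);
    return *to == NULL ? ENOMEM : 0;
}

/* Shape of copy_KRB_ERROR(): field-by-field deep copy, no validity check. */
int copy_model_error(const model_krb_error *from, model_krb_error *to)
{
    memset(to, 0, sizeof(*to));
    to->pvno = from->pvno;
    to->error_code = from->error_code;
    return copy_general_string(&from->realm, &to->realm);
}

/* Hardened accessor (assumed here, not Samba's fix): never copy an unfilled error. */
int get_error_checked(const model_krb_error *ctx_error, model_krb_error *out)
{
    memset(out, 0, sizeof(*out));
    if (ctx_error->pvno == 0 || ctx_error->realm == NULL)
        return ENOENT;  /* "no KRB-ERROR available"; caller keeps the krb5 code */
    return copy_model_error(ctx_error, out);
}
/* Scenario from the report: kinit failed, but ctx holds no decoded KRB-ERROR. */
int demo_unfilled_error(void)
{
    model_krb_error ctx_error = {0}, out;
    return get_error_checked(&ctx_error, &out);  /* ENOENT instead of SIGSEGV */
}
/* Normal case: a decoded KRB-ERROR is deep-copied and the copy is independent. */
int demo_filled_error(void)
{
    model_krb_error ctx_error = { 5, 24, "ADDOM.SAMBA.EXAMPLE.COM" }, out;
    int ok = get_error_checked(&ctx_error, &out) == 0 && out.error_code == 24 &&
             out.realm != ctx_error.realm && strcmp(out.realm, ctx_error.realm) == 0;
    free(out.realm);
    return ok;
}
```

Calling copy_model_error() directly on the zeroed struct reproduces the fault, which is why the check has to live in the caller, not in the generated copier.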
Comment 1 Uri Simchoni 2017-03-22 10:37:25 UTC
Created attachment 13102
Fix for 4.6.next
Comment 2 Andreas Schneider 2017-03-27 10:21:07 UTC
Comment on attachment 13102
Fix for 4.6.next

LGTM
Comment 3 Andreas Schneider 2017-03-27 10:21:43 UTC
Karolin, please add to Samba 4.6. Thanks.
Comment 4 Karolin Seeger 2017-03-28 10:16:12 UTC
(In reply to Andreas Schneider from comment #3)
Pushed to autobuild-v4-6-test.
Comment 5 Karolin Seeger 2017-03-29 08:17:25 UTC
(In reply to Karolin Seeger from comment #4)
Pushed to v4-6-test.
Closing out bug report.

Thanks!