Bug 1283 - winbindd crash when used by Squid for NTLM authentication
Summary: winbindd crash when used by Squid for NTLM authentication
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: winbind
Version: 3.0.2a
Hardware: All Linux
Importance: P3 critical
Target Milestone: none
Assignee: Samba Bugzilla Account
QA Contact:
Depends on:
Reported: 2004-04-22 08:09 UTC by Dan Moinescu
Modified: 2005-11-14 09:29 UTC (History)
Description Dan Moinescu 2004-04-22 08:09:09 UTC
Samba and Squid are running on the same system, allowing Squid to authenticate
Internet accesses against a Windows PDC. Initially, only basic authentication
was used and the system worked fine for a few weeks. At some stage NTLM
authentication was enabled, and after about 3 hours winbindd crashed (see log
message below). The domain that the system is part of contains about 2000 users
and 100 groups, but at the moment only a few users are using it, so the system
was not under significant load.

The following is cut from log.winbindd (only entries around the crash moment
were kept).

[2004/04/21 17:26:18, 0] lib/util_sock.c:write_socket(413)
  write_socket: Error writing 478 bytes to socket 18: ERRNO = Connection reset by peer
[2004/04/21 17:26:18, 0] libsmb/clientgen.c:cli_send_smb(155)
  Error writing 478 bytes to client. -1 (Connection reset by peer)
[2004/04/21 17:26:18, 0] rpc_client/cli_pipe.c:rpc_api_pipe(424)
  cli_pipe: return critical error. Error was Write error: Connection reset by peer
[2004/04/21 17:27:42, 0] lib/util_sock.c:write_socket_data(388)
  write_socket_data: write failure. Error = Connection reset by peer
[2004/04/21 17:27:42, 0] lib/util_sock.c:write_socket(413)
  write_socket: Error writing 45 bytes to socket 20: ERRNO = Connection reset by
[2004/04/21 17:27:42, 0] libsmb/clientgen.c:cli_send_smb(155)
  Error writing 45 bytes to client. -1 (Connection reset by peer)
[2004/04/21 17:27:42, 0] lib/fault.c:fault_report(36)

[2004/04/21 17:27:42, 0] lib/fault.c:fault_report(37)
  INTERNAL ERROR: Signal 11 in pid 953 (3.0.2a)
  Please read the appendix Bugs of the Samba HOWTO collection
[2004/04/21 17:27:42, 0] lib/fault.c:fault_report(39)
[2004/04/21 17:27:42, 0] lib/util.c:smb_panic(1400)
  PANIC: internal error
[2004/04/21 17:27:42, 0] lib/util.c:smb_panic(1408)
  BACKTRACE: 10 stack frames:
   #0 winbindd(smb_panic+0x11c) [0x80c06dc]
   #1 winbindd [0x80aee12]
   #2 /lib/libc.so.6 [0x4015e4f8]
   #3 winbindd(winbindd_pam_auth_crap+0x711) [0x8079ae1]
   #4 winbindd(strftime+0x139b) [0x806d1a3]
   #5 winbindd(winbind_process_packet+0x21) [0x806d491]
   #6 winbindd(strftime+0x1f2d) [0x806dd35]
   #7 winbindd(main+0x3f2) [0x806e292]
   #8 /lib/libc.so.6(__libc_start_main+0xc7) [0x4014b917]
   #9 winbindd(ldap_msgfree+0x79) [0x806c9c1]
[2004/04/21 17:38:57, 1] nsswitch/winbindd.c:main(843)
  winbindd version 3.0.2a started.
  Copyright The Samba Team 2000-2004

Following is a description of the setup.

System: Linux RedHat 9
Samba: 3.0.2a (samba-3.0.2a-1_rh9.i386.rpm)
Squid: 2.5 STABLE4

smb.conf (all of it):

# Global parameters
[global]
    workgroup = LOCALNET
    netbios name = Gateway
    server string = Samba
    password server = PDC2
    security = domain
    winbind uid = 10000-30000
    winbind gid = 10000-20000
    winbind cache time = 300
    winbind use default domain = yes
    client use spnego = yes
    client signing = enabled

The relevant parts of squid.conf:

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10
auth_param ntlm max_challenge_reuses 50
auth_param ntlm max_challenge_lifetime 5 minutes

#auth_param basic program <uncomment and complete this line>
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 5 minutes

acl the_good_the_bad_and_the_ugly proxy_auth REQUIRED
http_access allow the_good_the_bad_and_the_ugly
http_access deny all
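
A triage helper for the crash signature in the log above, as an added example that is not part of the original report or of Samba: it parses log.winbindd entries, finds the fault_report signal entry, and pulls the symbols out of the smb_panic backtrace that follows. The function names and the "suspect frame" heuristic are assumptions of this example.

```python
import re
from itertools import takewhile

# Samba debug-log entry header: [date time, level] source_file:function(line)
HEADER = re.compile(r"^\[(.+?), +(\d+)\] (\S+):(\w+)\((\d+)\)$")
SIGNAL = re.compile(r"INTERNAL ERROR: Signal (\d+) in pid (\d+) \(([^)]+)\)")
FRAME = re.compile(r"^#\d+ \S+?(?:\((\w+)\+0x[0-9a-f]+\))? \[0x[0-9a-f]+\]$")

# Sample input, abridged from the log.winbindd excerpt in the report.
SAMPLE_LOG = """\
[2004/04/21 17:27:42, 0] libsmb/clientgen.c:cli_send_smb(155)
  Error writing 45 bytes to client. -1 (Connection reset by peer)
[2004/04/21 17:27:42, 0] lib/fault.c:fault_report(37)
  INTERNAL ERROR: Signal 11 in pid 953 (3.0.2a)
[2004/04/21 17:27:42, 0] lib/util.c:smb_panic(1408)
  BACKTRACE: 10 stack frames:
   #0 winbindd(smb_panic+0x11c) [0x80c06dc]
   #1 winbindd [0x80aee12]
   #2 /lib/libc.so.6 [0x4015e4f8]
   #3 winbindd(winbindd_pam_auth_crap+0x711) [0x8079ae1]
[2004/04/21 17:38:57, 1] nsswitch/winbindd.c:main(843)
"""

def parse_entries(text):
    """Split the log into entries; body lines (including wrapped ones) join the last header."""
    entries = []
    for line in (raw.strip() for raw in text.splitlines()):
        m = HEADER.match(line)
        if m:
            entries.append({"ts": m[1], "level": int(m[2]), "func": m[4], "body": []})
        elif entries and line:
            entries[-1]["body"].append(line)
    return entries

def find_crashes(text):
    """Return one record per fault_report signal entry, with the backtrace symbols."""
    entries, crashes = parse_entries(text), []
    for i, e in enumerate(entries):
        sig = SIGNAL.search(" ".join(e["body"]))
        if e["func"] == "fault_report" and sig:
            # The backtrace is logged by the fault_report/smb_panic entries that follow.
            panic = takewhile(lambda x: x["func"] in ("fault_report", "smb_panic"), entries[i + 1:])
            frames = [f[1] or "?" for p in panic for f in map(FRAME.match, p["body"]) if f]
            # Heuristic: first named frame under the panic and signal-handler frames.
            suspect = next((s for s in frames if s not in ("smb_panic", "?")), None)
            before = next((p["body"][0] for p in reversed(entries[:i]) if p["body"]), None)
            crashes.append({"ts": e["ts"], "signal": int(sig[1]), "pid": int(sig[2]), "version": sig[3],
                            "frames": frames, "suspect": suspect, "preceded_by": before})
    return crashes
```

Symbol names in a backtrace from a stripped binary can be nearest-export guesses, so confirm the suspect frame against its address with debug symbols before drawing conclusions.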
Comment 1 Gerald (Jerry) Carter (dead mail address) 2004-04-22 19:30:24 UTC
I think this is fixed in the latest 3.0 tree.  Please retest 3.0.3rc2
once it is released and reopen this bug if that is not the case.
Comment 2 Gerald (Jerry) Carter (dead mail address) 2005-08-24 10:19:10 UTC
Sorry for the same, cleaning up the database to prevent unnecessary reopens of bugs.
Comment 3 Gerald (Jerry) Carter (dead mail address) 2005-11-14 09:29:55 UTC
database cleanup