Hello,

I am using idmap_tdb2 with a script to do mappings. After running winbind for 2 or 3 days, new mappings no longer work. Restarting winbind resolves this.

Samba log shows strange messages:

sh: $'\001': command not found
sh: al/bin/sfsh: No such file or directory
sh: /local/bin/sfsh: No such file or directory
sh: al/bin/sfsh: No such file or directory
sh: SIDTOID: command not found
sh: al/bin/sfsh: No such file or directory
sh: IDTOSID: command not found
sh: SIDTOID: command not found
sh: @�^: command not found
sh: $'\337U': command not found
sh: IDTOSID: command not found

Looking into idmap_tdb2.c I see that a pointer to the script's path is stored in the private data during init. This pointer points into the currently loaded config. I could not prove or force this, but I assume reloading the config makes this pointer invalid. Eventually the freed memory gets overwritten, leading to the messages above.

This may even be a security issue, since when a valid command is found at this location, it gets executed as root.

Additional note: return value of pclose should be checked.

Cheers
Heinrich
I don't see where this memory should be freed or reloaded. It's on a talloc context stored off the vector table for the methods along with other idmap data. Can you catch this under valgrind to see where it might be being corrupted?
My config (idmap2.conf):

[global]
security = domain
workgroup = share
netbios name = share2
wins server = 131.130.1.111
client ipc signing = auto
idmap config * : backend = tdb2
idmap config * : range = 200-20000000
idmap config * : script = echo XXXXXXXXXXXXXXX 1>&2
idmap config * : read only = yes
log file = /tmp/samba
lock directory = /tmp
private dir = /tmp
pid directory = /tmp
cache directory = /tmp
state directory = /tmp

Doesn't do any useful mappings, but sufficient to prove memory corruption.

Commands:

valgrind winbindd -d 5 -is idmap2.conf >/tmp/winbind_valgrind.log 2>&1 &
wbinfo -U 1000
kill -HUP -$(</tmp/winbindd.pid)
wbinfo -U 1000

Logfile attached. Search for "Invalid read".

Cheers
Heinrich
Created attachment 15179: log of winbindd under valgrind
Helpful backtrace, thanks! Can you get me one with symbols loaded, as that would make it a little easier to track down?
Never mind, I see the problem. I think the correct thing to do is to keep the script cache from the initial config by doing a talloc_strdup() instead of keeping a reference to the string, so any changes to the script are ignored on config file reload. Restarting winbind will reload the script path.
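An added illustration of the lifetime problem diagnosed above and of the copy-at-init fix (not part of the bug report and not Samba's code). A static pool models config memory that is reused on reload, and dup_string() is a malloc-based stand-in for talloc_strdup(); all names and paths are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model, not Samba code: a static pool stands in for config
 * memory that is released and reused on reload, so the stale read below
 * stays defined behaviour in this demo. */
static char cfg_pool[64];

/* Hypothetical loader: (re)loads the "script" parameter into the pool. */
static const char *cfg_load_script(const char *value)
{
    memset(cfg_pool, 0xDF, sizeof(cfg_pool)); /* old contents are gone */
    snprintf(cfg_pool, sizeof(cfg_pool), "%s", value);
    return cfg_pool;
}

struct idmap_ctx {              /* hypothetical backend private data */
    const char *script_ref;     /* before: pointer into config memory */
    char *script_copy;          /* after: private copy made at init */
};

/* Plays the role of talloc_strdup() using plain malloc. */
static char *dup_string(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p != NULL) memcpy(p, s, n);
    return p;
}

/* Returns 1 when, after a reload, the borrowed pointer no longer names the
 * init-time script but the private copy does; -1 on allocation failure. */
static int reload_demo(const char *initial, const char *reloaded)
{
    struct idmap_ctx ctx;
    int stale, copy_ok;

    ctx.script_ref = cfg_load_script(initial);    /* init, as reported */
    ctx.script_copy = dup_string(ctx.script_ref); /* init, with the fix */
    if (ctx.script_copy == NULL) return -1;
    cfg_load_script(reloaded);                    /* config reload (SIGHUP) */
    stale = strcmp(ctx.script_ref, initial) != 0;
    copy_ok = strcmp(ctx.script_copy, initial) == 0;
    free(ctx.script_copy);
    return stale && copy_ok;
}

int main(void) { return reload_demo("/path/to/script-a", "/path/to/script-b") == 1 ? 0 : 1; }
```

In the real daemon the old config string is freed rather than overwritten in place, so the borrowed pointer reads whatever the allocator later puts there, which is what valgrind reports as "Invalid read".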
Created attachment 15187: git-am fix for master.

Heinrich, can you confirm this fixes your problem? Thanks!

Jeremy.
Problem fixed. Thanks! Heinrich
Created attachment 15196: git-am fix for 4.10.next, 4.9.next.

Cherry-picked from master, applies cleanly to 4.10.next, 4.9.next.
Reassigning to Karolin for inclusion in 4.9 and 4.10.
(In reply to Ralph Böhme from comment #9) Pushed to autobuild-v4-{10,9}-test.
(In reply to Karolin Seeger from comment #10) Pushed to both branches. Closing out bug report. Thanks!