If configured as AD DC and aio_pthread is appended to 'vfs objects' [1], running these commands gets a segfault:

1. sudo samba-tool ntacl get .
2. sudo net vfs getntacl sysvol .

gdb said it goes through aio_pthread_openat_fn() @ vfs_aio_pthread.c [2], and fsp->conn->sconn->client is null (0x0).

'sconn->client' memory is allocated when a new connection is accepted:

  smbd_accept_connection > smbd_process > smbXsrv_client_create

While running local commands, it looks like it would not go through smbXsrv_client_create, so the 'client' is null and a segfault might happen.

We should not dereference 'client->server_multi_channel_enabled' if 'client' is null. Patch will follow.

[1] smb.conf example, samba-4.18.5, ubuntu 22.04.2

  [global]
    dns forwarder = 127.0.0.53
    netbios name = U22-JONES-88X1
    realm = U22-JONES-88X1.X88X1.JONES
    server role = active directory domain controller
    workgroup = X88X1
    idmap_ldb:use rfc2307 = yes
    vfs objects = dfs_samba4 acl_xattr aio_pthread

  [sysvol]
    path = /var/lib/samba/sysvol
    read only = No

  [netlogon]
    path = /var/lib/samba/sysvol/u22-jones-88x1.x88x1.jones/scripts
    read only = No

[2] gdb

  (gdb) run /usr/local/samba/bin/samba-tool ntacl get .
  Starting program: /usr/local/Python3/bin/python3 /usr/local/samba/bin/samba-tool ntacl get .
  [Thread debugging using libthread_db enabled]
  Using host libthread_db library "/lib/libthread_db.so.1".

  Program received signal SIGSEGV, Segmentation fault.
  0x00007fffd0eb809e in aio_pthread_openat_fn (handle=0x8d5cc0, dirfsp=0x8c3070, smb_fname=0x18ab4f0, fsp=0x1af3550, flags=196608, mode=0) at ../../source3/modules/vfs_aio_pthread.c:467
  warning: Source file is more recent than executable.
  467	if (fsp->conn->sconn->client->server_multi_channel_enabled) {
  (gdb) bt
  #0  0x00007fffd0eb809e in aio_pthread_openat_fn (handle=0x8d5cc0, dirfsp=0x8c3070, smb_fname=0x18ab4f0, fsp=0x1af3550, flags=196608, mode=0) at ../../source3/modules/vfs_aio_pthread.c:467
  #1  0x00007fffe0497b79 in smb_vfs_call_openat (handle=0x8d5cc0, dirfsp=0x8c3070, smb_fname=0x18ab4f0, fsp=0x1af3550, flags=196608, mode=0) at ../../source3/smbd/vfs.c:1746
  #2  0x00007fffe047f406 in non_widelink_open (dirfsp=0x8c3070, fsp=0x1af3550, smb_fname=0x10fe0c0, flags=196608, mode=0, link_depth=0) at ../../source3/smbd/open.c:810
  #3  0x00007fffe047f90e in fd_openat (dirfsp=0x8c3070, smb_fname=0x10fe0c0, fsp=0x1af3550, flags=65536, mode=0) at ../../source3/smbd/open.c:954
  #4  0x00007fffe04070ff in openat_pathref_fsp (dirfsp=0x8c3070, smb_fname=0x10fe0c0) at ../../source3/smbd/files.c:510
  #5  0x00007fffe093cee3 in get_nt_acl_conn (mem_ctx=0x8c1550, fname=0x7ffff69517e0 ".", conn=0x742ed0, security_info_wanted=15, sd=0x7fffffffca50) at ../../source3/smbd/pysmbd.c:320
  #6  0x00007fffe093e5e0 in py_smbd_get_nt_acl (self=0x7fffe3f13470, args=0x7fffd991fc80, kwargs=0x7fffda0cc550) at ../../source3/smbd/pysmbd.c:877
  #7  0x00007ffff79107bf in _PyMethodDef_RawFastCallKeywords () from /usr/local/lib/libpython3.7m.so.1.0
  #8  0x00007ffff7910a25 in _PyCFunction_FastCallKeywords () from /usr/local/lib/libpython3.7m.so.1.0
  #9  0x00007ffff78eab02 in _PyEval_EvalFrameDefault () from /usr/local/lib/libpython3.7m.so.1.0
  #10 0x00007ffff79f6c9e in _PyEval_EvalCodeWithName () from /usr/local/lib/libpython3.7m.so.1.0
  #11 0x00007ffff7910485 in _PyFunction_FastCallKeywords () from /usr/local/lib/libpython3.7m.so.1.0
  #12 0x00007ffff78ea798 in _PyEval_EvalFrameDefault () from /usr/local/lib/libpython3.7m.so.1.0
  #13 0x00007ffff79f6c9e in _PyEval_EvalCodeWithName () from /usr/local/lib/libpython3.7m.so.1.0
  #14 0x00007ffff7910307 in _PyFunction_FastCallDict () from /usr/local/lib/libpython3.7m.so.1.0
  #15 0x00007ffff7911541 in _PyObject_Call_Prepend () from /usr/local/lib/libpython3.7m.so.1.0
  #16 0x00007ffff7912a39 in PyObject_Call () from /usr/local/lib/libpython3.7m.so.1.0
  #17 0x00007ffff78e56e0 in _PyEval_EvalFrameDefault () from /usr/local/lib/libpython3.7m.so.1.0
  #18 0x00007ffff79f6c9e in _PyEval_EvalCodeWithName () from /usr/local/lib/libpython3.7m.so.1.0
  #19 0x00007ffff7910221 in _PyFunction_FastCallDict () from /usr/local/lib/libpython3.7m.so.1.0
  #20 0x00007ffff7911541 in _PyObject_Call_Prepend () from /usr/local/lib/libpython3.7m.so.1.0
  #21 0x00007ffff7912a39 in PyObject_Call () from /usr/local/lib/libpython3.7m.so.1.0
  #22 0x00007ffff78e56e0 in _PyEval_EvalFrameDefault () from /usr/local/lib/libpython3.7m.so.1.0
  #23 0x00007ffff79f6c9e in _PyEval_EvalCodeWithName () from /usr/local/lib/libpython3.7m.so.1.0
  #24 0x00007ffff7910221 in _PyFunction_FastCallDict () from /usr/local/lib/libpython3.7m.so.1.0
  #25 0x00007ffff7911541 in _PyObject_Call_Prepend () from /usr/local/lib/libpython3.7m.so.1.0
  #26 0x00007ffff7912a39 in PyObject_Call () from /usr/local/lib/libpython3.7m.so.1.0
  #27 0x00007ffff78e56e0 in _PyEval_EvalFrameDefault () from /usr/local/lib/libpython3.7m.so.1.0
  #28 0x00007ffff79f6c9e in _PyEval_EvalCodeWithName () from /usr/local/lib/libpython3.7m.so.1.0
  #29 0x00007ffff7910221 in _PyFunction_FastCallDict () from /usr/local/lib/libpython3.7m.so.1.0
  #30 0x00007ffff7911541 in _PyObject_Call_Prepend () from /usr/local/lib/libpython3.7m.so.1.0
  #31 0x00007ffff7912a39 in PyObject_Call () from /usr/local/lib/libpython3.7m.so.1.0
  #32 0x00007ffff78e56e0 in _PyEval_EvalFrameDefault () from /usr/local/lib/libpython3.7m.so.1.0
  #33 0x00007ffff79f6c9e in _PyEval_EvalCodeWithName () from /usr/local/lib/libpython3.7m.so.1.0
  #34 0x00007ffff79f6dbe in PyEval_EvalCodeEx () from /usr/local/lib/libpython3.7m.so.1.0
  #35 0x00007ffff79f6deb in PyEval_EvalCode () from /usr/local/lib/libpython3.7m.so.1.0
  #36 0x00007ffff7a2ac8e in PyRun_FileExFlags () from /usr/local/lib/libpython3.7m.so.1.0
  #37 0x00007ffff7a2ae06 in PyRun_SimpleFileExFlags () from /usr/local/lib/libpython3.7m.so.1.0
  #38 0x00007ffff7a4e595 in ?? () from /usr/local/lib/libpython3.7m.so.1.0
  #39 0x00007ffff7a4e81d in _Py_UnixMain () from /usr/local/lib/libpython3.7m.so.1.0
  #40 0x00007ffff6995810 in __libc_start_main () from /lib/libc.so.6
  #41 0x0000000000400729 in _start ()
  (gdb) f
  #0  0x00007fffd0eb809e in aio_pthread_openat_fn (handle=0x8d5cc0, dirfsp=0x8c3070, smb_fname=0x18ab4f0, fsp=0x1af3550, flags=196608, mode=0) at ../../source3/modules/vfs_aio_pthread.c:467
  467	if (fsp->conn->sconn->client->server_multi_channel_enabled) {
  (gdb) p fsp->conn->sconn->client
  $1 = (struct smbXsrv_client *) 0x0
  (gdb)
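The NULL-pointer chain the report describes, shown as an added example that is not part of the bug report and not Samba's own code. The four structs are simplified stand-ins for files_struct, connection_struct, smbd_server_connection and smbXsrv_client (only the fields the crash walks through), and the two helper functions and their names are assumptions made for illustration. The unguarded function reproduces the expression at vfs_aio_pthread.c:467 and would SIGSEGV on the local-tool object chain; the guarded form treats a missing client object as "multi-channel not enabled" rather than dereferencing it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-ins for the Samba structs named in the backtrace.
 * These are NOT Samba's real definitions; only the pointer chain
 * fsp->conn->sconn->client->server_multi_channel_enabled is modelled. */
struct smbXsrv_client { bool server_multi_channel_enabled; };
struct smbd_server_connection { struct smbXsrv_client *client; };
struct connection_struct { struct smbd_server_connection *sconn; };
struct files_struct { struct connection_struct *conn; };

/* Mirrors the crashing expression at vfs_aio_pthread.c:467. When the
 * process never ran smbXsrv_client_create() (samba-tool, net), client
 * is NULL and this dereference faults. Never call this with a NULL
 * client; it exists here only as the "before" form. */
bool multi_channel_unguarded(const struct files_struct *fsp)
{
	return fsp->conn->sconn->client->server_multi_channel_enabled;
}

/* Guarded form (hypothetical helper): a missing link anywhere in the
 * chain means "no SMB client session", so report multi-channel as off
 * instead of dereferencing NULL. */
bool multi_channel_guarded(const struct files_struct *fsp)
{
	const struct smbXsrv_client *client;

	if (fsp == NULL || fsp->conn == NULL || fsp->conn->sconn == NULL) {
		return false;
	}
	client = fsp->conn->sconn->client;
	if (client == NULL) {
		return false;
	}
	return client->server_multi_channel_enabled;
}

/* Builds the object chain the way a local tool sees it: a connection
 * and sconn exist, but sconn->client was never allocated. Returns true
 * when the guarded check survives that chain and reports "off". */
bool local_tool_path_is_safe(void)
{
	struct smbd_server_connection sconn = { .client = NULL };
	struct connection_struct conn = { .sconn = &sconn };
	struct files_struct fsp = { .conn = &conn };

	/* multi_channel_unguarded(&fsp) would SIGSEGV here. */
	return multi_channel_guarded(&fsp) == false;
}

/* The smbd path: the client object exists, so the guarded check must
 * still honour the real flag value in both directions. */
bool smbd_path_reports_flag(bool enabled)
{
	struct smbXsrv_client client = { .server_multi_channel_enabled = enabled };
	struct smbd_server_connection sconn = { .client = &client };
	struct connection_struct conn = { .sconn = &sconn };
	struct files_struct fsp = { .conn = &conn };

	return multi_channel_guarded(&fsp) == enabled;
}

int main(void)
{
	printf("local tool path safe: %s\n",
	       local_tool_path_is_safe() ? "yes" : "no");
	printf("smbd path flag honoured: %s\n",
	       (smbd_path_reports_flag(true) && smbd_path_reports_flag(false))
	       ? "yes" : "no");
	return 0;
}
```

The point of the guard is the one the reporter makes: the VFS module cannot assume every caller came in through smbd_accept_connection, because pysmbd-based tools build a connection_struct without a client session, so any multi-channel decision has to tolerate client == NULL.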
patch against master: https://gitlab.com/samba-team/devel/samba/-/commit/af339c34
ci pipeline has passed: https://gitlab.com/samba-team/devel/samba/-/pipelines/952738219
merge request: https://gitlab.com/samba-team/samba/-/merge_requests/3205
This bug was referenced in samba master: 8f4c1c67b4f118a9a47b09ac7908cd3d969b19c2
Created attachment 18019
Patch for v4-19-test

Patch for 4.19 cherry-picked from master.
Do we also need the patch in 4.18 and 4.17? Does it apply cleanly or do we need separate patches?
Created attachment 18020
Patch for v4-18-test & v4-17-test backported from master

Since this patch for 4.18 & 4.17 is not a clean cherry-pick from master, the commit log is changed to:

  (backported from commit 8f4c1c67b4f118a9a47b09ac7908cd3d969b19c2)
  [jonessyue@qnap.com: 4.18/4.17 does not have 3694f2ce sconn->pool checks]
Reassigning to Jule for inclusion in 4.17, 4.18 and 4.19. Thanks for contributing!
Pushed to autobuild-v4-{19,18,17}-test.
This bug was referenced in samba v4-19-test: e7f91e1d22b60069af9081dedd1b244273322ea3
Comment on attachment 18020
Patch for v4-18-test & v4-17-test backported from master

I think this is incomplete, the backport needs to contain 3694f2ce6205a647eb5dab2115785fb45decaf0b
Created attachment 18023
Patch for v4-18-test & v4-17-test v2

(In reply to Stefan Metzmacher from comment #9)

Oh, my bad, I forgot to pick 3694f2ce. This v2 patch for 4.18 & 4.17 is cleanly cherry-picked from master, including 2 commits to make it more complete:

  3694f2ce6205a647eb5dab2115785fb45decaf0b
  8f4c1c67b4f118a9a47b09ac7908cd3d969b19c2

And the 3694f2ce commit log is appended with a tag to make it clear:

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15441
This bug was referenced in samba v4-19-stable (Release samba-4.19.0rc2): e7f91e1d22b60069af9081dedd1b244273322ea3
Pushed to autobuild-v4-{18,17}-test.
This bug was referenced in samba v4-18-test:

  cf7a0c9d754c0f5e0888fc9023e9a863e2f366a3
  bace04c3c5c3bd3b345e2e5bf06f522745be2024
This bug was referenced in samba v4-17-test:

  3a6964d02650ea123e36b639baaad89ffd4c79e3
  f99fec49e25a1e54667286415c1a016c2116f42c
Closing out bug report. Thanks!
This bug was referenced in samba v4-18-stable (Release samba-4.18.6):

  cf7a0c9d754c0f5e0888fc9023e9a863e2f366a3
  bace04c3c5c3bd3b345e2e5bf06f522745be2024
This bug was referenced in samba v4-17-stable (Release samba-4.17.11):

  3a6964d02650ea123e36b639baaad89ffd4c79e3
  f99fec49e25a1e54667286415c1a016c2116f42c