Bug 15533 - winbindd crashes when listing trusted domains that contain an NT domain without DNS name
Status: ASSIGNED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Winbind
Version: unspecified
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Ralph Böhme
QA Contact: Samba QA Contact
Reported: 2023-12-08 14:20 UTC by Ralph Böhme
Modified: 2024-01-22 07:25 UTC

Attachments
Patch for 4.19 cherry-picked from master (42.94 KB, patch)
2024-01-22 07:24 UTC, Ralph Böhme
slow: review? (metze)
Patch for 4.18 backported from master (48.14 KB, patch)
2024-01-22 07:25 UTC, Ralph Böhme
slow: review? (metze)

Description Ralph Böhme 2023-12-08 14:20:45 UTC
Commit e07f8901ec95aab8c36965000de185d99e642644 removed the required handling for empty DNS domain names.

As for NT domains the dns_name will be NULL, causing the talloc_steal() to also return NULL, which causes _wbint_ListTrustedDomains to return NT_STATUS_NO_MEMORY with an only partially initialized struct netr_DomainTrust: as out->array[n].sid is not yet initialized correctly, when NDR-pushing the result, the ndr_push() can crash.

To reproduce I used the following hack on master:

diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index f5ca2ee37a32..09962c8b8738 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -775,7 +775,7 @@ sub provision_ad_member
        template homedir = /home/%D/%G/%U
        auth event notification = true
        password server = $dcvars->{SERVER}
-       winbind scan trusted domains = no
+       winbind scan trusted domains = yes
        winbind offline logon = $option_offline_logon
 
        allow dcerpc auth level connect:lsarpc = yes
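
Review bot: flipping `winbind scan trusted domains` to `yes` inside provision_ad_member changes the setting for every test that runs against this environment, not only for the reproducer. If the setting is meant to outlive the local hack, carry it as a provision option or in a dedicated environment so that the existing ad_member tests keep running with `no`.
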
diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c
index d7a665abbc6d..4922a0e61d24 100644
--- a/source3/winbindd/winbindd_ads.c
+++ b/source3/winbindd/winbindd_ads.c
@@ -1493,6 +1493,11 @@ static NTSTATUS trusted_domains(struct winbindd_domain *domain,
                        continue;
                }
 
+               if (strequal("SAMBA2003", trust->netbios_name)) {
+                       DBG_ERR("XXXXXXX HACK!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!\n");
+                       trust->dns_name = NULL;
+               }
+
                /* add to the trusted domain cache */
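
Review bot: the added block in trusted_domains() overwrites trust->dns_name with NULL for a hard-coded NetBIOS name, so the previous pointer is dropped without any visible release and the reproducer only triggers where a trust named SAMBA2003 exists. For a regression test, feed a trust entry that genuinely has no DNS name instead of patching winbindd_ads.c, and if the debug line stays, replace the placeholder text with a message that names the affected domain, for example via trust->netbios_name.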

Then:

$ make -j testenv SELFTEST_TESTENV=ad_member SCREEN=1

This results in a reliable error when listing trusted domains, so wbinfo -m doesn't list them, and sometimes it crashes when e.g. the domain sid pointer is garbage:

    2023-12-08T14:07:42.759416+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: trusted_domains: XXXXXXX HACK!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    2023-12-08T14:07:42.759691+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: ===============================================================
    2023-12-08T14:07:42.759702+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: INTERNAL ERROR: Signal 11: Segmentation fault in winbindd (wb[ADDOMAIN]) (domain child [ADDOMAIN]) pid 157227 (4.20.0pre1-DEVELOPERBUILD)
    2023-12-08T14:07:42.759712+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: If you are running a recent Samba version, and if you think this problem is not yet fixed in the latest versions, please consider reporting this bug, see https://wiki.samba.org/index.php/Bug_Reporting
    2023-12-08T14:07:42.759723+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: ===============================================================
    2023-12-08T14:07:42.759730+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: PANIC (pid 157227): Signal 11: Segmentation fault in 4.20.0pre1-DEVELOPERBUILD
    2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: BACKTRACE: 36 stack frames:
    2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #0 bin/shared/private/libgenrand-samba4.so(log_stack_trace+0x1f) [0x7f1396acd441]
    2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #1 bin/shared/private/libgenrand-samba4.so(smb_panic_log+0x20f) [0x7f1396acd3d5]
    2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #2 bin/shared/private/libgenrand-samba4.so(smb_panic+0x18) [0x7f1396acd3f0]
    2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #3 bin/shared/private/libgenrand-samba4.so(+0x2eb5) [0x7f1396acceb5]
    2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #4 bin/shared/private/libgenrand-samba4.so(+0x2eca) [0x7f1396acceca]
    2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #5 /lib64/libc.so.6(+0x3dbb0) [0x7f139687abb0]
    2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #6 bin/shared/private/libsamba-security-samba4.so(ndr_push_dom_sid2+0x2a) [0x7f13977e5437]
    2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #7 bin/shared/libndr-standard.so.0(ndr_push_netr_DomainTrust+0x4ad) [0x7f1396deb64c]
    2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #8 bin/shared/libndr-standard.so.0(ndr_push_netr_DomainTrustList+0x204) [0x7f1396dec7a9]
    2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #9 bin/shared/private/libndr-samba4.so(+0x239bf9) [0x7f1397639bf9]
    2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]:  #10 winbindd: domain child [ADDOMAIN](winbind__op_ndr_push+0x5a) [0x55741e6857a8]

Have patches, need bugnumber.
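
A minimal C model of the failure described in the report, added here as an illustration and not taken from Samba or the attached patches: all struct and function names are hypothetical, `take()` stands in for the steal step, and the sample domains are constructed. The array is zeroed in this model, so the half-filled entry has a NULL sid where the report saw a garbage pointer.

```c
#include <stdlib.h>
/* Simplified model; every name here is hypothetical, not Samba's. */
struct trust { const char *netbios_name, *dns_name, *sid; };
struct trust_list { size_t count; struct trust *array; };
/* Constructed sample: an AD domain plus an NT domain without DNS name. */
const struct trust SAMPLE[] = {
    { "ADDOMAIN", "addom.samba.example.com", "S-1-5-21-1-2-3" },
    { "SAMBA2003", NULL, "S-1-5-21-4-5-6" },
};
/* Stand-in for the steal step: hands the pointer over, NULL in, NULL out. */
static const char *take(const char *p) { return p; }

/* Flawed: NULL dns_name is read as failure; early return leaves entry i without sid. */
int list_flawed(const struct trust *in, size_t n, struct trust_list *out)
{
    out->array = calloc(n, sizeof(*out->array));
    if (out->array == NULL) return -1;
    out->count = n;
    for (size_t i = 0; i < n; i++) {
        out->array[i].netbios_name = take(in[i].netbios_name);
        out->array[i].dns_name = take(in[i].dns_name);
        if (out->array[i].dns_name == NULL) return -1;
        out->array[i].sid = take(in[i].sid);
    }
    return 0;
}

/* Hardened: dns_name is optional; the output is published only when complete. */
int list_hardened(const struct trust *in, size_t n, struct trust_list *out)
{
    struct trust *a = calloc(n, sizeof(*a));
    *out = (struct trust_list){ 0, NULL };
    if (a == NULL) return -1;
    for (size_t i = 0; i < n; i++) {
        a[i].netbios_name = take(in[i].netbios_name);
        a[i].dns_name = take(in[i].dns_name);   /* may legitimately be NULL */
        a[i].sid = take(in[i].sid);
        if (a[i].netbios_name == NULL || a[i].sid == NULL) { free(a); return -1; }
    }
    *out = (struct trust_list){ n, a };
    return 0;
}

/* Invariant a marshaller relies on: each counted entry has a name and a sid. */
int list_complete(const struct trust_list *l)
{
    for (size_t i = 0; i < l->count; i++)
        if (!l->array[i].netbios_name || !l->array[i].sid) return 0;
    return 1;
}
```
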
Comment 1 Samba QA Contact 2024-01-20 14:24:13 UTC
This bug was referenced in samba master:

Comment 2 Ralph Böhme 2024-01-22 07:24:17 UTC
Created attachment 18231
Patch for 4.19 cherry-picked from master
Comment 3 Ralph Böhme 2024-01-22 07:25:03 UTC
Created attachment 18232
Patch for 4.18 backported from master