Bug 15882 - NULL pointer idmap_child binding handle passed to new wbint_NormalizeNameUnmap() call
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Winbind
Version: unspecified
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Samuel Cabrero
QA Contact: Samba QA Contact
Reported: 2025-07-07 09:55 UTC by Guenther Deschner
Modified: 2025-07-08 07:31 UTC

Description Guenther Deschner 2025-07-07 09:55:17 UTC
When starting winbind with idmap_ad configured there seems to be a race condition when the getpwnam call queries the idmap child for the new NormalizeNameUnmap functionality:

(gdb) bt full
#0  0x00007fd6b4c6da06 in __internal_syscall_cancel () from /lib64/libc.so.6
No symbol table info available.
#1  0x00007fd6b4c6da24 in __syscall_cancel () from /lib64/libc.so.6
No symbol table info available.
#2  0x00007fd6b4cdd5af in wait4 () from /lib64/libc.so.6
No symbol table info available.
#3  0x00007fd6b4c2ea6d in do_system () from /lib64/libc.so.6
No symbol table info available.
#4  0x00007fd6b5e1cc2c in call_panic_action (why=0x7ffd235fbdd0 "Signal 11: Segmentation fault", as_root=false) at ../../source3/lib/util.c:713
        lp_sub = 0x7fd6b5e68f10 <s3_global_substitution>
        cmd = 0x8edebb0 "/bin/sleep 999999999"
        result = 32726
        __func__ = "call_panic_action"
#5  0x00007fd6b5e1cd82 in smb_panic_s3 (why=0x7ffd235fbdd0 "Signal 11: Segmentation fault") at ../../source3/lib/util.c:729
No locals.
#6  0x00007fd6b5860b29 in smb_panic (why=0x7ffd235fbdd0 "Signal 11: Segmentation fault") at ../../lib/util/fault.c:209
No locals.
#7  0x00007fd6b58605d8 in fault_report (sig=11) at ../../lib/util/fault.c:83
        counter = 1
        signal_string = "Signal 11: Segmentation fault\000\000\000\340\276_#\375\177\000\000<_w\266\326\177\000\000\305\000\000\000\000\000\000\000\030\350r\266\326\177\000\000`>v\266\326\177\000\000\250\276_#\375\177\000\000\244\276_#\375\177\000\000\234\243ߴ\326\177\000\000 \277_#\375\177\000\000<_w\266\326\177\000\000~\000\000\000\000\000\000\000\300\257ߴ\326\177\000"
#8  0x00007fd6b58605ed in sig_fault (sig=11) at ../../lib/util/fault.c:94
No locals.
#9  <signal handler called>
No symbol table info available.
#10 0x00007fd6b6537e3e in dcerpc_binding_handle_call_send (mem_ctx=0x8ee5520, ev=0x8ec4a00, h=0x0, object=0x0, table=0x7fd6b5d15b80 <ndr_table_winbind>, opnum=29, r_mem=0x8ed69c0, 
    r_ptr=0x8edc4d8) at ../../librpc/rpc/binding_handle.c:420
        req = 0x8ee56a0
        state = 0x8ee5880
        subreq = 0x7fd6b67a3000 <_rtld_local>
        ndr_err = 32765
        __func__ = "dcerpc_binding_handle_call_send"
#11 0x00007fd6b6501906 in dcerpc_wbint_NormalizeNameUnmap_r_send (mem_ctx=0x8edc4c0, ev=0x8ec4a00, h=0x0, r=0x8edc4d8) at librpc/gen_ndr/ndr_winbind_c.c:6622
        req = 0x8ee5340
        state = 0x8ee5520
        subreq = 0x8ed68f0
        __func__ = "dcerpc_wbint_NormalizeNameUnmap_r_send"
#12 0x00007fd6b6501c29 in dcerpc_wbint_NormalizeNameUnmap_send (mem_ctx=0x8ee4c50, ev=0x8ec4a00, h=0x0, _name=0x8ece960 "W2K25DOM\\gd", _unmapped_name=0x8ee4c60)
    at librpc/gen_ndr/ndr_winbind_c.c:6721
        req = 0x8edc2e0
        state = 0x8edc4c0
        subreq = 0x8ece900
        __func__ = "dcerpc_wbint_NormalizeNameUnmap_send"
#13 0x0000000000486d2a in winbindd_getpwnam_send (mem_ctx=0x8edc960, ev=0x8ec4a00, cli=0x8ed58b0, request=0x8edece0) at ../../source3/winbindd/winbindd_getpwnam.c:71
        req = 0x8ee4a70
        subreq = 0x8edd230
        state = 0x8ee4c50
        __func__ = "winbindd_getpwnam_send"
        __FUNCTION__ = "winbindd_getpwnam_send"
#14 0x000000000049b71d in process_request_send (mem_ctx=0x8ed58b0, ev=0x8ec4a00, cli_state=0x8ed58b0) at ../../source3/winbindd/winbindd.c:503
        req = 0x8edc780
        subreq = 0x8ed58b0
        state = 0x8edc960
        atable = 0x4f00a0 <async_nonpriv_table+192>
        cmd = WINBINDD_GETPWNAM
        i = 4834458
        ok = true
        request_index = 3
        __func__ = "process_request_send"
        __FUNCTION__ = "process_request_send"
#15 0x000000000049c3dd in winbind_client_request_read (req=0x8edcf50) at ../../source3/winbindd/winbindd.c:747
        state = 0x8ed58b0
        ret = 2136
        err = 0
        __FUNCTION__ = "winbind_client_request_read"
        __func__ = "winbind_client_request_read"
#16 0x00007fd6b6737356 in _tevent_req_notify_callback (req=0x8ee0ab0, location=0x7fd6b5819b60 "../../nsswitch/wb_reqtrans.c:126") at ../../lib/tevent/tevent_req.c:177
        new_depth = 0
#17 0x00007fd6b67374e7 in tevent_req_finish (req=0x8ee0ab0, state=TEVENT_REQ_DONE, location=0x7fd6b5819b60 "../../nsswitch/wb_reqtrans.c:126") at ../../lib/tevent/tevent_req.c:234
        p = 0x0
#18 0x00007fd6b6737513 in _tevent_req_done (req=0x8ee0ab0, location=0x7fd6b5819b60 "../../nsswitch/wb_reqtrans.c:126") at ../../lib/tevent/tevent_req.c:240
No locals.
#19 0x00007fd6b5818681 in wb_req_read_done (subreq=0x0) at ../../nsswitch/wb_reqtrans.c:126
        req = 0x8ee0ab0
        state = 0x8ee0c90
        err = 4
        buf = 0x8edece0 "X\b"
#20 0x00007fd6b6737356 in _tevent_req_notify_callback (req=0x8ee0e20, location=0x7fd6b5e94b88 "../../lib/async_req/async_sock.c:713") at ../../lib/tevent/tevent_req.c:177
        new_depth = 0
#21 0x00007fd6b67374e7 in tevent_req_finish (req=0x8ee0e20, state=TEVENT_REQ_DONE, location=0x7fd6b5e94b88 "../../lib/async_req/async_sock.c:713") at ../../lib/tevent/tevent_req.c:234
        p = 0x0
#22 0x00007fd6b6737513 in _tevent_req_done (req=0x8ee0e20, location=0x7fd6b5e94b88 "../../lib/async_req/async_sock.c:713") at ../../lib/tevent/tevent_req.c:240
No locals.
#23 0x00007fd6b5e88a49 in read_packet_do (req=0x8ee0e20, ready_flags=0) at ../../lib/async_req/async_sock.c:713
        state = 0x8ee1000
        total = 2136
        nread = 2132
        more = 0
        tmp = 0x8edece0 "X\b"
#24 0x00007fd6b5e88b3f in read_packet_handler (ev=0x8ec4a00, fde=0x8edcac0, flags=1, private_data=0x8ee0e20) at ../../lib/async_req/async_sock.c:747
        req = 0x8ee0e20
#25 0x00007fd6b67351f2 in tevent_common_invoke_fd_handler (fde=0x8edcac0, flags=1, removed=0x0) at ../../lib/tevent/tevent_fd.c:174
        handler_ev = 0x8ec4a00
#26 0x00007fd6b674189b in epoll_event_loop (epoll_ev=0x8ec4c40, tvalp=0x7ffd235fcae0) at ../../lib/tevent/tevent_epoll.c:699
        fde = 0x8edcac0
        effective_flags = 1
        flags = 1
        got_error = false
        selected = 0x8edcac0
        ret = 1
        i = 0
        events = {{events = 1, data = {ptr = 0x8edcac0, fd = 149801664, u32 = 149801664, u64 = 149801664}}}
        timeout = 867
        wait_errno = 11
#27 0x00007fd6b6741f88 in epoll_event_loop_once (ev=0x8ec4a00, location=0x4e04e0 "../../source3/winbindd/winbindd.c:1738") at ../../lib/tevent/tevent_epoll.c:929
        epoll_ev = 0x8ec4c40
        tval = {tv_sec = 0, tv_usec = 866734}
        panic_triggered = false
#28 0x00007fd6b673d603 in std_event_loop_once (ev=0x8ec4a00, location=0x4e04e0 "../../source3/winbindd/winbindd.c:1738") at ../../lib/tevent/tevent_standard.c:110
        glue_ptr = 0x8ec4bb0
        glue = 0x8ec4bb0
        ret = 32726
#29 0x00007fd6b6733baa in _tevent_loop_once (ev=0x8ec4a00, location=0x4e04e0 "../../source3/winbindd/winbindd.c:1738") at ../../lib/tevent/tevent.c:860
        ret = 0
        nesting_stack_ptr = 0x0
        __func__ = "_tevent_loop_once"
#30 0x000000000049f675 in main (argc=1, argv=0x7ffd235fcf38) at ../../source3/winbindd/winbindd.c:1738
        log_stdout = false
        cmdline_daemon_cfg = 0x7fd6b659c060 <cmdline_daemon_cfg>
        long_options = {{longName = 0x0, shortName = 0 '\000', argInfo = 4, arg = 0x7fd6b508e160 <poptHelpOptions>, val = 0, descrip = 0x4df857 "Help options:", argDescrip = 0x0}, {
            longName = 0x4df865 "no-caching", shortName = 110 'n', argInfo = 0, arg = 0x0, val = 110, descrip = 0x4df870 "Disable caching", argDescrip = 0x0}, {longName = 0x0, 
            shortName = 0 '\000', argInfo = 4, arg = 0x7fd6b659b4a0 <popt_common_samba>, val = 0, descrip = 0x4df880 "Common Samba options:", argDescrip = 0x0}, {longName = 0x0, 
            shortName = 0 '\000', argInfo = 4, arg = 0x7fd6b659bd00 <popt_common_daemon>, val = 0, descrip = 0x4df896 "Daemon options:", argDescrip = 0x0}, {longName = 0x0, 
            shortName = 0 '\000', argInfo = 4, arg = 0x7fd6b659bc60 <popt_common_version>, val = 0, descrip = 0x4df8a6 "Version options:", argDescrip = 0x0}, {longName = 0x0, 
            shortName = 0 '\000', argInfo = 0, arg = 0x0, val = 0, descrip = 0x0, argDescrip = 0x0}}
        lp_sub = 0x7fd6b5e68f10 <s3_global_substitution>
        pc = 0x8eadb00
        opt = -1
        frame = 0x8ecf4d0
        status = {v = 0}
        ok = true
        ep_server = 0x4ed780 <winbind_ep_server>
        dce_ctx = 0x8ed5700
        winbindd_socket_dir_len = 23
        winbindd_priv_socket_dir = 0x0
        winbindd_priv_socket_dir_len = 34
        __func__ = "main"
        __FUNCTION__ = "main"
(gdb) 

This is my config:
[global]
        realm = W2K25DOM.BER.REDHAT.COM
        security = ADS
        workgroup = W2K25DOM
        idmap config w2k25dom : unix_primary_group = yes
        idmap config w2k25dom : schema_mode = rfc2307
        idmap config w2k25dom : range = 1000-999999
        idmap config w2k25dom : backend = ad
        idmap config * : rangesize = 1000000
        idmap config * : range = 10000000-19999999
        idmap config * : backend = autorid
Comment 1 Guenther Deschner 2025-07-07 09:56:28 UTC
To reproduce, I start winbindd and simply call "wbinfo -i W2K25DOM\\gd"
Comment 2 Ralph Böhme 2025-07-07 10:00:57 UTC
AFAIR you just have to call wb_parent_idmap_setup_send() in winbindd_getpwnam_send() before calling dcerpc_wbint_NormalizeNameUnmap_send().
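
The ordering problem in this report, as an added example that is not part of the bug report or of Samba's code: a minimal C model in which a child's binding handle stays NULL until an asynchronous setup step has completed. All types and function names here (`child`, `rpc_send`, `lookup_ordered` and so on) are hypothetical stand-ins, and the account name is constructed.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-ins for illustration; not Samba's types or API. */
struct handle { int calls; };
struct child  { struct handle *h; struct handle storage; }; /* h is NULL until setup completes */
struct lookup { struct child *c; const char *name; int status; }; /* 1 pending, 0 sent, -1 refused */

static struct lookup *pending; /* single-slot stand-in for the event loop queue */

/* Models the RPC send; the guard turns a NULL handle into an error, not a SIGSEGV. */
static int rpc_send(struct handle *h, const char *name)
{
    if (h == NULL || name == NULL) return -1;
    h->calls++;
    return 0;
}

/* Asynchronous setup: only queues work, the handle is not valid yet. */
static void setup_send(struct lookup *l) { l->status = 1; pending = l; }

/* One loop iteration: the child comes up, then the queued lookup continues. */
static void loop_once(void)
{
    struct lookup *l = pending;
    if (l == NULL) return;
    pending = NULL;
    if (l->c->h == NULL) l->c->h = &l->c->storage;
    l->status = rpc_send(l->c->h, l->name); /* completion step: handle is valid here */
}

/* Ordering seen in the backtrace: the call is issued before any setup ran. */
int lookup_unordered(struct child *c, const char *name)
{
    return rpc_send(c->h, name);
}

/* Ordering suggested in comment 2: setup first, the call in its completion. */
int lookup_ordered(struct child *c, const char *name)
{
    struct lookup l = { c, name, 1 };
    setup_send(&l);
    loop_once();
    return l.status;
}

int main(void)
{
    struct child c = { NULL, { 0 } };
    printf("unordered: %d\n", lookup_unordered(&c, "EXAMPLE\\user")); /* constructed name */
    printf("ordered:   %d\n", lookup_ordered(&c, "EXAMPLE\\user"));
    return 0;
}
```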
Comment 3 Guenther Deschner 2025-07-07 12:44:51 UTC
Apparently in master only...
Comment 4 Samba QA Contact 2025-07-08 07:22:03 UTC
This bug was referenced in samba master:

96ff066980649c5a7ec549983232a574d437eb71
0c4b632310b6e946d8493735b8cdeeb0d2cc39fe
Comment 5 Samuel Cabrero 2025-07-08 07:31:32 UTC
Patches are in master, no backports needed.