Bug 15897 - Assert failed: (dirfd != -1) || (smb_fname->base_name[0] == '/') in vfswrap_openat
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: File services
Version: 4.23.0rc3
Hardware: All FreeBSD
Importance: P5 normal
Target Milestone: ---
Assignee: Jule Anger
QA Contact: Samba QA Contact
Reported: 2025-08-21 07:34 UTC by Peter Eriksson
Modified: 2025-12-18 16:13 UTC

Attachments
Patch (5.86 KB, text/plain)
2025-09-08 08:05 UTC, Volker Lendecke
no flags
Patch from master (6.19 KB, patch)
2025-09-10 10:01 UTC, Volker Lendecke
no flags
patch from master for v4-23-test (7.78 KB, patch)
2025-09-15 16:30 UTC, Anoop C S
slow: review+
patch from master for v4-22-test (3.07 KB, patch)
2025-10-15 11:28 UTC, Anoop C S
no flags
patch from master for v4-22-test (7.78 KB, patch)
2025-10-15 11:30 UTC, Anoop C S
slow: review+

Description Peter Eriksson 2025-08-21 07:34:41 UTC
Just upgraded one of our production file servers to Samba 4.22.3 (with the fix for chown/acl) and got a spate of coredumps yesterday. The stack backtrace looks like this:

#5  0x000021159df409bf in smb_panic (
    why=why@entry=0x2115954f4e58 "assert failed: (dirfd != -1) || (smb_fname->base_name[0] == '/')") at ../../lib/util/fault.c:209
#6  0x00002115953f8070 in vfswrap_openat (handle=<optimized out>, 
    dirfsp=<optimized out>, smb_fname=0x2115df1c4a80, fsp=0x2115df0ba020, 
    how=0x21159287d2a0) at ../../source3/modules/vfs_default.c:619
#7  0x000021159543941c in smb_vfs_call_openat (handle=<optimized out>, 
    dirfsp=<optimized out>, smb_fname=<optimized out>, 
    fsp=fsp@entry=0x2115df0ba020, how=how@entry=0x21159287d2a0)
    at ../../source3/smbd/vfs.c:1588
#8  0x00002115e179008e in smb_full_audit_openat (handle=0x2115df0a8e40, 
    dirfsp=<optimized out>, smb_fname=<optimized out>, fsp=0x2115df0ba020, 
    how=0x21159287d2a0) at ../../source3/modules/vfs_full_audit.c:1092
#9  0x000021159543941c in smb_vfs_call_openat (handle=<optimized out>, 
    dirfsp=dirfsp@entry=0x2115df0b9e60, 
    smb_fname=smb_fname@entry=0x2115df1c4a80, fsp=fsp@entry=0x2115df0ba020, 
    how=how@entry=0x21159287d2a0) at ../../source3/smbd/vfs.c:1588
--Type <RET> for more, q to quit, c to continue without paging--
#10 0x00002115e1d03ed1 in streams_xattr_openat (handle=0x2115df0a8f80, dirfsp=0x2115df0b9e60, smb_fname=0x2115df1c4a80, 
    fsp=0x2115df0ba020, how=0x21159287d2a0) at ../../source3/modules/vfs_streams_xattr.c:412
#11 0x000021159543941c in smb_vfs_call_openat (handle=<optimized out>, dirfsp=dirfsp@entry=0x2115df0b9e60, 
    smb_fname=smb_fname@entry=0x2115df1c4a80, fsp=fsp@entry=0x2115df0ba020, how=how@entry=0x21159287d2a0) at ../../source3/smbd/vfs.c:1588
#12 0x00002115e298dc7f in shadow_copy2_openat (handle=0x2115df0a9020, dirfsp=0x2115df0b9e60, smb_fname_in=0x2115df1c4a80, 
    fsp=0x2115df0ba020, _how=<optimized out>) at ../../source3/modules/vfs_shadow_copy2.c:1600
#13 0x000021159543941c in smb_vfs_call_openat (handle=<optimized out>, dirfsp=dirfsp@entry=0x2115df0b9e60, 
    smb_fname=smb_fname@entry=0x2115df1c4a80, fsp=fsp@entry=0x2115df0ba020, how=how@entry=0x21159287d410) at ../../source3/smbd/vfs.c:1588
#14 0x0000211595400875 in smb_vfs_openat_ci (mem_ctx=mem_ctx@entry=0x2115df1c4a80, case_sensitive=true, conn=conn@entry=0x2115df0b6c60, 
    dirfsp=dirfsp@entry=0x2115df0b9e60, smb_fname_rel=smb_fname_rel@entry=0x2115df1c4a80, fsp=0x2115df0ba020, how=0x21159287d410)
    at ../../source3/smbd/files.c:929
#15 0x0000211595404a80 in openat_pathref_fsp_lcomp (dirfsp=0x2115df0b9e60, smb_fname_rel=smb_fname_rel@entry=0x2115df1c4a80, 
    ucf_flags=ucf_flags@entry=8) at ../../source3/smbd/files.c:1577
#16 0x000021159542336a in filename_convert_dirfsp_nosymlink (mem_ctx=mem_ctx@entry=0x2115df0f1080, conn=conn@entry=0x2115df0b6c60, 
    basedir=basedir@entry=0x2115df0b9ae0, name_in=name_in@entry=0x2115df1c4420 "desktop.ini", ucf_flags=ucf_flags@entry=8, 
    twrp=twrp@entry=0, _dirfsp=<optimized out>, _smb_fname=<optimized out>, _smb_fname_rel=<optimized out>, _symlink_err=<optimized out>)
    at ../../source3/smbd/filename.c:890
#17 0x000021159542443f in filename_convert_dirfsp_rel (mem_ctx=0x2115df0f1080, conn=conn@entry=0x2115df0b6c60, 
    basedir=basedir@entry=0x2115df0b9ae0, name_in=name_in@entry=0x2115df1c4420 "desktop.ini", ucf_flags=ucf_flags@entry=8, 
    twrp=twrp@entry=0, _dirfsp=0x21159287d6f0, _smb_fname=0x21159287d6f8, _smb_fname_rel=0x21159287d700)
    at ../../source3/smbd/filename.c:1093
#18 0x00002115954274b8 in fd_openat (dirfsp=dirfsp@entry=0x2115df0b9ae0, smb_fname=smb_fname@entry=0x2115df1c4300, 
    fsp=fsp@entry=0x2115df0b9ca0, _how=_how@entry=0x21159287d790) at ../../source3/smbd/open.c:549
#19 0x0000211595427d0a in fd_open_atomic (file_created=0x21159287da87, _how=0x21159287d920, fsp=0x2115df0b9ca0, smb_fname=0x2115df1c4300, 
    dirfsp=0x2115df0b9ae0) at ../../source3/smbd/open.c:775
#20 reopen_from_fsp (dirfsp=dirfsp@entry=0x2115df0b9ae0, smb_fname=smb_fname@entry=0x2115df1c4300, fsp=fsp@entry=0x2115df0b9ca0, 
    how=how@entry=0x21159287d920, p_file_created=p_file_created@entry=0x21159287da87) at ../../source3/smbd/open.c:933
#21 0x0000211595428230 in open_file (req=req@entry=0x2115df0e29c0, dirfsp=0x2115df0b9ae0, 
    smb_fname_atname=smb_fname_atname@entry=0x2115df1c4300, fsp=fsp@entry=0x2115df0b9ca0, _how=_how@entry=0x21159287dac0, 
    access_mask=1179785, open_access_mask=1179785, private_flags=0, p_file_created=0x21159287da87) at ../../source3/smbd/open.c:1122
#22 0x000021159543009e in open_file_ntcreate (fsp=<optimized out>, pinfo=0x21159287da88, smb_fname_atname=<optimized out>, 
    parent_dir_fname=<optimized out>, private_flags=<optimized out>, lease=<optimized out>, oplock_request=<optimized out>, 
    new_dos_attributes=<optimized out>, create_options=<optimized out>, create_disposition=<optimized out>, share_access=<optimized out>, 
    access_mask=<optimized out>, req=<optimized out>, conn=0x2115df0b6c60) at ../../source3/smbd/open.c:3962
#23 create_file_unixpath (conn=conn@entry=0x2115df0b6c60, req=req@entry=0x2115df0e29c0, dirfsp=<optimized out>, 
    dirfsp@entry=0x2115df0b9ae0, smb_fname=smb_fname@entry=0x2115df0e2ff0, access_mask=access_mask@entry=1179785, 
    share_access=share_access@entry=7, create_disposition=<optimized out>, create_options=<optimized out>, file_attributes=<optimized out>, 
    oplock_request=<optimized out>, lease=<optimized out>, allocation_size=<optimized out>, private_flags=<optimized out>, 
    sd=<optimized out>, ea_list=<optimized out>, result=<optimized out>, pinfo=<optimized out>) at ../../source3/smbd/open.c:6554
#24 0x0000211595431e7d in create_file_default (conn=0x2115df0b6c60, req=0x2115df0e29c0, dirfsp=0x2115df0b9ae0, smb_fname=0x2115df0e2ff0, 
    access_mask=1179785, share_access=7, create_disposition=1, create_options=68, file_attributes=0, oplock_request=2, lease=0x0, 
    allocation_size=0, private_flags=0, sd=0x0, ea_list=0x0, result=0x2115df0e2698, pinfo=0x2115df0e26b0, in_context_blobs=0x21159287e170, 
    out_context_blobs=0x2115df116090) at ../../source3/smbd/open.c:6871
#25 0x00002115953f7f69 in vfswrap_create_file (handle=<optimized out>, req=<optimized out>, dirfsp=<optimized out>, 
    smb_fname=<optimized out>, access_mask=<optimized out>, share_access=<optimized out>, create_disposition=1, create_options=68, 
    file_attributes=0, oplock_request=2, lease=0x0, allocation_size=0, private_flags=0, sd=0x0, ea_list=0x0, result=0x2115df0e2698, 
    pinfo=0x2115df0e26b0, in_context_blobs=0x21159287e170, out_context_blobs=0x2115df116090) at ../../source3/modules/vfs_default.c:736
#26 0x0000211595439500 in smb_vfs_call_create_file (handle=<optimized out>, req=<optimized out>, dirfsp=<optimized out>, 
    smb_fname=smb_fname@entry=0x2115df0e2ff0, access_mask=access_mask@entry=1179785, share_access=<optimized out>, create_disposition=1, 
    create_options=68, file_attributes=0, oplock_request=2, lease=0x0, allocation_size=0, private_flags=0, sd=0x0, ea_list=0x0, 
    result=0x2115df0e2698, pinfo=0x2115df0e26b0, in_context_blobs=0x21159287e170, out_context_blobs=0x2115df116090)
    at ../../source3/smbd/vfs.c:1616
#27 0x00002115e178ffc5 in smb_full_audit_create_file (handle=0x2115df0a8e40, req=<optimized out>, dirfsp=<optimized out>, 
    smb_fname=0x2115df0e2ff0, access_mask=1179785, share_access=<optimized out>, create_disposition=1, create_options=68, 
    file_attributes=0, oplock_request=2, lease=0x0, allocation_size=0, private_flags=0, sd=0x0, ea_list=0x0, result_fsp=0x2115df0e2698, 
    pinfo=0x2115df0e26b0, in_context_blobs=0x21159287e170, out_context_blobs=0x2115df116090) at ../../source3/modules/vfs_full_audit.c:1147
#28 0x0000211595439500 in smb_vfs_call_create_file (handle=<optimized out>, req=req@entry=0x2115df0e29c0, dirfsp=<optimized out>, 
    smb_fname=<optimized out>, access_mask=access_mask@entry=1179785, share_access=share_access@entry=7, create_disposition=1, 
    create_options=68, file_attributes=0, oplock_request=2, lease=0x0, allocation_size=0, private_flags=0, sd=0x0, ea_list=0x0, 
    result=0x2115df0e2698, pinfo=0x2115df0e26b0, in_context_blobs=0x21159287e170, out_context_blobs=0x2115df116090)
    at ../../source3/smbd/vfs.c:1616
#29 0x000021159546a1d3 in smbd_smb2_create_send (in_context_blobs=..., in_name=<optimized out>, _in_create_options=<optimized out>, 
    in_create_disposition=<optimized out>, in_share_access=7, in_file_attributes=0, in_desired_access=1179785, in_impersonation_level=2, 
    in_oplock_level=9 '\t', smb2req=0x2115df0e18e0, ev=0x2115df0b6060, mem_ctx=0x2115df0e18e0) at ../../source3/smbd/smb2_create.c:1276
#30 smbd_smb2_request_process_create (smb2req=smb2req@entry=0x2115df0e18e0) at ../../source3/smbd/smb2_create.c:295
#31 0x000021159545e67b in smbd_smb2_request_dispatch (req=req@entry=0x2115df0e18e0) at ../../source3/smbd/smb2_server.c:3521
#32 0x000021159545efa2 in smbd_smb2_advance_incoming (n=<optimized out>, xconn=0x2115df0c3560) at ../../source3/smbd/smb2_server.c:5144
#33 smbd_smb2_io_handler (fde_flags=<optimized out>, xconn=0x2115df0c3560) at ../../source3/smbd/smb2_server.c:5259
#34 smbd_smb2_connection_handler (ev=<optimized out>, fde=<optimized out>, flags=<optimized out>, private_data=<optimized out>)
    at ../../source3/smbd/smb2_server.c:5289
#35 0x000021159c494710 in tevent_common_invoke_fd_handler (fde=fde@entry=0x2115df135d60, flags=<optimized out>, removed=removed@entry=0x0)
    at ../../lib/tevent/tevent_fd.c:174
#36 0x000021159c4974c7 in poll_event_loop_poll (tvalp=0x21159287e300, ev=0x2115df0b6060) at ../../lib/tevent/tevent_poll.c:603
#37 poll_event_loop_once (ev=0x2115df0b6060, location=<optimized out>) at ../../lib/tevent/tevent_poll.c:658
#38 0x000021159c493a5d in _tevent_loop_once (ev=ev@entry=0x2115df0b6060, 
    location=location@entry=0x21159550ccf8 "../../source3/smbd/smb2_process.c:2163") at ../../lib/tevent/tevent.c:820
#39 0x000021159c493ca0 in tevent_common_loop_wait (ev=0x2115df0b6060, location=0x21159550ccf8 "../../source3/smbd/smb2_process.c:2163")
    at ../../lib/tevent/tevent.c:949
#40 0x000021159c493d02 in _tevent_loop_wait (ev=ev@entry=0x2115df0b6060, 
    location=location@entry=0x21159550ccf8 "../../source3/smbd/smb2_process.c:2163") at ../../lib/tevent/tevent.c:968
#41 0x000021159544c738 in smbd_process (ev_ctx=ev_ctx@entry=0x2115df0b6060, msg_ctx=msg_ctx@entry=0x2115df0aa140, sock_fd=sock_fd@entry=32, 
    interactive=interactive@entry=false) at ../../source3/smbd/smb2_process.c:2163
#42 0x0000210d721d64c5 in smbd_accept_connection (ev=0x2115df0b6060, fde=<optimized out>, flags=<optimized out>, 
    private_data=<optimized out>) at ../../source3/smbd/server.c:1039
#43 0x000021159c494710 in tevent_common_invoke_fd_handler (fde=fde@entry=0x2115df135860, flags=<optimized out>, removed=removed@entry=0x0)
...

(gdb) frame 6
(gdb) print *smb_fname
$2 = {base_name = 0x2115df1c4ba0 "desktop.ini", stream_name = 0x0, flags = 1, st = {st_ex_dev = 0, st_ex_ino = 0, st_ex_mode = 0, 
    st_ex_nlink = 0, st_ex_uid = 0, st_ex_gid = 0, st_ex_rdev = 0, st_ex_size = 0, st_ex_atime = {tv_sec = 0, tv_nsec = 0}, st_ex_mtime = {
      tv_sec = 0, tv_nsec = 0}, st_ex_ctime = {tv_sec = 0, tv_nsec = 0}, st_ex_btime = {tv_sec = 0, tv_nsec = 0}, 
    cached_dos_attributes = 0, st_ex_blksize = 0, st_ex_blocks = 0, st_ex_flags = 0, st_ex_iflags = 0}, twrp = 0, fsp = 0x0, fsp_link = 0x0}


(gdb) print *fsp
$3 = {next = 0x2115df0b9e60, prev = 0x2115df0b9ae0, fnum = 0, op = 0x0, conn = 0x2115df0b6c60, fh = 0x2115df0a97a0, num_smb_operations = 0, 
  file_id = {devid = 0, inode = 0, extid = 0}, initial_allocation_size = 0, file_pid = 0, vuid = 0, open_time = {tv_sec = 1755690855, 
    tv_usec = 923717}, access_mask = 0, fsp_flags = {is_pathref = true, is_fsa = false, have_proc_fds = false, 
    kernel_share_modes_taken = false, update_write_time_triggered = false, update_write_time_on_close = false, write_time_forced = false, 
    can_lock = false, can_read = false, can_write = false, modified = false, is_directory = false, is_dirfsp = false, 
    aio_write_behind = false, initial_delete_on_close = false, delete_on_close = false, is_sparse = false, backup_intent = false, 
    use_ofd_locks = false, closing = false, lock_failure_seen = false, encryption_required = false, fstat_before_close = false, 
    posix_open = false, posix_append = false}, update_write_time_event = 0x0, close_write_time = {tv_sec = 0, tv_nsec = -2}, 
  oplock_type = 0, leases_db_seqnum = 0, lease_type = 0, lease = 0x0, sent_oplock_break = 0, oplock_timeout = 0x0, current_lock_count = 0, 
  fsp_name = 0x2115df1c4d00, name_hash = 1655811084, mid = 0, vfs_extension = 0x0, fake_file_handle = 0x0, notify = 0x0, base_fsp = 0x0, 
  stream_fsp = 0x0, share_mode_flags_seqnum = 0, share_mode_flags = 0, brlock_seqnum = 0, brlock_rec = 0x0, dptr = 0x0, print_file = 0x0, 
  num_aio_requests = 0, aio_requests = 0x0, blocked_smb1_lock_reqs = 0x0, lock_failure_offset = 0}
Comment 1 Peter Eriksson 2025-08-21 07:37:28 UTC
(gdb) frame 6
#6  0x00002115953f8070 in vfswrap_openat (handle=<optimized out>, dirfsp=<optimized out>, smb_fname=0x2115df1c4a80, fsp=0x2115df0ba020, 
    how=0x21159287d2a0) at ../../source3/modules/vfs_default.c:619
619	in ../../source3/modules/vfs_default.c
(gdb) print dirfd
$14 = -1
(gdb) print smb_fname->base_name
$15 = 0x2115df1c4ba0 "desktop.ini"
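
The gdb values in Comment 1 (dirfd = -1 with the relative base_name "desktop.ini") are exactly the combination the assertion forbids. The following C program is an added example, not Samba code and not the fix attached to this bug; anchored_openat and run_demo are hypothetical names. It applies the same condition but returns EINVAL to the caller instead of aborting the process.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Same condition as the failed assertion: a relative name needs a real
 * directory fd; only an absolute path may be opened with dirfd == -1. */
static int name_is_anchored(int dirfd, const char *base_name)
{
	return (dirfd != -1) || (base_name[0] == '/');
}

/* Hypothetical wrapper (not a Samba function): refuse an unanchored name
 * with EINVAL so a client-triggered open cannot take the process down. */
int anchored_openat(int dirfd, const char *base_name, int flags)
{
	if (base_name == NULL || !name_is_anchored(dirfd, base_name)) {
		errno = EINVAL;
		return -1;
	}
	return openat(dirfd, base_name, flags);
}

/* Builds a constructed temp directory containing "desktop.ini" and tries
 * three opens. Returns how many behaved as expected (3), or -1 on setup
 * failure. */
int run_demo(void)
{
	char dir[] = "/tmp/openat-demo-XXXXXX";
	char path[sizeof(dir) + 16];
	int ok = 0, dfd, fd;

	if (mkdtemp(dir) == NULL)
		return -1;
	snprintf(path, sizeof(path), "%s/desktop.ini", dir);
	fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
	if (fd == -1) { rmdir(dir); return -1; }
	close(fd);
	dfd = open(dir, O_RDONLY | O_DIRECTORY);
	if (dfd == -1) { unlink(path); rmdir(dir); return -1; }

	/* 1. Relative name with a valid directory fd: allowed. */
	fd = anchored_openat(dfd, "desktop.ini", O_RDONLY);
	if (fd >= 0) { ok++; close(fd); }

	/* 2. The state seen in frame 6: dirfd == -1, relative name: refused. */
	errno = 0;
	fd = anchored_openat(-1, "desktop.ini", O_RDONLY);
	if (fd == -1 && errno == EINVAL) ok++;
	else if (fd >= 0) close(fd);

	/* 3. Absolute path with dirfd == -1: allowed, openat ignores dirfd. */
	fd = anchored_openat(-1, path, O_RDONLY);
	if (fd >= 0) { ok++; close(fd); }

	close(dfd);
	unlink(path);
	rmdir(dir);
	return ok;
}

int main(void)
{
	printf("cases behaving as expected: %d of 3\n", run_demo());
	return 0;
}
```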
Comment 2 Peter Eriksson 2025-08-21 09:24:20 UTC
It's a bit strange because it looks like the access was done for a user which doesn't have access to that directory...

# getfacl _HU_Integration_old/
# file: _HU_Integration_old/
# owner: <hidden admin user>
# group: fillager-nobody
group:fillager-admins:rwxpDdaARWcCo-:fd-----:allow


(gdb) frame 6
(gdb) print *fsp->conn->session_info->unix_info
$4 = {unix_name = 0x2115df137b60 "<hidden normal user>", sanitized_username = 0x2115df137c60 "<hidden normal user>"}


The <hidden normal user> is not a member of the group "fillager-admins" so it should never even try to access "_HU_Integration_old/./desktop.ini".
Comment 3 Peter Eriksson 2025-08-21 11:40:45 UTC
Looks like it's something happening in the zfsacl vfs module. If I disable that one then I don't see any core dumps. 

One way to force a core is if a Windows user tries to "click" on a folder where the permissions deny access. 


smbclient:
Core dumps don't seem to happen if I try to access it via smbclient (with zfsacl enabled)

With "zfsacl" enabled I see all folders, even those that I'm not supposed to. 
Without "zfsacl" enabled I only see folders I have access to.
Comment 4 Peter Eriksson 2025-08-22 17:38:17 UTC
Ways to reproduce:

1. Create a directory "noaccess" in a folder.
2. Set the permissions of "noaccess" so that the user doesn't have access.
3. Create a file "desktop.ini" inside "noaccess" (ACL doesn't matter but it must exist)
4. Connect to the share with smbclient and try "get noaccess/desktop.ini"

To get coredumps of smbd on FreeBSD you need to do this:

1. mkdir /var/cores
2. sysctl 'kern.corefile=/var/cores/%N.%P.core'
3. sysctl 'kern.sugid_coredump=1'


ACL I use on noaccess:

/export/test # getfacl noaccess
# file: noaccess
# owner: root
# group: nobody
            owner@:rwxpDdaARWcCos:-------:allow

/export/test # ls -ld noaccess
drwx------+ 2 root nobody 3 Aug 22 19:21 noaccess


smb.conf:

bind interfaces only = yes
workgroup = GREBO
netbios name = KATLA
security = user
passdb backend = tdbsam

vfs objects = zfsacl

[test]
path = /export/test
browsable = yes



$ smbclient -W GREBO //katla/test
Password for [GREBO\peter]:
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Thu Aug 21 22:17:07 2025
  ..                                  D        0  Thu Aug 21 22:17:07 2025
  noaccess                            D        0  Fri Aug 22 19:21:21 2025
  s                                   D        0  Fri May 31 20:03:41 2024
  d                                   D        0  Sat Jun 22 16:20:39 2024

		1737041884 blocks of size 1024. 1737041748 blocks available
smb: \> get noaccess/desktop.ini
NT_STATUS_CONNECTION_DISCONNECTED opening remote file \noaccess\desktop.ini
smb: \> SMBecho failed (NT_STATUS_CONNECTION_DISCONNECTED). The connection is disconnected now
Comment 5 Peter Eriksson 2025-08-25 11:15:42 UTC
Samba 4.21.7 seems to work better (no assert-fail-coredump)
Comment 6 Peter Eriksson 2025-09-02 14:34:17 UTC
Same problem with Samba 4.23.0rc3 - still assert-fails and core dumps if the VFS module "zfsacl" is enabled and a client tries to access a file inside a directory with permissions that deny access to anything inside that directory.
Comment 7 Volker Lendecke 2025-09-02 14:39:35 UTC
Just to let you know: I've tried to get my normal build environment up and running with Samba master on latest FreeBSD, but I failed miserably after a few hours on my weekend. I would think that once I have this problem under my fingers with a debugger and the ability to rebuild, this should be simple to solve. Any BSD, as worthwhile as it might be to have, is not part of our daily routine, so unfortunately it bit-rots. Because there is nobody with budget behind it to get a FreeBSD runner in Samba's gitlab CI, it will always remain a catch-up game. Sincere apologies, but that's what it is.
Comment 8 Peter Eriksson 2025-09-02 14:48:08 UTC
Yes, I understand the problem with the normal build testing.

Something changed between 4.21.7 and 4.22 that causes this to happen. I've tried reading the new code/changes but so far I've not really found why this happens. 

There is something that the zfsacl code does that causes the crash later on (the crash doesn't happen inside the zfsacl vfs module, and I've not found any other module that causes it either). And the zfsacl module code seems pretty straightforward too...

If someone wants it I've got a "BUILD" script that I normally use to build my Sambas. It downloads, unpacks, applies some patches normally and then builds and installs it. 

(This bug happens also without my patches)

To build Samba 4.19-4.23 I minimally need this patch on my FreeBSD systems:

--- samba-4.22.0/lib/util/util_crypt.c.ORIG     2025-04-10 09:40:34.264785000 +0200
+++ samba-4.22.0/lib/util/util_crypt.c  2025-04-10 09:40:51.310543000 +0200
@@ -2,7 +2,9 @@
 #include "data_blob.h"
 #include "discard.h"
 #include <talloc.h>
+#ifdef HAVE_CRYPT_H
 #include <crypt.h>
+#endif
 #include "util_crypt.h"
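Review bot: The new "#ifdef HAVE_CRYPT_H" guard around "#include <crypt.h>" only helps if the build system defines that macro, and nothing in this hunk shows that it does or that the config header carrying it is included before this point. Please confirm the configure check exists, and that on platforms without crypt.h another header still supplies the declarations this file takes from it.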
Comment 9 Volker Lendecke 2025-09-02 15:00:37 UTC
No promises, but if you could upload your steps from a plain FreeBSD 14.3 install to a Samba build with debug symbols, it would greatly help. I'm not familiar enough with the FreeBSD ports system so that this would be an easy exercise for me.
Comment 10 Peter Eriksson 2025-09-02 20:28:47 UTC
Sure thing, here is what works for me to build Samba 4.23.0rc3 in a barebones FreeBSD 14.3 (in a jail):

export CC=gcc
export MAKE=gmake
export CFLAGS=-g
export PATH=/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin

pkg install -y wget gmake python3 pkgconf bison flex p5-Parse-Yapp libxslt ncurses libarchive icu gcc gdb docbook-xsl libinotify libsunacl gnutls openldap26-client lmdb jansson fam

wget -N -q --show-progress https://download.samba.org/pub/samba/rc/samba-4.23.0rc3.tar.gz
tar zxf samba-4.23.0rc3.tar.gz
cd samba-4.23.0rc3 || exit 1

patch -p1 -s </tmp/util_crypt.patch
patch -p1 -s </tmp/dev_fds.patch

./configure --sysconfdir=/etc/samba --localstatedir=/var/samba --without-ad-dc --without-gettext --disable-cups --disable-iprint --with-shared-modules=nfs4_acls,vfs_zfsacl,vfs_dfs_samba4 --with-privatedir=/etc/samba/private --with-configdir=/etc/samba --with-logfilebase=/var/samba/logs --enable-debug

gmake



The patches (it would be great if we could get those into the normal source :-)


The "util_crypt.patch":

# more util_crypt.c.patch 
--- samba-4.22.0/lib/util/util_crypt.c.ORIG     2025-04-10 09:40:34.264785000 +0200
+++ samba-4.22.0/lib/util/util_crypt.c  2025-04-10 09:40:51.310543000 +0200
@@ -2,7 +2,9 @@
 #include "data_blob.h"
 #include "discard.h"
 #include <talloc.h>
+#ifdef HAVE_CRYPT_H
 #include <crypt.h>
+#endif
 #include "util_crypt.h"
 

The "dev_fds.patch" (not strictly necessary, but without it Samba falls back to the non-O_PATH codepath), to use it you also need to mount /var/samba/fd using: "mkdir -p /var/samba/fd ; mount -t fdescfs -o nodup fdesc /var/samba/fd":

# more dev_fds.patch 
--- samba-4.21.3/source3/lib/system.c   2024-07-29 11:03:15.334630500 +0200
+++ samba-4.21.3-proc_fds-fix/source3/lib/system.c      2025-01-10 14:30:05.235895000 +0100
@@ -1067,6 +1067,12 @@
 }
 #endif
 
+#ifdef __FreeBSD__
+#define PATH_PROC_FDS "/var/samba/fd"
+#elif __linux__
+#define PATH_PROC_FDS "/proc/self/fd"
+#endif
+
 bool sys_have_proc_fds(void)
 {
        static bool checked = false;
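Review bot: "#elif __linux__" in the new PATH_PROC_FDS block tests the macro's value while the branch above it uses #ifdef; write "#elif defined(__linux__)" so the two match and builds with -Wundef stay quiet. The FreeBSD value "/var/samba/fd" is also a site-specific mount point hard-coded into the source; it should come from a configure-time or smb.conf setting, and the requirement that fdescfs be mounted there needs a comment next to the define.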
@@ -1078,9 +1084,13 @@
                return have_proc_fds;
        }
 
-       ret = stat("/proc/self/fd/0", &sb);
+#ifdef PATH_PROC_FDS
+       ret = stat(PATH_PROC_FDS "/0", &sb);
        have_proc_fds = (ret == 0);
+#else
+       have_proc_fds = 0;
        checked = true;
+#endif
 
        return have_proc_fds;
 }
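Review bot: In sys_have_proc_fds() the unchanged line "checked = true;" now sits inside the new #else branch, so whenever PATH_PROC_FDS is defined the result is never cached and stat() runs on every call. Move the #endif up to directly after "have_proc_fds = 0;" so that "checked = true;" stays unconditional, and assign false rather than 0 to the bool.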
@@ -1088,7 +1098,11 @@
 char *sys_proc_fd_path(int fd, struct sys_proc_fd_path_buf *buf)
 {
        int written =
-               snprintf(buf->buf, sizeof(buf->buf), "/proc/self/fd/%d", fd);
+#ifdef PATH_PROC_FDS
+               snprintf(buf->buf, sizeof(buf->buf), PATH_PROC_FDS "/%d", fd);
+#else
+               -1;
+#endif
 
        SMB_ASSERT(sys_have_proc_fds() && (written >= 0));
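Review bot: The initializer of "written" in sys_proc_fd_path() is now split by #ifdef/#else in the middle of the statement, leaving a bare "-1;" as the whole expression when PATH_PROC_FDS is undefined; two complete statements or an early return would read better. With the prefix no longer fixed to "/proc/self/fd", the SMB_ASSERT should also check written < sizeof(buf->buf), since it only checks written >= 0 and a longer prefix could be truncated without notice.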
Comment 11 Volker Lendecke 2025-09-07 16:31:18 UTC
Got it reproduced, and I have a patch that fixes this panic. Running an autobuild now to see what the patch breaks...
Comment 12 Volker Lendecke 2025-09-08 08:05:45 UTC
Created attachment 18708 [details]
Patch

Can you try the attached patch?
Comment 13 Peter Eriksson 2025-09-08 11:14:57 UTC
A quick first test with that patch on 4.23.0rc4 indicates that it works fine. No core dumps at least... Will do some more testing.
Comment 14 Samba QA Contact 2025-09-10 09:38:02 UTC
This bug was referenced in samba master:

83ece80ecc2baa52a3caa0ee3b0f954b005b2268
7143caeecc856d3326fdc3eb466ef1f37bc564b5
Comment 15 Volker Lendecke 2025-09-10 10:01:18 UTC
Created attachment 18714 [details]
Patch from master
Comment 16 Samba QA Contact 2025-09-15 15:45:03 UTC
This bug was referenced in samba master:

1ec54347acac241f900b52c16c2dcba04164e898
Comment 17 Anoop C S 2025-09-15 16:30:33 UTC
Created attachment 18727 [details]
patch from master for v4-23-test
Comment 18 Anoop C S 2025-09-24 10:09:29 UTC
Don't we need a backport for v4.22?
Comment 19 Anoop C S 2025-10-15 11:28:15 UTC
Created attachment 18758 [details]
patch from master for v4-22-test
Comment 20 Anoop C S 2025-10-15 11:30:50 UTC
Created attachment 18759 [details]
patch from master for v4-22-test
Comment 21 Ralph Böhme 2025-11-13 15:24:12 UTC
Reassigning to Jule for inclusion in 4.22 and 4.23.
Comment 22 Jule Anger 2025-11-14 07:51:33 UTC
Pushed to autobuild-v4-{23,22}-test.
Comment 23 Samba QA Contact 2025-11-14 08:59:02 UTC
This bug was referenced in samba v4-23-test:

0d94edcb98b4c04e8a56be3ca1fd60f0f89fa505
ecbfd23640bbb56306362b6fac0b511961220cce
15875ce6f0ce377e1d111a8a0c6d3eace246e315
Comment 24 Samba QA Contact 2025-11-14 14:00:03 UTC
This bug was referenced in samba v4-22-test:

fd9de4bd525de4a0934399a42de818f07b616c35
b42548e5f7073f8b08bba8415ba8462ab60ec946
593b3a43369546b95a31e924d51028a894f24171
Comment 25 Jule Anger 2025-11-14 15:08:21 UTC
Closing out bug report.

Thanks!
Comment 26 Samba QA Contact 2025-12-12 13:56:40 UTC
This bug was referenced in samba v4-23-stable (Release samba-4.23.4):

0d94edcb98b4c04e8a56be3ca1fd60f0f89fa505
ecbfd23640bbb56306362b6fac0b511961220cce
15875ce6f0ce377e1d111a8a0c6d3eace246e315
Comment 27 Samba QA Contact 2025-12-18 16:13:55 UTC
This bug was referenced in samba v4-22-stable (Release samba-4.22.7):

fd9de4bd525de4a0934399a42de818f07b616c35
b42548e5f7073f8b08bba8415ba8462ab60ec946
593b3a43369546b95a31e924d51028a894f24171