15973 – smbpasswd can crash winbindd on an AD DC

Bug 15973 - smbpasswd can crash winbindd on an AD DC

Summary: smbpasswd can crash winbindd on an AD DC

Status:	NEW

Alias:	None

Product:	Samba 4.1 and newer
Classification:	Unclassified
Component:	Winbind (show other bugs)
Version:	4.23.3
Hardware:	All All

Importance:	P5 normal (vote)
Target Milestone:	---
Assignee:	Samba QA Contact
QA Contact:	Samba QA Contact

URL:
Keywords:

Depends on:
Blocks:

Reported:	2026-01-20 10:11 UTC by Ralph Böhme
Modified:	2026-01-28 19:49 UTC (History)
CC List:	1 user (show)

See Also:	https://lists.samba.org/archive/samba-technical/2026-January/140590.html

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Ralph Böhme 2026-01-20 10:11:43 UTC

#7  <signal handler called>
No symbol table info available.
#8  0x000000000043f47c in cm_connect_netlogon_transport (domain=domain@entry=0x17cd180, transport=transport@entry=NCACN_IP_TCP, cli=cli@entry=0x7ffccd40ed00) at ../../source3/winbindd/winbindd_cm.c:3216
        msg_ctx = 0x171a7a0
        conn = 0x17cd2d8
        result = {v = 0}
        sec_chan_type = <optimized out>
        creds = 0x0
        remote_name = 0x0
        remote_sockaddr = 0x0
        __func__ = "cm_connect_netlogon_transport"
        __FUNCTION__ = "cm_connect_netlogon_transport"

That is in

    remote_name = smbXcli_conn_remote_name(conn->cli->conn);

For some reason conn->cli is NULL.

Problem is triggered by the client sending the DC name as domain and the DC password check code then forwards the request to winbindd.