Bug 2391 - Signal 11's during connection to smbd w/ 3.0.11 - works in 3.0.8 & 3.0.10
Status: CLOSED FIXED
Product: Samba 3.0
Classification: Unclassified
Component: File Services
Version: 3.0.11
Hardware/OS: x86 FreeBSD
Priority/Severity: P1 major
Assigned To: Gerald (Jerry) Carter
QA Contact: Samba QA Contact
Reported: 2005-02-25 06:40 UTC by Mitch
Modified: 2005-08-24 10:16 UTC

Attachments
This is a log 10 of a Windows 2003 client connecting (16.97 KB, application/octet-stream) - 2005-02-25 07:05 UTC, Mitch
This is a log of a successful connect from smbclient (29.40 KB, application/octet-stream) - 2005-02-25 07:07 UTC, Mitch
capture of gdb output running with --enable-debug (106.30 KB, application/octet-stream) - 2005-02-25 11:05 UTC, Mitch
a log of an smbd -i run (18.12 KB, application/octet-stream) - 2005-02-25 14:15 UTC, Mitch
finally a backtrace (3.79 KB, text/plain) - 2005-02-25 16:44 UTC, Mitch
ran a bt full as requested (13.07 KB, text/plain) - 2005-02-25 17:21 UTC, Mitch
Move to allocated passwd structures (4.47 KB, patch) - 2005-02-25 18:13 UTC, Andrew Bartlett

Description Mitch 2005-02-25 06:40:56 UTC
Note - Server OS = FreeBSD 4.8
     - Client OS = Windows Server 2003

I can't generate a crash dump, but I could verify it doesn't happen in 3.0.8 or 
3.0.11. I'll commit this and then see about uploading the logs as attachments.

I CAN connect with smbclient, but to do so I had to alter the users.map from 
what the earlier versions used:
Old (3.0.8 / 3.0.10) users.map:
u1005 = MY.FULL.DOMAIN\mitch
NEW (3.0.11) users.map:
u1005 = MY.FULL.DOMAIN\mitch MY\mitch
                             ++++++++
This alias to the short form of the domain (or workgroup name) was required in 
3.0.11 - is that a config error on my part?

Here is the config file (stripped of a lot of stuff that wasn't needed to 
reproduce the bug):

[global]
realm = MY.FULL.DOMAIN
workgroup = MY
security = ADS
netbios name = SLIM1
bind interfaces only = yes
interfaces = 10.1.0.4/8

log level = 10
log file = /usr/local/samba/var/smbd-%G.log

username map = /usr/local/samba/lib/users.map
#add group shares
include = /home/%G/shares.conf

[homes]
        comment = %U's Documents
        valid users = %S
        read only = No
        browseable = No
        profile acls = Yes
        csc policy = disable
        create mask = 0711
        directory mask = 0711
        map archive = Yes
        map hidden = Yes
        map system = Yes
#ADD THESE TWO LINES TO WORK WITH NORMAL PWD ENTRY
#        path = %H/vserver/home/%U/HTS_MyDocuments
        hide files = /RECYCLER/
Comment 1 Mitch 2005-02-25 07:05:49 UTC
Created attachment 983 [details]
This is a log 10 of a Windows 2003 client connecting

This log, which shows a connection from the w2k3 server, creates (as expected)
three log files:
log.smbd during startup
smbd-%G.log after loading config and directing output to group based log files
smbd-s100592.log log after authenticating the group
Comment 2 Mitch 2005-02-25 07:07:46 UTC
Created attachment 984 [details]
This is a log of a successful connect from smbclient

This log, which shows a connection from smbclient, creates ONLY two log files:

log.smbd during startup
smbd-%G.log after loading config and directing output to group based log files
THERE IS NO smbd-s100592.log log after authenticating the group

Connection command was:
smbclient -I 10.1.0.4 -U MY.FULL.DOMAIN\\admin-m \\\\slim1\\u100595
Comment 3 Mitch 2005-02-25 07:10:24 UTC
Log files were obfuscated by replacing the real domain with MY.FULL.DOMAIN - 
hopefully that doesn't confuse anything - I just don't like leaving internal 
information on public posts - thanks!

I now have a test server running so I can validate any fix or attempt to 
provide further information if required.
Comment 4 Mitch 2005-02-25 11:05:26 UTC
Created attachment 986 [details]
capture of gdb output running with --enable-debug

This is a capture of screen output during a gdb run of smbd.
Steps:
rebuilt samba with:
./configure --with-krb5=/usr/heimdal --with-mysql-prefix=/usr/local/db/mysql
--with-expsam=mysql --enable-debug
Not currently using the mysql mod in this config, but that's in the normal
build - so for now I've kept the same config... will try removing it to see if
it has any impact.

gdb /usr/local/samba/sbin/smbd
set args -i
run

The odd thing is that with --enable-debug, the connection just seems to hang
with HUGE pauses between any indication of activity in the output - for a
while, I was pasting "\n\nLONG PAUSE\n\n" into the debug output to make it
obvious where they occurred, but eventually I gave up and exited gdb.
Comment 5 Mitch 2005-02-25 14:15:09 UTC
Created attachment 988 [details]
a log of an smbd -i run

ran smbd -i (after enable-debug and recompile)
added comments in log prefaced with MITCH2
seems to terminate "normally" but shouldn't be terminating at all
Comment 6 Mitch 2005-02-25 16:44:06 UTC
Created attachment 989 [details]
finally a backtrace

backtrace produced by adding:
panic action = "/bin/sleep 90000"
to my smb.conf - then, when making the connection that causes the crash, I did
a ps, identified the new process, and attached to it:
gdb ../sbin/smbd $PID
saved this backtrace (bt)
Just leaving these notes here in case they help someone else - would be good to
update the samba bugs page with advice on this - thanks "vl"!
Comment 7 Mitch 2005-02-25 17:21:58 UTC
Created attachment 990 [details]
ran a bt full as requested

same procedure - this time a bt full
Comment 8 Andrew Bartlett 2005-02-25 18:13:43 UTC
Created attachment 991 [details]
Move to allocated passwd structures

I suspect a use-after-free due to the way Get_Pwnam() works.  smb_getpwnam()
calls Get_Pwnam().

The attached patch moves to an allocated return structure.
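Andrew's comment describes a lookup whose result lives in storage that the next call reuses. The C model below is added here and is not the Samba patch or Samba source; it shows why holding such a pointer across a second lookup yields another account's record, and the allocated-copy fix the attachment title describes. The record type, directory contents and uids are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Stand-in for a getpwnam-style lookup that hands back a pointer to one
 * static record: the result is only valid until the next call. This is a
 * constructed model of the bug class, not Samba's Get_Pwnam(). */
struct pw_rec { char name[32]; unsigned uid; };
static struct pw_rec static_rec;

static const struct pw_rec *lookup_static(const char *name) {
    /* constructed directory of two accounts; uids are sample values */
    static const struct { const char *n; unsigned u; } dir[] = {
        { "mitch", 1005 }, { "admin-m", 1006 } };
    for (size_t i = 0; i < sizeof dir / sizeof dir[0]; i++) {
        if (strcmp(dir[i].n, name) == 0) {
            snprintf(static_rec.name, sizeof static_rec.name, "%s", dir[i].n);
            static_rec.uid = dir[i].u;
            return &static_rec;
        }
    }
    return NULL;
}

/* Buggy caller: keeps the first result across a second lookup. The pointer
 * still dereferences fine, but now describes account b, not a. Returns the
 * uid the caller believes belongs to a (0 if a is unknown). */
unsigned uid_of_a_static(const char *a, const char *b) {
    const struct pw_rec *pa = lookup_static(a);
    if (pa == NULL) return 0;
    (void)lookup_static(b);          /* silently overwrites *pa */
    return pa->uid;
}

/* Hardened variant: return a heap copy the caller owns, so later lookups
 * cannot change a record that was already handed out. */
static struct pw_rec *lookup_alloc(const char *name) {
    const struct pw_rec *p = lookup_static(name);
    if (p == NULL) return NULL;
    struct pw_rec *copy = malloc(sizeof *copy);
    if (copy != NULL) *copy = *p;
    return copy;
}

unsigned uid_of_a_alloc(const char *a, const char *b) {
    struct pw_rec *pa = lookup_alloc(a);
    struct pw_rec *pb = lookup_alloc(b);
    unsigned uid = pa ? pa->uid : 0;
    free(pa); free(pb);
    return uid;
}
```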
Comment 9 Gerald (Jerry) Carter 2005-03-09 09:32:04 UTC
can someone give me the one sentence summary on 
how to reproduce this crash?
Comment 10 Justin Maggard 2005-03-15 20:47:13 UTC
I hope I'm not breaking any rules by posting to this bug.  But I have a pretty
easy way to reproduce this (I think) problem.  I was going to post a new bug,
but I was lucky enough to find this one posted, and it sounds strikingly
similar.  Here is how:

1) Put a "include = %G" in your smb.conf file.
2) Try making a connection to any share from an ADS member, ensuring that
kerberos is in use.

It may take a couple of tries making a connection before you get the sig 11. 
I'm building samba with Andrew's patch right now, but I have a feeling it will
work.  I have been trying to track this one down for a few days now, and I'm
pretty sure it's the same place.  Cheers!
Comment 11 Gerald (Jerry) Carter 2005-06-07 10:49:09 UTC
patch applied
Comment 12 Gerald (Jerry) Carter 2005-08-24 10:16:58 UTC
sorry for the same, cleaning up the database to prevent unnecessary reopens of bugs.