Note - Server OS = FreeBSD 4.8 - Client OS = Windows Server 2003

I can't generate a crash dump, but I could verify it doesn't happen in 3.0.8 or 3.0.11. I'll commit this and then see about uploading the logs as attachments.

I CAN connect with smbclient, but to do so I had to alter the users.map from what the earlier versions used:

Old (3.0.8 / 3.0.10) users.map:
u1005 = MY.FULL.DOMAIN\mitch

NEW (3.0.11) users.map:
u1005 = MY.FULL.DOMAIN\mitch MY\mitch
                             ++++++++

This alias to the short form of the domain (or workgroup name) was required in 3.0.11 - is that a config error on my part?

Here is the config file (stripped of a lot of stuff that wasn't needed to reproduce the bug):

[global]
realm = MY.FULL.DOMAIN
workgroup = MY
security = ADS
netbios name = SLIM1
bind interfaces only = yes
interfaces = 10.1.0.4/8
log level = 10
log file = /usr/local/samba/var/smbd-%G.log
username map = /usr/local/samba/lib/users.map
#add group shares
include = /home/%G/shares.conf

[homes]
comment = %U's Documents
valid users = %S
read only = No
browseable = No
profile acls = Yes
csc policy = disable
create mask = 0711
directory mask = 0711
map archive = Yes
map hidden = Yes
map system = Yes
#ADD THESE TWO LINES TO WORK WITH NORMAL PWD ENTRY
# path = %H/vserver/home/%U/HTS_MyDocuments
hide files = /RECYCLER/
Created attachment 983: This is a log 10 of a Windows 2003 client connecting

This log, which shows connection from the w2k3 server, creates (as expected) three log files:

log.smbd - during startup
smbd-%G.log - after loading config and directing output to group based log files
smbd-s100592.log - log after authenticating the group
Created attachment 984: This is a log of a successful connect from smbclient

This log, which shows connection from the smbclient, creates ONLY two log files:

log.smbd - during startup
smbd-%G.log - after loading config and directing output to group based log files

THERE IS NO smbd-s100592.log log after authenticating the group.

Connection command was:

smbclient -I 10.1.0.4 -U MY.FULL.DOMAIN\\admin-m \\\\slim1\\u100595
Log files were obfuscated by replacing the real domain with MY.FULL.DOMAIN - hopefully that doesn't confuse anything - I just don't like leaving internal information on public posts - thanks! I now have a test server running so I can validate any fix or attempt to provide further information if required.
Created attachment 986: capture of gdb output running with --enable-debug

This is a capture of screen output during a gdb run of smbd. Steps:

rebuilt samba with:
./configure --with-krb5=/usr/heimdal --with-mysql-prefix=/usr/local/db/mysql --with-expsam=mysql --enable-debug

Not currently using the mysql mod in this config, but that's in the normal build - so for now I've kept the same config... will try removing it to see if it has any impact.

gdb /usr/local/samba/sbin/smbd
set args -i
run

The odd thing is that with --enable-debug, the connection just seems to hang with HUGE pauses between any indication of activity in the output - for a while, I was pasting "\n\nLONG PAUSE\n\n" into the debug output to make it obvious where they occurred, but eventually I gave up and exited gdb.
Created attachment 988: a log of an smbd -i run

ran smbd -i (after enable-debug and recompile)
added comments in log prefaced with MITCH2
seems to terminate "normally" but shouldn't be terminating at all
Created attachment 989: finally a backtrace

backtrace produced by adding:

panic action = "/bin/sleep 90000"

to my smb.conf - then, when making the connection that causes the crash, I did a ps, identified the new process, and attached to it:

gdb ../sbin/smbd $PID

saved this backtrace (bt)

Just leaving these notes here in case they help someone else - would be good to update the samba bugs page with advice on this - thanks "vl"!
Created attachment 990: ran a bt full as requested

same procedure - this time a bt full
Created attachment 991: Move to allocated passwd structures

I suspect a use-after-free due to the way Get_Pwnam() works. smb_getpwnam() calls Get_Pwnam(). The attached patch moves to an allocated return structure.
can someone give me the one sentence summary on how to reproduce this crash?
I hope I'm not breaking any rules by posting to this bug. But I have a pretty easy way to reproduce this (I think) problem. I was going to post a new bug, but I was lucky enough to find this one posted, and it sounds strikingly similar. Here is how:

1) Put a "include = %G" in your smb.conf file.
2) Try making a connection to any share from an ADS member, ensuring that kerberos is in use.

It may take a couple of tries making a connection before you get the sig 11. I'm building samba with Andrew's patch right now, but I have a feeling it will work. I have been trying to track this one down for a few days now, and I'm pretty sure it's the same place. Cheers!
patch applied
sorry for the same, cleaning up the database to prevent unnecessary reopens of bugs.