Bug 269 - winbindd crashes on challenge/response password authentication for user with umlaut character(s)
Status: CLOSED FIXED
Product: Samba 3.0
Classification: Unclassified
Component: winbind
Version: 3.0.0preX
Hardware: All Linux
Importance: P3 critical
Assigned To: Tim Potter
Reported: 2003-08-04 11:18 UTC by A. Steinmetz
Modified: 2005-11-14 09:24 UTC (History)
Attachments
fix character set conversion for winbindd_pam_auth_crap() (2.79 KB, patch)
2003-08-05 18:04 UTC, Tim Potter

Description A. Steinmetz 2003-08-04 11:18:56 UTC
Winbindd crashes when doing a challenge/response authentication for a user
with umlaut character(s).

Test Setup:

NT4 PDC (SP6a) german running under VMWare with DOMAIN as domain name
Samba 3.0.0 Beta 3 with the following smb.conf

interfaces = 172.16.172.1/255.255.255.0
password server = NT4PDCSP6IE6
workgroup = DOMAIN
netbios name = SAMBA
bind interfaces only = yes
winbind enable local accounts = no
winbind trusted domains only = yes
winbind use default domain = yes
security = domain
encrypt passwords = yes
debug level = 0
idmap uid = 10000-50000
idmap gid = 10000-50000
unix charset = iso-8859-1
display charset = iso-8859-1

Now join the domain with (replace <password> with the actual password):

net join member -S NT4PDCSP6IE6 -U Administrator%<password>

Then set the auth user with:

wbinfo --set-auth-user=Administrator%<password>

Create two users on the NT4 PDC, named "Meier" and "Möller", both with
a password of "12345" (users don't need to change password at next logon).

Now start winbindd as root:

winbindd -i

Then do in another shell (again as root) the following (and note that for
both users plaintext authentication does succeed):

# wbinfo --authenticate=Meier%12345
plaintext password authentication succeeded
challenge/response password authentication succeeded
# wbinfo --authenticate=Möller%12345
plaintext password authentication succeeded
challenge/response password authentication failed
Could not authenticate user Möller with challenge/response
#

Note that it may take a few repeated attempts to authenticate "Möller" with
wbinfo (as shown above) to crash winbindd.

The resulting crash of winbindd during processing of "Möller" then is:

winbindd version 3.0.0beta3 started.
Copyright The Samba Team 2000-2003
Conversion error: Illegal multibyte sequence()
winbindd_pam_auth_crap: pull_utf8_talloc failed!
===============================================================
INTERNAL ERROR: Signal 11 in pid 26320 (3.0.0beta3)
Please read the appendix Bugs of the Samba HOWTO collection
===============================================================
PANIC: internal error
BACKTRACE: 1 stack frames:
 #0 /tmp/samba3/sbin/winbindd(smb_panic+0x11c) [0x80cec4c]
Aborted


Note that there are different error messages returned during various
attempts to authenticate "Möller":

# wbinfo --authenticate=Möller%12345
plaintext password authentication succeeded
challenge/response password authentication failed
error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
error messsage was: No such user

# wbinfo --authenticate=Möller%12345
plaintext password authentication succeeded
challenge/response password authentication failed
Could not authenticate user Möller with challenge/response

I'll provide a winbindd level 10 debug of the crash on request (email).
Comment 1 Tim Potter 2003-08-05 17:01:55 UTC
It's much better if you can attach any logs in Bugzilla rather than sending to
jerry by private email.

Thanks for the detailed problem description.
Comment 2 Tim Potter 2003-08-05 18:02:18 UTC
cc bartlett, reassign to me.
Comment 3 Tim Potter 2003-08-05 18:04:42 UTC
Created attachment 63
fix character set conversion for winbindd_pam_auth_crap()

I have attached a patch.  Can you test it out?  It seems to work for me.

Mr Bartlett, what do you think of this?  The bug was that we were assuming that
the user/domain/workstation name was in utf8 codepage when in fact it is in
unix codepage.  The fix is to not do any character conversion chicanery before
passing the parameters to cli_netlogon_sam_network_logon() where they are
converted from CH_UNIX to CH_UCS2.

The equivalent fix does not need to be applied to winbindd_pam_auth() as it
doesn't contain any character set conversion code at all!
Comment 4 Tim Potter 2003-08-05 18:06:46 UTC
This must be fixed before we release 3.0.
Comment 5 Andrew Bartlett 2003-08-06 21:52:53 UTC
The UTF8 stuff was added because I wanted external tools using the winbind pipe
to not have to figure out what charset 'unix' was.  However, as it only ever
applied to the challenge/response function, and we provide the helper for that
anyway, we can probably just drop it.

We should perhaps provide a function that returns the 'unix' charset name.

Make sure you 'fix' the various client tools while you are at it (ntlm_auth,
auth_winbindd in particular).

Andrew Bartlett
Comment 6 Tim Potter 2003-08-06 22:42:52 UTC
Having winbindd always use UTF8 sounds like a good solution.  I am not in favour
of adding another winbindd command to get the current character set - yuck.

wbinfo and smbd are also users of this particular function.
Comment 7 A. Steinmetz 2003-08-10 07:00:53 UTC
The attachment https://bugzilla.samba.org/attachment.cgi?id=63&action=view
doesn't fix the bug for me. Maybe it works with current CVS as it applied
with offsets but it does not work with 3.0.0beta3. The crash is still there:

wbinfo -a Möller%12345
plaintext password authentication succeeded
challenge/response password authentication failed
Could not authenticate user Möller with challenge/response

results in:

Conversion error: Illegal multibyte sequence()
winbindd_pam_auth_crap: pull_utf8_talloc failed!
[24513]: pam auth crap domain: DOMAIN user: (null)
===============================================================
INTERNAL ERROR: Signal 11 in pid 24511 (3.0.0beta3)
Please read the appendix Bugs of the Samba HOWTO collection
===============================================================
PANIC: internal error
BACKTRACE: 1 stack frames:
 #0 /tmp/samba3/sbin/winbindd(smb_panic+0x11c) [0x80cec4c]
Aborted


Just FYI:

# patch -p0 < /tmp/samba3.patch
patching file nsswitch/winbindd_pam.c
Hunk #1 succeeded at 257 (offset 49 lines).
Hunk #3 succeeded at 303 (offset 49 lines).
# make
Using FLAGS =  -O3 -fomit-frame-pointer -funroll-loops -fexpensive-optimizations
-fschedule-insns2 -fcse-follow-jumps -fcse-skip-blocks -frerun-cse-after-loop
-frerun-loop-opt -fgcse -fgcse-lm -fgcse-sm -fdelete-null-pointer-checks
-falign-loops -falign-jumps -falign-functions -mcpu=pentiumpro -march=pentiumpro
-mmmx -minline-all-stringops -I/usr/local/openldap/include  -Iinclude
-I/tmp/samba-3.0.0beta3/source/include -I/tmp/samba-3.0.0beta3/source/ubiqx
-I/tmp/samba-3.0.0beta3/source/smbwrapper  -I. -D_LARGEFILE64_SOURCE
-D_FILE_OFFSET_BITS=64 -D_GNU_SOURCE -I/usr/local/openldap/include
-I/tmp/samba-3.0.0beta3/source
      LIBS = -lcrypt -lresolv -lnsl -ldl
      LDSHFLAGS = -shared  -s -L/usr/local/openldap/lib
      LDFLAGS = -s -L/usr/local/openldap/lib
Compiling nsswitch/winbindd_pam.c
Linking bin/winbindd
Comment 8 Tim Potter 2003-08-11 09:41:54 UTC
I haven't tried the patch against beta3, but it should work.  Did you restart
winbindd before rerunning wbinfo?  The code that produces the "pull_utf8_talloc
failed" message should have been removed by the patch.
Comment 9 A. Steinmetz 2003-08-11 11:57:59 UTC
Sorry,
your patch fixes the problem.
/me must remember to copy winbindd to the _correct_ directory
(/me ducks and looks for the brown paper bag).
Comment 10 Tim Potter 2003-08-11 16:46:13 UTC
No worries.  I am testing a more correct patch now.
Comment 11 Tim Potter 2003-08-11 17:50:23 UTC
I've applied the inverse patch to the one I submitted previously.  The fix turns
out to be to change wbinfo to convert arguments to utf8.  My previous patch
removed the utf8 support in the winbindd server.
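
Added example, not part of the bug thread and not Samba code: a self-contained C sketch of the two halves discussed above, the client re-encoding the name to UTF-8 before sending it and the server refusing input that is not valid UTF-8 instead of carrying on after a failed conversion. The function names are hypothetical, and ISO-8859-1 as the client charset is taken from the reporter's smb.conf.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Strict UTF-8 check: no stray bytes, overlongs, surrogates, > U+10FFFF. */
static int utf8_valid(const char *str) {
    const unsigned char *s = (const unsigned char *)str;
    while (*s) {
        long cp, min, need;
        unsigned char c = *s++;
        if (c < 0x80) continue;
        if ((c & 0xE0) == 0xC0)      { need = 1; cp = c & 0x1F; min = 0x80; }
        else if ((c & 0xF0) == 0xE0) { need = 2; cp = c & 0x0F; min = 0x800; }
        else if ((c & 0xF8) == 0xF0) { need = 3; cp = c & 0x07; min = 0x10000; }
        else return 0;
        while (need--) {
            if ((*s & 0xC0) != 0x80) return 0;  /* also stops at the NUL */
            cp = (cp << 6) | (*s++ & 0x3F);
        }
        if (cp < min || cp > 0x10FFFF || (cp >= 0xD800 && cp <= 0xDFFF)) return 0;
    }
    return 1;
}

/* Client side (hypothetical helper): ISO-8859-1 to UTF-8, caller frees. */
static char *latin1_to_utf8(const char *in) {
    char *out = malloc(2 * strlen(in) + 1), *p = out;
    if (!out) return NULL;
    for (; *in; in++) {
        unsigned char c = (unsigned char)*in;
        if (c >= 0x80) { *p++ = (char)(0xC0 | (c >> 6)); c = 0x80 | (c & 0x3F); }
        *p++ = (char)c;
    }
    *p = '\0';
    return out;
}

/* Server side (hypothetical helper): 0 = accepted, -1 = request refused. */
static int accept_user(const char *wire, char *dst, size_t dstlen) {
    if (!wire || strlen(wire) >= dstlen || !utf8_valid(wire)) return -1;
    memcpy(dst, wire, strlen(wire) + 1);
    return 0;
}

int main(void) {
    char buf[64], *fixed = latin1_to_utf8("M\xF6ller");  /* constructed input */
    printf("raw ISO-8859-1: %d\n", accept_user("M\xF6ller", buf, sizeof buf));
    printf("re-encoded:     %d\n", accept_user(fixed, buf, sizeof buf));
    free(fixed);
    return 0;
}
```

In the raw ISO-8859-1 name, byte 0xF6 has the bit pattern of a four-byte UTF-8 lead and is followed by 'l', which is not a continuation byte, so the name is refused rather than passed on.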
Comment 12 Gerald (Jerry) Carter 2005-02-07 08:41:23 UTC
originally reported against 3.0.0beta3.  Cleaning out
non-production release versions.
Comment 13 Gerald (Jerry) Carter 2005-08-24 10:20:38 UTC
sorry for the same, cleaning up the database to prevent unnecessary reopens of bugs.
Comment 14 Gerald (Jerry) Carter 2005-11-14 09:24:15 UTC
database cleanup