samba 3.0.21c, 3.0.23c and even 3.0.24pre1-SVN-build-19601 seem to trash memory 'somewhere' when accessing shares.

First I thought it has something to do with glibc 2.3.6 (as suspected in some other bugreports) but then I found this in my winxp-client-logfile on OSF samba:

[2006/11/07 13:00:33, 0] lib/util_str.c:safe_strcat_fn(636)
  ERROR: string overflow by 1 in safe_strcat [-1]
[2006/11/07 13:00:33, 0] lib/util_str.c:safe_strcat_fn(636)
  ERROR: string overflow by 10 in safe_strcat [-537783676]
[2006/11/07 13:00:33, 0] lib/util_str.c:safe_strcat_fn(636)
  ERROR: string overflow by 2 in safe_strcat [-1]
[2006/11/07 13:00:33, 0] lib/util_str.c:safe_strcat_fn(636)
  ERROR: string overflow by 2 in safe_strcat [-0]
[2006/11/07 13:00:33, 0] lib/util_str.c:safe_strcat_fn(636)
  ERROR: string overflow by 2 in safe_strcat [-0]
[2006/11/07 13:00:33, 0] lib/util_str.c:safe_strcat_fn(636)
  ERROR: string overflow by 11 in safe_strcat [-1076392016]
[2006/11/07 13:00:33, 0] lib/util_str.c:safe_strcat_fn(636)
[...]
[2006/11/07 13:00:33, 0] lib/fault.c:fault_report(41)
  ===============================================================
[2006/11/07 13:00:33, 0] lib/fault.c:fault_report(42)
  INTERNAL ERROR: Signal 11 in pid 32448 (3.0.23c)
  Please read the Trouble-Shooting section of the Samba3-HOWTO
[2006/11/07 13:00:33, 0] lib/fault.c:fault_report(44)
  From: http://www.samba.org/samba/docs/Samba3-HOWTO.pdf
[2006/11/07 13:00:33, 0] lib/fault.c:fault_report(45)
  ===============================================================
[2006/11/07 13:00:33, 0] lib/util.c:smb_panic(1591)
  PANIC (pid 32448): internal error
[2006/11/07 13:00:33, 0] lib/util.c:log_stack_trace(1749)
  unable to produce a stack trace on this platform
[2006/11/07 13:00:33, 0] lib/fault.c:dump_core(173)
  dumping core in /var/samba/cores/smbd

This is a Digital Unix OSF 4.0f box running definitely NO glibc 8-)

root@warthole# gdb /usr/local/samba/bin/smbd core
GNU gdb 5.2.1
This GDB was configured as "alpha-dec-osf4"...
Core was generated by `smbd'.
Program terminated with signal 6, Aborted.
[...]
#0 0x3ff800e9b78 in kill () from /usr/shlib/libc.so
(gdb) bt
#0 0x3ff800e9b78 in kill () from /usr/shlib/libc.so
#1 0x3ff801a508c in tis_lock_global () from /usr/shlib/libc.so
#2 0x3ff80112014 in tis_raise () from /usr/shlib/libc.so
#3 0x3ff8015f6d4 in raise () from /usr/shlib/libc.so
#4 0x3ff801766ec in abort () from /usr/shlib/libc.so
#5 0x12024b18c in dump_core () at lib/fault.c:5
#6 0x120267058 in log_stack_trace () at lib/util.c:5

since I didn't expect it to crash I had no --enable-debug-version on osf. here is now a freshly built 3.0.23c with debug, no debuglevel:

[2006/11/08 12:08:07, 0] lib/util_str.c:safe_strcat_fn(636)
  ERROR: string overflow by 8 in safe_strcat [-1650601842]
[2006/11/08 12:08:10, 1] smbd/service.c:make_connection_snum(941)
  waldi (141.14.22.101) connect to service mamepimages initially as user imgdata (uid=1087, gid=372) (pid 506

I'll attach the corresponding level 10 logfile.

On our linux-boxes it is even more mystical:

[2006/11/07 17:20:08, 3] lib/privileges.c:get_privileges(261)
  get_privileges: No privileges assigned to SID [S-1-5-2]
[2006/11/07 17:20:08, 3] lib/privileges.c:get_privileges(261)
  get_privileges: No privileges assigned to SID [S-1-5-11]
[2006/11/07 17:20:08, 3] lib/privileges.c:get_privileges(261)
  get_privileges: No privileges assigned to SID [S-1-22-2-392]
[2006/11/07 17:20:08, 11] passdb/lookup_sid.c:sid_to_gid(1347)
  sid_to_gid: no one knows the SID S-1-22-1-1087 (tried local, then winbind)
[2006/11/07 17:20:08, 10] smbd/service.c:make_connection_snum(750)
  Could not convert SID S-1-22-1-1087 to gid, ignoring it
[2006/11/07 17:20:08, 0] lib/fault.c:fault_report(41)
  ===============================================================
[2006/11/07 17:20:08, 0] lib/fault.c:fault_report(42)
  INTERNAL ERROR: Signal 11 in pid 16945 (3.0.24pre1-SVN-build-19601)
  Please read the Trouble-Shooting section of the Samba3-HOWTO
[2006/11/07 17:20:08, 0] lib/fault.c:fault_report(44)
  From: http://www.samba.org/samba/docs/Samba3-HOWTO.pdf
[2006/11/07 17:20:08, 0] lib/fault.c:fault_report(45)
  ===============================================================
[2006/11/07 17:20:08, 0] lib/util.c:smb_panic(1605)
  PANIC (pid 16945): internal error
[2006/11/07 17:20:08, 0] lib/util.c:log_stack_trace(1709)
  BACKTRACE: 16 stack frames:
  #0 /usr/local/samba/bin/smbd(log_stack_trace+0x1c) [0x555555809058]
  #1 /usr/local/samba/bin/smbd(smb_panic+0x7e) [0x555555808eae]
  #2 /usr/local/samba/bin/smbd [0x5555557f10a3]
  #3 /usr/local/samba/bin/smbd [0x5555557f10b6]
  #4 /lib/libc.so.6 [0x2b0567c3d680]
  #5 /usr/local/samba/bin/smbd(Debug1+0x22c) [0x5555557f0a8e]
  #6 /usr/local/samba/bin/smbd(dbghdr+0x163) [0x5555557f0d63]
  #7 /usr/local/samba/bin/smbd(make_connection+0x856) [0x555555677e01]
  #8 /usr/local/samba/bin/smbd(reply_tcon_and_X+0x3fb) [0x555555623a1a]
  #9 /usr/local/samba/bin/smbd [0x555555672bc5]
  #10 /usr/local/samba/bin/smbd [0x555555672c83]
  #11 /usr/local/samba/bin/smbd [0x555555672eda]
  #12 /usr/local/samba/bin/smbd(smbd_process+0x144) [0x555555674193]
  #13 /usr/local/samba/bin/smbd(main+0x953) [0x5555559d8121]
  #14 /lib/libc.so.6(__libc_start_main+0xd3) [0x2b0567c2b493]
  #15 /usr/local/samba/bin/smbd [0x5555555e075a]

here's another one:

[2006/11/08 09:59:57, 5] auth/auth_util.c:debug_unix_user_token(474)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2006/11/08 09:59:57, 3] smbd/sec_ctx.c:pop_sec_ctx(356)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2006/11/08 09:59:57, 3] smbd/sec_ctx.c:push_sec_ctx(208)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2006/11/08 09:59:57, 3] smbd/uid.c:push_conn_ctx(350)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2006/11/08 09:59:57, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2006/11/08 09:59:57, 5] auth/auth_util.c:debug_nt_user_token(448)
  NT user token: (NULL)
[2006/11/08 09:59:57, 5] auth/auth_util.c:debug_unix_user_token(474)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2006/11/08 09:59:57, 3] smbd/sec_ctx.c:pop_sec_ctx(356)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2006/11/08 09:59:57, 3] lib/privileges.c:get_privileges(261)
  get_privileges: No privileges assigned to SID [S-1-22-1-1087]
[2006/11/08 09:59:57, 3] lib/privileges.c:get_privileges(261)
  get_privileges: No privileges assigned to SID [S-1-22-2-372]
[2006/11/08 09:59:57, 5] lib/privileges.c:get_privileges_for_sids(459)
  get_privileges_for_sids: sid = S-1-1-0 Privilege set: SE_PRIV 0x0 0x0 0x0 0x0
[2006/11/08 09:59:57, 3] lib/privileges.c:get_privileges(261)
  get_privileges: No privileges assigned to SID [S-1-5-2]
[2006/11/08 09:59:57, 3] lib/privileges.c:get_privileges(261)
  get_privileges: No privileges assigned to SID [S-1-5-11]
[2006/11/08 09:59:57, 3] lib/privileges.c:get_privileges(261)
  get_privileges: No privileges assigned to SID [S-1-22-2-392]
[2006/11/08 09:59:57, 0] lib/fault.c:fault_report(41)
  ===============================================================
[2006/11/08 09:59:57, 0] lib/fault.c:fault_report(42)
  INTERNAL ERROR: Signal 11 in pid 22811 (3.0.24pre1-SVN-build-19601)
  Please read the Trouble-Shooting section of the Samba3-HOWTO
[2006/11/08 09:59:57, 0] lib/fault.c:fault_report(44)
  From: http://www.samba.org/samba/docs/Samba3-HOWTO.pdf
[2006/11/08 09:59:57, 0] lib/fault.c:fault_report(45)
  ===============================================================
[2006/11/08 09:59:57, 0] lib/util.c:smb_panic(1605)
  PANIC (pid 22811): internal error
[2006/11/08 09:59:57, 0] lib/util.c:log_stack_trace(1709)
  BACKTRACE: 16 stack frames:
  #0 /usr/local/samba/bin/smbd(log_stack_trace+0x1c) [0x555555809058]
  #1 /usr/local/samba/bin/smbd(smb_panic+0x7e) [0x555555808eae]
  #2 /usr/local/samba/bin/smbd [0x5555557f10a3]
  #3 /usr/local/samba/bin/smbd [0x5555557f10b6]
  #4 /lib/libc.so.6 [0x2b0567c3d680]
  #5 /usr/local/samba/bin/smbd(Debug1+0x22c) [0x5555557f0a8e]
  #6 /usr/local/samba/bin/smbd(dbghdr+0x163) [0x5555557f0d63]
  #7 /usr/local/samba/bin/smbd(make_connection+0x856) [0x555555677e01]
  #8 /usr/local/samba/bin/smbd(reply_tcon_and_X+0x3fb) [0x555555623a1a]
  #9 /usr/local/samba/bin/smbd [0x555555672bc5]
  #10 /usr/local/samba/bin/smbd [0x555555672c83]
  #11 /usr/local/samba/bin/smbd [0x555555672eda]
  #12 /usr/local/samba/bin/smbd(smbd_process+0x144) [0x555555674193]
  #13 /usr/local/samba/bin/smbd(main+0x953) [0x5555559d8121]
  #14 /lib/libc.so.6(__libc_start_main+0xd3) [0x2b0567c2b493]
  #15 /usr/local/samba/bin/smbd [0x5555555e075a]
[2006/11/08 09:59:57, 0] lib/util.c:smb_panic(1610)
  smb_panic(): calling panic action [/bin/sleep 90000]

The error messages differ.. on an x86_64 system, running 3.0.21c, 3.0.23c and even 3.0.24pre1-SVN we find this in the logs:

[2006/11/07 11:51:51, 3] lib/privileges.c:get_privileges(261)
  get_privileges: No privileges assigned to SID [S-1-22-2-392]
[2006/11/07 11:51:51, 11] passdb/lookup_sid.c:sid_to_gid(1347)
*** glibc detected *** malloc(): memory corruption: 0x0000555555db12d0 ***
  sid_to_gid: no one knows the SID S-1-22-1-1087 (tried local, then winbind)

[2006/11/07 12:47:56, 3] lib/privileges.c:get_privileges(261)
  get_privileges: No privileges assigned to SID [S-1-22-2-392]
*** glibc detected *** malloc(): memory corruption: 0x0000555555dc7240 ***

[2006/11/07 14:16:03, 3] lib/privileges.c:get_privileges(261)
  get_privileges: No privileges assigned to SID [S-1-22-2-392]
[2006/11/07 14:16:03, 0] lib/fault.c:fault_report(41)
*** glibc detected *** malloc(): memory corruption: 0x0000555555db12c0 ***

[2006/11/07 14:37:25, 10] smbd/service.c:make_connection_snum(750)
  Could not convert SID S-1-22-1-1087 to gid, ignoring it
[2006/11/07 14:37:25, 0] lib/fault.c:fault_report(41)
  ===============================================================
[2006/11/07 14:37:25, 0] lib/fault.c:fault_report(42)
  INTERNAL ERROR: Signal 11 in pid 28350 (3.0.24pre1-SVN-build-19601)
  Please read the Trouble-Shooting section of the Samba3-HOWTO
[2006/11/07 14:37:25, 0] lib/fault.c:fault_report(44)
  From: http://www.samba.org/samba/docs/Samba3-HOWTO.pdf
[2006/11/07 14:37:25, 0] lib/fault.c:fault_report(45)
  ===============================================================
[2006/11/07 14:37:25, 0] lib/util.c:smb_panic(1605)
  PANIC (pid 28350): internal error
*** glibc detected *** corrupted double-linked list: 0x0000555555dcbed0 ***

[2006/11/07 16:18:54, 11] passdb/lookup_sid.c:sid_to_gid(1347)
  sid_to_gid: no one knows the SID S-1-22-1-1087 (tried local, then winbind)
[2006/11/07 16:18:54, 10] smbd/service.c:make_connection_snum(750)
  Could not convert SID S-1-22-1-1087 to gid, ignoring it
[2006/11/07 16:18:54, 0] lib/fault.c:fault_report(41)
  ===============================================================
[2006/11/07 16:18:54, 0] lib/fault.c:fault_report(42)
  INTERNAL ERROR: Signal 11 in pid 1924 (3.0.24pre1-SVN-build-19601)
  Please read the Trouble-Shooting section of the Samba3-HOWTO
[2006/11/07 16:18:54, 0] lib/fault.c:fault_report(44)
  From: http://www.samba.org/samba/docs/Samba3-HOWTO.pdf
[2006/11/07 16:18:54, 0] lib/fault.c:fault_report(45)
  ===============================================================
[2006/11/07 16:18:54, 0] lib/util.c:smb_panic(1605)
  PANIC (pid 1924): internal error
*** glibc detected *** corrupted double-linked list: 0x0000555555dc65d0 ***

[2006/11/07 16:47:30, 3] lib/privileges.c:get_privileges(261)
  get_privileges: No privileges assigned to SID [S-1-5-2]
[2006/11/07 16:47:30, 3] lib/privileges.c:get_privileges(261)
  get_privileges: No privileges assigned to SID [S-1-5-11]
[2006/11/07 16:47:30, 3] lib/privileges.c:get_privileges(261)
  get_privileges: No privileges assigned to SID [S-1-22-2-392]
[2006/11/07 16:47:30, 11] passdb/lookup_sid.c:sid_to_gid(1347)
*** glibc detected *** malloc(): memory corruption: 0x0000555555db31f0 ***
  sid_to_gid: no one knows the SID S-1-22-1-1087 (tried local, then winbind)

and so on and so on.

facts:
* we are using NIS
* we have about 340 shares in smb.conf
* we do not use netgroup BUT group for access
* the share is defined like this:

[prj_template]
   path = /tmp
   inherit permissions = yes
   delete readonly = yes
   writeable = yes

[mamepimages]
   comment = blah bla
   path = /project/mamepimages
   copy = prj_template
   force user = imgdata
   force group = +abt_her

* abt_her is a unix group, served by NIS (not NIS+) and has about 29 members (the idea is to have all members store data in this share which gets owned by user imgdata)

possible dupes of this bug:
https://bugzilla.samba.org/show_bug.cgi?id=4171

Created attachment 2202
level 10 logfile string overflow WinXP -> OSF smbd

This is the level 10 debug log where we can find string overflow errors. These errors pop up when trying to access a share with group permissions. Interestingly enough they end with

[2006/11/08 12:11:58, 10] smbd/service.c:make_connection_snum(736)
  Could not convert SID S-1-22-1-1087 to gid, ignoring it

before crashing.

Created attachment 2203
simple valgrind log

this is a valgrind log created by starting smbd via valgrind on x86_64 platform

reply_tcon_and_X() pops up here several times ... hmmm....

Created attachment 2204
this is a tcpdump on the smbd-running machine while it crashed

tcpdump -i eth0 host waldi
# win-xp doing a "net use \\ex\mamepimages"

and then this happens:

[2006/11/09 16:06:05, 0] lib/fault.c:fault_report(41)
  ===============================================================
[2006/11/09 16:06:05, 0] lib/fault.c:fault_report(42)
  INTERNAL ERROR: Signal 11 in pid 27981 (3.0.24pre1-SVN-build-19601)
  Please read the Trouble-Shooting section of the Samba3-HOWTO
[2006/11/09 16:06:05, 0] lib/fault.c:fault_report(44)
  From: http://www.samba.org/samba/docs/Samba3-HOWTO.pdf
[2006/11/09 16:06:05, 0] lib/fault.c:fault_report(45)
  ===============================================================
[2006/11/09 16:06:05, 0] lib/util.c:smb_panic(1605)
  PANIC (pid 27981): internal error
*** glibc detected *** corrupted double-linked list: 0x0000555555dbf450 ***
[2006/11/09 16:06:05, 0] lib/fault.c:fault_report(41)
  ===============================================================
[2006/11/09 16:06:05, 0] lib/fault.c:fault_report(42)
  INTERNAL ERROR: Signal 11 in pid 27982 (3.0.24pre1-SVN-build-19601)
  Please read the Trouble-Shooting section of the Samba3-HOWTO
[2006/11/09 16:06:05, 0] lib/fault.c:fault_report(44)
  From: http://www.samba.org/samba/docs/Samba3-HOWTO.pdf
[2006/11/09 16:06:05, 0] lib/fault.c:fault_report(45)
  ===============================================================
[2006/11/09 16:06:05, 0] lib/util.c:smb_panic(1605)
  PANIC (pid 27982): internal error
[2006/11/09 16:06:05, 0] lib/util.c:log_stack_trace(1709)
  BACKTRACE: 5 stack frames:
  #0 /usr/local/samba/bin/smbd(log_stack_trace+0x1c) [0x5555557ffd60]
  #1 /usr/local/samba/bin/smbd(smb_panic+0x7e) [0x5555557ffbb6]
  #2 /usr/local/samba/bin/smbd [0x5555557e8673]
  #3 /usr/local/samba/bin/smbd [0x5555557e8686]
  #4 /lib/libc.so.6 [0x2b6b4412a680]
[2006/11/09 16:06:05, 0] lib/fault.c:dump_core(173)
  dumping core in /var/samba/cores/smbd

Ok, thanks to valgrind I found the first logical bug in smbd/service.c:

At the end of function find_forced_group()

        if (force_user && user_must_be_member) {
                if (user_in_group_sid(username, &group_sid)) {
                        sid_copy(pgroup_sid, &group_sid);
                        *pgid = gid;
                } else {
                        DEBUG(0,("XXX WEEEE !!! FALSE = user_in_group_sid(%s, &group_sid)\n",username));
                }
        } else {
                sid_copy(pgroup_sid, &group_sid);
                *pgid = gid;
        }

if "WEEE" happens... pgroup_sid doesn't get initialised.

this is ... not good 8-)

Got it - thanks ! I'll make sure this gets fixed for 3.0.23d.

Jeremy.

Created attachment 2219
Patch

Proposed patch.

Cool, fixed.

This patch revealed a misconfiguration which triggered the bug:

My smb.conf said

   force user = foo
   force group = +bar

and user foo wasn't a member of group bar.

So, in this case, now an error-message will be dropped:

[2006/11/15 11:14:17, 0] smbd/service.c:find_forced_group(498)
  find_forced_group: forced user foo is not a member of forced group bar. Disallowing access.

All valgrind hits related to this bug are gone now.

Thanks!
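
The bug class found in this thread, shown as an added example that is not part of the original report and is neither Samba's code nor the attached patch: a lookup that reports success on its non-member path without writing its output parameters, next to a variant that fails the lookup instead. The `sid_t` type, the function names, the membership table and the SID/gid values are constructed stand-ins.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-ins (assumptions), not Samba's DOM_SID or NIS lookups. */
typedef struct { char text[32]; } sid_t;
#define POISON 0xA5                 /* fill byte marking "never written" */

/* Constructed membership data: only "alice" is a member of "bar". */
static bool user_in_group(const char *user, const char *group)
{
    return strcmp(user, "alice") == 0 && strcmp(group, "bar") == 0;
}

/* strict=false models the reported flaw: a non-member falls through with
 * the outputs untouched while the call still reports success.
 * strict=true models the fixed behaviour: the lookup fails outright. */
static bool forced_group(bool strict, const char *user, const char *group,
                         bool must_be_member, sid_t *out_sid, int *out_gid)
{
    sid_t group_sid = { "S-1-22-2-392" };   /* constructed SID */

    if (must_be_member && !user_in_group(user, group)) {
        if (strict)
            fprintf(stderr, "%s is not in %s, disallowing access\n",
                    user, group);
        return !strict;             /* non-strict: "success", outputs unset */
    }
    *out_sid = group_sid;
    *out_gid = 392;                 /* constructed gid */
    return true;
}

/* Caller-side probe: poison the outputs, call, and report whether the
 * callee claimed success while leaving the SID buffer unwritten. */
static bool success_with_garbage(bool strict, const char *user)
{
    sid_t sid;
    int gid = -1;
    memset(&sid, POISON, sizeof sid);
    bool ok = forced_group(strict, user, "bar", true, &sid, &gid);
    return ok && (unsigned char)sid.text[0] == POISON;
}

int main(void)
{
    printf("before: %d, after: %d\n", success_with_garbage(false, "foo"),
           success_with_garbage(true, "foo"));
    return 0;
}
```

Poisoning the outputs before the call makes the unwritten-output path deterministic to observe, which is the same condition valgrind flagged as an uninitialised read in the real daemon.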