I'm using Gentoo (the stable tree) and Debian Etch. The recent update that fixes three security bugs has broken my samba domain. I'm able to log in to the domain, but when accessing the share of a machine which is not the PDC, the sharing machine denies my access. "smbclient -L with my user" against that sharing machine returns NT_STATUS_NO_LOGON_SERVERS. If I try smbclient against the PDC, the PDC returns the list of shares. The problem seems to be the fix for CVE-2007-2446. If I recompile the samba package without that fix on my Gentoo boxes, the whole domain works perfectly. The same goes for the Debian machines if I downgrade to the non-fixed version.

Gentoo: Samba 3.0.24-r2
Debian: 3.0.24-6etch1

The log on the sharing machine:

[2007/05/18 11:29:36, 0] auth/auth_domain.c:domain_client_validate(246)
domain_client_validate: unable to validate password for user rafa in domain CRIPTODOMINIO to Domain controller DILMUN. Error was NT_STATUS_UNSUCCESSFUL.
I am also seeing this problem. PDC and local server both have openSUSE 10.2. w2k and winxp workstations are not able to connect to the local server, but are able to connect to the PDC. I also found:

# net rpc share -U marc
Password:
Could not connect to server 127.0.0.1
Connection failed: NT_STATUS_NO_LOGON_SERVERS

# net rpc share -U marc/JLU13IAPKRYO
Password:
print$
mnt
IPC$
LaserJet6P
LaserJet2100
HP4050N

Somehow the domain is no longer added to the username?
Please attach a full level 10 debug log (gzipped) from the server. Thanks.
May the log contain sensitive data? If the answer is yes, could I e-mail it to someone?
(In reply to comment #2)
ok. w2k machine (pc13messknecht1) tries to connect to server mostly-harmless, which authenticates with pdc fb07-iapwap1. I also find it irritating that mostly-harmless seems not to be able to find a master browser. So I also attached log.nmbd. Hope this helps.
Created attachment 2706 [details] serverlog
Created attachment 2707 [details] server's nmbd log
Is the local or non-PDC server a member of the same domain? Is a force user or group parameter used for the non-working share?
(In reply to comment #7)
> Is the local or non PDC server a member of the same domain?
yes
> Is a force user or group parameter used for the non working share?
no

attached are the local server's smb.conf and the pdc smb.conf
Created attachment 2710 [details] configuration of the local server
Created attachment 2711 [details] smb.conf of the pdc
(In reply to comment #7)
> Is the local or non PDC server a member of the same domain?
The sharing server and the PDC are on the same domain.
> Is a force user or group parameter used for the non working share?
Neither "force user" nor "force group" parameters used.
Created attachment 2712 [details] smb.conf for the PDC
Created attachment 2713 [details] smb.conf for the sharing server
I debugged this problem a little bit further and found out that this hunk causes the problem: --- source/rpc_parse/parse_prs.c 2007-05-10 09:47:19.000000000 -0500 +++ source/rpc_parse/parse_prs.c 2007-05-10 09:48:03.000000000 -0500 @@ -156,7 +156,7 @@ { char *ret = NULL; - if (size) { + if (size && count) { /* We can't call the type-safe version here. */ ret = _talloc_zero_array(ps->mem_ctx, size, count, "parse_prs"); } I don't know what this code is doing, but it may help ...
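Review bot: with `if (size && count)` a zero-count request now leaves `ret` as NULL, which is the same value a caller sees on a real allocation failure, so any caller that legitimately marshals an empty array (the count=0 path through prs_unistr2/smb_io_unistr2 for an empty UNISTR2 field, as the uni_profile_path frame in the later backtrace shows) will treat the parse as failed. Either make those callers skip the allocation when count is zero before calling prs_alloc_mem(), or document that NULL is the expected result for count == 0 and audit every call site for that case; the hunk is otherwise the right guard against handing a zero-length request to _talloc_zero_array.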
This code is part of the security fix. You must not remove it. What I need to know is the call stack above this - ie. what call is being made that triggers this code ? Jeremy.
(In reply to comment #15)
> This code is part of the security fix. You must not remove it.
>
> What I need to know is the call stack above this - ie. what call is being
> made that triggers this code ?

something like this?

Breakpoint 1, prs_alloc_mem (ps=0xbfce6fd4, size=2, count=4) at rpc_parse/parse_prs.c:156
156 {
(gdb) bt
#0 prs_alloc_mem (ps=0xbfce6fd4, size=2, count=4) at rpc_parse/parse_prs.c:156
#1 0x800e8fb7 in prs_unistr2 (charmode=1, name=0x802df59f "buffer ", ps=0xbfce6fd4, depth=3, str=0xbfce71cc) at rpc_parse/parse_prs.c:1130
#2 0x800eb390 in smb_io_unistr2 (desc=0x80301212 "uni_user_name", uni2=0xbfce71cc, buffer=1, ps=0xbfce6fd4, depth=3) at rpc_parse/parse_misc.c:1040
#3 0x80176675 in net_io_user_info3 (desc=0x802fceb8 "", usr=0xbfce70f0, ps=0xbfce6fd4, depth=2, validation_level=3, kerb_validation_level=0) at rpc_parse/parse_net.c:1782
#4 0x80176e4e in net_io_r_sam_logon (desc=0x802fceb8 "", r_l=0xbfce7024, ps=0xbfce6fd4, depth=1) at rpc_parse/parse_net.c:1934
#5 0x8027663a in rpccli_netlogon_sam_network_logon (cli=0x8040f0e0, mem_ctx=0x80369348, logon_parameters=2080, server=0xbfce7308 "FB07-IAPWAP1", username=0x80380ff8 "marc", domain=0x8036a058 "JLU13IAPKRYO", workstation=0x80369780 "FEM1", chal=0x803893a0 "��<ʪnQ�@", lm_response={data = 0x0, length = 0, free = 0}, nt_response= {data = 0x80381248 "\231\035�\220\223\226��AS����\034\223ɻ;a\214��8 ", length = 24, free = 0x80213e20 <free_data_blob>}, info3=0xbfce70f0) at rpc_client/cli_netlogon.c:906
#6 0x8025946a in domain_client_validate (mem_ctx=0x80369348, user_info=0x8040d978, domain=0x803698d8 "JLU13IAPKRYO", chal=0x803893a0 "��<ʪnQ�@", server_info=0x803c5b70, dc_name=0xbfce7308 "FB07-IAPWAP1", dc_ip={s_addr = 2031333510}) at auth/auth_domain.c:224
#7 0x80259c13 in check_ntdomain_security (auth_context=0x80369738, my_private_data=0x0, mem_ctx=0x80369348, user_info=0x8040d978, server_info=0x803c5b70) at auth/auth_domain.c:319
#8 0x802579bc in check_winbind_security (auth_context=0x80369738, my_private_data=0x80399660, mem_ctx=0x80369348, user_info=0x8040d978, server_info=0x803c5b70) at auth/auth_winbind.c:118
#9 0x802546ab in check_ntlm_password (auth_context=0x80369738, user_info=0x8040d978, server_info=0x803c5b70) at auth/auth.c:257
#10 0x8025fa10 in auth_ntlmssp_check_password (ntlmssp_state=0x80466850, user_session_key=0xbfce8ce4, lm_session_key=0xbfce8cd8) at auth/auth_ntlmssp.c:111
#11 0x800f407f in ntlmssp_server_auth (ntlmssp_state=0x80466850, request= {data = 0x803b22f8 "NTLMSSP", length = 176, free = 0x80213e20 <free_data_blob>}, reply=0xbfce9ca0) at libsmb/ntlmssp.c:790
#12 0x800f2672 in ntlmssp_update (ntlmssp_state=0x80466850, in= {data = 0x803b22f8 "NTLMSSP", length = 176, free = 0x80213e20 <free_data_blob>}, out=0xbfce9ca0) at libsmb/ntlmssp.c:341
#13 0x8025f6eb in auth_ntlmssp_update (auth_ntlmssp_state=0x803c5b68, request= {data = 0x803b22f8 "NTLMSSP", length = 176, free = 0x80213e20 <free_data_blob>}, reply=0xbfce9ca0) at auth/auth_ntlmssp.c:204
#14 0x8008734c in reply_sesssetup_and_X (conn=0x0, inbuf=0x804120b8 "", outbuf=0x80432500 "", length=324, bufsize=131072) at smbd/sesssetup.c:625
#15 0x800b3d40 in switch_message (type=115, inbuf=0x804120b8 "", outbuf=0x80432500 "", size=324, bufsize=131072) at smbd/process.c:991
#16 0x800b4e3b in smbd_process () at smbd/process.c:1018
#17 0x802bf020 in main (argc=Cannot access memory at address 0x1 ) at smbd/server.c:1024

in this case the client is FEM1.
ohh - I guess you wanted a trace with count=0. Sorry.

(gdb) set follow-fork-mode child
(gdb) break prs_alloc_mem if count=0
Breakpoint 1 at 0x800e89e7: file rpc_parse/parse_prs.c, line 159.
(gdb) cont
Continuing.

Program received signal SIGABRT, Aborted.
[Switching to process 6456]
0xb7f85410 in ?? ()
(gdb) bt
#0 0xb7f85410 in ?? ()
#1 0xbfeea5d0 in ?? ()
#2 0x00000006 in ?? ()
#3 0x00001938 in ?? ()
#4 0xb7ae0060 in raise () from /lib/libc.so.6
#5 0xb7ae1801 in abort () from /lib/libc.so.6
#6 0xb7b15abb in __libc_message () from /lib/libc.so.6
#7 0xb7b1b6e1 in malloc_printerr () from /lib/libc.so.6
#8 0xb7b1d671 in _int_malloc () from /lib/libc.so.6
#9 0xb7b1f0c5 in malloc () from /lib/libc.so.6
#10 0x8021de53 in _talloc (context=0xb7be2140, size=0) at lib/talloc.c:183
#11 0x8021e119 in talloc_named_const (context=0x80411ce0, size=0, name=0x802def13 "parse_prs") at lib/talloc.c:425
#12 0x8021e2f3 in _talloc_zero (ctx=0x80411ce0, size=0, name=0x802def13 "parse_prs") at lib/talloc.c:1002
#13 0x8021e355 in _talloc_zero_array (ctx=0x80411ce0, el_size=6456, count=0, name=0x802def13 "parse_prs") at lib/talloc.c:1213
#14 0x800e8a0e in prs_alloc_mem (ps=0xbfeeb124, size=6, count=0) at rpc_parse/parse_prs.c:161
#15 0x800e8fb7 in prs_unistr2 (charmode=1, name=0x802df59f "buffer ", ps=0xbfeeb124, depth=3, str=0xbfeeb34c) at rpc_parse/parse_prs.c:1130
#16 0x800eb390 in smb_io_unistr2 (desc=0x80301220 "uni_profile_path", uni2=0xbfeeb34c, buffer=1, ps=0xbfeeb124, depth=3) at rpc_parse/parse_misc.c:1040
#17 0x8017670e in net_io_user_info3 (desc=0x802fceb8 "", usr=0xbfeeb240, ps=0xbfeeb124, depth=2, validation_level=3, kerb_validation_level=0) at rpc_parse/parse_net.c:1788
#18 0x80176e4e in net_io_r_sam_logon (desc=0x802fceb8 "", r_l=0xbfeeb174, ps=0xbfeeb124, depth=1) at rpc_parse/parse_net.c:1934
#19 0x8027663a in rpccli_netlogon_sam_network_logon (cli=0x8040e3f8, mem_ctx=0x80411ce0, logon_parameters=2080, server=0xbfeeb458 "FB07-IAPWAP1", username=0x80369778 "marc", domain=0x803b3c10 "JLU13IAPKRYO", workstation=0x80380fe0 "FB07-FEM4", chal=0x803dd380 "�2��\022��\202@", lm_response={data = 0x0, length = 0, free = 0}, nt_response= {data = 0x804116b8 "�J\022�\030��\205bz\025��\b��\231\217�\227�6\006\207 ", length = 24, free = 0x80213e20 <free_data_blob>}, info3=0xbfeeb240) at rpc_client/cli_netlogon.c:906
#20 0x8025946a in domain_client_validate (mem_ctx=0x80411ce0, user_info=0x8040d2a8, domain=0x803693a0 "JLU13IAPKRYO", chal=0x803dd380 "�2��\022��\202@", server_info=0x803c5920, dc_name=0xbfeeb458 "FB07-IAPWAP1", dc_ip= {s_addr = 2031333510}) at auth/auth_domain.c:224
#21 0x80259c13 in check_ntdomain_security (auth_context=0x8040f0c8, my_private_data=0x0, mem_ctx=0x80411ce0, user_info=0x8040d2a8, server_info=0x803c5920) at auth/auth_domain.c:319
#22 0x802579bc in check_winbind_security (auth_context=0x8040f0c8, my_private_data=0x80399648, mem_ctx=0x80411ce0, user_info=0x8040d2a8, server_info=0x803c5920) at auth/auth_winbind.c:118
#23 0x802546ab in check_ntlm_password (auth_context=0x8040f0c8, user_info=0x8040d2a8, server_info=0x803c5920) at auth/auth.c:257
#24 0x8025fa10 in auth_ntlmssp_check_password (ntlmssp_state=0x8040dfb0, user_session_key=0xbfeece34, lm_session_key=0xbfeece28) at auth/auth_ntlmssp.c:111
#25 0x800f407f in ntlmssp_server_auth (ntlmssp_state=0x8040dfb0, request= {data = 0x8040f7a8 "NTLMSSP", length = 170, free = 0x80213e20 <free_data_blob>}, reply=0xbfeeddf0) at libsmb/ntlmssp.c:790
#26 0x800f2672 in ntlmssp_update (ntlmssp_state=0x8040dfb0, in= {data = 0x8040f7a8 "NTLMSSP", length = 170, free = 0x80213e20 <free_data_blob>}, out=0xbfeeddf0) at libsmb/ntlmssp.c:341
#27 0x8025f6eb in auth_ntlmssp_update (auth_ntlmssp_state=0x803c5918, request= {data = 0x8040f7a8 "NTLMSSP", length = 170, free = 0x80213e20 <free_data_blob>}, reply=0xbfeeddf0) at auth/auth_ntlmssp.c:204
#28 0x8008734c in reply_sesssetup_and_X (conn=0x0, inbuf=0x80412040 "", outbuf=0x80432488 "", length=348, bufsize=131072) at smbd/sesssetup.c:625
#29 0x800b3d40 in switch_message (type=115, inbuf=0x80412040 "", outbuf=0x80432488 "", size=348, bufsize=131072) at smbd/process.c:991
#30 0x800b4e3b in smbd_process () at smbd/process.c:1018
#31 0x802bf020 in main (argc=0, argv=0xbfeee274) at smbd/server.c:1024
(gdb)
I would like to see the content of this frame:

#2 0x800eb390 in smb_io_unistr2 (desc=0x80301212 "uni_user_name", uni2=0xbfce71cc, buffer=1, ps=0xbfce6fd4, depth=3)

- specifically the content of the uni2 variable. Also, a debug level 10 log would really help. Thanks, Jeremy.
Created attachment 2722 [details] Patch We missed some cases of requesting a zero-malloc. Here is the fix (will be in 3.0.25a). Jeremy.
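Jeremy's comment above attributes the remaining failures to callers requesting a zero-length allocation. The following C program is an added illustration and is not Samba's code nor the patch in attachment 2722: it parses a simplified, constructed length-prefixed UTF-16 string format (an assumption for the example; Samba's real UNISTR2 layout differs), bounds the wire-supplied count against the bytes actually present before allocating anything sized from it, uses an overflow-checked allocator standing in for prs_alloc_mem(), and treats a zero-length string (such as an empty profile path) as a successful empty result rather than as an error. All type, function and sample names are hypothetical, and the sample buffers are constructed, not captured from a server.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed wire format (an assumption, not Samba's exact UNISTR2 layout):
 * little-endian uint32 count of UTF-16 code units, then count * 2 bytes. */
typedef struct {
    uint32_t len;   /* number of UTF-16 code units */
    uint16_t *buf;  /* heap buffer, or NULL when len == 0 */
} unistr;

/* Overflow-checked zeroed array allocation, a stand-in for prs_alloc_mem().
 * Returns NULL on overflow or out-of-memory; callers never pass count == 0. */
static void *alloc_zero_array(size_t size, size_t count)
{
    if (size == 0 || count == 0 || count > SIZE_MAX / size) {
        return NULL;
    }
    return calloc(count, size);
}

/* Parse one string at *off.  Returns 0 on success (and advances *off),
 * -1 when the input is malformed or memory is exhausted.  A zero-length
 * string is valid input: it yields len == 0, buf == NULL and success, so
 * an empty field is never mistaken for an allocation failure. */
static int parse_unistr(const uint8_t *data, size_t avail, size_t *off, unistr *out)
{
    if (*off > avail || avail - *off < 4) {
        return -1;
    }
    uint32_t count = (uint32_t)data[*off] | (uint32_t)data[*off + 1] << 8 |
                     (uint32_t)data[*off + 2] << 16 | (uint32_t)data[*off + 3] << 24;
    *off += 4;

    out->len = count;
    out->buf = NULL;
    if (count == 0) {
        return 0;                  /* empty string: nothing to allocate */
    }
    /* Bound the attacker-controlled count by what is actually present
     * before any allocation or copy is sized from it. */
    if (count > (avail - *off) / 2) {
        return -1;
    }
    out->buf = alloc_zero_array(sizeof(uint16_t), count);
    if (out->buf == NULL) {
        return -1;
    }
    for (uint32_t i = 0; i < count; i++) {
        out->buf[i] = (uint16_t)(data[*off + 2 * i] | data[*off + 2 * i + 1] << 8);
    }
    *off += (size_t)count * 2;
    return 0;
}

/* Constructed samples. */
static const uint8_t SAMPLE_OK[] = {
    4, 0, 0, 0, 'm', 0, 'a', 0, 'r', 0, 'c', 0,   /* "marc" */
    0, 0, 0, 0                                    /* empty string */
};
static const uint8_t SAMPLE_TRUNCATED[] = { 8, 0, 0, 0, 'm', 0, 'a', 0 }; /* claims 8 units, carries 2 */
static const uint8_t SAMPLE_HUGE[] = { 0xff, 0xff, 0xff, 0xff };          /* count = 0xFFFFFFFF */

/* Returns 1 if "marc" and then the empty string both parse and the whole
 * buffer is consumed, else 0. */
int sample_ok_parses(void)
{
    unistr a = {0, NULL}, b = {0, NULL};
    size_t off = 0;
    int ok = parse_unistr(SAMPLE_OK, sizeof SAMPLE_OK, &off, &a) == 0 &&
             a.len == 4 && a.buf != NULL && a.buf[0] == 'm' &&
             parse_unistr(SAMPLE_OK, sizeof SAMPLE_OK, &off, &b) == 0 &&
             b.len == 0 && b.buf == NULL && off == sizeof SAMPLE_OK;
    free(a.buf);
    free(b.buf);
    return ok;
}

/* Returns how many of the two malformed samples are rejected. */
int malformed_rejected(void)
{
    unistr s = {0, NULL};
    size_t off = 0;
    int rejected = 0;
    if (parse_unistr(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED, &off, &s) == -1) rejected++;
    off = 0;
    if (parse_unistr(SAMPLE_HUGE, sizeof SAMPLE_HUGE, &off, &s) == -1) rejected++;
    free(s.buf);
    return rejected;
}

int main(void)
{
    printf("sample ok: %d, malformed rejected: %d\n", sample_ok_parses(), malformed_rejected());
    return 0;
}
```

The design point is the separation of the two checks: the bound against the available data rejects oversized counts before any memory is requested, while the explicit count == 0 branch returns success with an empty result, which is the case the thread shows being missed when the allocation guard alone decides the outcome.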
Please reopen if the patch doesn't fix the problem for you.
I can confirm that this patch fixes the problem. Thanks!
The patch doesn't work for me because I'm using Samba 3.0.24 with security fixes. Are you going to fix this in the 3.0.24 branch?
Created attachment 2724 [details] parse_prs.c patch for 3.0.24 Backport of rpc_parse/parse_prs.c patch for 3.0.24.
Rafael, please test the backported patch for 3.0.24. This is not a complete backport but only the changes to parse_prs.c, which should be enough.
Created attachment 2725 [details] Patch for 3.0.25 backported to 3.0.24 I've tried to backport the first patch published because the needed changes to make it work seemed too obvious. I've patched my Samba 3.0.24 with the security fixes and then with this patch. Now, the problem seems solved.
Patches have been updated and posted to samba.org/samba/security/
(In reply to comment #26)
> Patches have been updated and posted to samba.org/samba/security/
>
Hi, I can't find that patch on samba.org/samba/security/
- Mark