Bug 5415 - pam_smbpass.so(LDAP Backend) causes a segfault on Solaris 10
Summary: pam_smbpass.so(LDAP Backend) causes a segfault on Solaris 10
Status: RESOLVED WONTFIX
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: User/Group Accounts
Version: 3.0.28a
Hardware: x86 Solaris
Importance: P3 major
Target Milestone: none
Assignee: Samba Bugzilla Account
QA Contact: Samba QA Contact
URL: h
Keywords:
Depends on:
Blocks:
 
Reported: 2008-04-24 18:33 UTC by David Markey
Modified: 2008-04-28 08:50 UTC

See Also:


Attachments
Truss output (16.22 KB, text/plain)
2008-04-24 18:34 UTC, David Markey

Description David Markey 2008-04-24 18:33:31 UTC
I'm not sure if this is a bug with Samba, a bug with the OpenLDAP libs or a bug with Solaris PAM. Hopefully someone will be able to shed some light on the issue.


pam_smbpass compiled with either gcc or Sun cc with freshly compiled OpenLDAP libs.
pam.conf:

other auth requisite          pam_authtok_get.so.1
other auth required           pam_unix_cred.so.1
other auth sufficient           pam_unix_auth.so.1
other auth sufficient         pam_krb5.so.1
other   account requisite       pam_roles.so.1
other   account required        pam_unix_account.so.1
other   account required        pam_krb5.so.1
other   password required       pam_dhkeys.so.1
other   password requisite      pam_authtok_get.so.1
other   password requisite      pam_authtok_check.so.1
other   password optional       pam_smbpass.so use_first_pass
other   password sufficient     pam_krb5.so.1
other   password required       pam_authtok_store.so.1
other   session required        pam_unix_session.so.1

Error:
-bash-3.00$ passwd david.markey
Password:
Segmentation Fault

Truss Attached.

LDD of pam_smbpass:
# ldd /usr/lib/security/pam_smbpass.so
        libthread.so.1 =>        /lib/libthread.so.1
        libpam.so.1 =>   /lib/libpam.so.1
        libsendfile.so.1 =>      /lib/libsendfile.so.1
        libresolv.so.2 =>        /lib/libresolv.so.2
        libnsl.so.1 =>   /lib/libnsl.so.1
        libsocket.so.1 =>        /lib/libsocket.so.1
        libldap-2.4.so.2 =>      /usr/local/lib/libldap-2.4.so.2
        liblber-2.4.so.2 =>      /usr/local/lib/liblber-2.4.so.2
        libc.so.1 =>     /lib/libc.so.1
        libcmd.so.1 =>   /lib/libcmd.so.1
        libmp.so.2 =>    /lib/libmp.so.2
        libmd.so.1 =>    /lib/libmd.so.1
        libscf.so.1 =>   /lib/libscf.so.1
        libgen.so.1 =>   /lib/libgen.so.1
        libsasl.so.1 =>  /usr/lib/libsasl.so.1
        libdoor.so.1 =>  /lib/libdoor.so.1
        libuutil.so.1 =>         /lib/libuutil.so.1
        libm.so.2 =>     /lib/libm.so.2


Snippet of smb.conf:
passdb backend = ldapsam:ldap://ldap.cs.dit.ie
#passdb backend = smbpasswd
username map = /usr/local/samba/lib/smbusers
unix password sync = yes
passwd chat = "Changing*\nNew password*" %n\n "*Retype new password*" %n\n"
passwd program = /usr/local/smbldap-tools/smbldap-passwd -u %u
#passwd program = /usr/bin/passwd %u
passwd chat debug = yes
passwd chat timeout = 20
#pam password change = yes
# Specifying printing subsystem

# Path to IDEALX scripts (we will get to that soon)
#

# if you want to add machines to domain automaticaly, add machine script is:
# add machine script = /usr/local/sbin/smbldap-useradd -w -i %u
# proved on SUSE 10.0
#
# Various other directives ( man smb.conf )
####################################################
#obey pam restrictions = Yes
logon script = scripts\logon.bat
logon path = \\%L\Profiles\%U
logon drive = H:
logon home = \\%L\%U
domain logons = Yes
os level = 128
preferred master = Yes
domain master = Yes
dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
show add printer wizard = yes

# OpenLDAP stuff is defined here
###################################################
ldap suffix = dc=cs,dc=dit,dc=ie
ldap machine suffix = ou=Computers
ldap user suffix = ou=People
ldap group suffix = ou=Group
ldap idmap suffix = ou=People
ldap admin dn = "cn=Directory Manager"
ldap ssl = start_tls
ldap passwd sync = Yes




If anyone could help me that would be great. It seems to behave when the backend is set to local database for some reason.
Comment 1 David Markey 2008-04-24 18:34:52 UTC
Created attachment 3269
Truss output
Comment 2 Björn Jacke 2008-04-28 07:50:40 UTC
Is there a specific reason why you don't use the system LDAP libs? I fixed Samba so that it works with the Solaris system libs quite a while ago. I guess your OpenLDAP libs clash with the system LDAP libs at some point. Can you try not to use OpenLDAP?
Comment 3 David Markey 2008-04-28 08:40:36 UTC
(In reply to comment #2)
> is there a specific reason why you don't use the system LDAP libs? I fixed
> samba so that it works with the Solaris system libs quite a while ago. I guess
> your openldap libs clash with the system ldap libs at some point. Can you try
> not to use openldap?
> 


I am using the Solaris LDAP libs, but a major problem is that I can't get SSL/TLS to work, and it's pretty important to have SSL/TLS with pam_smbpass.so!

If you know any way to get SSL to work with the Solaris libs, please let me know.
Comment 4 Björn Jacke 2008-04-28 08:50:12 UTC
See bug #3504 for that. You can find patches that add Solaris LDAP SSL support for older and newer Samba releases. You might try that. If you have problems with that patch, please report them there :-).

As an OpenLDAP-linked Samba on Solaris is a known problem, I'll close this bug as WONTFIX now.
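
The library clash suspected in comment 2 can be checked from `ldd` output alone. The following is an added example, not part of the original bug thread or of Samba: it reads `ldd` listings in the format shown in the description and reports every distinct libldap that a set of PAM modules resolves to. The second listing (pam_example.so.1 and its libldap.so.5 path) is constructed sample data standing in for a module linked against the system LDAP library.

```shell
#!/bin/sh
# Added example: detect PAM modules that would load two different LDAP client
# libraries into the same process (for example, into passwd).

# Input: one or more ldd listings on stdin, each preceded by a header line
#        "# ldd <module path>" as in the bug description.
# Output: one line per distinct libldap path, followed by the modules using it.
# Exit status: 1 if more than one distinct libldap path is seen, else 0.
check_ldap_clash() {
    awk '
        $1 == "#" && $2 == "ldd" { module = $3; next }
        $2 == "=>" && $1 ~ /^libldap/ {
            # Remember first-seen order so the report is deterministic.
            if (!($3 in users)) order[++paths] = $3
            users[$3] = users[$3] " " module
        }
        END {
            for (i = 1; i <= paths; i++) print order[i] ":" users[order[i]]
            exit (paths > 1)
        }
    '
}

# Sample input. The first listing uses lines from the report; the second
# module name and its listing are constructed for illustration.
sample_ldd() {
cat <<'EOF'
# ldd /usr/lib/security/pam_smbpass.so
        libldap-2.4.so.2 =>      /usr/local/lib/libldap-2.4.so.2
        liblber-2.4.so.2 =>      /usr/local/lib/liblber-2.4.so.2
        libc.so.1 =>     /lib/libc.so.1
# ldd /usr/lib/security/pam_example.so.1
        libldap.so.5 =>  /usr/lib/libldap.so.5
        libc.so.1 =>     /lib/libc.so.1
EOF
}

# On a live host, replace sample_ldd with real ldd output for each module
# named in pam.conf, each preceded by its "# ldd <path>" header.
sample_ldd | check_ldap_clash ||
    echo "WARNING: more than one libldap would be loaded by this PAM stack"
```

A non-zero exit only says that two LDAP client libraries would share one address space; confirming that this is the cause of a crash still needs the truss output or a core file.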