5747 – winbind segfaults

Bug 5747 - winbind segfaults

Summary: winbind segfaults

Status:	RESOLVED FIXED

Alias:	None

Product:	Samba 3.2
Classification:	Unclassified
Component:	Winbind (show other bugs)
Version:	3.2.2
Hardware:	x86 Linux

Importance:	P3 normal
Target Milestone:	---
Assignee:	Guenther Deschner
QA Contact:	Samba QA Contact

URL:
Keywords:

Depends on:
Blocks:

Reported:	2008-09-09 14:04 UTC by Jason Gunthorpe
Modified:	2008-10-27 17:53 UTC (History)
CC List:	0 users

See Also:

Attachments
use the new created ad connection (1.20 KB, patch) 2008-09-10 05:33 UTC, Guenther Deschner	no flags	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Jason Gunthorpe 2008-09-09 14:04:04 UTC

Haven't quite figured out what causes this, but it happens alot.. Here is the output from log.wb-ORCORP:

[2008/09/09 11:44:54,  3] winbindd/winbindd_rpc.c:msrpc_name_to_sid(299)
  name_to_sid [rpc] ORCORP\mvoth for domain ORCORP
[2008/09/09 11:44:54,  3] winbindd/winbindd_user.c:winbindd_dual_userinfo(139)
  [ 6057]: lookupsid S-1-5-21-3359403674-27046192-2187186990-1163
[2008/09/09 11:44:54,  3] winbindd/winbindd_ads.c:query_user(426)
  ads: query_user
[2008/09/09 11:44:54,  2] lib/module.c:do_smb_load_module(64)
  Module '/usr/lib/samba/nss_info/rfc2307.so' loaded
[2008/09/09 11:44:54,  3] libsmb/namequery.c:get_dc_list(1909)
  get_dc_list: preferred server list: "10.0.0.6, ads0.ads.orcorp.ca"
[2008/09/09 11:44:54,  3] libads/ldap.c:ads_connect(430)
  Successfully contacted LDAP server 10.0.0.6
[2008/09/09 11:44:54,  3] libsmb/namequery.c:get_dc_list(1909)
  get_dc_list: preferred server list: "10.0.0.6, ads0.ads.orcorp.ca"
[2008/09/09 11:44:54,  3] libads/ldap.c:ads_connect(430)
  Successfully contacted LDAP server 10.0.0.6
[2008/09/09 11:44:54,  3] libads/ldap.c:ads_connect(480)
  Connected to LDAP server ads0.ads.orcorp.ca
[2008/09/09 11:44:54,  3] libads/sasl.c:ads_sasl_spnego_bind(780)
  ads_sasl_spnego_bind: got OID=1 2 840 48018 1 2 2
[2008/09/09 11:44:54,  3] libads/sasl.c:ads_sasl_spnego_bind(780)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2
[2008/09/09 11:44:54,  3] libads/sasl.c:ads_sasl_spnego_bind(780)
  ads_sasl_spnego_bind: got OID=1 2 840 113554 1 2 2 3
[2008/09/09 11:44:54,  3] libads/sasl.c:ads_sasl_spnego_bind(780)
  ads_sasl_spnego_bind: got OID=1 3 6 1 4 1 311 2 2 10
[2008/09/09 11:44:54,  3] libads/sasl.c:ads_sasl_spnego_bind(789)
  ads_sasl_spnego_bind: got server principal name = ads0$@ADS.ORCORP.CA
[2008/09/09 11:44:54,  3] libsmb/clikrb5.c:ads_cleanup_expired_creds(604)
  ads_cleanup_expired_creds: Ticket in ccache[MEMORY:winbind_ccache] expiration Tue, 09 Sep 2008 21:44:58 PDT
[2008/09/09 11:44:54,  3] libsmb/clikrb5.c:ads_krb5_mk_req(713)
  ads_krb5_mk_req: server marked as OK to delegate to, building forwardable TGT
[2008/09/09 11:44:54,  0] lib/fault.c:fault_report(40)
  ===============================================================
[2008/09/09 11:44:54,  0] lib/fault.c:fault_report(41)
  INTERNAL ERROR: Signal 11 in pid 7716 (3.2.3)
  Please read the Trouble-Shooting section of the Samba3-HOWTO
[2008/09/09 11:44:54,  0] lib/fault.c:fault_report(43)
  
  From: http://www.samba.org/samba/docs/Samba3-HOWTO.pdf
[2008/09/09 11:44:54,  0] lib/fault.c:fault_report(44)
  ===============================================================
[2008/09/09 11:44:54,  0] lib/util.c:smb_panic(1663)
  PANIC (pid 7716): internal error
[2008/09/09 11:44:54,  0] lib/util.c:log_stack_trace(1767)
  BACKTRACE: 18 stack frames:
   #0 /usr/sbin/winbindd(log_stack_trace+0x2d) [0x800f483e]
   #1 /usr/sbin/winbindd(smb_panic+0x84) [0x800f4980]
   #2 /usr/sbin/winbindd [0x800e1faa]
   #3 [0xffffe420]
   #4 /usr/lib/samba/nss_info/rfc2307.so [0xb77958f9]
   #5 /usr/sbin/winbindd(nss_get_info+0x193) [0x80257f70]
   #6 /usr/sbin/winbindd(nss_get_info_cached+0x210) [0x8005f0ec]
   #7 /usr/sbin/winbindd [0x8007ae3a]
   #8 /usr/sbin/winbindd [0x80060eba]
   #9 /usr/sbin/winbindd(winbindd_dual_userinfo+0x183) [0x80050858]
   #10 /usr/sbin/winbindd [0x8007fafe]
   #11 /usr/sbin/winbindd(async_request+0x1b9) [0x800810e1]
   #12 /usr/sbin/winbindd(async_domain_request+0x57) [0x80081292]
   #13 /usr/sbin/winbindd [0x800583db]
   #14 /usr/sbin/winbindd(rescan_trusted_domains+0x49) [0x800587d3]
   #15 /usr/sbin/winbindd(main+0xe4f) [0x8004db6c]
   #16 /lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xe0) [0xb7c1a050]
   #17 /usr/sbin/winbindd [0x8004b451]
[2008/09/09 11:44:54,  0] lib/util.c:smb_panic(1668)
  smb_panic(): calling panic action [/usr/share/samba/panic-action 7716]
[2008/09/09 11:44:54,  0] lib/util.c:smb_panic(1676)
  smb_panic(): action returned status 0
[2008/09/09 11:44:54,  0] lib/fault.c:dump_core(201)
  dumping core in /var/log/samba/cores/winbindd

gdb says:
(gdb) bt
#0  0xffffe410 in __kernel_vsyscall ()
#1  0xb7c31875 in raise () from /lib/tls/i686/cmov/libc.so.6
#2  0xb7c33201 in abort () from /lib/tls/i686/cmov/libc.so.6
#3  0x800e1ac7 in dump_core () from /opt/samba/samba-3.2.3/source/bin/winbindd
#4  0x800f4abf in smb_panic () from /opt/samba/samba-3.2.3/source/bin/winbindd
#5  0x800e1faa in sig_fault () from /opt/samba/samba-3.2.3/source/bin/winbindd
#6  <signal handler called>
#7  0x80231604 in ads_pull_string () from /opt/samba/samba-3.2.3/source/bin/winbindd
#8  0xb76538f9 in nss_ad_get_info () from /usr/lib/samba/nss_info/rfc2307.so
#9  0x80257f70 in nss_get_info () from /opt/samba/samba-3.2.3/source/bin/winbindd
#10 0x8005f0ec in nss_get_info_cached () from /opt/samba/samba-3.2.3/source/bin/winbindd
#11 0x8007ae3a in query_user () from /opt/samba/samba-3.2.3/source/bin/winbindd
#12 0x80060eba in query_user () from /opt/samba/samba-3.2.3/source/bin/winbindd
#13 0x80050858 in winbindd_dual_userinfo () from /opt/samba/samba-3.2.3/source/bin/winbindd
#14 0x8007fafe in schedule_async_request () from /opt/samba/samba-3.2.3/source/bin/winbindd
#15 0x800810e1 in async_request () from /opt/samba/samba-3.2.3/source/bin/winbindd
#16 0x80058165 in init_child_connection () from /opt/samba/samba-3.2.3/source/bin/winbindd
#17 0x80081374 in async_domain_request () from /opt/samba/samba-3.2.3/source/bin/winbindd
#18 0x800583db in add_trusted_domains () from /opt/samba/samba-3.2.3/source/bin/winbindd
#19 0x800587d3 in rescan_trusted_domains () from /opt/samba/samba-3.2.3/source/bin/winbindd
#20 0x8004db6c in main () from /opt/samba/samba-3.2.3/source/bin/winbindd

Fussing to get symbols.. And gdb says this:
(gdb) frame 8
#8  0xb76538f9 in nss_ad_get_info (e=0x803a1138, sid=0xbfdfdd68, ctx=0x80342d08, ads=0x0, 
    msg=0x0, homedir=0xbfdfdcd4, shell=0xbfdfdcd8, gecos=0xbfdfdcd0, gid=0xbfdfdcdc)
    at winbindd/idmap_ad.c:768
768             *homedir = ads_pull_string( ads, ctx, msg, ad_schema->posix_homedir_attr );

(gdb) p homedir
$1 = (char **) 0xbfdfdcd4
(gdb) p *homedir
$2 = 0x0
(gdb) p ads
$3 = (ADS_STRUCT *) 0x0
(gdb) p ctx
$4 = (TALLOC_CTX *) 0x80342d08
(gdb) p msg
$5 = (LDAPMessage *) 0x0
(gdb) p ad_schema->posix_homedir_attr
$6 = 0x803a6440 "unixHomeDirectory"

Looks like ads being 0 is the fatal thing here since ads_pull_string immediately does ads->ldap.id

This seems to happen sometimes with a 'wbinfo -i mvoth' command, but also things like gdm causes it.

smb.conf has:

[global]
workgroup = ORCORP
realm = ADS.ORCORP.CA
os level = 0
log level = 3

security = ads
password server = ads0.ads.orcorp.ca
use kerberos keytab = true

idmap domains = ORCORP
idmap config ORCORP:backend = ad
idmap config ORCORP:readonly = yes
idmap config ORCORP:default = yes
idmap config ORCORP:range = 1000-11000
idmap config ORCORP:schema_mode = rfc2307

idmap alloc backend = tdb
idmap alloc config:range        = 300000000 - 310000000

winbind nss info = rfc2307
winbind use default domain = yes
winbind offline logon = yes
winbind refresh tickets = yes
winbind normalize names = yes

encrypt passwords = true
dns proxy = no
log file = /var/log/samba/log.%m
panic action = /usr/share/samba/panic-action %d
obey pam restrictions = yes
guest account = nobody
invalid users = root
unix charset = "UTF8"

name resolve order = lmhosts host wins bcast

Machine is ubuntu gutsy, built from source using the ibex packaging of 3.2.2

Comment 1 Guenther Deschner 2008-09-10 05:33:36 UTC

Created attachment 3548 [details]
use the new created ad connection

Can you try this patch, please ?

Comment 2 Karolin Seeger 2008-09-21 22:28:34 UTC

Does the patch fix your issue?

Comment 3 Jason Gunthorpe 2008-09-26 16:15:37 UTC

Karolin,

I have been unable to try the patch yet, the laptop that had this problem has left the building.. I'll let you know when I'm able to try it again.

Comment 4 Guenther Deschner 2008-09-26 17:03:22 UTC

Have you thrown it out of the window?? :-)

That patch is not not needed any more, Jerry Carter has checked in a similar fix into the 3-2/3-3-test branch, so it will be part of the next releases.

Comment 5 Jason Gunthorpe 2008-09-26 18:57:21 UTC

Just shipped across the country to the intended user.. I had hoped to use winbind to have an offline caching 'roaming' NSS setup for it, but I was not able to get it to work reliably. I'll try again on a later release.

I'm quite excited about this entire winbind configuration using idmap backend = ad/etc, it seems to be by far the best solution I've seen for NSS/PAM against AD..

Comment 6 Guenther Deschner 2008-10-27 17:53:45 UTC

Glad to hear that :)

Please re-open, if this is still a bug for you then.

Thanks for the report.