When pam_winbind.so is used in /etc/pam.d/system to allow domain names (i.e. for console login), then on logoff:
- the login process fails with signal 6
- these lines appear in the security log:

Mar 31 18:21:18 glance login: login on ttyv4 as achilov-rn
Mar 31 18:21:20 glance login: pam_winbind(login): [pamh: 0x2820a040] ENTER: pam_sm_setcred (flags: 0x0001)
Mar 31 18:21:20 glance login: pam_winbind(login): PAM_ESTABLISH_CRED not implemented
Mar 31 18:21:20 glance login: pam_winbind(login): [pamh: 0x2820a040] LEAVE: pam_sm_setcred returning 0 (PAM_SUCCESS)
Mar 31 18:21:21 glance login: pam_winbind(login): [pamh: 0x2820a040] ENTER: pam_sm_setcred (flags: 0x0002)
Mar 31 18:21:21 glance login: pam_winbind(login): [pamh: 0x2820a040] ENTER: _pam_delete_cred (flags: 0x0002)
Mar 31 18:21:21 glance login: pam_winbind(login): username [achilov-rn] obtained
Mar 31 18:21:21 glance login: pam_winbind(login): user has no KRB5CCNAME environment
Mar 31 18:21:21 glance login: pam_winbind(login): request wbcLogoffUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_USER_UNKNOWN (13), NTSTATUS: NT_STATUS_NO_SUCH_USER, Error message was: No such user
Mar 31 18:21:21 glance login: pam_winbind(login): user 'achilov-rn' not found
Mar 31 18:21:21 glance login: pam_winbind(login): failed to logoff user achilov-rn: WBC_ERR_AUTH_ERROR

In the Samba log file log. (so, "log."!) these lines appear (debug=4):

[2009/03/31 18:21:21, 3] winbindd/winbindd_pam.c:winbindd_pam_logoff(2227)
  [ 5452]: pam logoff achilov-rn
[2009/03/31 18:21:21, 1] winbindd/winbindd_pam.c:winbindd_pam_logoff(2250)
  winbindd_pam_logoff: failed to check peerid: Function not implemented

This makes it impossible to use Samba 3.3.x on a mail server to use domain user names with a POP3 server (i.e. qpopper), because qpopper constantly dumps core. It also makes it impossible to use Samba 3.3.x to use domain user names with /etc/rc.d/system, because su constantly dumps core and scripts cannot run.
Samba 3.3.3 does not solve this problem. But when I use SSH2 to log in with a domain name, the error does not occur.

Apr 2 11:57:51 glance sshd2[578]: connection from "192.168.1.254"
Apr 2 11:57:55 glance sshd2[98485]: pam_winbind(sshd2): [pamh: 0x2831d1c0] ENTER: pam_sm_authenticate (flags: 0x0001)
Apr 2 11:57:55 glance sshd2[98485]: pam_winbind(sshd2): getting password (0x00000091)
Apr 2 11:57:55 glance sshd2[98485]: pam_winbind(sshd2): pam_get_item returned a password
Apr 2 11:57:55 glance sshd2[98485]: pam_winbind(sshd2): Verify user 'achilov-rn'
Apr 2 11:57:55 glance sshd2[98485]: pam_winbind(sshd2): enabling krb5 login flag
Apr 2 11:57:55 glance sshd2[98485]: pam_winbind(sshd2): request wbcLogonUser succeeded
Apr 2 11:57:55 glance sshd2[98485]: pam_winbind(sshd2): user 'achilov-rn' granted access
Apr 2 11:57:55 glance sshd2[98485]: pam_winbind(sshd2): Returned user was 'achilov-rn'
Apr 2 11:57:55 glance sshd2[98485]: pam_winbind(sshd2): [pamh: 0x2831d1c0] LEAVE: pam_sm_authenticate returning 0 (PAM_SUCCESS)
Apr 2 11:57:55 glance sshd2[98485]: pam_winbind(sshd2): [pamh: 0x2831d1c0] ENTER: pam_sm_setcred (flags: 0x0001)
Apr 2 11:57:55 glance sshd2[98485]: pam_winbind(sshd2): PAM_ESTABLISH_CRED not implemented
Apr 2 11:57:55 glance sshd2[98485]: pam_winbind(sshd2): [pamh: 0x2831d1c0] LEAVE: pam_sm_setcred returning 0 (PAM_SUCCESS)
Apr 2 11:57:55 glance sshd2[98479]: User achilov-rn, coming from glance.askd.gmbh, authenticated.
Apr 2 11:57:55 glance sshd2[98487]: Now running on achilov-rn's privileges.
I have tried deleting krb5_auth from the pam_winbind flags, but without success:

Apr 2 12:06:37 glance login: login on ttyv4 as achilov-rn
Apr 2 12:06:38 glance login: pam_winbind(login): [pamh: 0x2820a040] ENTER: pam_sm_setcred (flags: 0x0001)
Apr 2 12:06:38 glance login: pam_winbind(login): PAM_ESTABLISH_CRED not implemented
Apr 2 12:06:38 glance login: pam_winbind(login): [pamh: 0x2820a040] LEAVE: pam_sm_setcred returning 0 (PAM_SUCCESS)
Apr 2 12:06:39 glance login: pam_winbind(login): [pamh: 0x2820a040] ENTER: pam_sm_setcred (flags: 0x0002)
Apr 2 12:06:39 glance login: pam_winbind(login): [pamh: 0x2820a040] ENTER: _pam_delete_cred (flags: 0x0002)

and login exited on signal 6.
Using qpopper as a test application, I have detected that the core dump occurs when qpopper calls pam_setcred(pamh, PAM_DELETE_CRED).
Can you run qpopper under gdb and get us a stack backtrace please?

Jeremy.
I have found the error and solved the problem. The problem occurs when the uninitialized variable logoff in function _pam_delete_cred is checked for allocated memory (line 2420 in pam_winbind.c). Because an uninitialized variable can contain any junk data, it is != 0 and the code tries to allocate memory at this junk address. The patch is trivial and I have made it.
Created attachment 4047 [details]
Patch to prevent pam_winbind from crashdump another program with signal 6

This trivial patch prevents pam_winbind from crashing another program with signal 6, which occurred when trying to use pam_winbind in a PAM environment (i.e. for POP3, SSH, console logins...)
Rashid, I checked in a modified version of your patch: http://git.samba.org/?p=samba.git;a=commitdiff;h=b737a6202cc18bfab091d5f45a3c30e97828e927 Bug should be resolved now. Please test.
I have tested the modified patch. It works. But I have detected one more crash dump, when krb5_auth is used in the pam_winbind parameter list. In this case the program tries to execute wbcLogoffUserEx, so it allocates blobs for "ccfilename", "flags" and "user_uid". wbcLogoffUserEx fails (I do not know why: the user exists in the domain and the password is correct) and the code should free the allocated blobs, and it does so (lines 2407-2408 in pam_winbind.c). But wbcFreeMemory doesn't mark in any way that the memory addressed by logoff.blobs is already freed, and the code tries this again in line 2419, because logoff.blobs != 0! So I have made another trivial patch to avoid the crash dump.

About wbcFreeMemory(): this function now simply calls talloc_free. Perhaps it should also mark the freed area by clearing the pointer to the already freed space? In that case the function should receive not a pointer to the freed area but a pointer to the pointer to the freed area, and some parts of the source files would have to be rewritten. If you don't have much time, I can probably do it.
Created attachment 4049 [details]
Patch to prevent pam_winbind from crashdump another program with signal 6 when use 'krb5_auth'

This patch prevents crashing another program with signal 6 when the flag 'krb5_auth' is used in the pam_winbind flags. It clears the pointer to the area already freed by wbcFreeMemory and stops the attempt to free it again.
(In reply to comment #8)
> Created an attachment (id=4049) [details]
> Patch to prevent pam_winbind from crashdump another program with signal 6 when
> use 'krb5_auth'
>
> This patch prevents crashdump another program with signal 6, when flag
> 'krb5_auth' using in pam_winbind flags. It clear pointer to area, already freed
> by wbcFreeMemory and stops try to free it again

Yes, absolutely correct. And thanks for testing! I add that patch now. The change of wbcFreeMemory to call TALLOC_FREE instead of talloc_free should be discussed a little more, for now your patch is the best way to solve the problem and makes us work with old and future versions of libwbclient.
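Added example, not part of the bug thread or the Samba source: a reduced C model of the two cleanup bugs discussed in the comments above (the uninitialized logoff struct, then the second free of logoff.blobs) and the effect of each fix. The names struct logoff_params, tracked_alloc, tracked_free and delete_cred are hypothetical, and the 0xA5 fill is an assumption standing in for stack junk.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the logoff parameters: only the field that matters. */
struct logoff_params { void *blobs; };

/* Tracking allocator (constructed for this example): remembers the one live
 * allocation so an invalid free is counted instead of reaching free(). */
static void *live;
static int bad_frees;

static void *tracked_alloc(size_t n) { live = malloc(n); return live; }

static void tracked_free(void *p)
{
    if (p == NULL) return;
    if (p != live) { bad_frees++; return; }  /* junk pointer or second free */
    free(p);
    live = NULL;
}

/* Models the control flow of _pam_delete_cred as described in the thread.
 * zero_init: initialise the struct before use (first fix).
 * clear_ptr: NULL the pointer after the error-path free (second fix).
 * use_krb5:  take the branch that allocates blobs and then fails.
 * Returns how many invalid frees the function attempted. */
static int delete_cred(int zero_init, int clear_ptr, int use_krb5)
{
    struct logoff_params logoff;
    bad_frees = 0; live = NULL;
    /* 0xA5 models stack junk; reading a truly uninitialised struct is UB. */
    memset(&logoff, zero_init ? 0 : 0xA5, sizeof(logoff));
    if (!use_krb5) goto out;            /* blobs never assigned on this path */
    logoff.blobs = tracked_alloc(32);
    /* the logoff request fails here, so the error path releases the blobs */
    tracked_free(logoff.blobs);
    if (clear_ptr) logoff.blobs = NULL; /* otherwise the pointer dangles */
out:
    if (logoff.blobs) tracked_free(logoff.blobs);  /* cleanup trusts the pointer */
    return bad_frees;
}

int main(void)
{
    printf("no init, no krb5:    %d invalid free(s)\n", delete_cred(0, 0, 0));
    printf("init, krb5, dangle:  %d invalid free(s)\n", delete_cred(1, 0, 1));
    printf("init, krb5, cleared: %d invalid free(s)\n", delete_cred(1, 1, 1));
    return 0;
}
```

With a real allocator each counted invalid free would be the abort (signal 6) seen in the logs; freeing and clearing in one step is the behaviour the TALLOC_FREE suggestion refers to.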
Closing, we should finally be done with that one. Please reopen if still an issue.