Bug 6238 - Failed to logoff and dump core with signal 6
Summary: Failed to logoff and dump core with signal 6
Status: RESOLVED FIXED
Alias: None
Product: Samba 3.3
Classification: Unclassified
Component: Winbind
Version: 3.3.2
Hardware: x86 FreeBSD
Importance: P3 critical
Target Milestone: ---
Assignee: Samba Bugzilla Account
QA Contact: Samba QA Contact
Reported: 2009-03-31 07:03 UTC by Rashid N. Achilov
Modified: 2009-04-03 06:06 UTC

Attachments
Patch to prevent pam_winbind from crashdump another program with signal 6 (350 bytes, patch)
2009-04-03 01:39 UTC, Rashid N. Achilov
Patch to prevent pam_winbind from crashdump another program with signal 6 when use 'krb5_auth' (366 bytes, patch)
2009-04-03 05:36 UTC, Rashid N. Achilov

Description Rashid N. Achilov 2009-03-31 07:03:50 UTC
When using pam_winbind.so in /etc/pam.d/system to use domain names (i.e. for console login with it), on logoff:
- the login process failed with signal 6
- these lines appear in the security log
Mar 31 18:21:18 glance login: login on ttyv4 as achilov-rn
Mar 31 18:21:20 glance login: pam_winbind(login): [pamh: 0x2820a040] ENTER: pam_sm_setcred (flags: 0x0001)
Mar 31 18:21:20 glance login: pam_winbind(login): PAM_ESTABLISH_CRED not implemented
Mar 31 18:21:20 glance login: pam_winbind(login): [pamh: 0x2820a040] LEAVE: pam_sm_setcred returning 0 (PAM_SUCCESS)
Mar 31 18:21:21 glance login: pam_winbind(login): [pamh: 0x2820a040] ENTER: pam_sm_setcred (flags: 0x0002)
Mar 31 18:21:21 glance login: pam_winbind(login): [pamh: 0x2820a040] ENTER: _pam_delete_cred (flags: 0x0002)
Mar 31 18:21:21 glance login: pam_winbind(login): username [achilov-rn] obtained
Mar 31 18:21:21 glance login: pam_winbind(login): user has no KRB5CCNAME environment
Mar 31 18:21:21 glance login: pam_winbind(login): request wbcLogoffUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_USER_UNKNOWN (13), NTSTATUS: NT_STATUS_NO_SUCH_USER, Error message was: No such user
Mar 31 18:21:21 glance login: pam_winbind(login): user 'achilov-rn' not found
Mar 31 18:21:21 glance login: pam_winbind(login): failed to logoff user achilov-rn: WBC_ERR_AUTH_ERROR

In the Samba log file log. (so, "log."!) these lines appear (debug=4):
[2009/03/31 18:21:21,  3] winbindd/winbindd_pam.c:winbindd_pam_logoff(2227)
  [ 5452]: pam logoff achilov-rn
[2009/03/31 18:21:21,  1] winbindd/winbindd_pam.c:winbindd_pam_logoff(2250)
  winbindd_pam_logoff: failed to check peerid: Function not implemented

This makes Samba 3.3.x unusable on a mail server for domain user names with a POP3 server (i.e. qpopper), because qpopper constantly dumps core. It also makes Samba 3.3.x unusable for domain user names with /etc/rc.d/system, because su constantly dumps core and scripts cannot run.
Comment 1 Rashid N. Achilov 2009-04-02 00:22:33 UTC
Samba 3.3.3 does not solve this problem. But when I use SSH2 to log in with a domain name, the error does not occur.

Apr  2 11:57:51 glance sshd2[578]: connection from "192.168.1.254"
Apr  2 11:57:55 glance sshd2[98485]: pam_winbind(sshd2): [pamh: 0x2831d1c0] ENTER: pam_sm_authenticate (flags: 0x0001)
Apr  2 11:57:55 glance sshd2[98485]: pam_winbind(sshd2): getting password (0x00000091)
Apr  2 11:57:55 glance sshd2[98485]: pam_winbind(sshd2): pam_get_item returned a password
Apr  2 11:57:55 glance sshd2[98485]: pam_winbind(sshd2): Verify user 'achilov-rn'
Apr  2 11:57:55 glance sshd2[98485]: pam_winbind(sshd2): enabling krb5 login flag
Apr  2 11:57:55 glance sshd2[98485]: pam_winbind(sshd2): request wbcLogonUser succeeded
Apr  2 11:57:55 glance sshd2[98485]: pam_winbind(sshd2): user 'achilov-rn' granted access
Apr  2 11:57:55 glance sshd2[98485]: pam_winbind(sshd2): Returned user was 'achilov-rn'
Apr  2 11:57:55 glance sshd2[98485]: pam_winbind(sshd2): [pamh: 0x2831d1c0] LEAVE: pam_sm_authenticate returning 0 (PAM_SUCCESS)
Apr  2 11:57:55 glance sshd2[98485]: pam_winbind(sshd2): [pamh: 0x2831d1c0] ENTER: pam_sm_setcred (flags: 0x0001)
Apr  2 11:57:55 glance sshd2[98485]: pam_winbind(sshd2): PAM_ESTABLISH_CRED not implemented
Apr  2 11:57:55 glance sshd2[98485]: pam_winbind(sshd2): [pamh: 0x2831d1c0] LEAVE: pam_sm_setcred returning 0 (PAM_SUCCESS)
Apr  2 11:57:55 glance sshd2[98479]: User achilov-rn, coming from glance.askd.gmbh, authenticated.
Apr  2 11:57:55 glance sshd2[98487]: Now running on achilov-rn's privileges.

I have tried deleting krb5_auth from the pam_winbind flags, but without success:

Apr  2 12:06:37 glance login: login on ttyv4 as achilov-rn
Apr  2 12:06:38 glance login: pam_winbind(login): [pamh: 0x2820a040] ENTER: pam_sm_setcred (flags: 0x0001)
Apr  2 12:06:38 glance login: pam_winbind(login): PAM_ESTABLISH_CRED not implemented
Apr  2 12:06:38 glance login: pam_winbind(login): [pamh: 0x2820a040] LEAVE: pam_sm_setcred returning 0 (PAM_SUCCESS)
Apr  2 12:06:39 glance login: pam_winbind(login): [pamh: 0x2820a040] ENTER: pam_sm_setcred (flags: 0x0002)
Apr  2 12:06:39 glance login: pam_winbind(login): [pamh: 0x2820a040] ENTER: _pam_delete_cred (flags: 0x0002)

and login exited on signal 6
Comment 2 Rashid N. Achilov 2009-04-02 05:48:40 UTC
Using qpopper as a test application, I have found that the core dump occurs when qpopper calls pam_setcred(pamh, PAM_DELETE_CRED)
Comment 3 Jeremy Allison 2009-04-02 13:09:10 UTC
Can you run qpopper under gdb and get us a stack backtrace please?
Jeremy.
Comment 4 Rashid N. Achilov 2009-04-03 01:36:20 UTC
I have found the error and solved the problem. The problem occurs when the uninitialized variable logoff in function _pam_delete_cred is checked for allocated memory (line 2420 in pam_winbind.c). Because an uninitialized variable can contain any junk data, it is != 0 and the code tries to allocate memory on this junk address. The patch is trivial and I have made it.
Comment 5 Rashid N. Achilov 2009-04-03 01:39:22 UTC
Created attachment 4047 [details]
Patch to prevent pam_winbind from crashdump another program with signal 6

This trivial patch prevents pam_winbind from crashing another program with signal 6, which occurred when trying to use pam_winbind in a PAM environment (i.e. for POP3, SSH, console logins...)
Comment 6 Guenther Deschner 2009-04-03 03:16:07 UTC
Rashid, I checked in a modified version of your patch:

http://git.samba.org/?p=samba.git;a=commitdiff;h=b737a6202cc18bfab091d5f45a3c30e97828e927

Bug should be resolved now. Please test.
Comment 7 Rashid N. Achilov 2009-04-03 05:33:32 UTC
I have tested the modified patch. It works. But I have found one more crash dump, when krb5_auth is used in the pam_winbind parameter list. In this case the program tries to execute wbcLogoffUserEx, so it allocates blobs for "ccfilename", "flags" and "user_uid". wbcLogoffUserEx fails (I do not know why: the user exists in the domain and the password is correct) and the code should free the allocated blobs, and does so (lines 2407-2408 in pam_winbind.c). But wbcFreeMemory does not mark in any way that the memory addressed by logoff.blobs is already freed, and the code tries this again at line 2419, because logoff.blobs != 0! So I have made another trivial patch to avoid the crash dump.

About wbcFreeMemory(): this function now simply calls talloc_free. Should it perhaps also mark the freed area by clearing the pointer to the already freed space? In that case the function should receive not a pointer to the freed area but a pointer to the pointer to the freed area, and some pieces of the source files would have to be rewritten. If you don't have much time, I can probably do it.
Comment 8 Rashid N. Achilov 2009-04-03 05:36:24 UTC
Created attachment 4049 [details]
Patch to prevent pam_winbind from crashdump another program with signal 6 when use 'krb5_auth'

This patch prevents crashing another program with signal 6 when the 'krb5_auth' flag is used in the pam_winbind flags. It clears the pointer to the area already freed by wbcFreeMemory and stops the attempt to free it again.
Comment 9 Guenther Deschner 2009-04-03 05:50:01 UTC
(In reply to comment #8)
> Created an attachment (id=4049) [details]
> Patch to prevent pam_winbind from crashdump another program with signal 6 when
> use 'krb5_auth'
> 
> This patch prevents crashing another program with signal 6 when the
> 'krb5_auth' flag is used in the pam_winbind flags. It clears the pointer to
> the area already freed by wbcFreeMemory and stops the attempt to free it again.

Yes, absolutely correct. And thanks for testing! I am adding that patch now.

The change of wbcFreeMemory to call TALLOC_FREE instead of talloc_free should be discussed a little more; for now your patch is the best way to solve the problem and lets us work with old and future versions of libwbclient.
Comment 10 Guenther Deschner 2009-04-03 06:06:12 UTC
Closing, we should finally be done with that one. Please reopen if still an issue.
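
The two defects discussed in comments 4 and 7, modelled as an added example that is not part of the original thread and is not Samba's code. The struct, the fake allocator, FREE_AND_NULL and delete_cred are hypothetical stand-ins; the allocator counts invalid frees at the point where a real one would abort the calling process with signal 6.

```c
#include <stddef.h>

/* Stand-ins for the libwbclient types; all names here are illustrative. */
struct named_blob { const char *name; };
struct logoff_params {
    const char *username; size_t num_blobs; struct named_blob *blobs;
};

static struct named_blob pool[3]; /* fake heap, so no pointer ever dangles */
static struct named_blob junk;    /* stands for leftover stack contents */
static int pool_live, bad_frees;

static struct named_blob *blob_alloc(void) { pool_live = 1; return pool; }

/* A real allocator aborts (SIGABRT, signal 6) where this counts a bad free. */
static void blob_free(struct named_blob *p)
{
    if (p != pool || !pool_live) { bad_frees++; return; }
    pool_live = 0;
}

/* Free, then clear the caller's pointer so later checks see NULL. */
#define FREE_AND_NULL(p) do { blob_free(p); (p) = NULL; } while (0)

/* Model of the credential-deletion flow. hardened=0 reproduces both defects
 * from the thread; hardened=1 keeps the struct zeroed and clears the pointer
 * after freeing. Returns the number of invalid frees. */
int delete_cred(int hardened, int krb5_auth, int logoff_fails)
{
    struct logoff_params lo;

    pool_live = bad_frees = 0;
    lo = (struct logoff_params){0};       /* zero every field (first fix) */
    if (!hardened)
        lo.blobs = &junk;                 /* simulate the uninitialized field */
    if (krb5_auth) {                      /* blobs exist only on this path */
        lo.blobs = blob_alloc();
        lo.num_blobs = 3;
        if (logoff_fails) {               /* error path releases the blobs */
            if (hardened)
                FREE_AND_NULL(lo.blobs);  /* second fix: no stale pointer */
            else
                blob_free(lo.blobs);      /* pointer keeps its old value */
        }
    }
    if (lo.blobs)                         /* common cleanup before return */
        blob_free(lo.blobs);
    return bad_frees;
}
```
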