Bug 6386 - Samba Panic triggered by Sophos Control Centre.
Summary: Samba Panic triggered by Sophos Control Centre.
Status: RESOLVED FIXED
Alias: None
Product: Samba 3.2
Classification: Unclassified
Component: User & Group Accounts (show other bugs)
Version: 3.2.5
Hardware: x86 Linux
: P3 normal
Target Milestone: ---
Assignee: Jeremy Allison
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2009-05-21 19:23 UTC by Jeremy Allison
Modified: 2009-08-06 19:45 UTC (History)
0 users

See Also:
jra: review+


Attachments
Patch for 3.2.x and above. (582 bytes, patch)
2009-05-21 19:25 UTC, Jeremy Allison
jra: review+
Details
Better patch for 3.2 and 3.3 that covers all possible cases. (2.31 KB, patch)
2009-05-21 20:06 UTC, Jeremy Allison
no flags Details
Real fix :-). (321 bytes, patch)
2009-05-21 20:34 UTC, Jeremy Allison
no flags Details
patch to ldb (854 bytes, patch)
2009-05-21 20:37 UTC, Simo Sorce
no flags Details
Groupdb mapping fix. (2.58 KB, patch)
2009-05-21 20:52 UTC, Jeremy Allison
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Jeremy Allison 2009-05-21 19:23:06 UTC
Reported by Andrew Porter <andy@defsdoor.org>:

Below is a log file of a panic that occurs on two different sites running
Debian Stable Samba 3.2.5.  The problem is triggered by Sophos Control
Centre doing it's hourly check for updates, and as SCC is running on a
user's PC in both cases causes problems for the user.  I've tried
everything and cannot figure it out - anyone got any pointers/ideas what to
do next ?

[2009/05/18 22:04:17,  5] rpc_server/srv_lsa_nt.c:lookup_lsa_rids(166)
 lookup_lsa_rids: looking up name \\REBECCA\EMLibrary Users
[2009/05/18 22:04:17, 10] passdb/lookup_sid.c:lookup_name(69)
lookup_name: \\REBECCA\EMLibrary Users =>  (domain), \REBECCA\EMLibrary
Users (name)
[2009/05/18 22:04:17, 10] passdb/lookup_sid.c:lookup_name(70)
 lookup_name: flags = 0x043
[2009/05/18 22:04:17,  5]
passdb/secrets.c:secrets_fetch_trusted_domain_password(644)
 secrets_fetch failed!
[2009/05/18 22:04:17,  3] smbd/sec_ctx.c:push_sec_ctx(224)
 push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 2
[2009/05/18 22:04:17,  3] smbd/uid.c:push_conn_ctx(357)
 push_conn_ctx(108) : conn_ctx_stack_ndx = 1
[2009/05/18 22:04:17,  3] smbd/sec_ctx.c:set_sec_ctx(324)
 setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2
[2009/05/18 22:04:17,  5] auth/token_util.c:debug_nt_user_token(464)
 NT user token: (NULL)
[2009/05/18 22:04:17,  5] auth/token_util.c:debug_unix_user_token(490)
 UNIX token of user 0
 Primary group is 0 and contains 0 supplementary groups
[2009/05/18 22:04:17,  5] passdb/pdb_tdb.c:tdbsam_getsampwnam(911)
 pdb_getsampwnam (TDB): error fetching database.
  Key: USER_\rebecca\emlibrary users
[2009/05/18 22:04:17,  3] smbd/sec_ctx.c:pop_sec_ctx(432)
 pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1
[2009/05/18 22:04:17,  3] smbd/sec_ctx.c:push_sec_ctx(224)
 push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 2
[2009/05/18 22:04:17,  3] smbd/uid.c:push_conn_ctx(357)
 push_conn_ctx(108) : conn_ctx_stack_ndx = 1
[2009/05/18 22:04:17,  3] smbd/sec_ctx.c:set_sec_ctx(324)
 setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2
[2009/05/18 22:04:17,  5] auth/token_util.c:debug_nt_user_token(464)
 NT user token: (NULL)
[2009/05/18 22:04:17,  5] auth/token_util.c:debug_unix_user_token(490)
 UNIX token of user 0
 Primary group is 0 and contains 0 supplementary groups
[2009/05/18 22:04:17,  0] lib/fault.c:fault_report(40)
 ===============================================================
[2009/05/18 22:04:17,  0] lib/fault.c:fault_report(41)
 INTERNAL ERROR: Signal 6 in pid 18208 (3.2.5)
 Please read the Trouble-Shooting section of the Samba3-HOWTO
[2009/05/18 22:04:17,  0] lib/fault.c:fault_report(43)
 From: http://www.samba.org/samba/docs/Samba3-HOWTO.pdf
[2009/05/18 22:04:17,  0] lib/fault.c:fault_report(44)
 ===============================================================
[2009/05/18 22:04:17,  0] lib/util.c:smb_panic(1663)
 PANIC (pid 18208): internal error
[2009/05/18 22:04:17,  0] lib/util.c:log_stack_trace(1767)
 BACKTRACE: 25 stack frames:
  #0 /usr/sbin/smbd(log_stack_trace+0x2d) [0x8201d24]
  #1 /usr/sbin/smbd(smb_panic+0x80) [0x8201e81]
  #2 /usr/sbin/smbd [0x81ecc73]
  #3 [0xb7f2c420]
  #4 /lib/i686/cmov/libc.so.6(abort+0x188) [0xb7b01018]
  #5 /usr/lib/libtalloc.so.1(_talloc_steal+0x175) [0xb7c3ab45]
  #6 /usr/sbin/smbd [0x823c49b]
  #7 /usr/sbin/smbd(pdb_default_getgrnam+0x90) [0x8238fdf]
  #8 /usr/sbin/smbd(pdb_getgrnam+0x26) [0x81b4250]
  #9 /usr/sbin/smbd(lookup_global_sam_name+0x1ad) [0x84a9ab1]
  #10 /usr/sbin/smbd(lookup_name+0x7b1) [0x81b956c]
  #11 /usr/sbin/smbd(_lsa_LookupNames+0x349) [0x84899d2]
  #12 /usr/sbin/smbd [0x81201f1]
  #13 /usr/sbin/smbd(api_rpcTNP+0x2b6) [0x818d229]
  #14 /usr/sbin/smbd(api_pipe_request+0x238) [0x818d821]
  #15 /usr/sbin/smbd [0x8186d85]
  #16 /usr/sbin/smbd(write_to_pipe+0x13d) [0x818530e]
  #17 /usr/sbin/smbd [0x841506e]
  #18 /usr/sbin/smbd [0x84157d5]
  #19 /usr/sbin/smbd(reply_trans+0x726) [0x84163c8]
  #20 /usr/sbin/smbd [0x80de096]
  #21 /usr/sbin/smbd(smbd_process+0x429) [0x80dfbe1]
  #22 /usr/sbin/smbd(main+0xfa2) [0x80a747f]
  #23 /lib/i686/cmov/libc.so.6(__libc_start_main+0xe5) [0xb7aea455]
  #24 /usr/sbin/smbd [0x80a4511]
[2009/05/18 22:04:17,  0] lib/util.c:smb_panic(1668)
 smb_panic(): calling panic action [/usr/share/samba/panic-action 18208]
Failed to read a valid object file image from memory.
[2009/05/18 22:04:17,  0] lib/util.c:smb_panic(1676)
 smb_panic(): action returned status 0
Comment 1 Jeremy Allison 2009-05-21 19:23:35 UTC
Jeremy Allison wrote:
> Attach to it with gdb and then type "bt" to get a full stack
> backtrace. This looks to me a bit like a null pointer indirection
> which we may have fixed in the current 3.2.x code in the git tree
> (but I can't promise that until I see the backtrace).
>
>
(gdb) bt
#0  0xb7fbc424 in __kernel_vsyscall ()
#1  0xb7c016f3 in waitpid () from /lib/i686/cmov/libc.so.6
#2  0xb7b9f46b in ?? () from /lib/i686/cmov/libc.so.6
#3  0xb7d8b4ad in system () from /lib/i686/cmov/libpthread.so.0
#4  0x08201ef9 in smb_panic ()
#5  0x081ecc73 in sig_fault ()
#6  <signal handler called>
#7  0xb7fbc424 in __kernel_vsyscall ()
#8  0xb7b91640 in raise () from /lib/i686/cmov/libc.so.6
#9  0xb7b93018 in abort () from /lib/i686/cmov/libc.so.6
#10 0xb7cccb45 in _talloc_steal () from /usr/lib/libtalloc.so.1
#11 0x0823c49b in get_group_map_from_ntname ()
#12 0x08238fdf in pdb_default_getgrnam ()
#13 0x081b4250 in pdb_getgrnam ()
#14 0x084a9ab1 in lookup_global_sam_name ()
#15 0x081b956c in lookup_name ()
#16 0x084899d2 in _lsa_LookupNames ()
#17 0x081201f1 in api_lsa_LookupNames ()
#18 0x0818d229 in api_rpcTNP ()
#19 0x0818d821 in api_pipe_request ()
#20 0x08186d85 in write_to_internal_pipe ()
#21 0x0818530e in write_to_pipe ()
#22 0x0841506e in api_fd_reply ()
#23 0x084157d5 in handle_trans ()
#24 0x084163c8 in reply_trans ()
#25 0x080de096 in switch_message ()
#26 0x080dfbe1 in smbd_process ()
#27 0x080a747f in main ()
Comment 2 Jeremy Allison 2009-05-21 19:25:27 UTC
Created attachment 4176 [details]
Patch for 3.2.x and above.

Reported by reviewer as having fixed the problem. I'm applying to 3.4 and master and I'll wait confirmation from the reviewer in his production environment for several hours.
Jeremy.
Comment 3 Andrew Bartlett 2009-05-21 19:50:09 UTC
I've revived the ldb code in master/source3 (and source4 for that matter), and I can't see how this can happen there.  There is a strict ABI guarantee in ldb_search() that if ret == LDB_SUCCESS, then res is a non-NULL valid pointer. 
Comment 4 Jeremy Allison 2009-05-21 20:01:21 UTC
This is 3.2 code, did you check there ?

Jeremy.
Comment 5 Jeremy Allison 2009-05-21 20:06:47 UTC
Created attachment 4177 [details]
Better patch for 3.2 and 3.3 that covers all possible cases.

This is a better patch. I'll mail to submitter.
Jeremy.
Comment 6 Jeremy Allison 2009-05-21 20:34:17 UTC
Created attachment 4178 [details]
Real fix :-).
Comment 7 Simo Sorce 2009-05-21 20:37:57 UTC
Created attachment 4179 [details]
patch to ldb

ok Jeremy beat me to it, but I'v got a real git formatted patch :-)
Comment 8 Jeremy Allison 2009-05-21 20:52:35 UTC
Created attachment 4180 [details]
Groupdb mapping fix.

Karolin, the two patches that should be applied to 3.2 are Simo's "patch to ldb" and this "Groupdb mapping fix."

Thanks,

Jeremy.
Comment 9 Jeremy Allison 2009-05-22 14:20:08 UTC
Reported fixed using these two patches:

Karolin these two fixes need applying to the 3.2.x tree.

Thanks,

Jeremy.

From: Andrew Porter <andy@defsdoor.org>
To: Jeremy Allison <jra@samba.org>
Subject: Re: [Samba] Samba Panic

Jeremy Allison wrote:
> If you revert to your pristine 3.2.5 source code and apply
> this patch I'm 100% certain the bug will die :-).
>

Patch installed and tested and no panics.  Everything else still seems to
be working ok also.

Job done I think.  Thank you very much ;)
Comment 10 Karolin Seeger 2009-05-23 14:09:44 UTC
Pushed both patches.
Couldn't find "Groupdb mapping fix" in master and .53de3b136edbb0b8e7c3a0293dce657cf732f1d2 is much shorter.
Please make sure that I didn't mess up anything... ;-)

Thanks!
Comment 11 Guenther Deschner 2009-08-06 19:24:00 UTC
Seems like we can close this one, right ?
Comment 12 Jeremy Allison 2009-08-06 19:45:04 UTC
Yep, this one looks finished :-).
Jeremy.