Reported by Andrew Porter <andy@defsdoor.org>: Below is a log file of a panic that occurs on two different sites running Debian Stable Samba 3.2.5. The problem is triggered by Sophos Control Centre doing it's hourly check for updates, and as SCC is running on a user's PC in both cases causes problems for the user. I've tried everything and cannot figure it out - anyone got any pointers/ideas what to do next ? [2009/05/18 22:04:17, 5] rpc_server/srv_lsa_nt.c:lookup_lsa_rids(166) lookup_lsa_rids: looking up name \\REBECCA\EMLibrary Users [2009/05/18 22:04:17, 10] passdb/lookup_sid.c:lookup_name(69) lookup_name: \\REBECCA\EMLibrary Users => (domain), \REBECCA\EMLibrary Users (name) [2009/05/18 22:04:17, 10] passdb/lookup_sid.c:lookup_name(70) lookup_name: flags = 0x043 [2009/05/18 22:04:17, 5] passdb/secrets.c:secrets_fetch_trusted_domain_password(644) secrets_fetch failed! [2009/05/18 22:04:17, 3] smbd/sec_ctx.c:push_sec_ctx(224) push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 2 [2009/05/18 22:04:17, 3] smbd/uid.c:push_conn_ctx(357) push_conn_ctx(108) : conn_ctx_stack_ndx = 1 [2009/05/18 22:04:17, 3] smbd/sec_ctx.c:set_sec_ctx(324) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2 [2009/05/18 22:04:17, 5] auth/token_util.c:debug_nt_user_token(464) NT user token: (NULL) [2009/05/18 22:04:17, 5] auth/token_util.c:debug_unix_user_token(490) UNIX token of user 0 Primary group is 0 and contains 0 supplementary groups [2009/05/18 22:04:17, 5] passdb/pdb_tdb.c:tdbsam_getsampwnam(911) pdb_getsampwnam (TDB): error fetching database. Key: USER_\rebecca\emlibrary users [2009/05/18 22:04:17, 3] smbd/sec_ctx.c:pop_sec_ctx(432) pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1 [2009/05/18 22:04:17, 3] smbd/sec_ctx.c:push_sec_ctx(224) push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 2 [2009/05/18 22:04:17, 3] smbd/uid.c:push_conn_ctx(357) push_conn_ctx(108) : conn_ctx_stack_ndx = 1 [2009/05/18 22:04:17, 3] smbd/sec_ctx.c:set_sec_ctx(324) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2 [2009/05/18 22:04:17, 5] auth/token_util.c:debug_nt_user_token(464) NT user token: (NULL) [2009/05/18 22:04:17, 5] auth/token_util.c:debug_unix_user_token(490) UNIX token of user 0 Primary group is 0 and contains 0 supplementary groups [2009/05/18 22:04:17, 0] lib/fault.c:fault_report(40) =============================================================== [2009/05/18 22:04:17, 0] lib/fault.c:fault_report(41) INTERNAL ERROR: Signal 6 in pid 18208 (3.2.5) Please read the Trouble-Shooting section of the Samba3-HOWTO [2009/05/18 22:04:17, 0] lib/fault.c:fault_report(43) From: http://www.samba.org/samba/docs/Samba3-HOWTO.pdf [2009/05/18 22:04:17, 0] lib/fault.c:fault_report(44) =============================================================== [2009/05/18 22:04:17, 0] lib/util.c:smb_panic(1663) PANIC (pid 18208): internal error [2009/05/18 22:04:17, 0] lib/util.c:log_stack_trace(1767) BACKTRACE: 25 stack frames: #0 /usr/sbin/smbd(log_stack_trace+0x2d) [0x8201d24] #1 /usr/sbin/smbd(smb_panic+0x80) [0x8201e81] #2 /usr/sbin/smbd [0x81ecc73] #3 [0xb7f2c420] #4 /lib/i686/cmov/libc.so.6(abort+0x188) [0xb7b01018] #5 /usr/lib/libtalloc.so.1(_talloc_steal+0x175) [0xb7c3ab45] #6 /usr/sbin/smbd [0x823c49b] #7 /usr/sbin/smbd(pdb_default_getgrnam+0x90) [0x8238fdf] #8 /usr/sbin/smbd(pdb_getgrnam+0x26) [0x81b4250] #9 /usr/sbin/smbd(lookup_global_sam_name+0x1ad) [0x84a9ab1] #10 /usr/sbin/smbd(lookup_name+0x7b1) [0x81b956c] #11 /usr/sbin/smbd(_lsa_LookupNames+0x349) [0x84899d2] #12 /usr/sbin/smbd [0x81201f1] #13 /usr/sbin/smbd(api_rpcTNP+0x2b6) [0x818d229] #14 /usr/sbin/smbd(api_pipe_request+0x238) [0x818d821] #15 /usr/sbin/smbd [0x8186d85] #16 /usr/sbin/smbd(write_to_pipe+0x13d) [0x818530e] #17 /usr/sbin/smbd [0x841506e] #18 /usr/sbin/smbd [0x84157d5] #19 /usr/sbin/smbd(reply_trans+0x726) [0x84163c8] #20 /usr/sbin/smbd [0x80de096] #21 /usr/sbin/smbd(smbd_process+0x429) [0x80dfbe1] #22 /usr/sbin/smbd(main+0xfa2) [0x80a747f] #23 /lib/i686/cmov/libc.so.6(__libc_start_main+0xe5) [0xb7aea455] #24 /usr/sbin/smbd [0x80a4511] [2009/05/18 22:04:17, 0] lib/util.c:smb_panic(1668) smb_panic(): calling panic action [/usr/share/samba/panic-action 18208] Failed to read a valid object file image from memory. [2009/05/18 22:04:17, 0] lib/util.c:smb_panic(1676) smb_panic(): action returned status 0
Jeremy Allison wrote: > Attach to it with gdb and then type "bt" to get a full stack > backtrace. This looks to me a bit like a null pointer indirection > which we may have fixed in the current 3.2.x code in the git tree > (but I can't promise that until I see the backtrace). > > (gdb) bt #0 0xb7fbc424 in __kernel_vsyscall () #1 0xb7c016f3 in waitpid () from /lib/i686/cmov/libc.so.6 #2 0xb7b9f46b in ?? () from /lib/i686/cmov/libc.so.6 #3 0xb7d8b4ad in system () from /lib/i686/cmov/libpthread.so.0 #4 0x08201ef9 in smb_panic () #5 0x081ecc73 in sig_fault () #6 <signal handler called> #7 0xb7fbc424 in __kernel_vsyscall () #8 0xb7b91640 in raise () from /lib/i686/cmov/libc.so.6 #9 0xb7b93018 in abort () from /lib/i686/cmov/libc.so.6 #10 0xb7cccb45 in _talloc_steal () from /usr/lib/libtalloc.so.1 #11 0x0823c49b in get_group_map_from_ntname () #12 0x08238fdf in pdb_default_getgrnam () #13 0x081b4250 in pdb_getgrnam () #14 0x084a9ab1 in lookup_global_sam_name () #15 0x081b956c in lookup_name () #16 0x084899d2 in _lsa_LookupNames () #17 0x081201f1 in api_lsa_LookupNames () #18 0x0818d229 in api_rpcTNP () #19 0x0818d821 in api_pipe_request () #20 0x08186d85 in write_to_internal_pipe () #21 0x0818530e in write_to_pipe () #22 0x0841506e in api_fd_reply () #23 0x084157d5 in handle_trans () #24 0x084163c8 in reply_trans () #25 0x080de096 in switch_message () #26 0x080dfbe1 in smbd_process () #27 0x080a747f in main ()
Created attachment 4176 [details] Patch for 3.2.x and above. Reported by reviewer as having fixed the problem. I'm applying to 3.4 and master and I'll wait confirmation from the reviewer in his production environment for several hours. Jeremy.
I've revived the ldb code in master/source3 (and source4 for that matter), and I can't see how this can happen there. There is a strict ABI guarantee in ldb_search() that if ret == LDB_SUCCESS, then res is a non-NULL valid pointer.
This is 3.2 code, did you check there ? Jeremy.
Created attachment 4177 [details] Better patch for 3.2 and 3.3 that covers all possible cases. This is a better patch. I'll mail to submitter. Jeremy.
Created attachment 4178 [details] Real fix :-).
Created attachment 4179 [details] patch to ldb ok Jeremy beat me to it, but I'v got a real git formatted patch :-)
Created attachment 4180 [details] Groupdb mapping fix. Karolin, the two patches that should be applied to 3.2 are Simo's "patch to ldb" and this "Groupdb mapping fix." Thanks, Jeremy.
Reported fixed using these two patches: Karolin these two fixes need applying to the 3.2.x tree. Thanks, Jeremy. From: Andrew Porter <andy@defsdoor.org> To: Jeremy Allison <jra@samba.org> Subject: Re: [Samba] Samba Panic Jeremy Allison wrote: > If you revert to your pristine 3.2.5 source code and apply > this patch I'm 100% certain the bug will die :-). > Patch installed and tested and no panics. Everything else still seems to be working ok also. Job done I think. Thank you very much ;)
Pushed both patches. Couldn't find "Groupdb mapping fix" in master and .53de3b136edbb0b8e7c3a0293dce657cf732f1d2 is much shorter. Please make sure that I didn't mess up anything... ;-) Thanks!
Seems like we can close this one, right ?
Yep, this one looks finished :-). Jeremy.