I was trying to use the ntlm_auth utility on Samba 3.4.x (onwards) as an authentication proxy. It seems the "gss-spnego" helper protocol dumps core every time I send the initial command "YR".

#0 0x00002aaaaca7a065 in raise () from /lib64/libc.so.6
#1 0x00002aaaaca7bb00 in abort () from /lib64/libc.so.6
#2 0x00002aaaac42891f in talloc_abort () from /var/home/root/samba340/libtalloc.so.1
#3 0x00002aaaac428936 in talloc_abort_unknown_value () from /var/home/root/samba340/libtalloc.so.1
#4 0x00002aaaac42bfd7 in talloc_free () from /var/home/root/samba340/libtalloc.so.1
#5 0x00005555555bced4 in free_spnego_data () from /var/home/root/samba340/ntlm_auth
#6 0x00005555555a3962 in manage_gss_spnego_request (state=<value optimized out>, buf=<value optimized out>, length=<value optimized out>) at utils/ntlm_auth.c:1099
#7 0x00005555555a827b in main (argc=<value optimized out>, argv=<value optimized out>) at utils/ntlm_auth.c:2198

Samba 3.3.x (and prior) releases respond with a proper "TT xxx". I think the problem is that "free_spnego_data" started using talloc_free() from Samba 3.4.x onwards. But ntlm_auth allocates mechTypes using malloc() and then calls "free_spnego_data", which dumps core while checking the magic number.
Created attachment 5544: Proposed patch. Hi there. This patch seems to fix the issue for me. Could you check whether it solves your issue as well?
Thanks Kai Blin. Works for me too.
Obvious fix - spnego_free_data inside ../libcli/auth/spnego_parse.c uses talloc_free on these values. Pushing to master (and I'll investigate for 3.5.2 and 3.4.8). Jeremy.
Kai's patch applies cleanly to 3.5.2, but not 3.4.8. New fix to follow. Jeremy.
Created attachment 5550: git-am fix for 3.4.8. Kai, please review, then re-assign to Karolin for inclusion in 3.5.2 and 3.4.8. Thanks, Jeremy.
Comment on attachment 5550 (git-am fix for 3.4.8): Looks good to me.
Karolin, please pick these patches for the next 3.5 and 3.4 releases.
Pushed to v3-5-test and v3-4-test. Closing out bug report. Thanks!