Bug 8314 - smbd crash with unknown user
Summary: smbd crash with unknown user
Alias: None
Product: Samba 3.6
Classification: Unclassified
Component: File services (show other bugs)
Version: 3.6.0rc2
Hardware: All All
: P5 major
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
Depends on:
Reported: 2011-07-22 10:44 UTC by Christian Ambach
Modified: 2012-03-24 16:24 UTC (History)
1 user (show)

See Also:

git-am fix for 3.6.0rc3. (1.65 KB, patch)
2011-07-22 23:45 UTC, Jeremy Allison
ambi: review+
patch for v3-5-test (1.73 KB, patch)
2012-02-16 13:20 UTC, Guenther Deschner
ambi: review+

Note You need to log in before you can comment on or make changes to this bug.
Description Christian Ambach 2011-07-22 10:44:53 UTC
Trying to connect to Samba with security=share (yes, I know it is deprecated, but the setting is still available) and using a username that is unknown to the server makes smbd crash

Last logs:
[2011/07/22 12:42:28.484570, 10, pid=20560] auth/auth_sam.c:75(auth_samstrict_auth)
  Check auth for: [ambi]
[2011/07/22 12:42:28.484638,  8, pid=20560] lib/util.c:1520(is_myname)
  is_myname("TERRA") returns 1
[2011/07/22 12:42:28.484714,  4, pid=20560] smbd/sec_ctx.c:214(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2011/07/22 12:42:28.484796,  4, pid=20560] smbd/uid.c:460(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2011/07/22 12:42:28.484865,  4, pid=20560] smbd/sec_ctx.c:314(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2011/07/22 12:42:28.484933,  5, pid=20560] ../libcli/security/security_token.c:53(security_token_debug)
  Security token: (NULL)
[2011/07/22 12:42:28.485001,  5, pid=20560] auth/token_util.c:527(debug_unix_user_token)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2011/07/22 12:42:28.485488,  5, pid=20560] passdb/pdb_tdb.c:562(tdbsam_getsampwnam)
  pdb_getsampwnam (TDB): error fetching database.
   Key: USER_ambi
[2011/07/22 12:42:28.485608,  4, pid=20560] smbd/sec_ctx.c:422(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2011/07/22 12:42:28.485678,  3, pid=20560] auth/check_samsec.c:399(check_sam_security)
  check_sam_security: Couldn't find user 'ambi' in passdb.
[2011/07/22 12:42:28.485749,  5, pid=20560] auth/auth.c:271(check_ntlm_password)
  check_ntlm_password: sam authentication for user [ambi] FAILED with error NT_STATUS_NO_SUCH_USER
[2011/07/22 12:42:28.485852,  0, pid=20560] ../lib/util/debug.c:413(talloc_log_fn)
  auth/auth_server.c:281: Type mismatch: name[NULL] expected[struct server_security_state]
[2011/07/22 12:42:28.485934,  0, pid=20560] lib/util.c:1110(smb_panic)
  smb_panic: clobber_region() last called from [tdbsam_getsampwnam(545)]
[2011/07/22 12:42:28.486042,  0, pid=20560] lib/util.c:1116(smb_panic)
  PANIC (pid 20560): auth/auth_server.c:281: Type mismatch: name[NULL] expected[struct server_security_state]

(gdb) bt
#0  0x00007fd702d9a64e in waitpid () from /lib64/libc.so.6
#1  0x00007fd702d2d769 in do_system () from /lib64/libc.so.6
#2  0x00007fd705e1262b in smb_panic (why=0x7fd706f7e920 "auth/auth_server.c:281: Type mismatch: name[NULL] expected[struct server_security_state]")
    at lib/util.c:1122
#3  0x00007fd7036c1df9 in talloc_abort (reason=0x7fd706f7e920 "auth/auth_server.c:281: Type mismatch: name[NULL] expected[struct server_security_state]")
    at ../lib/talloc/talloc.c:320
#4  0x00007fd7036c3846 in talloc_abort_type_missmatch (location=0x7fd7063ebf6a "auth/auth_server.c:281", name=0x0, 
    expected=0x7fd7063ebd25 "struct server_security_state") at ../lib/talloc/talloc.c:1192
#5  0x00007fd7036c3881 in _talloc_get_type_abort (ptr=0x0, name=0x7fd7063ebd25 "struct server_security_state", 
    location=0x7fd7063ebf6a "auth/auth_server.c:281") at ../lib/talloc/talloc.c:1200
#6  0x00007fd705e860e2 in check_smbserver_security (auth_context=0x7fd706f9fa50, my_private_data=0x0, mem_ctx=0x7fd706f96a90, user_info=0x7fd706f88c40, 
    server_info=0x7fd706f7faa8) at auth/auth_server.c:280
#7  0x00007fd705e81a08 in check_ntlm_password (auth_context=0x7fd706f9fa50, user_info=0x7fd706f88c40, server_info=0x7fd706f7faa8) at auth/auth.c:255
#8  0x00007fd705e93647 in auth_ntlmssp_check_password (ntlmssp_state=0x7fd706f8a4b0, mem_ctx=0x7fd706f80050, user_session_key=0x7fd706f80050, 
    lm_session_key=0x7fd706f80060) at auth/auth_ntlmssp.c:146
#9  0x00007fd705b02361 in ntlmssp_server_auth (ntlmssp_state=0x7fd706f8a4b0, out_mem_ctx=0x7fd706f8a4b0, in=..., out=0x7fff87985660)
    at ../libcli/auth/ntlmssp_server.c:566
#10 0x00007fd705af0e10 in ntlmssp_update (ntlmssp_state=0x7fd706f8a4b0, input=..., out=0x7fff87985660) at libsmb/ntlmssp.c:269
#11 0x00007fd705af299b in auth_ntlmssp_update (ans=0x7fd706f7faa0, request=..., reply=0x7fff87985660) at libsmb/ntlmssp_wrap.c:154
#12 0x00007fd705a17078 in reply_spnego_auth (req=0x7fd706fa90d0, vuid=100, blob1=..., auth_ntlmssp_state=0x7fd706f93490) at smbd/sesssetup.c:799
#13 0x00007fd705a181b4 in reply_sesssetup_and_X_spnego (req=0x7fd706fa90d0) at smbd/sesssetup.c:1192
#14 0x00007fd705a1895b in reply_sesssetup_and_X (req=0x7fd706fa90d0) at smbd/sesssetup.c:1354
#15 0x00007fd705a68353 in switch_message (type=115 's', req=0x7fd706fa90d0, size=260) at smbd/process.c:1573
#16 0x00007fd705a68504 in construct_reply (sconn=0x7fd706f765d0, inbuf=0x0, size=260, unread_bytes=0, seqnum=0, encrypted=false, deferred_pcd=0x0)
    at smbd/process.c:1609
#17 0x00007fd705a6884a in process_smb (sconn=0x7fd706f765d0, inbuf=0x7fd706fa8f70 "", nread=260, unread_bytes=0, seqnum=0, encrypted=false, 
    deferred_pcd=0x0) at smbd/process.c:1687
#18 0x00007fd705a6a02e in smbd_server_connection_read_handler (conn=0x7fd706f765d0, fd=25) at smbd/process.c:2307
#19 0x00007fd705a6a0a4 in smbd_server_connection_handler (ev=0x7fd706f76510, fde=0x7fd706f9a4f0, flags=1, private_data=0x7fd706f765d0)
    at smbd/process.c:2324
#20 0x00007fd705e25a56 in run_events_poll (ev=0x7fd706f76510, pollrtn=1, pfds=0x7fd706f968c0, num_pfds=2) at lib/events.c:282
#21 0x00007fd705a67812 in smbd_server_connection_loop_once (conn=0x7fd706f765d0) at smbd/process.c:1016
#22 0x00007fd705a6c913 in smbd_process (sconn=0x7fd706f765d0) at smbd/process.c:3153
#23 0x00007fd70624bd87 in smbd_accept_connection (ev=0x7fd706f76510, fde=0x7fd706f94e50, flags=1, private_data=0x7fd706f9b1b0) at smbd/server.c:505
#24 0x00007fd705e25a56 in run_events_poll (ev=0x7fd706f76510, pollrtn=1, pfds=0x7fd706f8f6e0, num_pfds=5) at lib/events.c:282
#25 0x00007fd705e25cf1 in s3_event_loop_once (ev=0x7fd706f76510, location=0x7fd70649001c "smbd/server.c:838") at lib/events.c:345
#26 0x00007fd705e26e2b in _tevent_loop_once (ev=0x7fd706f76510, location=0x7fd70649001c "smbd/server.c:838") at ../lib/tevent/tevent.c:494
#27 0x00007fd70624cad5 in smbd_parent_loop (parent=0x7fd706f8f770) at smbd/server.c:838
#28 0x00007fd70624db7c in main (argc=1, argv=0x7fff87986698) at smbd/server.c:1320
Comment 1 Jeremy Allison 2011-07-22 19:26:41 UTC
NB. This is with "security=server", not "security=share".

Comment 2 Christian Ambach 2011-07-22 19:31:05 UTC
Ups, you are right my bad :(

security=user works (reports NT_STATUS_LOGON_FAILURE), security=server crashes
Comment 3 Jeremy Allison 2011-07-22 21:30:26 UTC
One more question - does the user exist on the server that is acting as the "password server =" target, and if so did you log on using a valid password for that user, or does the user simply not exist on both Samba server and password server ?

Comment 4 Christian Ambach 2011-07-22 21:51:25 UTC
I do not have a password server set.
The user exists in /etc/passwd, but it was not added as Samba user.
But the crash also happens when trying to connect as a user that is not in /etc/passwd.

e.g. smbclient -U thisuserdoesnotexist%secret -L //localhost

# cat lib/smb.conf
	netbios name = TERRA 
	workgroup = WORKGROUP
	security = server 

	debug pid = yes 
	debug level = 10

	winbind max domain connections = 5

	client NTLMv2 auth = yes

	max protocol= smb2

	 path = /data

	path = /data/ambi/share
	writeable = yes
Comment 5 Jeremy Allison 2011-07-22 22:09:00 UTC
I can't seem to reproduce this with a build from the latest v3-6-test - current top revision of bdc078a81e49bce3b51560a75984e0306c387573.

Comment 6 Jeremy Allison 2011-07-22 22:42:32 UTC
I can't reproduce this with either a smbclient or Windows7 client. Did you "make clean" before doing the build ?

Comment 7 Jeremy Allison 2011-07-22 23:07:51 UTC
Christian, can you arrange some time to work with me interactively on this over IRC please, as it 's a blocker for rc3.

Comment 8 Jeremy Allison 2011-07-22 23:32:34 UTC
Finally reproduced it !
Expect a patch shortly.

Comment 9 Jeremy Allison 2011-07-22 23:45:30 UTC
Created attachment 6712 [details]
git-am fix for 3.6.0rc3.

Fairly obvious patch I've already committed to master. Christian please review and test and I'll re-assign to Karolin once you've ok'ed it.

Comment 10 Christian Ambach 2011-07-23 19:10:43 UTC
Comment on attachment 6712 [details]
git-am fix for 3.6.0rc3.

With the patch, the crash does no longer happen.

However, I think the debug log might be misleading as there is no password server in the configuration, so which server is not connected? Or does it want to say that there is no password server in the config?

But as this is a debug 10 log, users will usually not see it and the patch is good to go into 3-6-test
Comment 11 Jeremy Allison 2011-07-25 17:32:33 UTC
Re-assigning to Karolin for inclusion in 3.6.0rc3.

Comment 12 Karolin Seeger 2011-07-26 19:23:28 UTC
Pushed to v3-6-test.
Closing out bug report.

Comment 13 Guenther Deschner 2012-02-15 13:41:52 UTC
This is an issue for 3.5.x as well.
Comment 14 Guenther Deschner 2012-02-16 13:20:58 UTC
Created attachment 7327 [details]
patch for v3-5-test
Comment 15 Karolin Seeger 2012-02-21 19:45:06 UTC
Re-assigning to Ambi for patch review.
Comment 16 Christian Ambach 2012-03-23 14:53:27 UTC
Comment on attachment 7327 [details]
patch for v3-5-test

fixes the problem in v3-5-test
Comment 17 Christian Ambach 2012-03-23 14:54:33 UTC
Karolin, please pick for 3.5.next
Comment 18 Karolin Seeger 2012-03-24 16:24:57 UTC
Pushed to v3-5-test.
Closing out bug report.