Bug 8567 - segfault in dom_sid_compare
Summary: segfault in dom_sid_compare
Status: RESOLVED FIXED
Alias: None
Product: Samba 3.6
Classification: Unclassified
Component: User & Group Accounts (show other bugs)
Version: 3.6.2
Hardware: x86 Linux
: P5 minor
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2011-11-02 22:25 UTC by Orion Poplawski
Modified: 2012-05-10 16:19 UTC (History)
2 users (show)

See Also:

Attachments
smb.conf (13.36 KB, application/octet-stream)
2011-11-02 22:25 UTC, Orion Poplawski 		no flags Details
core dump (221.97 KB, application/x-xz)
2012-02-07 02:16 UTC, Michael Cronenworth 		no flags Details
samba logs (42.82 KB, application/x-gzip)
2012-02-08 23:45 UTC, Orion Poplawski 		no flags Details
Patch for 3.6 (921 bytes, patch)
2012-02-19 11:54 UTC, Volker Lendecke 		bjacke: review+
Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Orion Poplawski 2011-11-02 22:25:09 UTC 
Created attachment 7056 [details]
smb.conf

I tried upgrading our EL5 samba PDC from 3.5.10 to 3.6.1 but smbd crashes with the following panic:

[2011/11/02 15:49:32.811693,  1] param/loadparm.c:7992(lp_do_parameter)
  WARNING: The "idmap uid" option is deprecated
[2011/11/02 15:49:32.811940,  1] param/loadparm.c:7992(lp_do_parameter)
  WARNING: The "idmap gid" option is deprecated
[2011/11/02 15:49:34.183393,  0] lib/fault.c:47(fault_report)
  ===============================================================
[2011/11/02 15:49:34.184173,  0] lib/fault.c:48(fault_report)
  INTERNAL ERROR: Signal 11 in pid 6788 (3.6.1)
  Please read the Trouble-Shooting section of the Samba3-HOWTO
[2011/11/02 15:49:34.184625,  0] lib/fault.c:50(fault_report)
  
  From: http://www.samba.org/samba/docs/Samba3-HOWTO.pdf
[2011/11/02 15:49:34.185078,  0] lib/fault.c:51(fault_report)
  ===============================================================
[2011/11/02 15:49:34.185388,  0] lib/util.c:1117(smb_panic)
  PANIC (pid 6788): internal error
[2011/11/02 15:49:34.190731,  0] lib/util.c:1221(log_stack_trace)
  BACKTRACE: 13 stack frames:
   #0 smbd(log_stack_trace+0x2d) [0x84531d]
   #1 smbd(smb_panic+0x31) [0x845421]
   #2 smbd [0x834076]
   #3 [0x12d420]
   #4 smbd(dom_sid_compare+0x4b) [0x877c0b]
   #5 smbd(add_sid_to_array_unique+0x46) [0x879c86]
   #6 smbd(create_token_from_username+0x51b) [0x8a73cb]
   #7 smbd(create_local_token+0x89) [0x8a4d19]
   #8 smbd(make_serverinfo_from_username+0x9b) [0x8a52cb]
   #9 smbd(init_system_info+0x8f) [0x8a53cf]
   #10 smbd(main+0x82b) [0xb06c4b]
   #11 /lib/libc.so.6(__libc_start_main+0xdc) [0xe9be9c]
   #12 smbd [0x4bb8c1]
[2011/11/02 15:49:34.192642,  0] lib/fault.c:372(dump_core)
  dumping core in /var/log/samba/cores/smbd

gdb session:
(gdb) bt
#0  0x0012d402 in __kernel_vsyscall ()
#1  0x00eaedf0 in raise () from /lib/libc.so.6
#2  0x00eb0701 in abort () from /lib/libc.so.6
#3  0x00833a0c in dump_core () at lib/fault.c:391
#4  0x00845437 in smb_panic (why=0xc5d38e "internal error") at lib/util.c:1133
#5  0x00834076 in fault_report (sig=11) at lib/fault.c:53
#6  sig_fault (sig=11) at lib/fault.c:76
#7  <signal handler called>
#8  0x00877c0b in dom_sid_compare (sid1=0xbfdee670, sid2=0x8440010)
    at ../libcli/security/dom_sid.c:69
#9  0x00879c86 in add_sid_to_array_unique (mem_ctx=0x8418a98, sid=0xbfdee670, sids=0xbfdee664, 
    num_sids=0xbfdee660) at ../libcli/security/util_sid.c:318
#10 0x008a73cb in create_token_from_username (mem_ctx=0x84193b0, username=0x8418c98 "root", 
    is_guest=false, uid=0x84193b4, gid=0x84193b8, found_username=0x8419468, token=0x84193c4)
    at auth/token_util.c:776
#11 0x008a4d19 in create_local_token (server_info=0x84193b0) at auth/auth_util.c:460
#12 0x008a52cb in make_serverinfo_from_username (mem_ctx=0x0, username=0x8417b88 "root", 
    is_guest=false, presult=0xda8634) at auth/auth_util.c:834
#13 0x008a53cf in make_new_session_info_system () at auth/auth_util.c:782
#14 init_system_info () at auth/auth_util.c:945
#15 0x00b06c4b in main (argc=Cannot access memory at address 0x0
) at smbd/server.c:1220
(gdb) up 8
#8  0x00877c0b in dom_sid_compare (sid1=0xbfdee670, sid2=0x8440010)
    at ../libcli/security/dom_sid.c:69
69              if (sid1->num_auths != sid2->num_auths)
(gdb) list
64                      return -1;
65              if (!sid2)
66                      return 1;
67
68              /* Compare most likely different rids, first: i.e start at end */
69              if (sid1->num_auths != sid2->num_auths)
70                      return sid1->num_auths - sid2->num_auths;
71
72              for (i = sid1->num_auths-1; i >= 0; --i)
73                      if (sid1->sub_auths[i] != sid2->sub_auths[i])
(gdb) print sid1
$1 = (const struct dom_sid *) 0xbfdee670
(gdb) print sid2
$2 = (const struct dom_sid *) 0x8440010
(gdb) print *sid1
$3 = {sid_rev_num = 1 '\001', num_auths = 2 '\002', id_auth = "\000\000\000\000\000\026", 
  sub_auths = {2, 0 <repeats 14 times>}}
(gdb) print *sid2
Cannot access memory at address 0x8440010
(gdb) up
#9  0x00879c86 in add_sid_to_array_unique (mem_ctx=0x8418a98, sid=0xbfdee670, sids=0xbfdee664, 
    num_sids=0xbfdee660) at ../libcli/security/util_sid.c:318
318                     if (dom_sid_compare(sid, &(*sids)[i]) == 0)
(gdb) print i
$4 = 2236
(gdb) list
313                                      struct dom_sid **sids, uint32_t *num_sids)
314     {
315             uint32_t i;
316
317             for (i=0; i<(*num_sids); i++) {
318                     if (dom_sid_compare(sid, &(*sids)[i]) == 0)
319                             return NT_STATUS_OK;
320             }
321
322             return add_sid_to_array(mem_ctx, sid, sids, num_sids);
(gdb) print *num_sids
$7 = 138514344
(gdb) up
#10 0x008a73cb in create_token_from_username (mem_ctx=0x84193b0, username=0x8418c98 "root", 
    is_guest=false, uid=0x84193b4, gid=0x84193b8, found_username=0x8419468, token=0x84193c4)
    at auth/token_util.c:776
776                     result = add_sid_to_array_unique(tmp_ctx, &unix_group_sid,
(gdb) list
771                     if ( lp_idmap_gid(&low, &high) && (gids[i] >= low) && (gids[i] <= high) )
772                             continue;
773
774                     gid_to_unix_groups_sid(gids[i], &unix_group_sid);
775
776                     result = add_sid_to_array_unique(tmp_ctx, &unix_group_sid,
777                                                      &group_sids, &num_group_sids);
778                     if (!NT_STATUS_IS_OK(result)) {
779                             goto done;
780                     }
(gdb) print num_group_sids
$8 = 138514344
(gdb) print unix_group_sid
$11 = {sid_rev_num = 1 '\001', num_auths = 2 '\002', id_auth = "\000\000\000\000\000\026", 
  sub_auths = {2, 0 <repeats 14 times>}}

That seems like a few too many group_sids.  Hmm, I think I'll try commenting out the idmap entries.
Comment 1 Orion Poplawski 2011-11-02 22:28:03 UTC 
Commenting out the idmap lines did not help.
Comment 2 Orion Poplawski 2011-11-02 22:34:59 UTC 
(gdb) print high
$18 = 138514344
(gdb) print low
$19 = 16630080
Comment 3 Orion Poplawski 2012-01-26 18:41:14 UTC 
Still present in 3.6.2
Comment 4 Michael Cronenworth 2012-02-07 02:16:07 UTC 
Created attachment 7299 [details]
core dump

I think I have the same problem. I have attached a core dump.

I had to go back to Samba 3.5 to have a working environment.
Comment 5 Volker Lendecke 2012-02-07 06:55:53 UTC 
Can someone on the CC list send a full debug level 10 log leading to this happening? Please set "max log size = 0" to get us the full logs. Thanks.
Comment 6 Orion Poplawski 2012-02-08 23:45:43 UTC 
Created attachment 7310 [details]
samba logs

Here are the samba logs from startup to crash
Comment 7 Volker Lendecke 2012-02-19 11:54:50 UTC 
Created attachment 7331 [details]
Patch for 3.6

Can you try the attached patch please? The underlying problem is that you have ldapsam:trusted=yes but no group mapping for root in your database. This patch makes smbd hopefully abort more gracefully and not crash.
Comment 8 Michael Cronenworth 2012-02-19 20:48:04 UTC 
(In reply to comment #7)
> The underlying problem is that you have
> ldapsam:trusted=yes but no group mapping for root in your database.

If this is the problem I do not understand your sentence. I have a root account in LDAP. UID=0. GID=0. It is also a member of the "Domain Admins" group. What else am I missing?
Comment 9 Volker Lendecke 2012-02-20 06:05:39 UTC 
(In reply to comment #8)
> (In reply to comment #7)
> > The underlying problem is that you have
> > ldapsam:trusted=yes but no group mapping for root in your database.
> 
> If this is the problem I do not understand your sentence. I have a root account
> in LDAP. UID=0. GID=0. It is also a member of the "Domain Admins" group. What
> else am I missing?

You need a sambaGroupMapping entry attached to the posixGroup with gidNumber 0.
Comment 10 Michael Cronenworth 2012-02-20 07:03:30 UTC 
(In reply to comment #9)
> You need a sambaGroupMapping entry attached to the posixGroup with gidNumber 0.

Thank you. Adding the entry did stop the crash and Samba 3.6 seems to be working properly. I have studied the Samba man pages and did not find this requirement documented. Should it?
Comment 11 Volker Lendecke 2012-02-20 08:37:10 UTC 
Well, it's a requirement of ldapsam:trusted=yes, which I think is more properly documented somewhere on the wiki.

Regarding the patch: Can you verify that without that sambaGroupMapping entry smbd does not segfault anymore, but more gracefully shuts down?

Thanks
Comment 12 Orion Poplawski 2012-02-20 17:13:09 UTC 
Hmm, I'm not finding a lot in the docs/wiki that directly address this issue.  I think it may have come up for me because I've moved away from using "root" as the domain admin login in favor of a "winadmin" user.

With the patch I get the following on startup (with log level 1):

[2012/02/20 10:05:42.504228,  1] auth/server_info.c:452(samu_to_SamInfo3)
  Failed to get groups from sam account.
[2012/02/20 10:05:42.504608,  1] smbd/server.c:1229(main)
  ERROR: failed to setup system user info: NT_STATUS_INTERNAL_DB_CORRUPTION.

Not sure how much more useful that is.

I ended up adding the following to ldap:

dn: cn=root,ou=Groups,dc=nwra,dc=com
sambaSID: S-1-5-21-2426356435-4251213716-997332971-1001
sambaGroupType: 2
gidNumber: 0
objectClass: top
objectClass: groupOfUniqueNames
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: root

which allowed it to start up.
Comment 13 Björn Jacke 2012-02-20 19:59:13 UTC 
and can you please also verify, that the patch that Volker created for you stops your crashes?
Comment 14 Björn Jacke 2012-02-20 20:00:37 UTC 
sorry, overread that first part in your previous comment... :-)
Comment 15 Björn Jacke 2012-02-21 08:17:59 UTC 
Comment on attachment 7331 [details]
Patch for 3.6

looks good
Comment 16 Björn Jacke 2012-02-21 08:19:07 UTC 
Karo, can you get this to 3.6, please ?
Comment 17 Karolin Seeger 2012-02-21 19:49:14 UTC 
Pushed to v3-6-test.
Closing out bug report.

Thanks!