Bug 8567 - segfault in dom_sid_compare
Status: RESOLVED FIXED
Product: Samba 3.6
Classification: Unclassified
Component: User & Group Accounts
Version: 3.6.2
Hardware: x86 Linux
Importance: P5 minor
Target Milestone: ---
Assigned To: Karolin Seeger
QA Contact: Samba QA Contact
Reported: 2011-11-02 22:25 UTC by Orion Poplawski
Modified: 2012-05-10 16:19 UTC
CC: 2 users


Attachments
smb.conf (13.36 KB, application/octet-stream), 2011-11-02 22:25 UTC, Orion Poplawski
core dump (221.97 KB, application/x-xz), 2012-02-07 02:16 UTC, Michael Cronenworth
samba logs (42.82 KB, application/x-gzip), 2012-02-08 23:45 UTC, Orion Poplawski
Patch for 3.6 (921 bytes, patch), 2012-02-19 11:54 UTC, Volker Lendecke, flags: bjacke: review+

Description Orion Poplawski 2011-11-02 22:25:09 UTC
Created attachment 7056
smb.conf

I tried upgrading our EL5 samba PDC from 3.5.10 to 3.6.1 but smbd crashes with the following panic:

[2011/11/02 15:49:32.811693,  1] param/loadparm.c:7992(lp_do_parameter)
  WARNING: The "idmap uid" option is deprecated
[2011/11/02 15:49:32.811940,  1] param/loadparm.c:7992(lp_do_parameter)
  WARNING: The "idmap gid" option is deprecated
[2011/11/02 15:49:34.183393,  0] lib/fault.c:47(fault_report)
  ===============================================================
[2011/11/02 15:49:34.184173,  0] lib/fault.c:48(fault_report)
  INTERNAL ERROR: Signal 11 in pid 6788 (3.6.1)
  Please read the Trouble-Shooting section of the Samba3-HOWTO
[2011/11/02 15:49:34.184625,  0] lib/fault.c:50(fault_report)
  
  From: http://www.samba.org/samba/docs/Samba3-HOWTO.pdf
[2011/11/02 15:49:34.185078,  0] lib/fault.c:51(fault_report)
  ===============================================================
[2011/11/02 15:49:34.185388,  0] lib/util.c:1117(smb_panic)
  PANIC (pid 6788): internal error
[2011/11/02 15:49:34.190731,  0] lib/util.c:1221(log_stack_trace)
  BACKTRACE: 13 stack frames:
   #0 smbd(log_stack_trace+0x2d) [0x84531d]
   #1 smbd(smb_panic+0x31) [0x845421]
   #2 smbd [0x834076]
   #3 [0x12d420]
   #4 smbd(dom_sid_compare+0x4b) [0x877c0b]
   #5 smbd(add_sid_to_array_unique+0x46) [0x879c86]
   #6 smbd(create_token_from_username+0x51b) [0x8a73cb]
   #7 smbd(create_local_token+0x89) [0x8a4d19]
   #8 smbd(make_serverinfo_from_username+0x9b) [0x8a52cb]
   #9 smbd(init_system_info+0x8f) [0x8a53cf]
   #10 smbd(main+0x82b) [0xb06c4b]
   #11 /lib/libc.so.6(__libc_start_main+0xdc) [0xe9be9c]
   #12 smbd [0x4bb8c1]
[2011/11/02 15:49:34.192642,  0] lib/fault.c:372(dump_core)
  dumping core in /var/log/samba/cores/smbd

gdb session:
(gdb) bt
#0  0x0012d402 in __kernel_vsyscall ()
#1  0x00eaedf0 in raise () from /lib/libc.so.6
#2  0x00eb0701 in abort () from /lib/libc.so.6
#3  0x00833a0c in dump_core () at lib/fault.c:391
#4  0x00845437 in smb_panic (why=0xc5d38e "internal error") at lib/util.c:1133
#5  0x00834076 in fault_report (sig=11) at lib/fault.c:53
#6  sig_fault (sig=11) at lib/fault.c:76
#7  <signal handler called>
#8  0x00877c0b in dom_sid_compare (sid1=0xbfdee670, sid2=0x8440010)
    at ../libcli/security/dom_sid.c:69
#9  0x00879c86 in add_sid_to_array_unique (mem_ctx=0x8418a98, sid=0xbfdee670, sids=0xbfdee664, 
    num_sids=0xbfdee660) at ../libcli/security/util_sid.c:318
#10 0x008a73cb in create_token_from_username (mem_ctx=0x84193b0, username=0x8418c98 "root", 
    is_guest=false, uid=0x84193b4, gid=0x84193b8, found_username=0x8419468, token=0x84193c4)
    at auth/token_util.c:776
#11 0x008a4d19 in create_local_token (server_info=0x84193b0) at auth/auth_util.c:460
#12 0x008a52cb in make_serverinfo_from_username (mem_ctx=0x0, username=0x8417b88 "root", 
    is_guest=false, presult=0xda8634) at auth/auth_util.c:834
#13 0x008a53cf in make_new_session_info_system () at auth/auth_util.c:782
#14 init_system_info () at auth/auth_util.c:945
#15 0x00b06c4b in main (argc=Cannot access memory at address 0x0
) at smbd/server.c:1220
(gdb) up 8
#8  0x00877c0b in dom_sid_compare (sid1=0xbfdee670, sid2=0x8440010)
    at ../libcli/security/dom_sid.c:69
69              if (sid1->num_auths != sid2->num_auths)
(gdb) list
64                      return -1;
65              if (!sid2)
66                      return 1;
67
68              /* Compare most likely different rids, first: i.e start at end */
69              if (sid1->num_auths != sid2->num_auths)
70                      return sid1->num_auths - sid2->num_auths;
71
72              for (i = sid1->num_auths-1; i >= 0; --i)
73                      if (sid1->sub_auths[i] != sid2->sub_auths[i])
(gdb) print sid1
$1 = (const struct dom_sid *) 0xbfdee670
(gdb) print sid2
$2 = (const struct dom_sid *) 0x8440010
(gdb) print *sid1
$3 = {sid_rev_num = 1 '\001', num_auths = 2 '\002', id_auth = "\000\000\000\000\000\026", 
  sub_auths = {2, 0 <repeats 14 times>}}
(gdb) print *sid2
Cannot access memory at address 0x8440010
(gdb) up
#9  0x00879c86 in add_sid_to_array_unique (mem_ctx=0x8418a98, sid=0xbfdee670, sids=0xbfdee664, 
    num_sids=0xbfdee660) at ../libcli/security/util_sid.c:318
318                     if (dom_sid_compare(sid, &(*sids)[i]) == 0)
(gdb) print i
$4 = 2236
(gdb) list
313                                      struct dom_sid **sids, uint32_t *num_sids)
314     {
315             uint32_t i;
316
317             for (i=0; i<(*num_sids); i++) {
318                     if (dom_sid_compare(sid, &(*sids)[i]) == 0)
319                             return NT_STATUS_OK;
320             }
321
322             return add_sid_to_array(mem_ctx, sid, sids, num_sids);
(gdb) print *num_sids
$7 = 138514344
(gdb) up
#10 0x008a73cb in create_token_from_username (mem_ctx=0x84193b0, username=0x8418c98 "root", 
    is_guest=false, uid=0x84193b4, gid=0x84193b8, found_username=0x8419468, token=0x84193c4)
    at auth/token_util.c:776
776                     result = add_sid_to_array_unique(tmp_ctx, &unix_group_sid,
(gdb) list
771                     if ( lp_idmap_gid(&low, &high) && (gids[i] >= low) && (gids[i] <= high) )
772                             continue;
773
774                     gid_to_unix_groups_sid(gids[i], &unix_group_sid);
775
776                     result = add_sid_to_array_unique(tmp_ctx, &unix_group_sid,
777                                                      &group_sids, &num_group_sids);
778                     if (!NT_STATUS_IS_OK(result)) {
779                             goto done;
780                     }
(gdb) print num_group_sids
$8 = 138514344
(gdb) print unix_group_sid
$11 = {sid_rev_num = 1 '\001', num_auths = 2 '\002', id_auth = "\000\000\000\000\000\026", 
  sub_auths = {2, 0 <repeats 14 times>}}

That seems like a few too many group_sids.  Hmm, I think I'll try commenting out the idmap entries.
Comment 1 Orion Poplawski 2011-11-02 22:28:03 UTC
Commenting out the idmap lines did not help.
Comment 2 Orion Poplawski 2011-11-02 22:34:59 UTC
(gdb) print high
$18 = 138514344
(gdb) print low
$19 = 16630080
Comment 3 Orion Poplawski 2012-01-26 18:41:14 UTC
Still present in 3.6.2
Comment 4 Michael Cronenworth 2012-02-07 02:16:07 UTC
Created attachment 7299
core dump

I think I have the same problem. I have attached a core dump.

I had to go back to Samba 3.5 to have a working environment.
Comment 5 Volker Lendecke 2012-02-07 06:55:53 UTC
Can someone on the CC list send a full debug level 10 log leading to this happening? Please set "max log size = 0" to get us the full logs. Thanks.
Comment 6 Orion Poplawski 2012-02-08 23:45:43 UTC
Created attachment 7310
samba logs

Here are the samba logs from startup to crash
Comment 7 Volker Lendecke 2012-02-19 11:54:50 UTC
Created attachment 7331
Patch for 3.6

Can you try the attached patch please? The underlying problem is that you have ldapsam:trusted=yes but no group mapping for root in your database. This patch makes smbd hopefully abort more gracefully and not crash.
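The failure mode behind this report, as an added example in C (this is not Samba code and not the attached patch; the group-mapping table, the `enum_group_memberships` stand-in and the `STATUS_*` values are this example's own assumptions). The backtrace above shows `add_sid_to_array_unique` looping with `num_sids == 138514344` and `dom_sid_compare` dereferencing an unmapped address: the group lookup for a gid with no `sambaGroupMapping` failed, nothing propagated the failure, and the loop walked a count that was never initialized. The code reproduces the `add_sid_to_array_unique` loop and the `S-1-22-2-<gid>` SID gdb printed, then shows the safe caller shape: zero the output pair before anything can fail, and return an error when the membership lookup fails rather than continuing into the loop.

```c
/* Added example, not Samba code. Models the crash on this page: a failed
 * group lookup is ignored and add_sid_to_array_unique() then walks an
 * uninitialized (sids, num_sids) pair. create_unix_group_token() shows the
 * safe shape: zero outputs first, fail closed when the lookup fails. */
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Stand-ins for NTSTATUS; these names are this example's, not Samba's. */
enum { STATUS_OK = 0, STATUS_DB_CORRUPTION = 1, STATUS_NO_MEMORY = 2 };

/* Layout matching what gdb printed above: 15 sub-authorities. */
struct dom_sid {
    uint8_t  sid_rev_num;
    int8_t   num_auths;
    uint8_t  id_auth[6];
    uint32_t sub_auths[15];
};

/* Same ordering as libcli/security/dom_sid.c: compare RIDs from the end. */
static int dom_sid_compare(const struct dom_sid *sid1, const struct dom_sid *sid2)
{
    int i;
    if (sid1 == sid2) return 0;
    if (!sid1) return -1;
    if (!sid2) return 1;
    if (sid1->num_auths != sid2->num_auths)
        return sid1->num_auths - sid2->num_auths;
    for (i = sid1->num_auths - 1; i >= 0; --i)
        if (sid1->sub_auths[i] != sid2->sub_auths[i])
            return (int)sid1->sub_auths[i] - (int)sid2->sub_auths[i];
    if (sid1->sid_rev_num != sid2->sid_rev_num)
        return sid1->sid_rev_num - sid2->sid_rev_num;
    return memcmp(sid1->id_auth, sid2->id_auth, sizeof(sid1->id_auth));
}

static bool add_sid_to_array(const struct dom_sid *sid, struct dom_sid **sids, uint32_t *num_sids)
{
    struct dom_sid *tmp = realloc(*sids, (*num_sids + 1) * sizeof(**sids));
    if (tmp == NULL) return false;
    *sids = tmp;
    (*sids)[*num_sids] = *sid;
    (*num_sids)++;
    return true;
}

/* The loop from util_sid.c:317: every element below *num_sids is dereferenced,
 * so a garbage count (138514344 in the report) is an out-of-bounds read. */
static bool add_sid_to_array_unique(const struct dom_sid *sid, struct dom_sid **sids, uint32_t *num_sids)
{
    uint32_t i;
    for (i = 0; i < *num_sids; i++)
        if (dom_sid_compare(sid, &(*sids)[i]) == 0)
            return true;
    return add_sid_to_array(sid, sids, num_sids);
}

/* S-1-22-2-<gid>: the unix-groups SID gdb showed (id_auth 22, sub_auths {2, gid}). */
static void gid_to_unix_groups_sid(uint32_t gid, struct dom_sid *sid)
{
    memset(sid, 0, sizeof(*sid));
    sid->sid_rev_num = 1;
    sid->num_auths = 2;
    sid->id_auth[5] = 22;
    sid->sub_auths[0] = 2;
    sid->sub_auths[1] = gid;
}

/* Hypothetical stand-in for the LDAP data: gids that carry a sambaGroupMapping.
 * gid 0 (root) is deliberately absent, as in the reporter's directory. */
static const uint32_t mapped_gids[] = { 100, 513, 1001 };

static bool gid_is_mapped(uint32_t gid)
{
    size_t i;
    for (i = 0; i < sizeof(mapped_gids) / sizeof(mapped_gids[0]); i++)
        if (mapped_gids[i] == gid) return true;
    return false;
}

/* Hypothetical membership lookup: fails when the primary gid has no mapping and
 * leaves *gids/*ngids untouched, which is when an uninitialized caller goes wrong. */
static bool enum_group_memberships(uint32_t primary_gid, const uint32_t *supp, uint32_t nsupp,
                                   uint32_t **gids, uint32_t *ngids)
{
    if (!gid_is_mapped(primary_gid)) return false;
    *gids = malloc((nsupp + 1) * sizeof(uint32_t));
    if (*gids == NULL) return false;
    (*gids)[0] = primary_gid;
    if (nsupp) memcpy(*gids + 1, supp, nsupp * sizeof(uint32_t));
    *ngids = nsupp + 1;
    return true;
}

/* Safe shape of the token_util.c loop: outputs zeroed before anything can fail,
 * and a failed lookup returns an error instead of iterating over garbage. */
int create_unix_group_token(uint32_t primary_gid, const uint32_t *supp, uint32_t nsupp,
                            struct dom_sid **group_sids, uint32_t *num_group_sids)
{
    uint32_t *gids = NULL, ngids = 0, i;
    *group_sids = NULL;
    *num_group_sids = 0;

    if (!enum_group_memberships(primary_gid, supp, nsupp, &gids, &ngids))
        return STATUS_DB_CORRUPTION;   /* fail closed, as the patched smbd does */

    for (i = 0; i < ngids; i++) {
        struct dom_sid unix_group_sid;
        gid_to_unix_groups_sid(gids[i], &unix_group_sid);
        if (!add_sid_to_array_unique(&unix_group_sid, group_sids, num_group_sids)) {
            free(gids);
            free(*group_sids);
            *group_sids = NULL;
            *num_group_sids = 0;
            return STATUS_NO_MEMORY;
        }
    }
    free(gids);
    return STATUS_OK;
}
```

With a mapped primary gid the token is built and duplicate gids collapse to one SID; with gid 0 unmapped the function returns `STATUS_DB_CORRUPTION` with an empty, NULL output, which is the graceful shutdown the patch aims for rather than a signal 11 in `dom_sid_compare`.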
Comment 8 Michael Cronenworth 2012-02-19 20:48:04 UTC
(In reply to comment #7)
> The underlying problem is that you have
> ldapsam:trusted=yes but no group mapping for root in your database.

If this is the problem I do not understand your sentence. I have a root account in LDAP. UID=0. GID=0. It is also a member of the "Domain Admins" group. What else am I missing?
Comment 9 Volker Lendecke 2012-02-20 06:05:39 UTC
(In reply to comment #8)
> (In reply to comment #7)
> > The underlying problem is that you have
> > ldapsam:trusted=yes but no group mapping for root in your database.
> 
> If this is the problem I do not understand your sentence. I have a root account
> in LDAP. UID=0. GID=0. It is also a member of the "Domain Admins" group. What
> else am I missing?

You need a sambaGroupMapping entry attached to the posixGroup with gidNumber 0.
Comment 10 Michael Cronenworth 2012-02-20 07:03:30 UTC
(In reply to comment #9)
> You need a sambaGroupMapping entry attached to the posixGroup with gidNumber 0.

Thank you. Adding the entry did stop the crash and Samba 3.6 seems to be working properly. I have studied the Samba man pages and did not find this requirement documented. Should it?
Comment 11 Volker Lendecke 2012-02-20 08:37:10 UTC
Well, it's a requirement of ldapsam:trusted=yes, which I think is more properly documented somewhere on the wiki.

Regarding the patch: Can you verify that without that sambaGroupMapping entry smbd does not segfault anymore, but more gracefully shuts down?

Thanks
Comment 12 Orion Poplawski 2012-02-20 17:13:09 UTC
Hmm, I'm not finding a lot in the docs/wiki that directly address this issue.  I think it may have come up for me because I've moved away from using "root" as the domain admin login in favor of a "winadmin" user.

With the patch I get the following on startup (with log level 1):

[2012/02/20 10:05:42.504228,  1] auth/server_info.c:452(samu_to_SamInfo3)
  Failed to get groups from sam account.
[2012/02/20 10:05:42.504608,  1] smbd/server.c:1229(main)
  ERROR: failed to setup system user info: NT_STATUS_INTERNAL_DB_CORRUPTION.

Not sure how much more useful that is.

I ended up adding the following to ldap:

dn: cn=root,ou=Groups,dc=nwra,dc=com
sambaSID: S-1-5-21-2426356435-4251213716-997332971-1001
sambaGroupType: 2
gidNumber: 0
objectClass: top
objectClass: groupOfUniqueNames
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: root

which allowed it to start up.
Comment 13 Björn Jacke 2012-02-20 19:59:13 UTC
and can you please also verify, that the patch that Volker created for you stops your crashes?
Comment 14 Björn Jacke 2012-02-20 20:00:37 UTC
sorry, overread that first part in your previous comment... :-)
Comment 15 Björn Jacke 2012-02-21 08:17:59 UTC
Comment on attachment 7331
Patch for 3.6

looks good
Comment 16 Björn Jacke 2012-02-21 08:19:07 UTC
Karo, can you get this to 3.6, please?
Comment 17 Karolin Seeger 2012-02-21 19:49:14 UTC
Pushed to v3-6-test.
Closing out bug report.

Thanks!