Using nss-pam-ldapd to query AD for users and groups. Winbind is used for ZFS ACL support. The search base for nss-pam-ldapd doesn't contain all groups found by Winbind. On first AUTH, groups not in the search base aren't translated to gids. On second AUTH, idmap cache entries for groups not within the search base return "-1" as the gid. Samba panics on Solaris's sys_setgroups, since "-1" isn't a valid gid. If I wait for the winbind idmap cache to time out, I can successfully connect. NGROUPS_MAX is set to 1024.

1st AUTH sys_setgroups:
----------------------------------------------------------------------
[2011/12/05 16:41:15.726412, 5] auth/token_util.c:527(debug_unix_user_token)
  UNIX token of user 161003
  Primary group is 513 and contains 21 supplementary groups
  Group[ 0]: 513
  Group[ 1]: 204410
  Group[ 2]: 204404
  Group[ 3]: 204405
  Group[ 4]: 204409
  Group[ 5]: 204423
  Group[ 6]: 210699
  Group[ 7]: 204407
  Group[ 8]: 204402
  Group[ 9]: 204406
  Group[ 10]: 204421
  Group[ 11]: 204408
  Group[ 12]: 204422
  Group[ 13]: 207880
  Group[ 14]: 204403
  Group[ 15]: 210698
  Group[ 16]: 188481
  Group[ 17]: 188482
  Group[ 18]: 1000000
  Group[ 19]: 1000001
  Group[ 20]: 1000002
----------------------------------------------------------------------

2nd AUTH sys_setgroups:
----------------------------------------------------------------------
[2011/12/05 16:42:10.025840, 5] auth/token_util.c:527(debug_unix_user_token)
  UNIX token of user 161003
  Primary group is 513 and contains 22 supplementary groups
  Group[ 0]: 513
  Group[ 1]: -1
  Group[ 2]: 204410
  Group[ 3]: 204404
  Group[ 4]: 204405
  Group[ 5]: 204409
  Group[ 6]: 204423
  Group[ 7]: 210699
  Group[ 8]: 204407
  Group[ 9]: 204402
  Group[ 10]: 204406
  Group[ 11]: 204421
  Group[ 12]: 204408
  Group[ 13]: 204422
  Group[ 14]: 207880
  Group[ 15]: 204403
  Group[ 16]: 210698
  Group[ 17]: 188481
  Group[ 18]: 188482
  Group[ 19]: 1000000
  Group[ 20]: 1000001
  Group[ 21]: 1000002
[2011/12/05 16:42:10.026556, 0] lib/util.c:1117(smb_panic)
  PANIC (pid 16169): sys_setgroups failed
[2011/12/05 16:42:10.027699, 0] lib/util.c:1221(log_stack_trace)
  BACKTRACE: 21 stack frames:
   #0 /usr/system/samba-3.6.1/sbin/smbd'log_stack_trace+0x2d [0x847bca1]
   #1 /usr/system/samba-3.6.1/sbin/smbd'smb_panic+0x7c [0x847bdf2]
   #2 /usr/system/samba-3.6.1/sbin/smbd'set_unix_security_ctx+0x126 [0x8197166]
   #3 /usr/system/samba-3.6.1/sbin/smbd'set_sec_ctx+0xdd [0x81975ae]
   #4 /usr/system/samba-3.6.1/sbin/smbd'change_to_user_internal+0x4e4 [0x81846ee]
   #5 /usr/system/samba-3.6.1/sbin/smbd'change_to_user+0x2cb [0x8184b87]
   #6 /usr/system/samba-3.6.1/sbin/smbd'make_connection_snum+0xfbe [0x81b098e]
   #7 /usr/system/samba-3.6.1/sbin/smbd'make_connection+0x69e [0x81b170d]
   #8 /usr/system/samba-3.6.1/sbin/smbd'reply_tcon_and_X+0x383 [0x815e1c4]
   #9 /usr/system/samba-3.6.1/sbin/smbd'switch_message+0x504 [0x81ac6c1]
   #10 /usr/system/samba-3.6.1/sbin/smbd'process_smb+0x255 [0x81ac927]
   #11 /usr/system/samba-3.6.1/sbin/smbd'smbd_server_connection_read_handler+0x1aa [0x81acc07]
   #12 /usr/system/samba-3.6.1/sbin/smbd'smbd_server_connection_handler+0x4a [0x81acc59]
   #13 /usr/system/samba-3.6.1/sbin/smbd'run_events_poll+0x44a [0x848c7e5]
   #14 /usr/system/samba-3.6.1/sbin/smbd'smbd_process+0xc77 [0x81ae694]
   #15 /usr/system/samba-3.6.1/sbin/smbd'smbd_accept_connection+0x38b [0x87475c8]
   #16 /usr/system/samba-3.6.1/sbin/smbd'run_events_poll+0x44a [0x848c7e5]
   #17 /usr/system/samba-3.6.1/sbin/smbd's3_event_loop_once+0x12e [0x848c940]
   #18 /usr/system/samba-3.6.1/sbin/smbd'_tevent_loop_once+0x9d [0x848d520]
   #19 /usr/system/samba-3.6.1/sbin/smbd'main+0x1821 [0x8748f2d]
   #20 /usr/system/samba-3.6.1/sbin/smbd'_start+0x83 [0x8127a13]
----------------------------------------------------------------------

Attached tar contains debug level 10 logs and smb.conf. I also tested this setup on a Linux host, and sys_setgroups doesn't panic with a gid of "-1" there. As a workaround I put a check in add_gid_to_array_unique. Should this be handled somewhere else? Please advise.
Created attachment 7159 [details] Logs and Config
I'm using Samba 3.6.3 on Solaris, and am facing a similar problem. My Samba is configured as a PDC (ldapsam) without idmap config in the smb.conf. If no winbindd is running, there is no problem. But if winbindd is running, smbd panics on a sys_setgroups() failure because the GID list contains -1. Negative GID values are invalid on Solaris.

This panic occurs in the following scenario: when smbd queries a GID for the SID S-1-5-32-546 (BUILTIN\Guests), winbindd returns the GID -1.

log.winbindd:
----------------------------------------------------------------------
[2012/03/24 18:11:10, 10, pid=4674, effective(0, 0), real(0, 0)] winbindd/winbindd_util.c:795(find_lookup_domain_from_sid)
  find_lookup_domain_from_sid(S-1-5-32-546)
[2012/03/24 18:11:10, 10, pid=4674, effective(0, 0), real(0, 0)] winbindd/winbindd_util.c:798(find_lookup_domain_from_sid)
  calling find_domain_from_sid
[2012/03/24 18:11:10, 1, pid=4674, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
  wbint_LookupSid: struct wbint_LookupSid
    in: struct wbint_LookupSid
      sid                      : *
        sid                      : S-1-5-32-546
[2012/03/24 18:11:10, 1, pid=4674, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
  wbint_Sids2UnixIDs: struct wbint_Sids2UnixIDs
    in: struct wbint_Sids2UnixIDs
      domains                  : *
        domains: struct lsa_RefDomainList
          count                    : 0x00000004 (4)
          domains                  : *
            domains: ARRAY(4)
              domains: struct lsa_DomainInfo
                name: struct lsa_StringLarge
                  length                   : 0x0016 (22)
                  size                     : 0x0018 (24)
                  string                   : *
                    string                   : 'FMYS-S10-S3'
                sid                      : *
                  sid                      : S-1-5-21-3288402307-2639237788-811577492
              domains: struct lsa_DomainInfo
                name: struct lsa_StringLarge
                  length                   : 0x0000 (0)
                  size                     : 0x0002 (2)
                  string                   : *
                    string                   : ''
                sid                      : *
                  sid                      : S-1-1
              domains: struct lsa_DomainInfo
                name: struct lsa_StringLarge
                  length                   : 0x0000 (0)
                  size                     : 0x0002 (2)
                  string                   : *
                    string                   : ''
                sid                      : *
                  sid                      : S-1-5
              domains: struct lsa_DomainInfo
                name: struct lsa_StringLarge
                  length                   : 0x000e (14)
                  size                     : 0x0010 (16)
                  string                   : *
                    string                   : 'BUILTIN'
                sid                      : *
                  sid                      : S-1-5-32
          max_size                 : 0x00000000 (0)
      ids                      : *
        ids: struct wbint_TransIDArray
          num_ids                  : 0x00000004 (4)
          ids: ARRAY(4)
            ids: struct wbint_TransID
              type                     : ID_TYPE_NOT_SPECIFIED (0)
              domain_index             : 0x00000000 (0)
              rid                      : 0x00000222 (546)
              unix_id                  : 0xffffffffffffffff (-1)
            ids: struct wbint_TransID
              type                     : ID_TYPE_NOT_SPECIFIED (0)
              domain_index             : 0x00000001 (1)
              rid                      : 0x00000000 (0)
              unix_id                  : 0xffffffffffffffff (-1)
            ids: struct wbint_TransID
              type                     : ID_TYPE_NOT_SPECIFIED (0)
              domain_index             : 0x00000002 (2)
              rid                      : 0x00000002 (2)
              unix_id                  : 0xffffffffffffffff (-1)
            ids: struct wbint_TransID
              type                     : ID_TYPE_GID (2)
              domain_index             : 0x00000003 (3)
              rid                      : 0x00000222 (546)
              unix_id                  : 0xffffffffffffffff (-1)
[2012/03/24 18:11:10, 1, pid=4674, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
  wbint_Sids2UnixIDs: struct wbint_Sids2UnixIDs
    out: struct wbint_Sids2UnixIDs
      ids                      : *
        ids: struct wbint_TransIDArray
          num_ids                  : 0x00000004 (4)
          ids: ARRAY(4)
            ids: struct wbint_TransID
              type                     : ID_TYPE_NOT_SPECIFIED (0)
              domain_index             : 0x00000000 (0)
              rid                      : 0x00000222 (546)
              unix_id                  : 0xffffffffffffffff (-1)
            ids: struct wbint_TransID
              type                     : ID_TYPE_NOT_SPECIFIED (0)
              domain_index             : 0x00000001 (1)
              rid                      : 0x00000000 (0)
              unix_id                  : 0xffffffffffffffff (-1)
            ids: struct wbint_TransID
              type                     : ID_TYPE_NOT_SPECIFIED (0)
              domain_index             : 0x00000002 (2)
              rid                      : 0x00000002 (2)
              unix_id                  : 0xffffffffffffffff (-1)
            ids: struct wbint_TransID
              type                     : ID_TYPE_GID (2)
              domain_index             : 0x00000003 (3)
              rid                      : 0x00000222 (546)
              unix_id                  : 0xffffffffffffffff (-1)
      result                   : NT_STATUS_OK
[2012/03/24 18:11:10, 10, pid=4674, effective(0, 0), real(0, 0)] lib/gencache.c:183(gencache_set_data_blob)
  Adding cache entry with key = IDMAP/SID2GID/S-1-5-32-546 and timeout = Sat Mar 24 18:13:10 2012 (120 seconds ahead)
----------------------------------------------------------------------

$ net cache list |grep IDMAP
Key: IDMAP/SID2GID/S-1-5-32-544	 Timeout: 18:15:01	 Value: -1
Key: IDMAP/SID2GID/S-1-5-32-546	 Timeout: 18:15:01	 Value: -1
Key: IDMAP/SID2GID/S-1-5-32-545	 Timeout: 18:15:01	 Value: -1

Next, smbd creates a local token (create_localtoken()) for "Domain Guest". It has the SID S-1-5-32-546 (BUILTIN\Guests) with the GID -1.

log.smbd:
----------------------------------------------------------------------
[2012/03/24 18:56:31, 10, pid=5227, effective(0, 0), real(0, 0)] ../libcli/security/security_token.c:63(security_token_debug)
  Security token SIDs (9):
    SID[ 0]: S-1-5-21-3288402307-2639237788-811577492-501
    SID[ 1]: S-1-5-21-3288402307-2639237788-811577492-514
    SID[ 2]: S-1-5-21-3288402307-2639237788-811577492-546
    SID[ 3]: S-1-1-0
    SID[ 4]: S-1-5-2
    SID[ 5]: S-1-5-32-546
    SID[ 6]: S-1-22-1-999
    SID[ 7]: S-1-22-2-514
    SID[ 8]: S-1-22-2-4294967295
   Privileges (0x 0):
   Rights (0x 0):
[2012/03/24 18:56:31, 10, pid=5227, effective(0, 0), real(0, 0)] auth/token_util.c:527(debug_unix_user_token)
  UNIX token of user 999
  Primary group is 514 and contains 2 supplementary groups
  Group[ 0]: 514
  Group[ 1]: -1
----------------------------------------------------------------------

Finally, when smbd becomes "Domain Guest", sys_setgroups() fails because the UNIX token has the invalid GID -1.

log.smbd (set_sec_ctx()):
----------------------------------------------------------------------
[2012/03/24 18:56:34, 4, pid=5229, effective(0, 0), real(0, 0)] smbd/sec_ctx.c:319(set_sec_ctx)
  setting sec ctx (999, 514) - sec_ctx_stack_ndx = 0
[2012/03/24 18:56:34, 5, pid=5229, effective(0, 0), real(0, 0)] ../libcli/security/security_token.c:63(security_token_debug)
  Security token SIDs (9):
    SID[ 0]: S-1-5-21-3288402307-2639237788-811577492-501
    SID[ 1]: S-1-5-21-3288402307-2639237788-811577492-514
    SID[ 2]: S-1-5-21-3288402307-2639237788-811577492-546
    SID[ 3]: S-1-1-0
    SID[ 4]: S-1-5-2
    SID[ 5]: S-1-5-32-546
    SID[ 6]: S-1-22-1-999
    SID[ 7]: S-1-22-2-514
    SID[ 8]: S-1-22-2-4294967295
   Privileges (0x 0):
   Rights (0x 0):
[2012/03/24 18:56:34, 5, pid=5229, effective(0, 0), real(0, 0)] auth/token_util.c:527(debug_unix_user_token)
  UNIX token of user 999
  Primary group is 514 and contains 2 supplementary groups
  Group[ 0]: 514
  Group[ 1]: -1
[2012/03/24 18:56:34, 0, pid=5229, effective(0, 0), real(0, 0)] smbd/sec_ctx.c:252(set_unix_security_ctx)
  WARNING: failed to sys_setgroups (2 groups) for UID 999: Invalid argument
[2012/03/24 18:56:34, 0, pid=5229, effective(0, 0), real(0, 0)] lib/util.c:1117(smb_panic)
  PANIC (pid 5229): sys_setgroups failed
[2012/03/24 18:56:34, 0, pid=5229, effective(0, 0), real(0, 0)] lib/util.c:1271(log_stack_trace)
  unable to produce a stack trace on this platform
[2012/03/24 18:56:34, 0, pid=5229, effective(0, 0), real(0, 0)] lib/fault.c:372(dump_core)
  dumping core in /opt/osstech/var/log/samba/cores/smbd
----------------------------------------------------------------------
(In reply to comment #2)
> Next, smbd creates a local token (create_localtoken()) for
> "Domain Guest". It has the SID S-1-5-32-546 (BUILTIN\Guests)
> with the GID -1.

s/create_localtoken/create_local_token/
Created attachment 7401 [details] patch to avoid sys_setgroups panic

I'm not sure if this patch is correct or not.
For those people trying to use Oracle's bundled samba for Solaris, which has just been updated to 3.6.x, you can work around this issue with LD_PRELOAD and a custom setgroups replacement. I'll attach it in a minute. For example:

  gcc -fpic -c setgroups_neg1.c
  gcc --shared -o setgroups_neg1.so setgroups_neg1.o
  cp setgroups_neg1.so /usr/lib/samba
  mv /usr/sbin/smbd /usr/sbin/smbd.orig

Then replace /usr/sbin/smbd with something like:

-----
#! /usr/bin/perl
# Wrapper: preload the setgroups replacement, then exec the real smbd
# under its original argv[0] with the caller's arguments.
$ENV{LD_PRELOAD} = '/usr/lib/samba/setgroups_neg1.so';
exec {'/usr/sbin/smbd.orig'} 'smbd', @ARGV
    or die "exec /usr/sbin/smbd.orig: $!\n";
-----

As an editorial, what kind of idiocy was it inside Oracle that led them to release a patch involving a major update from 3.5.x to 3.6.x to resolve the recent unauthenticated remote root exploit that was announced last month? On top of taking a *month* to release a fix (as opposed to the major Linux distributions that had a fix out the same *day*), what they released doesn't even work. I'd really have preferred *not* to need to test and vet a major samba upgrade as part of resolving a major security issue :(.
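Added example, in C, not taken from this bug or from attachment 7550 (which is not reproduced on the page) and not Samba's own code: one filter that drops the (gid_t)-1 entries winbind hands back for SIDs with no idmap mapping (comment 2's IDMAP/SID2GID/... = -1 entries, which end up as Group[ n]: -1 in the UNIX token), used in the two places this thread mentions: as a standalone check like the one the first comment put into add_gid_to_array_unique, and as the LD_PRELOAD setgroups replacement of the Oracle-Solaris workaround. The interposer is compiled only with -DSETGROUPS_PRELOAD; the function names, that macro, NO_MAPPING_GID and the sample group list (copied from the 2nd AUTH token in the first comment) are this example's own. Build as a preload library with `gcc -DSETGROUPS_PRELOAD -fpic -shared -o setgroups_neg1.so setgroups_neg1.c -ldl`, or without -D to get just the filter and the portable wrapper.

```c
/* setgroups_neg1.c (example, not the attachment): keep (gid_t)-1 out of the
 * list handed to setgroups(), which Solaris rejects with EINVAL. */
#define _GNU_SOURCE             /* RTLD_NEXT on glibc; harmless elsewhere */
#include <errno.h>
#include <grp.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#ifdef SETGROUPS_PRELOAD
#include <dlfcn.h>
#endif

/* What an unmapped SID (idmap cache value -1) becomes in the UNIX token. */
#define NO_MAPPING_GID ((gid_t)-1)

/* Copy src[0..n) to dst, skipping every NO_MAPPING_GID; returns the number
 * of entries kept. dst may alias src: the write index never passes the
 * read index, so filtering in place is safe. */
size_t drop_invalid_gids(const gid_t *src, size_t n, gid_t *dst)
{
    size_t kept = 0;
    for (size_t i = 0; i < n; i++) {
        if (src[i] == NO_MAPPING_GID)
            continue;
        dst[kept++] = src[i];
    }
    return kept;
}

/* 1 if the list would make a strict setgroups() (Solaris) fail, else 0. */
int has_invalid_gid(const gid_t *list, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (list[i] == NO_MAPPING_GID)
            return 1;
    return 0;
}

/* For code you can change (where the UNIX token is built): filter, then call
 * setgroups(). Returns setgroups()' result, -1/ENOMEM if the copy fails. */
int setgroups_filtered(const gid_t *list, size_t n)
{
    gid_t *clean = malloc((n ? n : 1) * sizeof *clean);
    if (clean == NULL) {
        errno = ENOMEM;
        return -1;
    }
    size_t kept = drop_invalid_gids(list, n, clean);
    int rc = setgroups(kept, clean);    /* count is int on Solaris, size_t on glibc */
    free(clean);
    return rc;
}

#ifdef SETGROUPS_PRELOAD
/* LD_PRELOAD interposer: same filter, forwarded to libc's setgroups() via
 * dlsym(RTLD_NEXT). Prototypes differ per platform, hence the #ifdef. */
#ifdef __sun
typedef int (*real_setgroups_fn)(int, const gid_t *);
int setgroups(int ngroups, const gid_t *grouplist)
#else
typedef int (*real_setgroups_fn)(size_t, const gid_t *);
int setgroups(size_t ngroups, const gid_t *grouplist)
#endif
{
    static real_setgroups_fn real_setgroups;
    if (real_setgroups == NULL) {
        real_setgroups = (real_setgroups_fn)dlsym(RTLD_NEXT, "setgroups");
        if (real_setgroups == NULL) {
            errno = ENOSYS;
            return -1;
        }
    }
    /* Degenerate calls go straight through so libc reports its own errors. */
    if (grouplist == NULL || (long)ngroups <= 0)
        return real_setgroups(ngroups, grouplist);
    size_t n = (size_t)ngroups;
    gid_t *clean = malloc(n * sizeof *clean);
    if (clean == NULL) {
        errno = ENOMEM;
        return -1;
    }
    size_t kept = drop_invalid_gids(grouplist, n, clean);
    int rc = real_setgroups(kept, clean);
    free(clean);
    return rc;
}
#endif

/* Constructed sample: the supplementary groups of the 2nd AUTH token in the
 * first comment, in the order smbd logged them (22 entries, one of them -1). */
static const gid_t second_auth_groups[] = {
    513, NO_MAPPING_GID, 204410, 204404, 204405, 204409, 204423, 210699,
    204407, 204402, 204406, 204421, 204408, 204422, 207880, 204403, 210698,
    188481, 188482, 1000000, 1000001, 1000002
};
#define SECOND_AUTH_COUNT (sizeof second_auth_groups / sizeof second_auth_groups[0])

/* Groups surviving the filter for that token: 21 of the 22. */
size_t second_auth_clean_count(void)
{
    gid_t tmp[SECOND_AUTH_COUNT];
    return drop_invalid_gids(second_auth_groups, SECOND_AUTH_COUNT, tmp);
}

int main(void)
{
    printf("%zu of %zu gids kept; list had an invalid gid: %d\n",
           second_auth_clean_count(), (size_t)SECOND_AUTH_COUNT,
           has_invalid_gid(second_auth_groups, SECOND_AUTH_COUNT));
    return 0;
}
```

Dropping the entry silently means the user loses whatever access that unmapped group would have granted, which is the safer failure mode than a crashed smbd; the durable fix is to stop -1 from entering the token in the first place, which is where the Samba patch in this bug (and bug 8952) operates.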
Created attachment 7550 [details] workaround for this bug with Oracle Solaris bundled samba
The reality is the fix should have been done in this bug. But it is done.

*** This bug has been marked as a duplicate of bug 8952 ***
Just to add some more keywords: http://wesunsolve.net/patch/id/119757-22 and http://wesunsolve.net/patch/id/119758-22 updated Samba to 3.6.4.