Bug 8646 - invalid group (-1) using idmap backend nss panics sys_setgroups on solaris
Status: RESOLVED DUPLICATE of bug 8952
Alias: None
Product: Samba 3.6
Classification: Unclassified
Component: Winbind
Version: 3.6.1
Hardware: x86 Solaris
Importance: P5 normal
Target Milestone: ---
Assignee: Michael Adam
QA Contact: Samba QA Contact
Reported: 2011-12-05 22:57 UTC by wmason
Modified: 2012-06-13 08:17 UTC
Attachments
Logs and Config (72.41 KB, application/octet-stream)
2011-12-05 23:01 UTC, wmason
patch to avoid sys_setgroups panic (820 bytes, patch)
2012-03-24 13:30 UTC, SATOH Fumiyasu
workaround for this bug with Oracle Solaris bundled samba (335 bytes, text/plain)
2012-05-10 22:22 UTC, Paul B. Henson

Description wmason 2011-12-05 22:57:08 UTC
Using nss-pam-ldapd to query AD for users and groups.  Winbind is used for ZFS ACL support.  The search base for nss-pam-ldapd doesn't contain all groups found by Winbind.  On first AUTH, groups not in the search base aren't translated to gids.  On second AUTH, idmap cache entries for groups not within the search base return "-1" as the gid.  Samba panics on Solaris's sys_setgroups, since "-1" isn't a valid gid.  If I wait for the winbind idmap cache to time out, I can successfully connect.  NGROUPS_MAX is set to 1024.

1st AUTH sys_setgroups:

[2011/12/05 16:41:15.726412,  5] auth/token_util.c:527(debug_unix_user_token)
  UNIX token of user 161003
  Primary group is 513 and contains 21 supplementary groups
  Group[  0]: 513
  Group[  1]: 204410
  Group[  2]: 204404
  Group[  3]: 204405
  Group[  4]: 204409
  Group[  5]: 204423
  Group[  6]: 210699
  Group[  7]: 204407
  Group[  8]: 204402
  Group[  9]: 204406
  Group[ 10]: 204421
  Group[ 11]: 204408
  Group[ 12]: 204422
  Group[ 13]: 207880
  Group[ 14]: 204403
  Group[ 15]: 210698
  Group[ 16]: 188481
  Group[ 17]: 188482
  Group[ 18]: 1000000
  Group[ 19]: 1000001
  Group[ 20]: 1000002

2nd AUTH sys_setgroups:

[2011/12/05 16:42:10.025840,  5] auth/token_util.c:527(debug_unix_user_token)
  UNIX token of user 161003
  Primary group is 513 and contains 22 supplementary groups
  Group[  0]: 513
  Group[  1]: -1
  Group[  2]: 204410
  Group[  3]: 204404
  Group[  4]: 204405
  Group[  5]: 204409
  Group[  6]: 204423
  Group[  7]: 210699
  Group[  8]: 204407
  Group[  9]: 204402
  Group[ 10]: 204406
  Group[ 11]: 204421
  Group[ 12]: 204408
  Group[ 13]: 204422
  Group[ 14]: 207880
  Group[ 15]: 204403
  Group[ 16]: 210698
  Group[ 17]: 188481
  Group[ 18]: 188482
  Group[ 19]: 1000000
  Group[ 20]: 1000001
  Group[ 21]: 1000002
[2011/12/05 16:42:10.026556,  0] lib/util.c:1117(smb_panic)
  PANIC (pid 16169): sys_setgroups failed
[2011/12/05 16:42:10.027699,  0] lib/util.c:1221(log_stack_trace)
  BACKTRACE: 21 stack frames:
   #0 /usr/system/samba-3.6.1/sbin/smbd'log_stack_trace+0x2d [0x847bca1]
   #1 /usr/system/samba-3.6.1/sbin/smbd'smb_panic+0x7c [0x847bdf2]
   #2 /usr/system/samba-3.6.1/sbin/smbd'set_unix_security_ctx+0x126 [0x8197166]
   #3 /usr/system/samba-3.6.1/sbin/smbd'set_sec_ctx+0xdd [0x81975ae]
   #4 /usr/system/samba-3.6.1/sbin/smbd'change_to_user_internal+0x4e4 [0x81846ee]
   #5 /usr/system/samba-3.6.1/sbin/smbd'change_to_user+0x2cb [0x8184b87]
   #6 /usr/system/samba-3.6.1/sbin/smbd'make_connection_snum+0xfbe [0x81b098e]
   #7 /usr/system/samba-3.6.1/sbin/smbd'make_connection+0x69e [0x81b170d]
   #8 /usr/system/samba-3.6.1/sbin/smbd'reply_tcon_and_X+0x383 [0x815e1c4]
   #9 /usr/system/samba-3.6.1/sbin/smbd'switch_message+0x504 [0x81ac6c1]
   #10 /usr/system/samba-3.6.1/sbin/smbd'process_smb+0x255 [0x81ac927]
   #11 /usr/system/samba-3.6.1/sbin/smbd'smbd_server_connection_read_handler+0x1aa [0x81acc07]
   #12 /usr/system/samba-3.6.1/sbin/smbd'smbd_server_connection_handler+0x4a [0x81acc59]
   #13 /usr/system/samba-3.6.1/sbin/smbd'run_events_poll+0x44a [0x848c7e5]
   #14 /usr/system/samba-3.6.1/sbin/smbd'smbd_process+0xc77 [0x81ae694]
   #15 /usr/system/samba-3.6.1/sbin/smbd'smbd_accept_connection+0x38b [0x87475c8]
   #16 /usr/system/samba-3.6.1/sbin/smbd'run_events_poll+0x44a [0x848c7e5]
   #17 /usr/system/samba-3.6.1/sbin/smbd's3_event_loop_once+0x12e [0x848c940]
   #18 /usr/system/samba-3.6.1/sbin/smbd'_tevent_loop_once+0x9d [0x848d520]
   #19 /usr/system/samba-3.6.1/sbin/smbd'main+0x1821 [0x8748f2d]
   #20 /usr/system/samba-3.6.1/sbin/smbd'_start+0x83 [0x8127a13]

Attached tar contains debug level 10 logs and smb.conf.  I also tested this setup on a Linux host and sys_setgroups doesn't panic with a gid of "-1".  As a workaround I put a check in add_gid_to_array_unique.  Should this be handled somewhere else?  Please advise.
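
Added example, not part of the original report and not Samba source: one way to keep the unmapped sentinel out of a supplementary-group list before it reaches setgroups(), in the spirit of the check the reporter describes. The helper names and the sample array are hypothetical, with the sample constructed from gid values in the logs above. Dropping the entry means the user simply does not get that group, rather than the process aborting.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>

/* The idmap cache value "-1" as a gid_t. Where gid_t is an unsigned
 * 32-bit type this is 4294967295. */
#define GID_UNMAPPED ((gid_t)-1)

/* Hypothetical helper: append gid unless it is the sentinel, already
 * present, or the list is full. Returns true if it was added. */
static bool add_valid_gid_unique(gid_t gid, gid_t *list, size_t cap,
                                 size_t *count)
{
    if (gid == GID_UNMAPPED)
        return false;              /* unmapped SID: never pass to setgroups() */
    for (size_t i = 0; i < *count; i++)
        if (list[i] == gid)
            return false;          /* duplicate */
    if (*count >= cap)
        return false;              /* caller's buffer is full */
    list[(*count)++] = gid;
    return true;
}

/* Copy the idmap results in mapped[] to out[], keeping only usable gids.
 * Returns how many were kept; *skipped counts dropped sentinel entries. */
size_t build_group_list(const gid_t *mapped, size_t n, gid_t *out,
                        size_t cap, size_t *skipped)
{
    size_t count = 0;
    *skipped = 0;
    for (size_t i = 0; i < n; i++) {
        if (mapped[i] == GID_UNMAPPED)
            (*skipped)++;          /* worth logging: which SID had no mapping */
        add_valid_gid_unique(mapped[i], out, cap, &count);
    }
    return count;
}

/* Constructed sample: primary group, one unmapped entry, a repeat of the
 * primary group, and one more mapped group. */
size_t demo_token(gid_t *out, size_t cap, size_t *skipped)
{
    static const gid_t mapped[] = { 514, GID_UNMAPPED, 514, 1000000 };
    return build_group_list(mapped, sizeof(mapped) / sizeof(mapped[0]),
                            out, cap, skipped);
}

int main(void)
{
    gid_t groups[8];
    size_t skipped;
    size_t n = demo_token(groups, 8, &skipped);
    printf("kept %zu gids, skipped %zu unmapped\n", n, skipped);
    return 0;
}
```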
Comment 1 wmason 2011-12-05 23:01:13 UTC
Created attachment 7159 [details]
Logs and Config
Comment 2 SATOH Fumiyasu 2012-03-24 13:15:19 UTC
----------------------------------------------------------------------
I'm using Samba 3.6.3 on Solaris, and am facing a similar
problem.

My Samba is configured as a PDC (ldapsam) without idmap config
in the smb.conf. If no winbindd is running, it's no problem.
But if winbindd is running, smbd panics on a sys_setgroups()
failure because the GID list contains -1. Negative GID values are
invalid on Solaris.

This panic occurs in the following scenario:

When smbd queries a GID for the SID S-1-5-32-546 (BUILTIN\Guests),
winbindd returns the GID -1.

log.winbindd:
----------------------------------------------------------------------
[2012/03/24 18:11:10, 10, pid=4674, effective(0, 0), real(0, 0)] winbindd/winbindd_util.c:795(find_lookup_domain_from_sid)
  find_lookup_domain_from_sid(S-1-5-32-546)
[2012/03/24 18:11:10, 10, pid=4674, effective(0, 0), real(0, 0)] winbindd/winbindd_util.c:798(find_lookup_domain_from_sid)
  calling find_domain_from_sid
[2012/03/24 18:11:10,  1, pid=4674, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
       wbint_LookupSid: struct wbint_LookupSid
          in: struct wbint_LookupSid
              sid                      : *
                  sid                      : S-1-5-32-546
[2012/03/24 18:11:10,  1, pid=4674, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
       wbint_Sids2UnixIDs: struct wbint_Sids2UnixIDs
          in: struct wbint_Sids2UnixIDs
              domains                  : *
                  domains: struct lsa_RefDomainList
                      count                    : 0x00000004 (4)
                      domains                  : *
                          domains: ARRAY(4)
                              domains: struct lsa_DomainInfo
                                  name: struct lsa_StringLarge
                                      length                   : 0x0016 (22)
                                      size                     : 0x0018 (24)
                                      string                   : *
                                          string                   : 'FMYS-S10-S3'
                                  sid                      : *
                                      sid                      : S-1-5-21-3288402307-2639237788-811577492
                              domains: struct lsa_DomainInfo
                                  name: struct lsa_StringLarge
                                      length                   : 0x0000 (0)
                                      size                     : 0x0002 (2)
                                      string                   : *
                                          string                   : ''
                                  sid                      : *
                                      sid                      : S-1-1
                              domains: struct lsa_DomainInfo
                                  name: struct lsa_StringLarge
                                      length                   : 0x0000 (0)
                                      size                     : 0x0002 (2)
                                      string                   : *
                                          string                   : ''
                                  sid                      : *
                                      sid                      : S-1-5
                              domains: struct lsa_DomainInfo
                                  name: struct lsa_StringLarge
                                      length                   : 0x000e (14)
                                      size                     : 0x0010 (16)
                                      string                   : *
                                          string                   : 'BUILTIN'
                                  sid                      : *
                                      sid                      : S-1-5-32
                      max_size                 : 0x00000000 (0)
              ids                      : *
                  ids: struct wbint_TransIDArray
                      num_ids                  : 0x00000004 (4)
                      ids: ARRAY(4)
                          ids: struct wbint_TransID
                              type                     : ID_TYPE_NOT_SPECIFIED (0)
                              domain_index             : 0x00000000 (0)
                              rid                      : 0x00000222 (546)
                              unix_id                  : 0xffffffffffffffff (-1)
                          ids: struct wbint_TransID
                              type                     : ID_TYPE_NOT_SPECIFIED (0)
                              domain_index             : 0x00000001 (1)
                              rid                      : 0x00000000 (0)
                              unix_id                  : 0xffffffffffffffff (-1)
                          ids: struct wbint_TransID
                              type                     : ID_TYPE_NOT_SPECIFIED (0)
                              domain_index             : 0x00000002 (2)
                              rid                      : 0x00000002 (2)
                              unix_id                  : 0xffffffffffffffff (-1)
                          ids: struct wbint_TransID
                              type                     : ID_TYPE_GID (2)
                              domain_index             : 0x00000003 (3)
                              rid                      : 0x00000222 (546)
                              unix_id                  : 0xffffffffffffffff (-1)
[2012/03/24 18:11:10,  1, pid=4674, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
       wbint_Sids2UnixIDs: struct wbint_Sids2UnixIDs
          out: struct wbint_Sids2UnixIDs
              ids                      : *
                  ids: struct wbint_TransIDArray
                      num_ids                  : 0x00000004 (4)
                      ids: ARRAY(4)
                          ids: struct wbint_TransID
                              type                     : ID_TYPE_NOT_SPECIFIED (0)
                              domain_index             : 0x00000000 (0)
                              rid                      : 0x00000222 (546)
                              unix_id                  : 0xffffffffffffffff (-1)
                          ids: struct wbint_TransID
                              type                     : ID_TYPE_NOT_SPECIFIED (0)
                              domain_index             : 0x00000001 (1)
                              rid                      : 0x00000000 (0)
                              unix_id                  : 0xffffffffffffffff (-1)
                          ids: struct wbint_TransID
                              type                     : ID_TYPE_NOT_SPECIFIED (0)
                              domain_index             : 0x00000002 (2)
                              rid                      : 0x00000002 (2)
                              unix_id                  : 0xffffffffffffffff (-1)
                          ids: struct wbint_TransID
                              type                     : ID_TYPE_GID (2)
                              domain_index             : 0x00000003 (3)
                              rid                      : 0x00000222 (546)
                              unix_id                  : 0xffffffffffffffff (-1)
              result                   : NT_STATUS_OK
[2012/03/24 18:11:10, 10, pid=4674, effective(0, 0), real(0, 0)] lib/gencache.c:183(gencache_set_data_blob)
  Adding cache entry with key = IDMAP/SID2GID/S-1-5-32-546 and timeout = Sat Mar 24 18:13:10 2012
   (120 seconds ahead)
----------------------------------------------------------------------

$ net cache list |grep IDMAP
Key: IDMAP/SID2GID/S-1-5-32-544  Timeout: 18:15:01       Value: -1
Key: IDMAP/SID2GID/S-1-5-32-546  Timeout: 18:15:01       Value: -1
Key: IDMAP/SID2GID/S-1-5-32-545  Timeout: 18:15:01       Value: -1

Next, smbd creates a local token (create_localtoken()) for
"Domain Guest". It has the SID S-1-5-32-546 (BUILTIN\Guests)
and its GID -1.

log.smbd:
----------------------------------------------------------------------
[2012/03/24 18:56:31, 10, pid=5227, effective(0, 0), real(0, 0)] ../libcli/security/security_token.c:63(security_token_debug)
  Security token SIDs (9):
    SID[  0]: S-1-5-21-3288402307-2639237788-811577492-501
    SID[  1]: S-1-5-21-3288402307-2639237788-811577492-514
    SID[  2]: S-1-5-21-3288402307-2639237788-811577492-546
    SID[  3]: S-1-1-0
    SID[  4]: S-1-5-2
    SID[  5]: S-1-5-32-546
    SID[  6]: S-1-22-1-999
    SID[  7]: S-1-22-2-514
    SID[  8]: S-1-22-2-4294967295
   Privileges (0x               0):
   Rights (0x               0):
[2012/03/24 18:56:31, 10, pid=5227, effective(0, 0), real(0, 0)] auth/token_util.c:527(debug_unix_user_token)
  UNIX token of user 999
  Primary group is 514 and contains 2 supplementary groups
  Group[  0]: 514
  Group[  1]: -1
----------------------------------------------------------------------

Finally, when smbd becomes "Domain Guest", sys_setgroups()
fails because the UNIX token has the invalid GID -1.

log.smbd (set_sec_ctx())
----------------------------------------------------------------------
[2012/03/24 18:56:34,  4, pid=5229, effective(0, 0), real(0, 0)] smbd/sec_ctx.c:319(set_sec_ctx)
  setting sec ctx (999, 514) - sec_ctx_stack_ndx = 0
[2012/03/24 18:56:34,  5, pid=5229, effective(0, 0), real(0, 0)] ../libcli/security/security_token.c:63(security_token_debug)
  Security token SIDs (9):
    SID[  0]: S-1-5-21-3288402307-2639237788-811577492-501
    SID[  1]: S-1-5-21-3288402307-2639237788-811577492-514
    SID[  2]: S-1-5-21-3288402307-2639237788-811577492-546
    SID[  3]: S-1-1-0
    SID[  4]: S-1-5-2
    SID[  5]: S-1-5-32-546
    SID[  6]: S-1-22-1-999
    SID[  7]: S-1-22-2-514
    SID[  8]: S-1-22-2-4294967295
   Privileges (0x               0):
   Rights (0x               0):
[2012/03/24 18:56:34,  5, pid=5229, effective(0, 0), real(0, 0)] auth/token_util.c:527(debug_unix_user_token)
  UNIX token of user 999
  Primary group is 514 and contains 2 supplementary groups
  Group[  0]: 514
  Group[  1]: -1
[2012/03/24 18:56:34,  0, pid=5229, effective(0, 0), real(0, 0)] smbd/sec_ctx.c:252(set_unix_security_ctx)
  WARNING: failed to sys_setgroups (2 groups) for UID 999: Invalid argument
[2012/03/24 18:56:34,  0, pid=5229, effective(0, 0), real(0, 0)] lib/util.c:1117(smb_panic)
  PANIC (pid 5229): sys_setgroups failed
[2012/03/24 18:56:34,  0, pid=5229, effective(0, 0), real(0, 0)] lib/util.c:1271(log_stack_trace)
  unable to produce a stack trace on this platform
[2012/03/24 18:56:34,  0, pid=5229, effective(0, 0), real(0, 0)] lib/fault.c:372(dump_core)
  dumping core in /opt/osstech/var/log/samba/cores/smbd
Comment 3 SATOH Fumiyasu 2012-03-24 13:19:03 UTC
(In reply to comment #2)
> Next, smbd creates a local token (create_localtoken()) for
> "Domain Guest". It has the SID S-1-5-32-546 (BUILTIN\Guests)
> and its GID -1.

s/create_localtoken/create_local_token/
Comment 4 SATOH Fumiyasu 2012-03-24 13:30:47 UTC
Created attachment 7401 [details]
patch to avoid sys_setgroups panic

I'm not sure if this patch is correct or not.
Comment 5 Paul B. Henson 2012-05-10 22:20:46 UTC
For those people trying to use Oracle's bundled samba for Solaris, which has just been updated to 3.6.x, you can work around this issue with LD_PRELOAD and a custom setgroups replacement. I'll attach it in a minute.

For example:

gcc -fpic -c setgroups_neg1.c
gcc --shared -o setgroups_neg1.so setgroups_neg1.o
cp setgroups_neg1.so /usr/lib/samba
mv /usr/sbin/smbd /usr/sbin/smbd.orig


Then replace /usr/sbin/smbd with something like:

-----
#! /usr/bin/perl

$ENV{LD_PRELOAD}='/usr/lib/samba/setgroups_neg1.so';
exec {'/usr/sbin/smbd.orig'} 'smbd', @ARGV;
-----

As an editorial, what kind of idiocy was it inside Oracle that led them to release a patch involving a major update from 3.5.x to 3.6.x to resolve the recent unauthenticated remote root exploit that was announced last month? On top of taking a *month* to release a fix (as opposed to the major Linux distributions that had a fix out the same *day*), what they released doesn't even work. I'd really have preferred *not* to need to test and vet a major samba upgrade as part of resolving a major security issue :(.
Comment 6 Paul B. Henson 2012-05-10 22:22:18 UTC
Created attachment 7550 [details]
workaround for this bug with Oracle Solaris bundled samba
Comment 7 Ira Cooper 2012-05-24 13:28:08 UTC
The reality is the fix should have been done in this bug.  But it is done.

*** This bug has been marked as a duplicate of bug 8952 ***
Comment 8 Björn Jacke 2012-06-13 08:17:30 UTC
just to add some more keywords: http://wesunsolve.net/patch/id/119757-22 and http://wesunsolve.net/patch/id/119758-22 updated Samba to 3.6.4.