Bug 9097 - source4/winbind could get deadlocked by parallel requests
Summary: source4/winbind could get deadlocked by parallel requests
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.0
Classification: Unclassified
Component: DCE-RPCs and pipes
Version: unspecified
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: samba4-qa@samba.org
Blocks: 8622
Reported: 2012-08-15 10:25 UTC by Stefan Metzmacher
Modified: 2012-08-25 07:16 UTC

Description Stefan Metzmacher 2012-08-15 10:25:29 UTC
[MS-NRPC] Section 3.3.1 Netlogon as a Security Support Provider - Abstract Data Model is a bit confusing, as it talks about ClientSequenceNumber and ServerSequenceNumber. But each peer just has one Sequence_Number counter, which is incremented with each outgoing and incoming message; this sadly implies that client and server have to do the message processing sequentially.

source4/winbind uses schannel against a server (also to itself)
and may send multiple outstanding requests over one DCERPC connection,
which results in message verification errors. The code doesn't recover
from this situation.

Arvid, as you reported this problem to me a while ago,
can you add some more details on how this was triggered?
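
The sequencing constraint described above, as an added example (a simplified model, not Samba's code and not part of the original report). It assumes each peer keeps a single counter advanced by both sending and receiving, compares the bare counter instead of computing the schannel signature, and uses hypothetical names (`seal`, `unseal`, `run_sequential`, `run_pipelined`).

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model: ONE counter per peer, shared by both directions. */
struct peer { uint64_t seq; };
struct msg  { uint64_t seq; };

/* Sender stamps the message with its counter, then advances it. */
static struct msg seal(struct peer *p) {
    return (struct msg){ p->seq++ };
}

/* Receiver accepts only the number it expects next, then advances. */
static bool unseal(struct peer *p, struct msg m) {
    if (m.seq != p->seq) return false;   /* message verification error */
    p->seq++;
    return true;
}

/* One request/response in flight at a time; returns verification failures. */
int run_sequential(int rounds) {
    struct peer client = {0}, server = {0};
    int failures = 0;
    for (int i = 0; i < rounds; i++) {
        struct msg req = seal(&client);
        if (!unseal(&server, req)) failures++;
        struct msg resp = seal(&server);
        if (!unseal(&client, resp)) failures++;
    }
    return failures;
}

/* Two requests outstanding; the server replies to the first before reading the second. */
int run_pipelined(void) {
    struct peer client = {0}, server = {0};
    int failures = 0;
    struct msg req1 = seal(&client);          /* stamped 0, client now 1 */
    struct msg req2 = seal(&client);          /* stamped 1, client now 2 */
    if (!unseal(&server, req1)) failures++;   /* 0 == 0, server now 1 */
    struct msg resp1 = seal(&server);         /* stamped 1, server now 2 */
    if (!unseal(&server, req2)) failures++;   /* 1 != 2, rejected */
    if (!unseal(&client, resp1)) failures++;  /* 1 != 2, rejected */
    return failures;
}

int main(void) {
    printf("sequential failures: %d, pipelined failures: %d\n", run_sequential(4), run_pipelined());
    return 0;
}
```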
Comment 1 Arvid Requate 2012-08-15 11:10:34 UTC
At that time we tried using squid authentication via ntlm_auth with --helper-protocol=squid-2.5-ntlmssp against source4/winbind.

Parallel/concurrent authentication requests resulted in NT_STATUS_ACCESS_DENIED/NT_STATUS_IO_TIMEOUT. E.g. accessing a single webpage via squid, triggering several authentication requests, showed two successful authentications via ntlm_auth in squid cache.log, but after that the next two overlapping authentication requests failed, one with NT_STATUS_ACCESS_DENIED and the other one with NT_STATUS_IO_TIMEOUT. log.samba shows a "rpc fault: WERR_ACCESS_DENIED" ( https://forge.univention.org/bugzilla/attachment.cgi?id=4111 ).
Comment 2 Björn Baumbach 2012-08-24 09:18:29 UTC
Steps to reproduce:

root@dc:~/samba# ./bin/wbinfo -a Administrator%Passw0rd
plaintext password authentication succeeded
challenge/response password authentication succeeded

root@dc:~/samba# for i in $(seq 1 2) ; do { ./bin/wbinfo -a Administrator%Passw0rd & } ; done
[1] 22731
[2] 22732
root@dc:~/samba# plaintext password authentication failed
Could not authenticate user Administrator%Passw0rd with plaintext password
plaintext password authentication failed
Could not authenticate user Administrator%Passw0rd with plaintext password
challenge/response password authentication failed
error code was NT_STATUS_ACCESS_DENIED (0xc0000022)
error message was: Access denied
Could not authenticate user Administrator with challenge/response
challenge/response password authentication failed
error code was NT_STATUS_ACCESS_DENIED (0xc0000022)
error message was: Access denied
Could not authenticate user Administrator with challenge/response
Comment 3 Stefan Metzmacher 2012-08-25 07:16:23 UTC
b05d28ebddb7ebd4f8e28a80489fceb8703a9868 in master should fix this.