Running as Active Directory domain controller under Ubuntu 12.04, *every* time a user tries to log in when her password has expired, a segfault occurs. Here is part of the output of "valgrind samba -i" where the packages had been rebuilt with "DEB_BUILD_OPTIONS=nostrip" to preserve debugging symbols.

sam_account_ok: Account for user 'testietest@TESTTEST.XX' password must change!.
==24910== Invalid read of size 4
==24910==    at 0xE6E3195: length_PADATA_TYPE (in /usr/lib/x86_64-linux-gnu/libasn1.so.8.0.0)
==24910==    by 0xE6EC2DF: length_PA_DATA (in /usr/lib/x86_64-linux-gnu/libasn1.so.8.0.0)
==24910==    by 0xE6EDEE7: length_METHOD_DATA (in /usr/lib/x86_64-linux-gnu/libasn1.so.8.0.0)
==24910==    by 0x13CB6F77: ??? (in /usr/lib/x86_64-linux-gnu/libkdc.so.2.0.0)
==24910==    by 0x13CB9F05: ??? (in /usr/lib/x86_64-linux-gnu/libkdc.so.2.0.0)
==24910==    by 0x13CC5232: ??? (in /usr/lib/x86_64-linux-gnu/libkdc.so.2.0.0)
==24910==    by 0x13CC5427: krb5_kdc_process_krb5_request (in /usr/lib/x86_64-linux-gnu/libkdc.so.2.0.0)
==24910==    by 0x13475243: kdc_process (kdc.c:161)
==24910==    by 0x13474EC7: kdc_udp_call_loop (kdc.c:519)
==24910==    by 0xB2CDA26: tdgram_recvfrom_done (tsocket.c:239)
==24910==    by 0x8AEF161: tevent_common_loop_immediate (in /usr/lib/x86_64-linux-gnu/libtevent.so.0.9.16)
==24910==    by 0x8AF16AF: ??? (in /usr/lib/x86_64-linux-gnu/libtevent.so.0.9.16)
==24910==  Address 0x1d45a680 is 112 bytes inside a block of size 320 free'd
==24910==    at 0x4C2A82E: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==24910==    by 0x86D9E28: ??? (in /usr/lib/x86_64-linux-gnu/libtalloc.so.2.0.7)
==24910==    by 0x86D9DC2: ??? (in /usr/lib/x86_64-linux-gnu/libtalloc.so.2.0.7)
==24910==    by 0x86D9DC2: ??? (in /usr/lib/x86_64-linux-gnu/libtalloc.so.2.0.7)
==24910==    by 0x86D9DC2: ??? (in /usr/lib/x86_64-linux-gnu/libtalloc.so.2.0.7)
==24910==    by 0x86D9DC2: ??? (in /usr/lib/x86_64-linux-gnu/libtalloc.so.2.0.7)
==24910==    by 0x86D9DC2: ??? (in /usr/lib/x86_64-linux-gnu/libtalloc.so.2.0.7)
==24910==    by 0x86D6642: _talloc_free (in /usr/lib/x86_64-linux-gnu/libtalloc.so.2.0.7)
==24910==    by 0x1B90860D: dsdb_schema_from_db (schema_load.c:248)
==24910==    by 0x1B908935: schema_load_init (schema_load.c:292)
==24910==    by 0x84A7602: ldb_module_init_chain (in /usr/lib/x86_64-linux-gnu/libldb.so.1.1.6)
==24910==    by 0x19E9AC95: operational_init (operational.c:911)
==24910==    by 0x84A7602: ldb_module_init_chain (in /usr/lib/x86_64-linux-gnu/libldb.so.1.1.6)
==24910==
[...]
valgrind: m_mallocfree.c:266 (mk_plain_bszB): Assertion 'bszB != 0' failed.
valgrind: This is probably caused by your program erroneously writing past the end of a heap block and corrupting heap metadata. If you fix any invalid writes reported by Memcheck, this assertion failure will probably go away. Please try that before reporting this as a bug.
[...]

Afflicts Samba4 Debian packages 4.0.0~alpha18.dfsg1-4ubuntu2 through at least 4.0.0~beta2+dfsg1-3. A complete valgrind log has been provided to Andrew Bartlett.
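As an added illustration (not part of this bug report or of Samba), a small Python triage helper that parses memcheck output of the shape quoted above and pairs each invalid access with the stack that free'd the block, so the "who touched dead memory" and "who released it" frames can be read off directly. SAMPLE is a constructed, condensed version of the report above.

```python
import re

# Constructed sample, condensed from the memcheck report quoted in the thread above.
SAMPLE = """\
==24910== Invalid read of size 4
==24910==    at 0xE6E3195: length_PADATA_TYPE (in /usr/lib/x86_64-linux-gnu/libasn1.so.8.0.0)
==24910==    by 0x13CB6F77: ??? (in /usr/lib/x86_64-linux-gnu/libkdc.so.2.0.0)
==24910==    by 0x13475243: kdc_process (kdc.c:161)
==24910==  Address 0x1d45a680 is 112 bytes inside a block of size 320 free'd
==24910==    at 0x4C2A82E: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==24910==    by 0x86D6642: _talloc_free (in /usr/lib/x86_64-linux-gnu/libtalloc.so.2.0.7)
==24910==    by 0x1B90860D: dsdb_schema_from_db (schema_load.c:248)
==24910==
"""

# One regex per line shape we care about; every other line is ignored.
ERROR_RE = re.compile(r"^==\d+==\s+Invalid (read|write) of size (\d+)$")
FREED_RE = re.compile(r"^==\d+==\s+Address 0x[0-9a-fA-F]+ is (\d+) bytes inside a block of size (\d+) free'd$")
FRAME_RE = re.compile(r"^==\d+==\s+(?:at|by)\s+0x[0-9a-fA-F]+:\s+(\S+)\s+\((.*)\)$")


def parse_memcheck(text):
    """Return one dict per invalid access that memcheck attributed to a freed block.

    Each dict carries the access stack (who touched the dead memory) and the
    free stack (who released it) as (function, location) tuples, innermost first.
    """
    findings, current, stack = [], None, None
    for line in text.splitlines():
        if m := ERROR_RE.match(line):
            current = {"access": m.group(1), "size": int(m.group(2)),
                       "access_stack": [], "free_stack": [], "offset": None, "block_size": None}
            stack = current["access_stack"]
        elif (m := FREED_RE.match(line)) and current:
            current["offset"], current["block_size"] = int(m.group(1)), int(m.group(2))
            stack = current["free_stack"]
            findings.append(current)  # keep only errors memcheck tied to a free'd block
        elif (m := FRAME_RE.match(line)) and stack is not None:
            stack.append((m.group(1), m.group(2)))
    return findings


def first_source_frame(stack):
    """First frame with a file:line location, skipping opaque 'in libfoo.so' frames (None if none)."""
    return next(((f, w) for f, w in stack if not w.startswith("in ")), None)
```

On the sample this yields a read in length_PADATA_TYPE whose nearest source frame is kdc_process (kdc.c:161), of a talloc block released under dsdb_schema_from_db (schema_load.c:248).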
Here is the simplest procedure I have found for triggering the bug.

Log in as root to the machine running Samba 4 AD.

Create a test user.
  # samba-tool user add testuser testpass

Use Microsoft Management Console to set Active Directory Users and Computers | REALM | Users | testuser | Properties | UNIX Attributes | NIS Domain to DOMAIN (where 'REALM' and 'DOMAIN' here stand for our realm and domain names). Without this the segfault doesn't occur.

Expire the password.
  # samba-tool user setexpiry testuser

Log in as the test user.
  # login testuser
  Password: testpass

The segfault occurs.

Clean up.
  # ^C
  # restart samba4
  # samba-tool user delete testuser
I just tested the samba4 4.0.0~rc2+dfsg1-1 Debian package rebuilt on an Ubuntu precise-quantal system. Following the same procedure as before

  # samba-tool user add testuser testpass
  In Management Console, set NIS Domain to DOMAIN
  # samba-tool user setexpiry testuser
  # login testuser
  Password: testpass

has the same result as before: a segfault.

[2012/10/05 10:42:28,  3] ../source4/auth/sam.c:200(authsam_account_ok)
  authsam_account_ok: Account expired at 'Fri Oct  5 10:42:07 2012 CEST'.
[2012/10/05 10:42:28,  0] ../lib/util/fault.c:72(fault_report)
  ===============================================================
[2012/10/05 10:42:28,  0] ../lib/util/fault.c:73(fault_report)
  INTERNAL ERROR: Signal 11 in pid 27238 (4.0.0rc2)
  Please read the Trouble-Shooting section of the Samba HOWTO
[2012/10/05 10:42:28,  0] ../lib/util/fault.c:75(fault_report)
  ===============================================================
[2012/10/05 10:42:28,  0] ../lib/util/fault.c:144(smb_panic_default)
  PANIC: internal error
Created attachment 7995
Valgrind output where the segfault occurs

I attach the part of the "valgrind samba -i" output that gets printed when the fault occurs, just after I press Enter after entering testuser3's correct password at the login prompt. I have used an editor to replace names and addresses actually used at our site with fake ones.

  # dpkg -l samba4 libldb1 libroken18-heimdal | grep ^ii
  ii  libldb1              1:1.1.12-1                 LDAP-like embedded database - shared library
  ii  libroken18-heimdal   1.6~git20120403+dfsg1-2    Heimdal Kerberos - roken support library
  ii  samba4               4.0.0~rc2+dfsg1-1raaf2dbg  SMB/CIFS file, NT domain and active directory server (version 4)
Please let me know if there is anything further I can do to assist with debugging.
There is a Debian BSP on 13 October 2012 which both I and Jelmer Vernooij plan to attend. Perhaps we can investigate this bug then.
I rebuilt the Debian package to use Samba4 bundled Heimdal instead of the Debian-packaged Heimdal and this eliminated the segfault.
I've seen this segfault also on openSUSE with bundled Heimdal, depending on what CFLAGS are being used. And even with Debian provided Heimdal this should not happen.
(In reply to comment #7)
> I've seen this segfault also on opensuse with bundled heimdal, depending on
> what CFLAGS are being used. And even with Debian provided heimdal this should
> not happen.

This happens because there has been a slight API change in Heimdal, which causes this segfault when a different version of Heimdal is being used than the one Samba was built against. In this particular case, 'client_access' now takes a METHOD_DATA rather than a krb5_data as its last argument. In other words, this is a Debian packaging bug (mismatching Heimdal version). If you're seeing this with the embedded rather than system Heimdal, then it's a different issue.