Bug 9148 - Segfault triggered by password expiry
Summary: Segfault triggered by password expiry
Status: RESOLVED INVALID
Alias: None
Product: Samba 4.0
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB (show other bugs)
Version: 4.0.0rc2
Hardware: x64 Linux
: P5 critical (vote)
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: samba4-qa@samba.org
URL:
Keywords:
Depends on:
Blocks: 8622
  Show dependency treegraph
 
Reported: 2012-09-09 19:38 UTC by Thomas Hood
Modified: 2012-10-14 19:38 UTC (History)
1 user (show)

See Also:

Attachments
Valgrind output where the segfault occurs (18.06 KB, text/plain)
2012-10-05 19:05 UTC, Thomas Hood 		no flags Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Thomas Hood 2012-09-09 19:38:36 UTC 
Running as active directory domain controller under Ubuntu 12.04, *every* time a user tries to log in when her password has expired, a segfault occurs.

Here is part of the output of "valgrind samba -i" where the packages had been rebuilt with "DEB_BUILD_OPTIONS=nostrip" to preserve debugging symbols.

sam_account_ok: Account for user 'testietest@TESTTEST.XX' password must change!.
==24910== Invalid read of size 4
==24910==    at 0xE6E3195: length_PADATA_TYPE (in /usr/lib/x86_64-linux-gnu/libasn1.so.8.0.0)
==24910==    by 0xE6EC2DF: length_PA_DATA (in /usr/lib/x86_64-linux-gnu/libasn1.so.8.0.0)
==24910==    by 0xE6EDEE7: length_METHOD_DATA (in /usr/lib/x86_64-linux-gnu/libasn1.so.8.0.0)
==24910==    by 0x13CB6F77: ??? (in /usr/lib/x86_64-linux-gnu/libkdc.so.2.0.0)
==24910==    by 0x13CB9F05: ??? (in /usr/lib/x86_64-linux-gnu/libkdc.so.2.0.0)
==24910==    by 0x13CC5232: ??? (in /usr/lib/x86_64-linux-gnu/libkdc.so.2.0.0)
==24910==    by 0x13CC5427: krb5_kdc_process_krb5_request (in /usr/lib/x86_64-linux-gnu/libkdc.so.2.0.0)
==24910==    by 0x13475243: kdc_process (kdc.c:161)
==24910==    by 0x13474EC7: kdc_udp_call_loop (kdc.c:519)
==24910==    by 0xB2CDA26: tdgram_recvfrom_done (tsocket.c:239)
==24910==    by 0x8AEF161: tevent_common_loop_immediate (in /usr/lib/x86_64-linux-gnu/libtevent.so.0.9.16)
==24910==    by 0x8AF16AF: ??? (in /usr/lib/x86_64-linux-gnu/libtevent.so.0.9.16)
==24910==  Address 0x1d45a680 is 112 bytes inside a block of size 320 free'd
==24910==    at 0x4C2A82E: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==24910==    by 0x86D9E28: ??? (in /usr/lib/x86_64-linux-gnu/libtalloc.so.2.0.7)
==24910==    by 0x86D9DC2: ??? (in /usr/lib/x86_64-linux-gnu/libtalloc.so.2.0.7)
==24910==    by 0x86D9DC2: ??? (in /usr/lib/x86_64-linux-gnu/libtalloc.so.2.0.7)
==24910==    by 0x86D9DC2: ??? (in /usr/lib/x86_64-linux-gnu/libtalloc.so.2.0.7)
==24910==    by 0x86D9DC2: ??? (in /usr/lib/x86_64-linux-gnu/libtalloc.so.2.0.7)
==24910==    by 0x86D6642: _talloc_free (in /usr/lib/x86_64-linux-gnu/libtalloc.so.2.0.7)
==24910==    by 0x1B90860D: dsdb_schema_from_db (schema_load.c:248)
==24910==    by 0x1B908935: schema_load_init (schema_load.c:292)
==24910==    by 0x84A7602: ldb_module_init_chain (in /usr/lib/x86_64-linux-gnu/libldb.so.1.1.6)
==24910==    by 0x19E9AC95: operational_init (operational.c:911)
==24910==    by 0x84A7602: ldb_module_init_chain (in /usr/lib/x86_64-linux-gnu/libldb.so.1.1.6)
==24910== 
[...]
valgrind: m_mallocfree.c:266 (mk_plain_bszB): Assertion 'bszB != 0' failed.
valgrind: This is probably caused by your program erroneously writing past the
end of a heap block and corrupting heap metadata.  If you fix any
invalid writes reported by Memcheck, this assertion failure will
probably go away.  Please try that before reporting this as a bug.
[...]

Afflicts Samba4 Debian packages 4.0.0~alpha18.dfsg1-4ubuntu2 through at least 4.0.0~beta2+dfsg1-3.

A complete valgrind log has been provided to Andrew Bartlett.
Comment 1 Thomas Hood 2012-09-12 13:43:22 UTC 
Here is the simplest procedure I have found for triggering the bug.

Log in as root to the machine running Samba 4 AD.

Create a test user.

# samba-tool user add testuser testpass

Use Microsoft Management Console to set Active Directory Users and Computers | REALM | Users | testuser | Properties | UNIX Attributes | NIS Domain to DOMAIN (where 'REALM' and 'DOMAIN' here stand for our realm and domain names).  Without this the segfault doesn't occur.

Expire the password.

# samba-tool user setexpiry testuser

Log in as the test user.

# login testuser
Password: testpass

The segfault occurs.

Clean up.

# ^C
# restart samba4
# samba-tool user delete testuser
Comment 2 Thomas Hood 2012-10-05 08:50:12 UTC 
I just tested the samba4 4.0.0~rc2+dfsg1-1 Debian package rebuilt on a Ubuntu precise-quantal system. Following the same procedure as before

    # samba-tool user add testuser testpass
    In Management Console, set NIS Domain to DOMAIN
    # samba-tool user setexpiry testuser
    # login testuser
    Password: testpass

has the same result as before: a segfault.

[2012/10/05 10:42:28,  3] ../source4/auth/sam.c:200(authsam_account_ok)
  authsam_account_ok: Account expired at 'Fri Oct  5 10:42:07 2012 CEST'.
[2012/10/05 10:42:28,  0] ../lib/util/fault.c:72(fault_report)
  ===============================================================
[2012/10/05 10:42:28,  0] ../lib/util/fault.c:73(fault_report)
  INTERNAL ERROR: Signal 11 in pid 27238 (4.0.0rc2)
  Please read the Trouble-Shooting section of the Samba HOWTO
[2012/10/05 10:42:28,  0] ../lib/util/fault.c:75(fault_report)
  ===============================================================
[2012/10/05 10:42:28,  0] ../lib/util/fault.c:144(smb_panic_default)
  PANIC: internal error
Comment 3 Thomas Hood 2012-10-05 19:05:24 UTC 
Created attachment 7995 [details]
Valgrind output where the segfault occurs

I attach the part of the "valgrind samba -i" output that gets printed when the fault occurs, just after I press Enter after entering testuser3's correct password at the login prompt.  I have used an editor to replace names and addresses actually used at our site with fake ones.

# dpkg -l samba4 libldb1 libroken18-heimdal | grep ^ii
ii  libldb1  1:1.1.12-1  LDAP-like embedded database - shared library
ii  libroken18-heimdal  1.6~git20120403+dfsg1-2  Heimdal Kerberos - roken support library
ii  samba4  4.0.0~rc2+dfsg1-1raaf2dbg  SMB/CIFS file, NT domain and active directory server (version 4)
Comment 4 Thomas Hood 2012-10-07 19:52:02 UTC 
Please let me know if there is anything further I can do to assist with debugging.
Comment 5 Thomas Hood 2012-10-10 18:25:30 UTC 
There is a Debian BSP on 13 October 2012 which both I and Jelmer Vernooij plan to attend. Perhaps we can investigate this bug then.
Comment 6 Thomas Hood 2012-10-14 16:58:55 UTC 
I rebuilt the Debian package to use Samba4 bundled Heimdal instead of the Debian-packaged Heimdal and this eliminated the segfault.
Comment 7 Björn Jacke 2012-10-14 19:30:36 UTC 
I've seen this segfault also on opensuse with bundled heimdal, depending on what CFLAGS are being used. And even with Debian provided heimdal this should not happen.
Comment 8 Jelmer Vernooij 2012-10-14 19:37:01 UTC 
(In reply to comment #7)
> I've seen this segfault also on opensuse with bundled heimdal, depending on
> what CFLAGS are being used. And even with Debian provided heimdal this should
> not happen.
This happens because there have been a slight API change in Heimdal, which cause this segfault when a different version of Heimdal is being used than Samba was built against. In this particular case the 'client_access' now takes a METHOD_DATA rather than a krb5_data as its last argument. In other words, this is a Debian packaging bug (mismatching Heimdal version).

If you're seeing this with the embedded rather than sytem Heimdal, then it's a different issue.