Bug 9148 - Segfault triggered by password expiry
Segfault triggered by password expiry
Product: Samba 4.0
Classification: Unclassified
x64 Linux
: P5 critical
: ---
Assigned To: Andrew Bartlett
Depends on:
Blocks: 8622
  Show dependency treegraph
Reported: 2012-09-09 19:38 UTC by Thomas Hood
Modified: 2012-10-14 19:38 UTC (History)
1 user (show)

See Also:

Valgrind output where the segfault occurs (18.06 KB, text/plain)
2012-10-05 19:05 UTC, Thomas Hood
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Thomas Hood 2012-09-09 19:38:36 UTC
Running as active directory domain controller under Ubuntu 12.04, *every* time a user tries to log in when her password has expired, a segfault occurs.

Here is part of the output of "valgrind samba -i" where the packages had been rebuilt with "DEB_BUILD_OPTIONS=nostrip" to preserve debugging symbols.

sam_account_ok: Account for user 'testietest@TESTTEST.XX' password must change!.
==24910== Invalid read of size 4
==24910==    at 0xE6E3195: length_PADATA_TYPE (in /usr/lib/x86_64-linux-gnu/libasn1.so.8.0.0)
==24910==    by 0xE6EC2DF: length_PA_DATA (in /usr/lib/x86_64-linux-gnu/libasn1.so.8.0.0)
==24910==    by 0xE6EDEE7: length_METHOD_DATA (in /usr/lib/x86_64-linux-gnu/libasn1.so.8.0.0)
==24910==    by 0x13CB6F77: ??? (in /usr/lib/x86_64-linux-gnu/libkdc.so.2.0.0)
==24910==    by 0x13CB9F05: ??? (in /usr/lib/x86_64-linux-gnu/libkdc.so.2.0.0)
==24910==    by 0x13CC5232: ??? (in /usr/lib/x86_64-linux-gnu/libkdc.so.2.0.0)
==24910==    by 0x13CC5427: krb5_kdc_process_krb5_request (in /usr/lib/x86_64-linux-gnu/libkdc.so.2.0.0)
==24910==    by 0x13475243: kdc_process (kdc.c:161)
==24910==    by 0x13474EC7: kdc_udp_call_loop (kdc.c:519)
==24910==    by 0xB2CDA26: tdgram_recvfrom_done (tsocket.c:239)
==24910==    by 0x8AEF161: tevent_common_loop_immediate (in /usr/lib/x86_64-linux-gnu/libtevent.so.0.9.16)
==24910==    by 0x8AF16AF: ??? (in /usr/lib/x86_64-linux-gnu/libtevent.so.0.9.16)
==24910==  Address 0x1d45a680 is 112 bytes inside a block of size 320 free'd
==24910==    at 0x4C2A82E: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==24910==    by 0x86D9E28: ??? (in /usr/lib/x86_64-linux-gnu/libtalloc.so.2.0.7)
==24910==    by 0x86D9DC2: ??? (in /usr/lib/x86_64-linux-gnu/libtalloc.so.2.0.7)
==24910==    by 0x86D9DC2: ??? (in /usr/lib/x86_64-linux-gnu/libtalloc.so.2.0.7)
==24910==    by 0x86D9DC2: ??? (in /usr/lib/x86_64-linux-gnu/libtalloc.so.2.0.7)
==24910==    by 0x86D9DC2: ??? (in /usr/lib/x86_64-linux-gnu/libtalloc.so.2.0.7)
==24910==    by 0x86D6642: _talloc_free (in /usr/lib/x86_64-linux-gnu/libtalloc.so.2.0.7)
==24910==    by 0x1B90860D: dsdb_schema_from_db (schema_load.c:248)
==24910==    by 0x1B908935: schema_load_init (schema_load.c:292)
==24910==    by 0x84A7602: ldb_module_init_chain (in /usr/lib/x86_64-linux-gnu/libldb.so.1.1.6)
==24910==    by 0x19E9AC95: operational_init (operational.c:911)
==24910==    by 0x84A7602: ldb_module_init_chain (in /usr/lib/x86_64-linux-gnu/libldb.so.1.1.6)
valgrind: m_mallocfree.c:266 (mk_plain_bszB): Assertion 'bszB != 0' failed.
valgrind: This is probably caused by your program erroneously writing past the
end of a heap block and corrupting heap metadata.  If you fix any
invalid writes reported by Memcheck, this assertion failure will
probably go away.  Please try that before reporting this as a bug.

Afflicts Samba4 Debian packages 4.0.0~alpha18.dfsg1-4ubuntu2 through at least 4.0.0~beta2+dfsg1-3.

A complete valgrind log has been provided to Andrew Bartlett.
Comment 1 Thomas Hood 2012-09-12 13:43:22 UTC
Here is the simplest procedure I have found for triggering the bug.

Log in as root to the machine running Samba 4 AD.

Create a test user.

# samba-tool user add testuser testpass

Use Microsoft Management Console to set Active Directory Users and Computers | REALM | Users | testuser | Properties | UNIX Attributes | NIS Domain to DOMAIN (where 'REALM' and 'DOMAIN' here stand for our realm and domain names).  Without this the segfault doesn't occur.

Expire the password.

# samba-tool user setexpiry testuser

Log in as the test user.

# login testuser
Password: testpass

The segfault occurs.

Clean up.

# ^C
# restart samba4
# samba-tool user delete testuser
Comment 2 Thomas Hood 2012-10-05 08:50:12 UTC
I just tested the samba4 4.0.0~rc2+dfsg1-1 Debian package rebuilt on a Ubuntu precise-quantal system. Following the same procedure as before

    # samba-tool user add testuser testpass
    In Management Console, set NIS Domain to DOMAIN
    # samba-tool user setexpiry testuser
    # login testuser
    Password: testpass

has the same result as before: a segfault.

[2012/10/05 10:42:28,  3] ../source4/auth/sam.c:200(authsam_account_ok)
  authsam_account_ok: Account expired at 'Fri Oct  5 10:42:07 2012 CEST'.
[2012/10/05 10:42:28,  0] ../lib/util/fault.c:72(fault_report)
[2012/10/05 10:42:28,  0] ../lib/util/fault.c:73(fault_report)
  INTERNAL ERROR: Signal 11 in pid 27238 (4.0.0rc2)
  Please read the Trouble-Shooting section of the Samba HOWTO
[2012/10/05 10:42:28,  0] ../lib/util/fault.c:75(fault_report)
[2012/10/05 10:42:28,  0] ../lib/util/fault.c:144(smb_panic_default)
  PANIC: internal error
Comment 3 Thomas Hood 2012-10-05 19:05:24 UTC
Created attachment 7995 [details]
Valgrind output where the segfault occurs

I attach the part of the "valgrind samba -i" output that gets printed when the fault occurs, just after I press Enter after entering testuser3's correct password at the login prompt.  I have used an editor to replace names and addresses actually used at our site with fake ones.

# dpkg -l samba4 libldb1 libroken18-heimdal | grep ^ii
ii  libldb1  1:1.1.12-1  LDAP-like embedded database - shared library
ii  libroken18-heimdal  1.6~git20120403+dfsg1-2  Heimdal Kerberos - roken support library
ii  samba4  4.0.0~rc2+dfsg1-1raaf2dbg  SMB/CIFS file, NT domain and active directory server (version 4)
Comment 4 Thomas Hood 2012-10-07 19:52:02 UTC
Please let me know if there is anything further I can do to assist with debugging.
Comment 5 Thomas Hood 2012-10-10 18:25:30 UTC
There is a Debian BSP on 13 October 2012 which both I and Jelmer Vernooij plan to attend. Perhaps we can investigate this bug then.
Comment 6 Thomas Hood 2012-10-14 16:58:55 UTC
I rebuilt the Debian package to use Samba4 bundled Heimdal instead of the Debian-packaged Heimdal and this eliminated the segfault.
Comment 7 Björn Jacke 2012-10-14 19:30:36 UTC
I've seen this segfault also on opensuse with bundled heimdal, depending on what CFLAGS are being used. And even with Debian provided heimdal this should not happen.
Comment 8 Jelmer Vernooij 2012-10-14 19:37:01 UTC
(In reply to comment #7)
> I've seen this segfault also on opensuse with bundled heimdal, depending on
> what CFLAGS are being used. And even with Debian provided heimdal this should
> not happen.
This happens because there have been a slight API change in Heimdal, which cause this segfault when a different version of Heimdal is being used than Samba was built against. In this particular case the 'client_access' now takes a METHOD_DATA rather than a krb5_data as its last argument. In other words, this is a Debian packaging bug (mismatching Heimdal version).

If you're seeing this with the embedded rather than sytem Heimdal, then it's a different issue.