[Samba] Possible bug in samba-2.2.8a-1...

Administrador de la Red system at dm.uba.ar
Wed Apr 16 17:35:19 GMT 2003


Hi,
I found what seems to be a bug in smbd (and smbclient?) from samba-2.2.8a-1.
Scenario is the following:
All users have accounts in linux box "mate", with homes mounted via NFS
from linux box "fserver". mate and fserver run samba-2.2.8a-1, mate ONLY 
validates passwords and has no shares; fserver in turn, ONLY shares [homes]
and [netlogon], but has no users, so samba uses "password server = mate" AND
"root directory = /mhomes"

The problem is that the server segfaults when the client issues a dir command.
gets and puts have no problem, just dir or ls.

The problem arises because the file /mhomes/etc/mtab is symlinked to /etc/mtab,
if I just copy /etc/mtab to /mhomes/etc/mtab the server runs fine.

Older versions (2.0.3) of smbd run OK in the chroot'd environment.

Here I provide more info:

fserver and mate run RedHat Linux 6.x with libc updated to 
glibc-2.1.3-29.i386.rpm

samba compiled in fserver with:
rpm --rebuild samba-2.2.8a-1.src.rpm

and installed with:
rpm -Uvh --replacepkgs --replacefiles samba-2.2.8a-1.i386.rpm


fserver smb.conf:
-----------------------------
[global]
   interfaces = 157.92.22.10/24
   socket address = 157.92.22.10
   bind interfaces only = yes
   root directory = /mhomes
   workgroup = WORKGROUP
   hosts allow = 157.92.22. 127.
   printcap name = /etc/printcap
   load printers = yes
   printing = bsd
   max log size = 50
   security = server
   password server = mate
   socket options = TCP_NODELAY
   local master = yes
   os level = 33
   domain master = yes
   preferred master = yes
   domain logons = yes
   logon script = %U.bat
   wins support = yes
   dns proxy = no
[homes]
   comment = Home Directories
   browseable = no
   writable = yes
[netlogon]
   comment = Network Logon Service
   path = /netlogon
   guest ok = yes
   writable = no
   share modes = no
-------------------------------

Client is mate and runs:
smbclient   //fserver/rcoss -U rcoss

Server is fserver and the logfile log.mate shows:
[2003/04/15 16:14:21, 0] lib/fault.c:fault_report(38)
  ===============================================================
[2003/04/15 16:14:21, 0] lib/fault.c:fault_report(39)
  INTERNAL ERROR: Signal 11 in pid 17579 (2.2.8a)
  Please read the file BUGS.txt in the distribution
[2003/04/15 16:14:21, 0] lib/fault.c:fault_report(41)
  ===============================================================
[2003/04/15 16:14:21, 0] lib/util.c:smb_panic(1094)
  PANIC: internal error



Output from smbclient is:
----------------------
smb: \>dir
...[snipped]
...
...
 wea.pl                              A     2073  Mon Apr 14 19:50:42 2003
Error in dskattr: Call returned zero bytes (EOF)

smb: \> Segmentation fault (core dumped)
-----------------------

Older versions of smbclient, 2.0.3, get the same error but don't segfault:
----------------------
smb: \>dir
...[snipped]
...
...
 wea.pl                              A    2073  Mon Apr 14 20:50:42 2003
Error in dskattr: code 0
smb: \> read_data: read failure. Error = Broken pipe
Broken pipe
--------------------------

Output from gdb /usr/sbin/smbd PID is:
---------------------------
...
This GDB was configured as "i386-redhat-linux"...
(no debugging symbols found)...

/mhomes/etc/17579: No such file or directory.
Attaching to program `/usr/sbin/smbd', Pid 17579
Reading symbols from /lib/libdl.so.2...done.
Reading symbols from /lib/libnsl.so.1...done.
Reading symbols from /lib/libpam.so.0...done.
Reading symbols from /usr/lib/libpopt.so.0...done.
Reading symbols from /lib/libc.so.6...done.
Reading symbols from /lib/ld-linux.so.2...done.
Reading symbols from /lib/libnss_files.so.2...done.
Reading symbols from /lib/libnss_nisplus.so.2...done.
Reading symbols from /lib/libnss_nis.so.2...done.
0x400f10de in __select ()
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
fgets_unlocked (buf=0x824eea8 "p0\023 at p0\023@\200ê3\233báÁ\001", n=4096, 
    fp=0x0) at iofgets_u.c:44
iofgets_u.c:44: No such file or directory.
(gdb) where
#0  fgets_unlocked (buf=0x824eea8 "p0\023 at p0\023@\200ê3\233báÁ\001", n=4096, 
    fp=0x0) at iofgets_u.c:44
#1  0x400f1bce in __getmntent_r (stream=0x0, mp=0x4013655c, 
    buffer=0x824eea8 "p0\023 at p0\023@\200ê3\233báÁ\001", bufsiz=4096)
    at mntent_r.c:102
#2  0x400f1b1f in getmntent (stream=0x0) at mntent.c:53
#3  0x81511c0 in disk_quotas ()
#4  0x806e98f in session_yield ()
#5  0x806ec6d in sys_disk_free ()
#6  0x809dea2 in vfswrap_disk_free ()
#7  0x8085a4a in reply_dskattr ()
#8  0x80a428d in respond_to_all_remaining_local_messages ()
#9  0x80a431a in respond_to_all_remaining_local_messages ()
#10 0x80a44a4 in process_smb ()
#11 0x80a4dcf in smbd_process ()
#12 0x806ace8 in main ()
#13 0x4005c9cb in __libc_start_main (main=0x806a5e0 <main>, argc=2, 
    argv=0xbffffd64, init=0x806898c <_init>, fini=0x81541bc <_fini>, 
    rtld_fini=0x4000aea0 <_dl_fini>, stack_end=0xbffffd5c)
    at ../sysdeps/generic/libc-start.c:92

------------------------------

Output from strace  -f /usr/sbin/smbd -i -d 2 :
------------------------
...
...
stat("./curr.doc", {st_mode=033607, st_size=0, ...}) = 0
stat("./listacasamiento.xls", {st_mode=033613, st_size=0, ...}) = 0
stat("./licit2003.zip", {st_mode=033650, st_size=0, ...}) = 0
stat("./wea.pl", {st_mode=033722, st_size=0, ...}) = 0
send(11, "\0\0\3\214\377SMB2\0\0\0\0\210A\0"..., 912, 0) = 912
select(20, [9 11 19], NULL, NULL, {60, 0}) = 1 (in [11], left {59, 880000})
read(11, "\0\0\0#", 4)                  = 4
read(11, "\377SMB\200\0\0\0\0\10\1\0\0\0\0"..., 35) = 35
gettimeofday({1050510946, 443001}, NULL) = 0
statfs(".", {f_type="EXT2_SUPER_MAGIC", f_bsize=1024, f_blocks=1949119, f_bfree=274728, f_files=65280, f_ffree=24610, f_namelen=255}}) = 0
stat(".", {st_mode=030210, st_size=0, ...}) = 0
open("/proc/mounts", O_RDONLY)          = -1 ENOENT (No such file or directory)
open("/etc/mtab", O_RDONLY)             = -1 ELOOP (Too many levels of symbolic links)
geteuid()                               = 200
stat(".", {st_mode=030210, st_size=0, ...}) = 0
open("/etc/mtab", O_RDONLY)             = -1 ELOOP (Too many levels of symbolic links)
--- SIGSEGV (Segmentation fault) ---
write(1, "================================"..., 64===============================================================
) = 64
write(1, "INTERNAL ERROR: Signal 11 in pid"..., 48INTERNAL ERROR: Signal 11 in pid 18206 (2.2.8a)
) = 48
write(1, "Please read the file BUGS.txt in"..., 50Please read the file BUGS.txt in the distribution
) = 50
write(1, "================================"..., 64===============================================================
) = 64
write(1, "PANIC: internal error\n", 22PANIC: internal error
) = 22
SYS_175(0x1, 0xbfffeb38, 0, 0x8, 0x1)   = 0
getpid()                                = 18206
kill(18206, SIGABRT)                    = 0
--- SIGABRT (Aborted) ---
+++ killed by SIGABRT +++

-----------------------------

I can provide more info and testing if needed.

BTW, how can I tell which set of files must be replicated in the
chroot'd directory?

Thanks in advance,

Rodolfo Cossalter
System Administrator
Universidad de Buenos Aires
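
Added example, not part of the original post and not Samba's code: the backtrace shows getmntent(stream=0x0) reached from disk_quotas() right after open("/etc/mtab") failed with ELOOP, so this sketch shows the same mount-table lookup with the setmntent() result checked. The names find_mount_device and demo_symlink_loop and the /tmp path are assumptions made for illustration.

```c
#include <errno.h>
#include <mntent.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Copy into fsname the device of the mount-table entry backing `path`.
 * Returns 0 on success, -1 with errno set. `mtab` is a parameter (assumption). */
int find_mount_device(const char *mtab, const char *path,
                      char *fsname, size_t len)
{
    struct stat target, st;
    struct mntent *mnt;
    FILE *fp;
    if (stat(path, &target) != 0)
        return -1;
    fp = setmntent(mtab, "r");
    if (fp == NULL)   /* ELOOP/ENOENT inside a chroot: fail, never pass NULL on */
        return -1;
    while ((mnt = getmntent(fp)) != NULL) {
        if (stat(mnt->mnt_dir, &st) == 0 && st.st_dev == target.st_dev) {
            snprintf(fsname, len, "%s", mnt->mnt_fsname);
            endmntent(fp);
            return 0;
        }
    }
    endmntent(fp);
    errno = ENOENT;
    return -1;
}

/* Constructed demo: a self-referencing symlink makes open() fail with
 * ELOOP, the same errno the strace above shows for /etc/mtab. */
int demo_symlink_loop(void)
{
    char dev[64], link[64];
    snprintf(link, sizeof link, "/tmp/mtab-loop-%ld", (long)getpid());
    if (symlink(link, link) != 0)
        return -2;
    int rc = find_mount_device(link, "/", dev, sizeof dev);
    int err = errno;   /* save before unlink() can overwrite it */
    unlink(link);
    return rc == -1 ? err : 0;
}

int main(void)
{
    printf("loop mtab -> errno %d (ELOOP is %d)\n", demo_symlink_loop(), ELOOP);
    return 0;
}
```

With the check in place, an unreadable mount table turns into an error return that the caller can report, instead of a NULL stream reaching fgets_unlocked().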


