Domain logon problems with 10.Mar.99 CVS source

Stefan Walter walter at inf.ethz.ch
Thu Mar 11 15:16:00 GMT 1999 

> 
> I hope the change I asked Luke to make is not causing your problem. I
> believe it is a memory corruption problem, in order to find it do the
> following. This will depend on the kind of system you are using but try
> this, assuming you are the only one trying to log onto the PDC. There should
> be only 1 or 2 smbd processes running, if there is 1 then hitting
> Ctrl-Alt-Del on your NT machine should start another one. For the process
> that is the child of the other smbd run dbx -p <pid> and try to log in. Hit
> return in dbx as it will stop when it it receives the SIGSEV. At this point
> do a where and post the results here.

Ok, did this:

Program received signal SIGSEGV, Segmentation fault.
0xc4bb4 in Get_Pwnam ()
(gdb) where
#0  0xc4bb4 in Get_Pwnam ()
#1  0xc29f0 in nametouid ()
#2  0xad7f0 in lookupsmbpwnam ()
#3  0xb1dc0 in get_unixgroup_members ()
#4  0xb2124 in getgrpunixpwent ()
#5  0xafddc in getgroupent ()
#6  0xafad0 in iterate_getusergroupsnam ()
#7  0xaffcc in getusergroupsntnam ()
#8  0x74878 in api_net_sam_logon ()
#9  0x7e714 in api_rpc_command ()
#10 0x7e810 in api_rpcTNP ()
#11 0x74c10 in api_netlog_rpc ()
#12 0x7e40c in api_pipe_request ()
#13 0x7e510 in rpc_command ()
#14 0x3c180 in api_fd_reply ()
#15 0x3c8f0 in named_pipe ()
#16 0x3d034 in reply_trans ()
#17 0x5aaf4 in switch_message ()
#18 0x5ab80 in construct_reply ()
#19 0x5ad3c in process_smb ()
#20 0x5b6c0 in smbd_process ()
#21 0x2c9bc in main ()

smbd is running on a Sparc 5 and compiled with GCC 2.8.1, the disassembly 
looks like this:

(gdb) disassemble 0xc4b9c
Dump of assembler code for function Get_Pwnam:
0xc4b9c <Get_Pwnam>:    save  %sp, -240, %sp
0xc4ba0 <Get_Pwnam+4>:  call  0x6018c <lp_usernamelevel>
0xc4ba4 <Get_Pwnam+8>:  nop 
0xc4ba8 <Get_Pwnam+12>: cmp  %i0, 0
0xc4bac <Get_Pwnam+16>: be  0xc4cdc <Get_Pwnam+320>
0xc4bb0 <Get_Pwnam+20>: mov  %o0, %l1
0xc4bb4 <Get_Pwnam+24>: ldsb  [ %i0 ], %o0
0xc4bb8 <Get_Pwnam+28>: cmp  %o0, 0
0xc4bbc <Get_Pwnam+32>: be  0xc4cdc <Get_Pwnam+320>
0xc4bc0 <Get_Pwnam+36>: add  %fp, -144, %l0
0xc4bc4 <Get_Pwnam+40>: mov  %l0, %o0
0xc4bc8 <Get_Pwnam+44>: mov  %i0, %o1
0xc4bcc <Get_Pwnam+48>: call  0xc77d8 <StrnCpy>
...
(gdb) disassemble 0xc29f0
Dump of assembler code for function nametouid:
0xc29e0 <nametouid>:    save  %sp, -112, %sp
0xc29e4 <nametouid+4>:  mov  %i0, %o0
0xc29e8 <nametouid+8>:  call  0xc4b9c <Get_Pwnam>
0xc29ec <nametouid+12>: clr  %o1
0xc29f0 <nametouid+16>: cmp  %o0, 0
...

Some registers:

o0             0x0      0
l0             0x0      0
l1             0x0      0
i0             0x6270727a       1651536506

Looks like i0 is incorrect and addressing memory at [%i0] causes the SIGSEGV:

(gdb) x 0x6270727a
0x6270727a <_end+1650381810>:   Cannot access memory at address 0x6270727a.

Seems like a memory corruption to me too:

0> perl -e 'print "\x62\x70\x72\x7a\n";'
bprz
0> ypcat group | fgrep bprz
cocoon:*:10014:rys,wunderli,norrie,bprzydat,richwood,roehm

Remember my logfile sniplet?

>   4156    lookupsmbgrpnam: unix user group cocoon
>   4157  [1999/03/10 18:14:49, 10] lib/domain_namemap.c:lookupsmbgrpgid(1270)
>   4158    lookupsmbgrpgid: unix gid 10014
>   4159  [1999/03/10 18:14:49, 10] lib/domain_namemap.c:lookupsmbpwnam(886)
>   4160  [1999/03/10 18:14:49, 0] lib/fault.c:fault_report(40)

After some analysis I found out he wrong 'unix_name' originates from here:

...
BOOL get_unixgroup_members(struct group *grp,
                                int *num_mem, DOMAIN_GRP_MEMBER **members)
{
 ...
        for (i = 0; (unix_name = grp->gr_mem[i]) != NULL; i++)
                     ^^^^^^^^^^^^^^^^^^^^^^^^^^
 
I'll try to locate the place where the memory gets corrupted but this will take
some time as I'm not familiar with the code yet.

Thanks so far!

- Stefan

--
Stefan Walter - SysAdmin at D-INFK (StabSoft), ETH Zurich, Switzerland

More information about the samba-ntdom mailing list