Problem with SAMR pipe (ChangePassword() Python binding)

Anatoliy Atanasov anatoliy.atanasov at postpath.com
Mon Aug 24 03:36:29 MDT 2009


Hi Team,
 
Here is a detailed back trace:
#0  0x00d70416 in __kernel_vsyscall ()
#1  0x00826660 in raise () from /lib/libc.so.6
#2  0x00828028 in abort () from /lib/libc.so.6
#3  0x086716be in talloc_abort (reason=0x87824ac "Bad talloc magic value - double free") at ../lib/talloc/talloc.c:154
#4  0x08671718 in talloc_abort_double_free () at ../lib/talloc/talloc.c:167
#5  0x08671817 in talloc_chunk_from_ptr (ptr=0x9126040) at ../lib/talloc/talloc.c:186
#6  0x0867292b in talloc_get_name (ptr=0x9126040) at ../lib/talloc/talloc.c:876
#7  0x086729af in talloc_check_name (ptr=0x9126040, name=0x8684f00 "struct composite_context") at ../lib/talloc/talloc.c:895
#8  0x08115297 in continue_smb_connect (ctx=0x911cfd8) at librpc/rpc/dcerpc_connect.c:68
#9  0x082149d6 in composite_error (ctx=0x911cfd8, status={v = 3221225787}) at libcli/composite/composite.c:116
#10 0x08214a57 in composite_is_ok (ctx=0x911cfd8) at libcli/composite/composite.c:134
#11 0x0814e237 in state_handler (c=0x911cfd8) at libcli/smb_composite/connect.c:429
#12 0x0814e279 in request_handler (req=0x9114430) at libcli/smb_composite/connect.c:441
#13 0x0815705a in smbcli_transport_dead (transport=0x911d938, status={v = 3221225787}) at libcli/raw/clitransport.c:153
#14 0x08156bb4 in transport_destructor (transport=0x911d938) at libcli/raw/clitransport.c:56
#15 0x086724d1 in _talloc_free_internal (ptr=0x911d938) at ../lib/talloc/talloc.c:545
#16 0x08672652 in _talloc_free_internal (ptr=0x911d028) at ../lib/talloc/talloc.c:576
#17 0x08672652 in _talloc_free_internal (ptr=0x911cfd8) at ../lib/talloc/talloc.c:576
#18 0x08672652 in _talloc_free_internal (ptr=0x91135b8) at ../lib/talloc/talloc.c:576
#19 0x08672652 in _talloc_free_internal (ptr=0x9113540) at ../lib/talloc/talloc.c:576
#20 0x08672652 in _talloc_free_internal (ptr=0x911d4c0) at ../lib/talloc/talloc.c:576
#21 0x08672de9 in _talloc_free (ptr=0x911d4c0, location=0x8685254 "librpc/rpc/dcerpc_connect.c:809") at ../lib/talloc/talloc.c:1072
#22 0x08116b6a in dcerpc_pipe_connect_b_recv (c=0x911d4c0, mem_ctx=0x9114290, p=0x91143dc) at librpc/rpc/dcerpc_connect.c:809
#23 0x080c08c6 in continue_pipe_connect (ctx=0x911d4c0) at libnet/libnet_rpc.c:145
#24 0x082149d6 in composite_error (ctx=0x911d4c0, status={v = 3221225653}) at libcli/composite/composite.c:116
#25 0x08116800 in dcerpc_connect_timeout_handler (ev=0x9112750, te=0x911d510, t={tv_sec = 1251102639, tv_usec = 616891}, private_data=0x911d4c0)
    at librpc/rpc/dcerpc_connect.c:715
#26 0x086478ad in tevent_common_loop_timer_delay (ev=0x9112750) at ../lib/tevent/tevent_timed.c:254
#27 0x08649d97 in epoll_event_loop (std_ev=0x91126b0, tvalp=0xbfae0d74) at ../lib/tevent/tevent_standard.c:279
#28 0x0864a549 in std_event_loop_once (ev=0x9112750, location=0x86ad200 "libcli/composite/composite.c:60") at ../lib/tevent/tevent_standard.c:544
#29 0x086469ff in _tevent_loop_once (ev=0x9112750, location=0x86ad200 "libcli/composite/composite.c:60") at ../lib/tevent/tevent.c:488
#30 0x0821484e in composite_wait (c=0x9112e38) at libcli/composite/composite.c:60
#31 0x080c0f87 in libnet_RpcConnectDC_recv (c=0x9112e38, ctx=0x9112af8, mem_ctx=0x9111e18, r=0xbfae0f80) at libnet/libnet_rpc.c:401
#32 0x080c22fa in libnet_RpcConnect_recv (c=0x9112e38, ctx=0x9112af8, mem_ctx=0x9111e18, r=0xbfae0f80) at libnet/libnet_rpc.c:970
#33 0x080c23ba in libnet_RpcConnect (ctx=0x9112af8, mem_ctx=0x9111e18, r=0xbfae0f80) at libnet/libnet_rpc.c:997
#34 0x080bfaca in libnet_SetPassword_samr (ctx=0x9112af8, mem_ctx=0x9111e18, r=0xbfae0ff0) at libnet/libnet_passwd.c:517
#35 0x080c00ad in libnet_SetPassword (ctx=0x9112af8, mem_ctx=0x9111e18, r=0xbfae0ff0) at libnet/libnet_passwd.c:659
#36 0x080c0014 in libnet_SetPassword_generic (ctx=0x9112af8, mem_ctx=0x9111e18, r=0xbfae1070) at libnet/libnet_passwd.c:646
#37 0x080c0085 in libnet_SetPassword (ctx=0x9112af8, mem_ctx=0x9111e18, r=0xbfae1070) at libnet/libnet_passwd.c:657
#38 0x080bcbb9 in net_password_set (ctx=0x9111e18, argc=1, argv=0x91051ac) at utils/net/net_password.c:144
#39 0x080bbfb9 in net_run_function (ctx=0x9111e18, argc=2, argv=0x91051a8, functable=0x8783960, usage_fn=0x80bcc94 <net_password_usage>) at utils/net/net.c:72
#40 0x080bcc8e in net_password (ctx=0x9111e18, argc=2, argv=0x91051a8) at utils/net/net_password.c:164
#41 0x080bbfb9 in net_run_function (ctx=0x9111e18, argc=3, argv=0x91051a4, functable=0x878bd20, usage_fn=0x80bc159 <net_usage>) at utils/net/net.c:72
#42 0x080bc4a4 in binary_net (argc=4, argv=0xbfae1304) at utils/net/net.c:206
#43 0x080bc55a in main (argc=Cannot access memory at address 0x7684
 
I suspect frame 22, where we have talloc_free(c); of the context passed to the function.
 
Anatoliy
 
> -----Original Message-----
> From: samba-technical-bounces at lists.samba.org [mailto:samba-technical-
> bounces at lists.samba.org] On Behalf Of Andrew Bartlett
> Sent: Sunday, August 23, 2009 15:45
> To: Nadezhda Ivanova
> Cc: samba-technical at lists.samba.org
> Subject: RE: Problem with SAMR pipe (ChangePassword() Python binding)
> 
>On Sat, 2009-08-22 at 19:33 +0300, Nadezhda Ivanova wrote:
> >Hi all,
> >I played a bit with libnet_ChangePassword and here is what I get:
> >The error message that happens to Zahari below does not appear if you
> >use a sudoer, so it's a basic permissions issue.
> 
>This actually gives us a clue - as it should still work without root
> permissions.  What happens however is that when it can contact the
> nbt_server, it will ask it to send a GetDC request to the target server,
> in the hope of discovering its name.   This will trigger a response to
> port 137, where the nbt_server is listening.
> 
>If that fails, it will try a node status request.  This may fail on a
> system that doesn't support NBT, or perhaps something else goes wrong.
> This is probably where the code triggers its INVALID_PARAMETER error.
> 
>> However, I get a crash, both when using Zahari's Python binding and
> >when I use "net password set" or "net password change"
> 
>Well, at least that means it can't be the bindings :-)
> 
>>[root at dev bin]# ./net password change Administrator
> >Password for [RUMBA\root]:
> >=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
> >INTERNAL ERROR: Signal 6 in pid 28516 (4.0.0alpha9-GIT-6f69f16)
> >Please read the file BUGS.txt in the distribution
> >=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
> >PANIC: internal error
> >BACKTRACE: 49 stack frames:
> > #0 ./net(call_backtrace+0x2b) [0x865a3ff]
> > #1 ./net(smb_panic+0x296) [0x865a781]
> > #2 ./net [0x865a94c]
> > #3 ./net(fault_setup+0) [0x865a981]
> > #4 [0x52f400]
> > #5 /lib/libc.so.6(abort+0x188) [0x828028]
> > #6 ./net [0x86716be]
> > #7 ./net [0x8671718]
> > #8 ./net [0x8671817]
> > #9 ./net(talloc_get_name+0x1d) [0x867292b]
> > #10 ./net(talloc_check_name+0x34) [0x86729af]
> > #11 ./net [0x8115297]
> > #12 ./net(composite_error+0xc1) [0x82149d6]
> > #13 ./net(composite_is_ok+0x37) [0x8214a57]
> > #14 ./net [0x814e237]
> > #15 ./net [0x814e279]
> > #16 ./net(smbcli_transport_dead+0x15c) [0x815705a]
> > #17 ./net [0x8156bb4]
> > #18 ./net [0x86724d1]
> > #19 ./net [0x8672652]
> > #20 ./net [0x8672652]
> > #21 ./net [0x8672652]
> > #22 ./net [0x8672652]
> > #23 ./net [0x8672652]
> > #24 ./net(_talloc_free+0xbe) [0x8672de9]
> > #25 ./net(dcerpc_pipe_connect_b_recv+0x89) [0x8116b6a]
> > #26 ./net [0x80c08c6]
> > #27 ./net(composite_error+0xc1) [0x82149d6]
> > #28 ./net [0x8116800]
> > #29 ./net(tevent_common_loop_timer_delay+0x195) [0x86478ad]
> > #30 ./net [0x8649d97]
> > #31 ./net [0x864a549]
> > #32 ./net(_tevent_loop_once+0xdf) [0x86469ff]
> > #33 ./net(composite_wait+0x44) [0x821484e]
> > #34 ./net [0x80c0f87]
> > #35 ./net(libnet_RpcConnect_recv+0x88) [0x80c22fa]
> > #36 ./net(libnet_RpcConnect+0x5e) [0x80c23ba]
> > #37 ./net [0x80be820]
> > #38 ./net(libnet_ChangePassword+0x76) [0x80bf007]
> > #39 ./net [0x80bef75]
> > #40 ./net(libnet_ChangePassword+0x51) [0x80befe2]
> > #41 ./net [0x80bc8d8]
> > #42 ./net(net_run_function+0xc5) [0x80bbfb9]
> > #43 ./net(net_password+0x3f) [0x80bcc8e]
> > #44 ./net(net_run_function+0xc5) [0x80bbfb9]
> > #45 ./net [0x80bc4a4]
> > #46 ./net(main+0x22) [0x80bc55a]
> > #47 /lib/libc.so.6(__libc_start_main+0xe6) [0x8125d6]
> > #48 ./net [0x80bbe61]
> >Aborted
> >
>>Any ideas what might be the cause of this?
> 
>Did it actually manage to connect before it crashed (see a Wireshark
> trace)?  This looks like our long-standing challenge with pulling down
> RPC connections in Samba4 after the remote server drops the connection.
> 
>Andrew Bartlett
> --
> Andrew Bartlett                                http://samba.org/~abartlet/
> Authentication Developer, Samba Team           http://samba.org
> Samba Developer, Cisco Inc.
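
Added example, not part of the original thread and not Samba's code: a small self-contained C model of the teardown order visible in frames #22 to #7 of the backtrace, where a destructor running inside a free fires a completion callback whose private pointer then fails the magic check. The struct and function names and the magic values are constructed for illustration, and the model assumes the callback's private state was released earlier in the same teardown.

```c
#include <stdio.h>

#define MAGIC_LIVE 0x600du  /* constructed values, not talloc's real magic */
#define MAGIC_FREE 0xdeadu

struct state { unsigned magic; int errors_seen; };
struct transport {
    void (*on_dead)(struct transport *t, void *priv); /* completion callback */
    void *priv;      /* callback's private state */
    int stale_hits;  /* times the callback saw a released chunk */
};

/* Stand-in for talloc_check_name(): accept only a chunk with live magic. */
static struct state *check_state(void *p) {
    struct state *s = p;
    return (s && s->magic == MAGIC_LIVE) ? s : NULL;
}

/* Hypothetical completion callback, in the role of continue_smb_connect(). */
static void connect_failed(struct transport *t, void *priv) {
    struct state *s = check_state(priv);
    if (!s) { t->stale_hits++; return; } /* talloc calls abort() at this point */
    s->errors_seen++;
}

/* Stand-in for a destructor that reports the dead link to pending requests. */
static void transport_destroy(struct transport *t) {
    if (t->on_dead) t->on_dead(t, t->priv);
}

/* Marks the chunk released; memory stays valid so the check is well defined. */
static void state_release(struct state *s) { s->magic = MAGIC_FREE; }

static int teardown(int detach_first) {
    struct state s = { MAGIC_LIVE, 0 };
    struct transport t = { connect_failed, &s, 0 };
    if (detach_first) { t.on_dead = NULL; t.priv = NULL; } /* cut the callback */
    state_release(&s);       /* assumed: state goes first in the free walk */
    transport_destroy(&t);   /* destructor runs while the tree is half freed */
    return t.stale_hits;
}

int teardown_unsafe(void)   { return teardown(0); } /* returns 1 */
int teardown_detached(void) { return teardown(1); } /* returns 0 */

int main(void) {
    printf("unsafe=%d detached=%d\n", teardown_unsafe(), teardown_detached());
    return 0;
}
```

Detaching the callback before the free is one common way to keep a destructor from re-entering completion code during teardown; whether it is the right fix for this crash is not established by the thread.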