segfault in winbindd

Michael Tokarev mjt at tls.msk.ru
Tue Jan 27 10:41:59 UTC 2026


Hi!

I was joining a samba server to a domain - a server which was standalone
before.  I installed winbindd in addition to samba (since it wasn't
needed before), which started automatically.

Next, I modified smb.conf to change the server role to 'member server',
without stopping all of samba first (active connections to this server
do not matter to me, they're all old/stale clients I don't care
about).

And right after I hit "save" in the editor, I started getting emails
about segfaults - 1000s of them in a very short period of time, until
I stopped the winbindd service.

Yes, the whole scenario is a bit weird - samba components should be
stopped when joining a domain.  But it should not cause winbindd to
segfault like this anyway; it should handle the error gracefully.

Below is an analysis of the resulting core file in gdb.  It is
a null-pointer dereference in cm_connect_netlogon_transport() - and
it *might* be triggerable by an nslookup, I guess?

Note: there was no config reloading or anything like that, so all
samba processes were running with the old, non-domain config still, or
should've been.

When I try to start winbindd with this new config without joining the
domain, it correctly refuses to start.  But this is not the case when
it crashed.

This scenario is easily reproducible here.

Samba version is 4.23.5+dfsg-1~bpo13+1 (current from Debian Trixie
backports).

Can someone take a look at this please?  I have the core file to check
and a way to trigger it if needed.

Thanks,

/mjt

(gdb) bt
Thread 1 (Thread 0x7feca82abb00 (LWP 664947)):
#0  __pthread_kill_implementation (threadid=<optimized out>, 
signo=signo at entry=6, no_tid=no_tid at entry=0) at ./nptl/pthread_kill.c:44
#1  0x00007feca9c9f9ff in __pthread_kill_internal (threadid=<optimized 
out>, signo=6) at ./nptl/pthread_kill.c:89
#2  0x00007feca9c4acc2 in __GI_raise (sig=sig at entry=6) at 
../sysdeps/posix/raise.c:26
#3  0x00007feca9c334ac in __GI_abort () at ./stdlib/abort.c:77
#4  0x00007fecaa9c0ef4 in dump_core () at source3/lib/dumpcore.c:339
#5  0x00007fecaa9b6b24 in smb_panic_s3 (why=<optimized out>) at 
source3/lib/util.c:730
#6  0x00007fecaa5ca86e in smb_panic (why=why at entry=0x7ffe40e89090 
"Signal 11: Segmentation fault") at lib/util/fault.c:209
#7  0x00007fecaa5ca8f5 in fault_report (sig=11) at lib/util/fault.c:83
#8  sig_fault (sig=11) at lib/util/fault.c:94
#9  <signal handler called>
#10 0x000055fc450c834d in cm_connect_netlogon_transport 
(domain=domain at entry=0x55fc8432d780, transport=transport at entry=NCACN_NP, 
cli=cli at entry=0x7ffe40e89f60) at source3/winbindd/winbindd_cm.c:3216
#11 0x000055fc450c653b in cm_connect_netlogon 
(domain=domain at entry=0x55fc8432d780, cli=0x7ffe40e89f60) at 
source3/winbindd/winbindd_cm.c:3333
#12 0x000055fc450c87b9 in cm_connect_netlogon_secure 
(domain=domain at entry=0x55fc8432d780, cli=cli at entry=0x7ffe40e89f60, 
ppdc=ppdc at entry=0x7ffe40e89f68) at source3/winbindd/winbindd_cm.c:3356
#13 0x000055fc450bad7e in winbind_samlogon_retry_loop 
(domain=domain at entry=0x55fc8432d780, 
mem_ctx=mem_ctx at entry=0x55fc84356390, 
logon_parameters=logon_parameters at entry=2080, 
username=username at entry=0x55fc8432c5d0 "AGaleeva", password=password at entry=0x0, 
domainname=domainname at entry=0x55fc84326710 "RGSMAIN", 
workstation=0x55fc8434d470 "002_58157_4144", 
logon_id=1311862741397045062, plaintext_given=false, chal=..., 
lm_response=..., nt_response=..., interactive=false, 
authoritative=0x7ffe40e8a2f1 "\001\377\377", flags=0x7ffe40e8a2f4, 
_validation_level=0x7ffe40e8a19e, _validation=0x7ffe40e8a1a0) at 
source3/winbindd/winbindd_pam.c:1670
#14 0x000055fc450bfb28 in winbind_dual_SamLogon 
(domain=domain at entry=0x55fc8432d780, mem_ctx=0x55fc84356390, 
for_netlogon=false, interactive=interactive at entry=false, 
logon_parameters=2080, name_user=0x55fc8432c5d0 "AGaleeva", 
name_domain=0x55fc84326710 "RGSMAIN", workstation=0x55fc8434d470 
"002_58157_4144", logon_id=1311862741397045062, 
client_name=0x55fc8432a3b0 "smbd", client_pid=664807, chal_blob=..., 
lm_response=..., nt_response=..., remote=0x55fc84329da0, 
local=0x55fc84354cb0, authoritative=0x7ffe40e8a2f1 "\001\377\377", 
skip_sam=false, flags=0x7ffe40e8a2f4, _validation_level=0x7ffe40e8a2f2, 
_validation=0x7ffe40e8a2f8) at source3/winbindd/winbindd_pam.c:2789
#15 0x000055fc450c004b in _wbint_PamAuthCrap (p=p at entry=0x55fc84355218, 
r=r at entry=0x55fc843540e0) at source3/winbindd/winbindd_pam.c:2937
#16 0x000055fc450e3474 in winbind__op_dispatch_internal 
(dce_call=0x55fc84356390, mem_ctx=<optimized out>, r=0x55fc843540e0, 
dispatch=S3COMPAT_RPC_DISPATCH_INTERNAL) at 
./librpc/gen_ndr/ndr_winbind_scompat.c:479
#17 0x00007fecaae3f0b9 in dcesrv_call_dispatch_local 
(call=call at entry=0x55fc84356390) at librpc/rpc/dcesrv_core.c:3395
#18 0x000055fc450db6c7 in winbindd_dual_ndrcmd 
(domain=domain at entry=0x55fc8432d780, state=state at entry=0x7ffe40e8a638) 
at source3/winbindd/winbindd_dual_ndr.c:652
#19 0x000055fc450d7163 in child_process_request (child=<optimized out>, 
state=0x7ffe40e8a638) at source3/winbindd/winbindd_dual.c:800
#20 child_handler (ev=<optimized out>, fde=<optimized out>, 
flags=<optimized out>, private_data=0x7ffe40e8a630) at 
source3/winbindd/winbindd_dual.c:1688
#21 0x00007fecab19a885 in tevent_common_invoke_fd_handler () from 
/lib/x86_64-linux-gnu/libtevent.so.0
#22 0x00007fecab1a1ace in ?? () from /lib/x86_64-linux-gnu/libtevent.so.0
#23 0x00007fecab19f54b in ?? () from /lib/x86_64-linux-gnu/libtevent.so.0
#24 0x00007fecab1999c3 in _tevent_loop_once () from 
/lib/x86_64-linux-gnu/libtevent.so.0
#25 0x000055fc450d9d10 in fork_domain_child (child=0x55fc8432d9f0) at 
source3/winbindd/winbindd_dual.c:1927
#26 0x000055fc450da655 in wb_child_request_waited (subreq=0x0) at 
source3/winbindd/winbindd_dual.c:271
#27 0x00007fecab19ae0e in tevent_common_invoke_immediate_handler () from 
/lib/x86_64-linux-gnu/libtevent.so.0
#28 0x00007fecab19ae6a in tevent_common_loop_immediate () from 
/lib/x86_64-linux-gnu/libtevent.so.0
#29 0x00007fecab1a183f in ?? () from /lib/x86_64-linux-gnu/libtevent.so.0
#30 0x00007fecab19f54b in ?? () from /lib/x86_64-linux-gnu/libtevent.so.0
#31 0x00007fecab1999c3 in _tevent_loop_once () from 
/lib/x86_64-linux-gnu/libtevent.so.0
#32 0x000055fc450a60c8 in main (argc=<optimized out>, argv=<optimized 
out>) at source3/winbindd/winbindd.c:1738

(gdb) frame 10
#10 0x000055fc450c834d in cm_connect_netlogon_transport 
(domain=domain at entry=0x55fc8432d780,
     transport=transport at entry=NCACN_NP, cli=cli at entry=0x7ffe40e89f60) 
at source3/winbindd/winbindd_cm.c:3216
3216		remote_name = smbXcli_conn_remote_name(conn->cli->conn);
(gdb) p conn
$1 = (struct winbindd_cm_conn *) 0x55fc8432d8d8
(gdb) p conn->cli
$2 = (struct cli_state *) 0x0
(gdb)
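The shape of the crash in frame #10 above, as an added illustration in C that is not Samba's code: a per-domain connection object whose cli pointer is NULL (exactly the "$2 = (struct cli_state *) 0x0" seen in gdb) is dereferenced without a check, beside a guarded form that reports the missing connection to the caller so a retry loop can give up cleanly instead of taking a signal. All struct, function and status names here are hypothetical stand-ins for the Samba ones in the backtrace, and the remote name is a constructed value.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for Samba's struct cli_state. */
struct cli_state {
    const char *remote_name;
};

/* Hypothetical stand-in for struct winbindd_cm_conn: cli is NULL whenever
 * there is no live SMB connection for this domain. */
struct cm_conn {
    struct cli_state *cli;
};

/* Hypothetical status codes; not Samba's NTSTATUS values. */
enum cm_status {
    CM_OK = 0,
    CM_NO_CONNECTION = 1,
};

/* Unguarded form: the crashing pattern. With conn->cli == NULL this
 * dereferences address 0 and the process dies with SIGSEGV, as in the
 * backtrace. Kept for comparison; nothing below calls it with a NULL cli. */
const char *remote_name_unguarded(const struct cm_conn *conn)
{
    return conn->cli->remote_name;
}

/* Guarded form: validate the connection object before touching it and hand
 * the failure back as a status the caller can act on. */
enum cm_status remote_name_guarded(const struct cm_conn *conn, const char **out)
{
    *out = NULL;
    if (conn == NULL || conn->cli == NULL) {
        return CM_NO_CONNECTION;
    }
    *out = conn->cli->remote_name;
    return CM_OK;
}

/* Models a bounded retry loop like winbind_samlogon_retry_loop(): each
 * attempt goes through the guarded accessor, so an unusable connection
 * ends the loop with an error rather than a crash. Returns the number of
 * attempts made and stores the last status in *final. In real code each
 * failed attempt would try to re-establish the connection first. */
int logon_with_retries(const struct cm_conn *conn, int max_attempts,
                       enum cm_status *final)
{
    int attempts = 0;
    *final = CM_NO_CONNECTION;
    while (attempts < max_attempts) {
        const char *name;
        attempts++;
        *final = remote_name_guarded(conn, &name);
        if (*final == CM_OK) {
            break;
        }
    }
    return attempts;
}

int main(void)
{
    /* Constructed sample data. */
    struct cli_state cli = { .remote_name = "dc01.example.test" };
    struct cm_conn live = { .cli = &cli };
    struct cm_conn dead = { .cli = NULL };   /* the state gdb showed */
    const char *name;
    enum cm_status st;

    st = remote_name_guarded(&live, &name);
    printf("live connection: status=%d remote=%s\n", st, name);

    st = remote_name_guarded(&dead, &name);
    printf("dead connection: status=%d remote=%s\n", st, name ? name : "(none)");

    int tries = logon_with_retries(&dead, 3, &st);
    printf("retry loop stopped after %d attempts with status=%d\n", tries, st);
    return 0;
}
```

The guarded accessor is the only place that inspects conn->cli, so every caller on the path from the retry loop down gets an error return for the same condition; that is the property a fix for a crash like this one should have, whatever the real reason the connection object was left without a cli.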
