segfault in winbindd
Ralph Boehme
slow at samba.org
Tue Jan 27 11:13:52 UTC 2026
Hi!
Completely different trigger, but this looks a lot like
https://bugzilla.samba.org/show_bug.cgi?id=15973
--
Join us for the 25th sambaXP 2026 conference
April 20th & 21st, 2026 at Hotel Freizeit In
sponsored by TranquilIT & Microsoft & SerNet
Ticketing & more Info at https://sambaxp.org
SerNet Samba Team Lead https://sernet.de/
Samba Team PLC https://samba.org/
Support and Development https://samba.plus/services/
SAMBA+ packages https://samba.plus/products/samba
On 1/27/26 11:41 AM, Michael Tokarev via samba-technical wrote:
> Hi!
>
> I was joining a samba server to a domain - a server which was standalone
> before. I installed winbindd in addition to samba (since it wasn't
> needed before), which started automatically.
>
> Next, I modified smb.conf to change server role to 'member server',
> without stopping all samba first (active connections to this server
> do not matter to me, they're all old/stale clients I don't care
> about).
>
> And right after I hit "save" in the editor, I started getting emails
> about segfaults - 1000s of them in a very short period of time, until
> I stopped winbindd service.
>
> Yes, the whole scenario is a bit weird - samba components should be
> stopped when joining a domain. But it should not cause winbindd to
> segfault like this anyway, it should handle the error gracefully.
>
> Below is an analysis of the resulting core file in gdb. It is
> a null-pointer dereference in cm_connect_netlogon_transport() - and
> it *might* be triggerable by an nslookup, I guess?
>
> Note: there was no config reloading or anything like that, so all
> samba processes were running with the old, non-domain config still, or
> should've been.
>
> When I try to start winbindd with this new config without joining the
> domain, it correctly refuses to start. But this is not the case when
> it crashed.
>
> This scenario is easily reproducible here.
>
> Samba version is 4.23.5+dfsg-1~bpo13+1 (current from Debian Trixie
> backports).
>
> Can someone take a look at this please? I have the core file to check
> and a way to trigger it if needed.
>
> Thanks,
>
> /mjt
>
> (gdb) bt
> Thread 1 (Thread 0x7feca82abb00 (LWP 664947)):
> #0 __pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0) at ./nptl/pthread_kill.c:44
> #1 0x00007feca9c9f9ff in __pthread_kill_internal (threadid=<optimized out>, signo=6) at ./nptl/pthread_kill.c:89
> #2 0x00007feca9c4acc2 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
> #3 0x00007feca9c334ac in __GI_abort () at ./stdlib/abort.c:77
> #4 0x00007fecaa9c0ef4 in dump_core () at source3/lib/dumpcore.c:339
> #5 0x00007fecaa9b6b24 in smb_panic_s3 (why=<optimized out>) at source3/lib/util.c:730
> #6 0x00007fecaa5ca86e in smb_panic (why=why@entry=0x7ffe40e89090 "Signal 11: Segmentation fault") at lib/util/fault.c:209
> #7 0x00007fecaa5ca8f5 in fault_report (sig=11) at lib/util/fault.c:83
> #8 sig_fault (sig=11) at lib/util/fault.c:94
> #9 <signal handler called>
> #10 0x000055fc450c834d in cm_connect_netlogon_transport (domain=domain@entry=0x55fc8432d780, transport=transport@entry=NCACN_NP, cli=cli@entry=0x7ffe40e89f60) at source3/winbindd/winbindd_cm.c:3216
> #11 0x000055fc450c653b in cm_connect_netlogon (domain=domain@entry=0x55fc8432d780, cli=0x7ffe40e89f60) at source3/winbindd/winbindd_cm.c:3333
> #12 0x000055fc450c87b9 in cm_connect_netlogon_secure (domain=domain@entry=0x55fc8432d780, cli=cli@entry=0x7ffe40e89f60, ppdc=ppdc@entry=0x7ffe40e89f68) at source3/winbindd/winbindd_cm.c:3356
> #13 0x000055fc450bad7e in winbind_samlogon_retry_loop (domain=domain@entry=0x55fc8432d780, mem_ctx=mem_ctx@entry=0x55fc84356390, logon_parameters=logon_parameters@entry=2080, username=username@entry=0x55fc8432c5d0 "AGaleeva", password=password@entry=0x0, domainname=domainname@entry=0x55fc84326710 "RGSMAIN", workstation=0x55fc8434d470 "002_58157_4144", logon_id=1311862741397045062, plaintext_given=false, chal=..., lm_response=..., nt_response=..., interactive=false, authoritative=0x7ffe40e8a2f1 "\001\377\377", flags=0x7ffe40e8a2f4, _validation_level=0x7ffe40e8a19e, _validation=0x7ffe40e8a1a0) at source3/winbindd/winbindd_pam.c:1670
> #14 0x000055fc450bfb28 in winbind_dual_SamLogon (domain=domain@entry=0x55fc8432d780, mem_ctx=0x55fc84356390, for_netlogon=false, interactive=interactive@entry=false, logon_parameters=2080, name_user=0x55fc8432c5d0 "AGaleeva", name_domain=0x55fc84326710 "RGSMAIN", workstation=0x55fc8434d470 "002_58157_4144", logon_id=1311862741397045062, client_name=0x55fc8432a3b0 "smbd", client_pid=664807, chal_blob=..., lm_response=..., nt_response=..., remote=0x55fc84329da0, local=0x55fc84354cb0, authoritative=0x7ffe40e8a2f1 "\001\377\377", skip_sam=false, flags=0x7ffe40e8a2f4, _validation_level=0x7ffe40e8a2f2, _validation=0x7ffe40e8a2f8) at source3/winbindd/winbindd_pam.c:2789
> #15 0x000055fc450c004b in _wbint_PamAuthCrap (p=p@entry=0x55fc84355218, r=r@entry=0x55fc843540e0) at source3/winbindd/winbindd_pam.c:2937
> #16 0x000055fc450e3474 in winbind__op_dispatch_internal (dce_call=0x55fc84356390, mem_ctx=<optimized out>, r=0x55fc843540e0, dispatch=S3COMPAT_RPC_DISPATCH_INTERNAL) at ./librpc/gen_ndr/ndr_winbind_scompat.c:479
> #17 0x00007fecaae3f0b9 in dcesrv_call_dispatch_local (call=call@entry=0x55fc84356390) at librpc/rpc/dcesrv_core.c:3395
> #18 0x000055fc450db6c7 in winbindd_dual_ndrcmd (domain=domain@entry=0x55fc8432d780, state=state@entry=0x7ffe40e8a638) at source3/winbindd/winbindd_dual_ndr.c:652
> #19 0x000055fc450d7163 in child_process_request (child=<optimized out>, state=0x7ffe40e8a638) at source3/winbindd/winbindd_dual.c:800
> #20 child_handler (ev=<optimized out>, fde=<optimized out>, flags=<optimized out>, private_data=0x7ffe40e8a630) at source3/winbindd/winbindd_dual.c:1688
> #21 0x00007fecab19a885 in tevent_common_invoke_fd_handler () from /lib/x86_64-linux-gnu/libtevent.so.0
> #22 0x00007fecab1a1ace in ?? () from /lib/x86_64-linux-gnu/libtevent.so.0
> #23 0x00007fecab19f54b in ?? () from /lib/x86_64-linux-gnu/libtevent.so.0
> #24 0x00007fecab1999c3 in _tevent_loop_once () from /lib/x86_64-linux-gnu/libtevent.so.0
> #25 0x000055fc450d9d10 in fork_domain_child (child=0x55fc8432d9f0) at source3/winbindd/winbindd_dual.c:1927
> #26 0x000055fc450da655 in wb_child_request_waited (subreq=0x0) at source3/winbindd/winbindd_dual.c:271
> #27 0x00007fecab19ae0e in tevent_common_invoke_immediate_handler () from /lib/x86_64-linux-gnu/libtevent.so.0
> #28 0x00007fecab19ae6a in tevent_common_loop_immediate () from /lib/x86_64-linux-gnu/libtevent.so.0
> #29 0x00007fecab1a183f in ?? () from /lib/x86_64-linux-gnu/libtevent.so.0
> #30 0x00007fecab19f54b in ?? () from /lib/x86_64-linux-gnu/libtevent.so.0
> #31 0x00007fecab1999c3 in _tevent_loop_once () from /lib/x86_64-linux-gnu/libtevent.so.0
> #32 0x000055fc450a60c8 in main (argc=<optimized out>, argv=<optimized out>) at source3/winbindd/winbindd.c:1738
>
> (gdb) frame 10
> #10 0x000055fc450c834d in cm_connect_netlogon_transport (domain=domain@entry=0x55fc8432d780, transport=transport@entry=NCACN_NP, cli=cli@entry=0x7ffe40e89f60) at source3/winbindd/winbindd_cm.c:3216
> 3216 remote_name = smbXcli_conn_remote_name(conn->cli->conn);
> (gdb) p conn
> $1 = (struct winbindd_cm_conn *) 0x55fc8432d8d8
> (gdb) p conn->cli
> $2 = (struct cli_state *) 0x0
> (gdb)
>
>
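As an added illustration of the crash pattern in the backtrace above (this is not Samba's code, and all struct, function and status names are hypothetical stand-ins): a cached connection whose cli pointer has been cleared while the enclosing struct is still reachable, the unchecked accessor that dereferences it the way line 3216 does, and a checked variant that reports the invalid connection to its caller instead of taking SIGSEGV in the domain child.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins for the structures named in the backtrace, not Samba's. */
struct xcli_conn { char remote_name[64]; };
struct cli_state { struct xcli_conn *conn; };
struct cm_conn   { struct cli_state *cli; };

/* Constructed status codes for this example, loosely modelled on NTSTATUS. */
enum cm_status { CM_OK = 0, CM_CONNECTION_INVALID = 1 };

/* Models cache invalidation: cli is cleared but cm_conn stays allocated (conn valid, conn->cli 0x0). */
static void invalidate_conn(struct cm_conn *conn)
{
    conn->cli = NULL;
}

/* Unchecked pattern as at winbindd_cm.c:3216: conn->cli is assumed valid, so NULL here segfaults. */
static const char *remote_name_unchecked(const struct cm_conn *conn)
{
    return conn->cli->conn->remote_name;
}

/* Checked variant: validate the chain and return an error the caller can act on (reconnect/fail). */
static enum cm_status remote_name_checked(const struct cm_conn *conn, const char **name)
{
    *name = NULL;
    if (conn == NULL || conn->cli == NULL || conn->cli->conn == NULL) {
        return CM_CONNECTION_INVALID;
    }
    *name = conn->cli->conn->remote_name;
    return CM_OK;
}

/* Builds a connection (constructed DC name), optionally invalidates it, then runs the checked accessor. */
static enum cm_status scenario(int invalidate_first, const char **name)
{
    static struct xcli_conn xc;
    static struct cli_state cs;
    static struct cm_conn conn;
    strcpy(xc.remote_name, "dc1.example.test");  /* constructed sample value */
    cs.conn = &xc;
    conn.cli = &cs;
    if (invalidate_first) {
        invalidate_conn(&conn);  /* remote_name_unchecked(&conn) would now crash */
    } else {
        puts(remote_name_unchecked(&conn));  /* safe only while the chain is intact */
    }
    return remote_name_checked(&conn, name);
}
```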