[Samba] double segfault in smbd 3.0.21a

Blindauer Emmanuel samba at agat.net
Tue Jan 10 00:06:09 GMT 2006


Hi,
I'm able to reproduce a segfault in smbd, with security=ads, using normal 
login or Kerberos.
Samba 3.0.21a compiled from source, on Debian stable. 

Here are the backtraces:


For the Kerberos part, using "smbclient //server/share -k"

Using host libthread_db library "/lib/tls/libthread_db.so.1".
`system-supplied DSO at 0xffffe000' has disappeared; keeping its symbols.
[Thread debugging using libthread_db enabled]
[New Thread 1077522240 (LWP 26945)]
0x4020f3ae in waitpid () from /lib/tls/libc.so.6
#0  0x4020f3ae in waitpid () from /lib/tls/libc.so.6
#1  0x401a4d12 in system () from /lib/tls/libc.so.6
#2  0x081fc648 in smb_panic2 ()
#3  0x081fc5bb in smb_panic ()
#4  0x081e9cf3 in fault_report ()
#5  0x081e9d68 in sig_fault ()
#6  <signal handler called>
#7  0x401ce487 in fseek () from /lib/tls/libc.so.6
#8  0x400ae2cc in krb5_ktfile_get_next () from /usr/lib/libkrb5.so.3
#9  0x400add4c in krb5_kt_next_entry () from /usr/lib/libkrb5.so.3
#10 0x08275daf in ads_keytab_verify_ticket ()
#11 0x08276828 in ads_verify_ticket ()
#12 0x080b4802 in reply_spnego_kerberos ()
#13 0x080b5738 in reply_spnego_negotiate ()
#14 0x080b5db0 in reply_sesssetup_and_X_spnego ()
#15 0x080b62c6 in reply_sesssetup_and_X ()
#16 0x080dda92 in switch_message ()
#17 0x080ddb42 in construct_reply ()
#18 0x080dde8e in process_smb ()
#19 0x080debe9 in smbd_process ()
#20 0x0828850b in main ()

For the normal login, i.e. "smbclient //server/share -U username"

Using host libthread_db library "/lib/tls/libthread_db.so.1".
`system-supplied DSO at 0xffffe000' has disappeared; keeping its symbols.
[Thread debugging using libthread_db enabled]
[New Thread 1077522240 (LWP 26935)]
0x4020f3ae in waitpid () from /lib/tls/libc.so.6
#0  0x4020f3ae in waitpid () from /lib/tls/libc.so.6
#1  0x401a4d12 in system () from /lib/tls/libc.so.6
#2  0x081fc648 in smb_panic2 ()
#3  0x081fc5bb in smb_panic ()
#4  0x081e9cf3 in fault_report ()
#5  0x081e9d68 in sig_fault ()
#6  <signal handler called>
#7  0x4000770a in _dl_unload_cache () from /lib/ld-linux.so.2
#8  0x40007edf in _dl_lookup_symbol () from /lib/ld-linux.so.2
#9  0x4026fdb9 in __libc_dlclose () from /lib/tls/libc.so.6
#10 0x4000c016 in _dl_catch_error () from /lib/ld-linux.so.2
#11 0x4026fc68 in __libc_dlsym () from /lib/tls/libc.so.6
#12 0x4024db81 in __nss_lookup_function () from /lib/tls/libc.so.6
#13 0x4024d8c3 in __nss_next () from /lib/tls/libc.so.6
#14 0x4020eb49 in getpwnam_r () from /lib/tls/libc.so.6
#15 0x4020e441 in getpwnam () from /lib/tls/libc.so.6
#16 0x081ec962 in sys_getpwnam ()
#17 0x081f0a7f in getpwnam_alloc ()
#18 0x081eefbb in Get_Pwnam_internals ()
#19 0x081ef29c in Get_Pwnam_alloc ()
#20 0x082385ca in smb_getpwnam ()
#21 0x08238489 in fill_sam_account ()
#22 0x08238854 in make_server_info_info3 ()
#23 0x08233f98 in check_winbind_security ()
#24 0x08230f88 in check_ntlm_password ()
#25 0x0823a036 in auth_ntlmssp_check_password ()
#26 0x08115054 in ntlmssp_server_auth ()
#27 0x08114480 in ntlmssp_update ()
#28 0x0823a36e in auth_ntlmssp_update ()
#29 0x080b592a in reply_spnego_auth ()
#30 0x080b5e0d in reply_sesssetup_and_X_spnego ()
#31 0x080b62c6 in reply_sesssetup_and_X ()
#32 0x080dda92 in switch_message ()
#33 0x080ddb42 in construct_reply ()
#34 0x080dde8e in process_smb ()
#35 0x080debe9 in smbd_process ()
#36 0x0828850b in main ()


And here is my smb.conf:

# ./testparm
Load smb config files from /usr/local/samba/lib/smb.conf
Processing section "[web$]"
Loaded services file OK.
WARNING: passdb expand explicit = yes is deprecated
'winbind separator = +' might cause problems with group membership.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions

[global]
        workgroup = DPTINFO
        realm = DPTINFO.URS.LOCAL
        server string = %h server (Extranet, Samba %v)
        security = ADS
        allow trusted domains = No
        passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
        use kerberos keytab = Yes
        syslog = 0
        log file = /var/log/samba/log.%m
        max log size = 10000
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        dns proxy = No
        ldap admin dn = cn=admin,dc=iutinfo,dc=local
        ldap idmap suffix = ou=Idmap
        ldap suffix = dc=iutinfo,dc=local
        panic action = /usr/share/samba/panic-action %d
        idmap backend = ldap:ldap://ldap.urs.fr
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        template homedir = /home/%U
        template shell = /bin/bash
        winbind separator = +
        winbind cache time = 0
        winbind use default domain = Yes
        invalid users = root



