[Samba] Bug on PAM_Winbind ?
Thiago Fernandes Crepaldi
tognado at gmail.com
Wed Aug 21 09:14:29 MDT 2013
Hello guys,
I am using PAM (0.82) to authenticate (samba) workgroup users and it works
fine (pam_smbpass). But after joining a domain and start using pam_winbind
too, pwauth (2.3.10) get a segmentation fault when trying to authenticate
any workgroup or domain user. What happens is that it does authenticate the
user successfully, but when it calls pam_end() to release its resources, it
crashes. Maybe pam_winbind is freeing something that will be freed by
pam_end or something like that - I don't really know about PAM and their
modules (smbpass/winbind), but it seems that pam_winbind might be misusing
libtalloc somehow. Any ideas ?
I believe this is an important use case because (AFAIK) it is the
recommended way of authenticating users on web servers. Although I am using
Samba 4.0.9 (with symbols), I can also see this issue on Samba 4.0.7 and
4.0.0 too. The funny thing is that it works fine on samba 3.6.9, though.
*pwauth backtrace:*
Program received signal SIGSEGV, Segmentation fault.
0xb7e32f03 in ?? ()
(gdb) bt
#0 0xb7e32f03 in ?? ()
*#1 0xb7bb26e1 in _talloc_free_internal (ptr=0x80612d0,
location=0xb7bb54c7 "../lib/talloc/talloc.c:2251") at
../lib/talloc/talloc.c:831*
*#2 0xb7bb33f0 in _talloc_free_children_internal (tc=0x8060d88,
ptr=0x8060db8, location=0xb7bb54c7 "../lib/talloc/talloc.c:2251") at
../lib/talloc/talloc.c:1256*
*#3 0xb7bb2830 in _talloc_free_internal (ptr=0x8060db8,
location=0xb7bb54c7 "../lib/talloc/talloc.c:2251") at
../lib/talloc/talloc.c:851*
*#4 0xb7bb3742 in _talloc_free (ptr=0x8060db8, location=0xb7bb54c7
"../lib/talloc/talloc.c:2251") at ../lib/talloc/talloc.c:1371*
*#5 0xb7bb4d82 in talloc_autofree () at ../lib/talloc/talloc.c:2251*
*#6 0xb7e865e8 in __cxa_finalize () from /lib/i386-linux-gnu/libc.so.6*
*#7 0xb7bb1a43 in __do_global_dtors_aux () from
/usr/local/samba/lib/private/libtalloc.so.2*
#8 0xb7ff4e52 in ?? () from /lib/ld-linux.so.2
#9 0xb7ff5947 in ?? () from /lib/ld-linux.so.2
#10 0xb7e53cc4 in ?? () from /lib/i386-linux-gnu/libdl.so.2
#11 0xb7fefde6 in ?? () from /lib/ld-linux.so.2
#12 0xb7e540bc in ?? () from /lib/i386-linux-gnu/libdl.so.2
#13 0xb7e53cfa in dlclose () from /lib/i386-linux-gnu/libdl.so.2
#14 0xb7fadf8b in ?? () from /lib/i386-linux-gnu/libpam.so.0
#15 0xb7fab8ff in ?? () from /lib/i386-linux-gnu/libpam.so.0
*#16 0xb7fa8da0 in pam_end () from /lib/i386-linux-gnu/libpam.so.0*
#17 0x08048baf in check_auth (login=0xbffff8bf "admin", passwd=0xbffff4be
"soho") at auth_pam.c:186
#18 0x08048952 in main (argc=1, argv=0xbffffd84) at main.c:92
*cat /etc/nsswitch.conf *
passwd: files winbind
shadow: files winbind
group: files winbind
hosts: files wins dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files
netgroup: nisplus
publickey: nisplus
automount: files nisplus
aliases: files nisplus
*cat /etc/pam.d/pwauth *
#%PAM-1.0
auth sufficient /lib/security/pam_smbpass.so
auth sufficient /lib/security/pam_winbind.so cached_login
auth required /lib/security/pam_winbind.so krb5_auth
account required /lib/security/pam_nologin.so
account sufficient /lib/security/pam_smbpass.so
account required /lib/security/pam_winbind.so
password sufficient /lib/security/pam_smbpass.so
password required /lib/security/pam_winbind.so
session required /lib/security/pam_unix.so
*cat /etc/samba/smb.conf*
[Global]
available= yes
client signing= auto
server signing= auto
server string= Bla
Workgroup= DISNEY
netbios name= vmstore-4
realm= DISNEY.XXTEST.ASD-ABC.LOCALDOMAIN
password server= *
idmap backend= tdb
idmap uid= 5000-9999999
idmap gid= 5000-9999999
idmap config DISNEY : backend= rid
idmap config DISNEY : range= 10000000-19999999
security= ADS
name resolve order= wins host bcast lmhosts
client use spnego= yes
dns proxy= no
winbind use default domain= no
winbind nested groups= yes
inherit acls= yes
winbind enum users= yes
winbind enum groups= yes
winbind separator= \\
winbind cache time= 300
winbind offline logon= true
encrypt passwords= yes
passdb backend= smbpasswd
More information about the samba
mailing list