samba - Jun 2008 - Winbind issue

All,

After upgrading to samba 3.0.30 on gentoo amd64 because of my recent
best friend CVE-2008-1105

 

My winbind daemon is 'hanging up', and refusing to respond to pings
after a few minutes of activity.

Wbinfo -u, getent passwd all work successfully, then after a bit wbinfo
-p just tells me winbind dies.

I have 3.0.30/winbind on another machine, also amd64 that is working....
So I'm a little confused. (the patch levels and kernels are different on
the two machines)

 

The failing server has mit-krb5-1.6.3-r1 openldap-2.3.41 and kernel
2.6.16-gentoo-r9

Glibc-2.6.1

gcc version 3.4.4 (Gentoo 3.4.4-r1, ssp-3.4.4-1.0, pie-8.7.8)

 

This is an excerpt of the log at the point winbind dies;

At the point this excerpt stops, winbind establishes a hundred or so
connections with ads,

I've snipped it for brevity.

 

 

[2008/06/01 00:16:31, 1] nsswitch/winbindd_ads.c:query_user_list(209)

  Not a user account? atype=0x30000000

[2008/06/01 00:16:31, 1] nsswitch/winbindd_ads.c:query_user_list(209)

  Not a user account? atype=0x30000000

[2008/06/01 00:16:31, 1] nsswitch/winbindd_ads.c:query_user_list(209)

  Not a user account? atype=0x30000000

[2008/06/01 00:16:31, 1] nsswitch/winbindd_ads.c:query_user_list(209)

  Not a user account? atype=0x30000000

[2008/06/01 00:16:31, 1] nsswitch/winbindd_ads.c:query_user_list(209)

  Not a user account? atype=0x30000000

[2008/06/01 00:16:31, 1] nsswitch/winbindd_ads.c:query_user_list(209)

  Not a user account? atype=0x30000000

[2008/06/01 00:16:31, 1] nsswitch/winbindd_ads.c:query_user_list(209)

  Not a user account? atype=0x30000000

[2008/06/01 00:16:31, 1] nsswitch/winbindd_ads.c:query_user_list(209)

  Not a user account? atype=0x30000000

[2008/06/01 00:16:31, 1] nsswitch/winbindd_ads.c:query_user_list(209)

  Not a user account? atype=0x30000000

[2008/06/01 00:16:31, 1] nsswitch/winbindd_ads.c:query_user_list(209)

  Not a user account? atype=0x30000000

[2008/06/01 00:16:31, 1] nsswitch/winbindd_ads.c:query_user_list(209)

  Not a user account? atype=0x30000000

[2008/06/01 00:16:31, 1] nsswitch/winbindd_ads.c:query_user_list(209)

  Not a user account? atype=0x30000000

[2008/06/01 00:17:53, 1] nsswitch/idmap.c:idmap_init(377)

  Initializing idmap domains

[2008/06/01 00:17:53, 1]
libads/ldap_utils.c:ads_do_search_retry_internal(115)

  ads reopen failed after error Referral

[2008/06/01 00:17:53, 1]
libads/ldap_utils.c:ads_do_search_retry_internal(115)

  ads reopen failed after error Referral

[2008/06/01 00:17:54, 1]
libads/ldap_utils.c:ads_do_search_retry_internal(115)

  ads reopen failed after error Referral

[2008/06/01 00:17:54, 1]
libads/ldap_utils.c:ads_do_search_retry_internal(115)

  ads reopen failed after error Referral

[2008/06/01 00:17:54, 1]
libads/ldap_utils.c:ads_do_search_retry_internal(115)

  ads reopen failed after error Referral

[2008/06/01 00:17:54, 1]
libads/ldap_utils.c:ads_do_search_retry_internal(115)

  ads reopen failed after error Referral

.

.

.

.

<snip>

 

 

Anyway, if someone has any suggestions - I'd really appreciate it.

 

 

Cheers,

Rob

I have run a debug level 10, and removed the option "PASSWORD SERVER"
from the configuration file since my last email.
Also since the last post I have checked to ensure I'm using gcc 4.1.2 by
changing the profile correctly, which I'd not done in the past.

I think that removing password server got rid of the Referrer loop...

Anyway, if someone has any suggestions - I'd really appreciate it.

This is the output I get in /var/log/samba/winbind.log

/etc/init.d/samba start
Wbinfo -u
Wbinfo -g
Getent passwd
.
.
srvr sam # wbinfo -p
Ping to winbindd succeeded on fd 4
srvr sam # wbinfo -p
Ping to winbindd succeeded on fd 4
srvr sam # wbinfo -p
Ping to winbindd failed on fd -1
could not ping winbindd!


<SNIP>
.
.
[2008/06/01 18:16:25, 10] nsswitch/idmap_cache.c:idmap_cache_set(176)
  Adding cache entry with key = IDMAP/UID/68673; value =  
1212309085/IDMAP/SID/<snip> and timeout = Sun Jun  1 18:31:25 2008
   (900 seconds ahead)
[2008/06/01 18:16:25, 10] nsswitch/idmap_util.c:idmap_sid_to_gid(145)
  idmap_sid_to_gid: sid = [<snip>]
[2008/06/01 18:16:25, 10] nsswitch/idmap_cache.c:idmap_cache_map_sid(423)
  Returning valid cache entry: key = IDMAP/SID/<snip>, value =
IDMAP/GID/15016, timeout = Sun Jun  1 18:31:00 2008
[2008/06/01 18:16:25, 10] nsswitch/winbindd.c:process_request(314)
  process_request: request fn GETPWENT
[2008/06/01 18:16:25, 3] nsswitch/winbindd_user.c:winbindd_getpwent(636)
  [10129]: getpwent
[2008/06/01 18:16:25, 10] nsswitch/winbindd.c:process_request(314)
  process_request: request fn ENDPWENT
[2008/06/01 18:16:25, 3] nsswitch/winbindd_user.c:winbindd_endpwent(521)
  [10129]: endpwent
[2008/06/01 18:17:16, 6] nsswitch/winbindd.c:new_connection(628)
  accepted socket 25
[2008/06/01 18:17:16, 10] nsswitch/winbindd.c:process_request(314)
  process_request: request fn INTERFACE_VERSION
[2008/06/01 18:17:16, 3]
nsswitch/winbindd_misc.c:winbindd_interface_version(491)
  [10130]: request interface version
[2008/06/01 18:17:16, 10] nsswitch/winbindd.c:process_request(314)
  process_request: request fn WINBINDD_PRIV_PIPE_DIR
[2008/06/01 18:17:16, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(524)
  [10130]: request location of privileged pipe
[2008/06/01 18:17:16, 6] nsswitch/winbindd.c:new_connection(628)
  accepted socket 26
[2008/06/01 18:17:16, 10] nsswitch/winbindd.c:process_request(314)
  process_request: request fn PING
[2008/06/01 18:17:16, 3] nsswitch/winbindd_misc.c:winbindd_ping(470)
  [10130]: ping
[2008/06/01 18:17:18, 6] nsswitch/winbindd.c:new_connection(628)
  accepted socket 25
[2008/06/01 18:17:18, 10] nsswitch/winbindd.c:process_request(314)
  process_request: request fn INTERFACE_VERSION
[2008/06/01 18:17:18, 3]
nsswitch/winbindd_misc.c:winbindd_interface_version(491)
  [10131]: request interface version
[2008/06/01 18:17:18, 10] nsswitch/winbindd.c:process_request(314)
  process_request: request fn WINBINDD_PRIV_PIPE_DIR
[2008/06/01 18:17:18, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(524)
  [10131]: request location of privileged pipe
[2008/06/01 18:17:18, 6] nsswitch/winbindd.c:new_connection(628)
  accepted socket 26
[2008/06/01 18:17:18, 10] nsswitch/winbindd.c:process_request(314)
  process_request: request fn PING
[2008/06/01 18:17:18, 3] nsswitch/winbindd_misc.c:winbindd_ping(470)
  [10131]: ping
[2008/06/01 18:17:30, 6] nsswitch/winbindd.c:new_connection(628)
  accepted socket 25
[2008/06/01 18:17:30, 10] nsswitch/winbindd.c:process_request(314)
  process_request: request fn INTERFACE_VERSION
[2008/06/01 18:17:30, 3]
nsswitch/winbindd_misc.c:winbindd_interface_version(491)
  [10132]: request interface version
[2008/06/01 18:17:30, 10] nsswitch/winbindd.c:process_request(314)
  process_request: request fn WINBINDD_PRIV_PIPE_DIR
[2008/06/01 18:17:30, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(524)
  [10132]: request location of privileged pipe
[2008/06/01 18:17:30, 6] nsswitch/winbindd.c:new_connection(628)
  accepted socket 26
[2008/06/01 18:17:30, 10] nsswitch/winbindd.c:process_request(314)
  process_request: request fn PING
[2008/06/01 18:17:30, 3] nsswitch/winbindd_misc.c:winbindd_ping(470)
  [10132]: ping
[2008/06/01 18:17:41, 10] lib/events.c:event_add_timed(129)
  Added timed event "async_request_timeout": 5555559b4c00
[2008/06/01 18:17:41, 10] lib/events.c:get_timed_events_timeout(295)
  timed_events_timeout: 299/999853
[2008/06/01 18:17:41, 10] lib/events.c:timed_event_destructor(66)
  Destroying timed event 5555559b4c00 "async_request_timeout"
[2008/06/01 18:17:41, 10]
nsswitch/winbindd_cache.c:cache_retrieve_response(2307)
  Retrieving response for pid 10133
[2008/06/01 18:17:41, 10]
nsswitch/winbindd_cache.c:cache_retrieve_response(2329)
  Retrieving extra data length=124

----

My config file:
[global]
        netbios name = FSDP-PRIME
        workgroup = doma
        realm = doma.EDU.AU
        idmap uid = 15000-200000
        idmap gid = 15000-200000
        loglevel = 10
        server string = SAMBA SERVER #2
        interfaces = <snip>
        load printers = no
        log file = /var/log/samba/%m.log
        max log size = 500000
        security = ADS
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        wins server = dnsa dnsb
        dns proxy = no
        ea support = yes
        winbind enum users = yes
        winbind enum groups = yes
[homes]
        comment = Home Directory
        browseable = no
        create mask = 0777
        directory mask = 0777
        valid users = +doma\\homedir
        writable = yes
.
.
.




Rob

________________________________________

All,
After upgrading to samba 3.0.30 on gentoo amd64 because of my recent best friend
CVE-2008-1105

My winbind daemon is 'hanging up', and refusing to respond to pings
after a few minutes of activity.
Wbinfo -u, getent passwd all work successfully, then after a bit wbinfo -p just
tells me winbind dies.
I have 3.0.30/winbind on another machine, also amd64 that is working.... So
I'm a little confused. (the patch levels and kernels are different on the
two machines)

The failing server has mit-krb5-1.6.3-r1 openldap-2.3.41 and kernel
2.6.16-gentoo-r9
Glibc-2.6.1
gcc version 3.4.4 (Gentoo 3.4.4-r1, ssp-3.4.4-1.0, pie-8.7.8)

This is an excerpt of the log at the point winbind dies;
At the point this excerpt stops, winbind establishes a hundred or so connections
with ads,
I've snipped it for brevity.


[2008/06/01 00:16:31, 1] nsswitch/winbindd_ads.c:query_user_list(209)
? Not a user account? atype=0x30000000
[2008/06/01 00:16:31, 1] nsswitch/winbindd_ads.c:query_user_list(209)
? Not a user account? atype=0x30000000
[2008/06/01 00:16:31, 1] nsswitch/winbindd_ads.c:query_user_list(209)
? Not a user account? atype=0x30000000
[2008/06/01 00:16:31, 1] nsswitch/winbindd_ads.c:query_user_list(209)
? Not a user account? atype=0x30000000
[2008/06/01 00:16:31, 1] nsswitch/winbindd_ads.c:query_user_list(209)
? Not a user account? atype=0x30000000
[2008/06/01 00:16:31, 1] nsswitch/winbindd_ads.c:query_user_list(209)
? Not a user account? atype=0x30000000
[2008/06/01 00:16:31, 1] nsswitch/winbindd_ads.c:query_user_list(209)
? Not a user account? atype=0x30000000
[2008/06/01 00:16:31, 1] nsswitch/winbindd_ads.c:query_user_list(209)
? Not a user account? atype=0x30000000
[2008/06/01 00:16:31, 1] nsswitch/winbindd_ads.c:query_user_list(209)
? Not a user account? atype=0x30000000
[2008/06/01 00:16:31, 1] nsswitch/winbindd_ads.c:query_user_list(209)
? Not a user account? atype=0x30000000
[2008/06/01 00:16:31, 1] nsswitch/winbindd_ads.c:query_user_list(209)
? Not a user account? atype=0x30000000
[2008/06/01 00:16:31, 1] nsswitch/winbindd_ads.c:query_user_list(209)
? Not a user account? atype=0x30000000
[2008/06/01 00:17:53, 1] nsswitch/idmap.c:idmap_init(377)
? Initializing idmap domains
[2008/06/01 00:17:53, 1] libads/ldap_utils.c:ads_do_search_retry_internal(115)
? ads reopen failed after error Referral
[2008/06/01 00:17:53, 1] libads/ldap_utils.c:ads_do_search_retry_internal(115)
? ads reopen failed after error Referral
[2008/06/01 00:17:54, 1] libads/ldap_utils.c:ads_do_search_retry_internal(115)
? ads reopen failed after error Referral
[2008/06/01 00:17:54, 1] libads/ldap_utils.c:ads_do_search_retry_internal(115)
? ads reopen failed after error Referral
[2008/06/01 00:17:54, 1] libads/ldap_utils.c:ads_do_search_retry_internal(115)
? ads reopen failed after error Referral
[2008/06/01 00:17:54, 1] libads/ldap_utils.c:ads_do_search_retry_internal(115)
? ads reopen failed after error Referral
.
.
.
.
<snip>

---


Cheers,
Rob

On Sun, Jun 01, 2008 at 12:52:32PM +1000, Robert Mattson
wrote:
> All,
> 
> After upgrading to samba 3.0.30 on gentoo amd64 because of my recent
> best friend CVE-2008-1105
> 
>  
> 
> My winbind daemon is 'hanging up', and refusing to respond to pings
> after a few minutes of activity.
> 
> Wbinfo -u, getent passwd all work successfully, then after a bit wbinfo
> -p just tells me winbind dies.
I'm pretty sure you're running into a bug I just fixed in
the 3.0.x source tree. Patch is attached. We'll be doing a
bugfix release this coming week because of this.

Jeremy.
-------------- next part --------------
diff --git a/source/nsswitch/winbindd.c b/source/nsswitch/winbindd.c
index 636d635..c79bb46 100644
--- a/source/nsswitch/winbindd.c
+++ b/source/nsswitch/winbindd.c
@@ -117,14 +117,21 @@ static void flush_caches(void)
 
 /* Handle the signal by unlinking socket and exiting */
 
-static void terminate(void)
+static void terminate(bool in_parent)
 {
-	pstring path;
-
-	/* Remove socket file */
-	pstr_sprintf(path, "%s/%s", 
-		 WINBINDD_SOCKET_DIR, WINBINDD_SOCKET_NAME);
-	unlink(path);
+	if (in_parent) {
+		/* When parent goes away we should
+		 * remove the socket file. Not so
+		 * when children terminate.
+		 */ 
+
+		pstring path;
+
+		/* Remove socket file */
+		pstr_sprintf(path, "%s/%s", 
+			WINBINDD_SOCKET_DIR, WINBINDD_SOCKET_NAME);
+		unlink(path);
+	}
 
 	idmap_close();
 	
@@ -731,10 +738,10 @@ void winbind_check_sighup(void)
 }
 
 /* check if TERM has been received */
-void winbind_check_sigterm(void)
+void winbind_check_sigterm(bool in_parent)
 {
 	if (do_sigterm)
-		terminate();
+		terminate(in_parent);
 }
 
 /* Process incoming clients on listen_sock.  We use a tricky non-blocking,
@@ -901,7 +908,7 @@ static void process_loop(void)
 
 	/* Check signal handling things */
 
-	winbind_check_sigterm();
+	winbind_check_sigterm(true);
 	winbind_check_sighup();
 
 	if (do_sigusr2) {
diff --git a/source/nsswitch/winbindd_dual.c b/source/nsswitch/winbindd_dual.c
index 7176a25..7b79734 100644
--- a/source/nsswitch/winbindd_dual.c
+++ b/source/nsswitch/winbindd_dual.c
@@ -1005,7 +1005,7 @@ static BOOL fork_domain_child(struct winbindd_child
*child)
 		main_loop_TALLOC_FREE();
 
 		/* check for signals */
-		winbind_check_sigterm();
+		winbind_check_sigterm(false);
 		winbind_check_sighup();
 
 		run_events(winbind_event_context(), 0, NULL, NULL);