One way to force this to happen (for me atleast) is to simply kill winbindd and
restart it (without restarting smbd).
A wild guess is that the pipe between smbd & winbindd being used for the
communication gets closed prematurely and then some buffer that was supposed to
contain some result from winbindd contains just NUL?s - which matches
ID_TYPE_NOT_SPECIFIED (0)?
Anyway, I?ve uploaded a small patch that makes this function a bit more robust
and so far my sambas behave better..
It?s available in the bugzilla:
https://bugzilla.samba.org/show_bug.cgi?id=14571
<https://bugzilla.samba.org/show_bug.cgi?id=14571>
- Peter
> On 26 Jan 2021, at 14:32, Peter Eriksson via samba <samba at
lists.samba.org <mailto:samba at lists.samba.org>> wrote:
>
> Added an assert that checks if we over-run the wbc_sids[] array and now
4.13.4 dies immediately when I try it.
>
> Looking at the code, the suspicious code is around line 1277 in
source3/passwd/lookup_sid.c:
>
>
> if (sid_peek_check_rid(&global_sid_Unix_Groups,
> &sids[i], &rid)) {
> ids[i].type = ID_TYPE_GID;
> ids[i].id = rid;
> continue;
> }
> ?> if (idmap_cache_find_sid2unixid(&sids[I], &ids[i],
&expired)
> && !expired)
> {
> continue;
> }
> ids[i].type = ID_TYPE_NOT_SPECIFIED;
> memcpy(&wbc_sids[num_not_cached], &sids[i],
> ndr_size_dom_sid(&sids[i], 0));
> num_not_cached += 1;
>
> If that idmap_cache_find() call, or !expired is true - and ids[I].type
happens to already be ID_TYPE_NOT_SPECIFIED then num_not_cached will not be
incremented, but the loop further down will detect it and then the buffer
overrun will happen?
>
> - Peter
>
>
>
>> On 26 Jan 2021, at 13:04, Peter Eriksson via samba <samba at
lists.samba.org <mailto:samba at lists.samba.org> <mailto:samba at
lists.samba.org <mailto:samba at lists.samba.org>>> wrote:
>>
>> It seems to be crashing in source3/passwd/lookup_sids.c line 1307:
>>
>>> switch (wbc_ids[num_not_cached].type) {
>>
>> Due it trying to access outside the allocated data area?
>>
>> (gdb) print num_not_cached
>> $23 = 68
>> (gdb) print num_sids
>> $24 = 245
>> (gdb) print wbc_ids[66]
>> $21 = {type = WBC_ID_TYPE_NOT_SPECIFIED, id = {uid = 0, gid = 0}}
>> (gdb) print wbc_ids[67]
>> $22 = {type = WBC_ID_TYPE_NOT_SPECIFIED, id = {uid = 48, gid = 48}}
>> (gdb) print wbc_ids[68]
>> Cannot access memory at address 0x81b339000
>>
>> wbc_ids is talloc_array():n at line 1290, but unfortunately the
num_not_cached variable is reused so I can?t in the core dump see how many
entries actually was allocated there. I?ll recompile add a debugging assertion
check to see what?s happening there.
>>
>> The user that was connected to the smbd at the time of the crash is a
member of some 90 AD groups, of which 24 has gidNumber set. Dunno if that?s
relevant for this case but anyway.
>>
>> I?ll try to do some more debugging.
>>
>> https://bugzilla.samba.org/show_bug.cgi?id=14571
<https://bugzilla.samba.org/show_bug.cgi?id=14571>
<https://bugzilla.samba.org/show_bug.cgi?id=14571
<https://bugzilla.samba.org/show_bug.cgi?id=14571>>
<https://bugzilla.samba.org/show_bug.cgi?id=14571
<https://bugzilla.samba.org/show_bug.cgi?id=14571>
<https://bugzilla.samba.org/show_bug.cgi?id=14571
<https://bugzilla.samba.org/show_bug.cgi?id=14571>>>
>>
>> - Peter
>>
>>
>>
>>> On 11 Nov 2020, at 12:43, Andrew Walker via samba <samba at
lists.samba.org <mailto:samba at lists.samba.org> <mailto:samba at
lists.samba.org <mailto:samba at lists.samba.org>> <mailto:samba at
lists.samba.org <mailto:samba at lists.samba.org> <mailto:samba at
lists.samba.org <mailto:samba at lists.samba.org>>>> wrote:
>>
>>> On Tue, Nov 10, 2020 at 5:01 PM Peter Eriksson via samba <
>>> samba at lists.samba.org <mailto:samba at lists.samba.org>
<mailto:samba at lists.samba.org <mailto:samba at lists.samba.org>>
<mailto:samba at lists.samba.org <mailto:samba at lists.samba.org>
<mailto:samba at lists.samba.org <mailto:samba at
lists.samba.org>>>> wrote:
>>>
>>>> I just got an INTERNAL ERROR: Signal 11 in smbd (4.12.10) in
something
>>>> that sids_to_unixids() in
source3/winbindd/idmap_hash/idmap_has.c calls and
>>>> 3 levels down - unfortunately the stack trace doesn?t say what
it is -
>>>> probably optimised into inline code or something.
>>>>
>>>> Recently upgraded from Samba 4.12.5 to 4.12.10 (self-compiled).
FreeBSD
>>>> 12.2
>>>>
>>>> It happened right after 10 hours since that smbd processes
started so the
>>>> 10 hours Kerberos ticket lifetime is probably involved somehow?
>>>>
>>>> Nov 10 21:39:11 runur01 smbd_audit[23768]: #3 sig_fault +
0x6c
>>>> [ip=0x80129a7a9] [sp=0x7fffffffcbb0]
>>>> Nov 10 21:39:11 runur01 smbd_audit[23768]: #4 <unknown
symbol>
>>>> [ip=0x801517b70] [sp=0x7fffffffcbc0]
>>>> Nov 10 21:39:12 runur01 smbd_audit[23768]: #5 <unknown
symbol>
>>>> [ip=0x80151713f] [sp=0x7fffffffcf80]
>>>> Nov 10 21:39:12 runur01 smbd_audit[23768]: #6 <unknown
symbol>
>>>> [ip=0x7ffffffff003] [sp=0x7fffffffcff0]
>>>> Nov 10 21:39:12 runur01 smbd_audit[23768]: #7
sids_to_unixids + 0x25d
>>>>
>>>> Unfortunately no core dump :-(
>>>>
>>> You may need to run the command "sysctl
kern.sugid_coredump=1" and also set
>>> kern.corefile to an appropriate path (for example /tmp/%N_%P.core
-- this
>>> ensures program name and pid are in corefile name). If possible
compile
>>> without optimizations and with debugging symbols (this will improve
>>> visibility of error).
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions: https://lists.samba.org/mailman/options/samba
<https://lists.samba.org/mailman/options/samba>
<https://lists.samba.org/mailman/options/samba
<https://lists.samba.org/mailman/options/samba>>
<https://lists.samba.org/mailman/options/samba
<https://lists.samba.org/mailman/options/samba>
<https://lists.samba.org/mailman/options/samba
<https://lists.samba.org/mailman/options/samba>>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
<https://lists.samba.org/mailman/options/samba>
<https://lists.samba.org/mailman/options/samba
<https://lists.samba.org/mailman/options/samba>>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
<https://lists.samba.org/mailman/options/samba>