Re: [Bug 489201] Re: smbd crashes when connection status changes
Excellent. I did not see the (crash) behavior in Ubuntu 9.10 (which uses
3.4).
Thanks,
Eric Peterson
- Original Message -
From: Volker launch...@lendecke.de
To: ericrpeter...@sbcglobal.net
Sent: Sunday, December 06, 2009 3:47 PM
Subject: [Bug 489201] Re: smbd crashes when connection status changes
This was fixed for 3.3.4.
--
smbd crashes when connection status changes
https://bugs.launchpad.net/bugs/489201
You received this bug notification because you are a direct subscriber
of the bug.
Status in Samba: Confirmed
Status in “samba” package in Ubuntu: Triaged
Bug description:
Binary package hint: samba
Crash and core dump occurs in smbd on server when accessing Samba share in
XP Samba client.
Server is using AD credentials for XP users to access shares. As part of
this pam_winbind.so modules are specified in /etc/pam.d/common-* files.
Fault appears to occur in the static routine _pam_delete_cred() which is
located at line 2420 of the file
./samba-3.3.2/source/nsswitch/pam_winbind.c:
out:
if (logoff.blobs) {
wbcFreeMemory(logoff.blobs);
}
It appears clear to me there are two logic paths that lead to this memory
getting freed from a field in an uninitialized data structure (logoff).
Additional information about the system configuration is below.
e...@tedstestsvr:~$ lsb_release -rd
Description:Ubuntu 9.04
Release:9.04
e...@tedstestsvr:~$ sudo apt-cache policy samba
samba:
Installed: 2:3.3.2-1ubuntu3.2
Candidate: 2:3.3.2-1ubuntu3.2
Version table:
*** 2:3.3.2-1ubuntu3.2 0
500 http://us.archive.ubuntu.com jaunty-updates/main Packages
500 http://security.ubuntu.com jaunty-security/main Packages
100 /var/lib/dpkg/status
2:3.3.2-1ubuntu3 0
500 http://us.archive.ubuntu.com jaunty/main Packages
===Output from /var/log/samba/log.tedstestwxp (The Samba client is
tedstestwxp)
[2009/11/27 07:12:31, 3] smbd/sec_ctx.c:set_sec_ctx(324)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2009/11/27 07:12:31, 3] smbd/sec_ctx.c:set_sec_ctx(324)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2009/11/27 07:12:31, 3] smbd/service.c:close_cnum(1327)
tedstestwxp (10.0.0.203) closed connection to service IPC$
[2009/11/27 07:12:31, 3] smbd/connection.c:yield_connection(31)
Yielding connection to IPC$
[2009/11/27 07:12:31, 3] smbd/sec_ctx.c:set_sec_ctx(324)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2009/11/27 07:12:31, 3] smbd/sec_ctx.c:set_sec_ctx(324)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2009/11/27 07:12:31, 1] smbd/service.c:close_cnum(1327)
tedstestwxp (10.0.0.203) closed connection to service klpeterson
[2009/11/27 07:12:31, 3] smbd/connection.c:yield_connection(31)
Yielding connection to klpeterson
[2009/11/27 07:12:31, 3] smbd/sec_ctx.c:set_sec_ctx(324)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2009/11/27 07:12:32, 0] lib/fault.c:fault_report(40)
===
[2009/11/27 07:12:32, 0] lib/fault.c:fault_report(41)
INTERNAL ERROR: Signal 6 in pid 3080 (3.3.2)
Please read the Trouble-Shooting section of the Samba3-HOWTO
[2009/11/27 07:12:32, 0] lib/fault.c:fault_report(43)
From: http://www.samba.org/samba/docs/Samba3-HOWTO.pdf
[2009/11/27 07:12:32, 0] lib/fault.c:fault_report(44)
===
[2009/11/27 07:12:32, 0] lib/util.c:smb_panic(1673)
PANIC (pid 3080): internal error
[2009/11/27 07:12:32, 0] lib/util.c:log_stack_trace(1777)
BACKTRACE: 22 stack frames:
#0 /usr/sbin/smbd(log_stack_trace+0x2d) [0xb7bac25c]
#1 /usr/sbin/smbd(smb_panic+0x80) [0xb7bac3b9]
#2 /usr/sbin/smbd [0xb7b97d5e]
#3 [0xb79df400]
#4 /lib/tls/i686/cmov/libc.so.6(abort+0x188) [0xb759c098]
#5 /usr/lib/libtalloc.so.1(talloc_free+0x22d) [0xb76e35dd]
#6 /usr/lib/libwbclient.so.0(wbcFreeMemory+0x21) [0xb76d3d93]
#7 /lib/security/pam_winbind.so(pam_sm_setcred+0x3cb) [0xb7267092]
#8 /lib/libpam.so.0 [0xb773b3b1]
#9 /lib/libpam.so.0(pam_setcred+0x3f) [0xb773ab4f]
#10 /usr/sbin/smbd [0xb7bf98f6]
#11 /usr/sbin/smbd(smb_pam_close_session+0x81) [0xb7bf99b0]
#12 /usr/sbin/smbd(session_yield+0x13e) [0xb7a82692]
#13 /usr/sbin/smbd(invalidate_vuid+0x48) [0xb7a86ffd]
#14 /usr/sbin/smbd(invalidate_all_vuids+0x2b) [0xb7a87620]
#15 /usr/sbin/smbd [0xb7a6eb28]
#16 /usr/sbin/smbd [0xb7a6ed33]
#17 /usr/sbin/smbd [0xb7aa7452]
#18 /usr/sbin/smbd(smbd_process+0x61a) [0xb7aa938e]
#19 /usr/sbin/smbd(main+0x1126) [0xb7a712ff]
#20 /lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xe5) [0xb7585775]
#21 /usr/sbin/smbd [0xb7a6e071]
[2009/11/27 07:12:32, 0] lib/util.c:smb_panic(1678)
smb_panic(): calling panic action [/usr/share/samba/panic-action 3080]
Cannot access memory at address 0xc08
[2009/11/27 07:12:33, 0] lib/util.c:smb_panic(1686)
smb_panic(): action returned status 0
[2009/11/27 07:12:33, 0] lib/fault.c:dump_core(231)
Re: [Bug 489201] Re: smbd crashes when connection status changes
Excellent. I did not see the (crash) behavior in Ubuntu 9.10 (which uses
3.4).
Thanks,
Eric Peterson
- Original Message -
From: Volker launch...@lendecke.de
To: ericrpeter...@sbcglobal.net
Sent: Sunday, December 06, 2009 3:47 PM
Subject: [Bug 489201] Re: smbd crashes when connection status changes
This was fixed for 3.3.4.
--
smbd crashes when connection status changes
https://bugs.launchpad.net/bugs/489201
You received this bug notification because you are a direct subscriber
of the bug.
Status in Samba: Confirmed
Status in “samba” package in Ubuntu: Triaged
Bug description:
Binary package hint: samba
Crash and core dump occurs in smbd on server when accessing Samba share in
XP Samba client.
Server is using AD credentials for XP users to access shares. As part of
this pam_winbind.so modules are specified in /etc/pam.d/common-* files.
Fault appears to occur in the static routine _pam_delete_cred() which is
located at line 2420 of the file
./samba-3.3.2/source/nsswitch/pam_winbind.c:
out:
if (logoff.blobs) {
wbcFreeMemory(logoff.blobs);
}
It appears clear to me there are two logic paths that lead to this memory
getting freed from a field in an uninitialized data structure (logoff).
Additional information about the system configuration is below.
e...@tedstestsvr:~$ lsb_release -rd
Description:Ubuntu 9.04
Release:9.04
e...@tedstestsvr:~$ sudo apt-cache policy samba
samba:
Installed: 2:3.3.2-1ubuntu3.2
Candidate: 2:3.3.2-1ubuntu3.2
Version table:
*** 2:3.3.2-1ubuntu3.2 0
500 http://us.archive.ubuntu.com jaunty-updates/main Packages
500 http://security.ubuntu.com jaunty-security/main Packages
100 /var/lib/dpkg/status
2:3.3.2-1ubuntu3 0
500 http://us.archive.ubuntu.com jaunty/main Packages
===Output from /var/log/samba/log.tedstestwxp (The Samba client is
tedstestwxp)
[2009/11/27 07:12:31, 3] smbd/sec_ctx.c:set_sec_ctx(324)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2009/11/27 07:12:31, 3] smbd/sec_ctx.c:set_sec_ctx(324)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2009/11/27 07:12:31, 3] smbd/service.c:close_cnum(1327)
tedstestwxp (10.0.0.203) closed connection to service IPC$
[2009/11/27 07:12:31, 3] smbd/connection.c:yield_connection(31)
Yielding connection to IPC$
[2009/11/27 07:12:31, 3] smbd/sec_ctx.c:set_sec_ctx(324)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2009/11/27 07:12:31, 3] smbd/sec_ctx.c:set_sec_ctx(324)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2009/11/27 07:12:31, 1] smbd/service.c:close_cnum(1327)
tedstestwxp (10.0.0.203) closed connection to service klpeterson
[2009/11/27 07:12:31, 3] smbd/connection.c:yield_connection(31)
Yielding connection to klpeterson
[2009/11/27 07:12:31, 3] smbd/sec_ctx.c:set_sec_ctx(324)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2009/11/27 07:12:32, 0] lib/fault.c:fault_report(40)
===
[2009/11/27 07:12:32, 0] lib/fault.c:fault_report(41)
INTERNAL ERROR: Signal 6 in pid 3080 (3.3.2)
Please read the Trouble-Shooting section of the Samba3-HOWTO
[2009/11/27 07:12:32, 0] lib/fault.c:fault_report(43)
From: http://www.samba.org/samba/docs/Samba3-HOWTO.pdf
[2009/11/27 07:12:32, 0] lib/fault.c:fault_report(44)
===
[2009/11/27 07:12:32, 0] lib/util.c:smb_panic(1673)
PANIC (pid 3080): internal error
[2009/11/27 07:12:32, 0] lib/util.c:log_stack_trace(1777)
BACKTRACE: 22 stack frames:
#0 /usr/sbin/smbd(log_stack_trace+0x2d) [0xb7bac25c]
#1 /usr/sbin/smbd(smb_panic+0x80) [0xb7bac3b9]
#2 /usr/sbin/smbd [0xb7b97d5e]
#3 [0xb79df400]
#4 /lib/tls/i686/cmov/libc.so.6(abort+0x188) [0xb759c098]
#5 /usr/lib/libtalloc.so.1(talloc_free+0x22d) [0xb76e35dd]
#6 /usr/lib/libwbclient.so.0(wbcFreeMemory+0x21) [0xb76d3d93]
#7 /lib/security/pam_winbind.so(pam_sm_setcred+0x3cb) [0xb7267092]
#8 /lib/libpam.so.0 [0xb773b3b1]
#9 /lib/libpam.so.0(pam_setcred+0x3f) [0xb773ab4f]
#10 /usr/sbin/smbd [0xb7bf98f6]
#11 /usr/sbin/smbd(smb_pam_close_session+0x81) [0xb7bf99b0]
#12 /usr/sbin/smbd(session_yield+0x13e) [0xb7a82692]
#13 /usr/sbin/smbd(invalidate_vuid+0x48) [0xb7a86ffd]
#14 /usr/sbin/smbd(invalidate_all_vuids+0x2b) [0xb7a87620]
#15 /usr/sbin/smbd [0xb7a6eb28]
#16 /usr/sbin/smbd [0xb7a6ed33]
#17 /usr/sbin/smbd [0xb7aa7452]
#18 /usr/sbin/smbd(smbd_process+0x61a) [0xb7aa938e]
#19 /usr/sbin/smbd(main+0x1126) [0xb7a712ff]
#20 /lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xe5) [0xb7585775]
#21 /usr/sbin/smbd [0xb7a6e071]
[2009/11/27 07:12:32, 0] lib/util.c:smb_panic(1678)
smb_panic(): calling panic action [/usr/share/samba/panic-action 3080]
Cannot access memory at address 0xc08
[2009/11/27 07:12:33, 0] lib/util.c:smb_panic(1686)
smb_panic(): action returned status 0
[2009/11/27 07:12:33, 0] lib/fault.c:dump_core(231)
Re: [Bug 489201] Re: smbd crashes when connection status changes
Hi Chuck,
I've just started using Samba and this is my first bug report so I will be
interested to see how the process works.
My application is using Samba to provide shares to users on XP that connect
via AD (Active Directory) credentials.
In case it was not clear from my report, smb dumps core every time a user
connects to a share (and I think when they disconnect).
Given the core dumps, it would seem to me that the importance should be
higher than medium.
Of course I do not have insight into what other problems need to be fixed.
Should I also make this comment on the link provided below?
Thanks,
Eric
- Original Message -
From: Chuck Short chuck.sh...@canonical.com
To: ericrpeter...@sbcglobal.net
Sent: Monday, November 30, 2009 7:08 AM
Subject: [Bug 489201] Re: smbd crashes when connection status changes
Thank you for your bug report. This bug has been reported to the
developers of the software. You can track it and make comments at:
https://bugzilla.samba.org/show_bug.cgi?id=6940
** Bug watch added: Samba Bugzilla #6940
https://bugzilla.samba.org/show_bug.cgi?id=6940
** Changed in: samba (Ubuntu)
Importance: Undecided = Medium
** Changed in: samba (Ubuntu)
Status: New = Triaged
--
smbd crashes when connection status changes
https://bugs.launchpad.net/bugs/489201
You received this bug notification because you are a direct subscriber
of the bug.
Status in “samba” package in Ubuntu: Triaged
Bug description:
Binary package hint: samba
Crash and core dump occurs in smbd on server when accessing Samba share in
XP Samba client.
Server is using AD credentials for XP users to access shares. As part of
this pam_winbind.so modules are specified in /etc/pam.d/common-* files.
Fault appears to occur in the static routine _pam_delete_cred() which is
located at line 2420 of the file
./samba-3.3.2/source/nsswitch/pam_winbind.c:
out:
if (logoff.blobs) {
wbcFreeMemory(logoff.blobs);
}
It appears clear to me there are two logic paths that lead to this memory
getting freed from a field in an uninitialized data structure (logoff).
Additional information about the system configuration is below.
e...@tedstestsvr:~$ lsb_release -rd
Description:Ubuntu 9.04
Release:9.04
e...@tedstestsvr:~$ sudo apt-cache policy samba
samba:
Installed: 2:3.3.2-1ubuntu3.2
Candidate: 2:3.3.2-1ubuntu3.2
Version table:
*** 2:3.3.2-1ubuntu3.2 0
500 http://us.archive.ubuntu.com jaunty-updates/main Packages
500 http://security.ubuntu.com jaunty-security/main Packages
100 /var/lib/dpkg/status
2:3.3.2-1ubuntu3 0
500 http://us.archive.ubuntu.com jaunty/main Packages
===Output from /var/log/samba/log.tedstestwxp (The Samba client is
tedstestwxp)
[2009/11/27 07:12:31, 3] smbd/sec_ctx.c:set_sec_ctx(324)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2009/11/27 07:12:31, 3] smbd/sec_ctx.c:set_sec_ctx(324)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2009/11/27 07:12:31, 3] smbd/service.c:close_cnum(1327)
tedstestwxp (10.0.0.203) closed connection to service IPC$
[2009/11/27 07:12:31, 3] smbd/connection.c:yield_connection(31)
Yielding connection to IPC$
[2009/11/27 07:12:31, 3] smbd/sec_ctx.c:set_sec_ctx(324)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2009/11/27 07:12:31, 3] smbd/sec_ctx.c:set_sec_ctx(324)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2009/11/27 07:12:31, 1] smbd/service.c:close_cnum(1327)
tedstestwxp (10.0.0.203) closed connection to service klpeterson
[2009/11/27 07:12:31, 3] smbd/connection.c:yield_connection(31)
Yielding connection to klpeterson
[2009/11/27 07:12:31, 3] smbd/sec_ctx.c:set_sec_ctx(324)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2009/11/27 07:12:32, 0] lib/fault.c:fault_report(40)
===
[2009/11/27 07:12:32, 0] lib/fault.c:fault_report(41)
INTERNAL ERROR: Signal 6 in pid 3080 (3.3.2)
Please read the Trouble-Shooting section of the Samba3-HOWTO
[2009/11/27 07:12:32, 0] lib/fault.c:fault_report(43)
From: http://www.samba.org/samba/docs/Samba3-HOWTO.pdf
[2009/11/27 07:12:32, 0] lib/fault.c:fault_report(44)
===
[2009/11/27 07:12:32, 0] lib/util.c:smb_panic(1673)
PANIC (pid 3080): internal error
[2009/11/27 07:12:32, 0] lib/util.c:log_stack_trace(1777)
BACKTRACE: 22 stack frames:
#0 /usr/sbin/smbd(log_stack_trace+0x2d) [0xb7bac25c]
#1 /usr/sbin/smbd(smb_panic+0x80) [0xb7bac3b9]
#2 /usr/sbin/smbd [0xb7b97d5e]
#3 [0xb79df400]
#4 /lib/tls/i686/cmov/libc.so.6(abort+0x188) [0xb759c098]
#5 /usr/lib/libtalloc.so.1(talloc_free+0x22d) [0xb76e35dd]
#6 /usr/lib/libwbclient.so.0(wbcFreeMemory+0x21) [0xb76d3d93]
#7 /lib/security/pam_winbind.so(pam_sm_setcred+0x3cb) [0xb7267092]
#8 /lib/libpam.so.0 [0xb773b3b1]
#9 /lib/libpam.so.0(pam_setcred+0x3f) [0xb773ab4f]
#10 /usr/sbin/smbd [0xb7bf98f6]
Re: [Bug 489201] Re: smbd crashes when connection status changes
Hi Chuck,
I've just started using Samba and this is my first bug report so I will be
interested to see how the process works.
My application is using Samba to provide shares to users on XP that connect
via AD (Active Directory) credentials.
In case it was not clear from my report, smb dumps core every time a user
connects to a share (and I think when they disconnect).
Given the core dumps, it would seem to me that the importance should be
higher than medium.
Of course I do not have insight into what other problems need to be fixed.
Should I also make this comment on the link provided below?
Thanks,
Eric
- Original Message -
From: Chuck Short chuck.sh...@canonical.com
To: ericrpeter...@sbcglobal.net
Sent: Monday, November 30, 2009 7:08 AM
Subject: [Bug 489201] Re: smbd crashes when connection status changes
Thank you for your bug report. This bug has been reported to the
developers of the software. You can track it and make comments at:
https://bugzilla.samba.org/show_bug.cgi?id=6940
** Bug watch added: Samba Bugzilla #6940
https://bugzilla.samba.org/show_bug.cgi?id=6940
** Changed in: samba (Ubuntu)
Importance: Undecided = Medium
** Changed in: samba (Ubuntu)
Status: New = Triaged
--
smbd crashes when connection status changes
https://bugs.launchpad.net/bugs/489201
You received this bug notification because you are a direct subscriber
of the bug.
Status in “samba” package in Ubuntu: Triaged
Bug description:
Binary package hint: samba
Crash and core dump occurs in smbd on server when accessing Samba share in
XP Samba client.
Server is using AD credentials for XP users to access shares. As part of
this pam_winbind.so modules are specified in /etc/pam.d/common-* files.
Fault appears to occur in the static routine _pam_delete_cred() which is
located at line 2420 of the file
./samba-3.3.2/source/nsswitch/pam_winbind.c:
out:
if (logoff.blobs) {
wbcFreeMemory(logoff.blobs);
}
It appears clear to me there are two logic paths that lead to this memory
getting freed from a field in an uninitialized data structure (logoff).
Additional information about the system configuration is below.
e...@tedstestsvr:~$ lsb_release -rd
Description:Ubuntu 9.04
Release:9.04
e...@tedstestsvr:~$ sudo apt-cache policy samba
samba:
Installed: 2:3.3.2-1ubuntu3.2
Candidate: 2:3.3.2-1ubuntu3.2
Version table:
*** 2:3.3.2-1ubuntu3.2 0
500 http://us.archive.ubuntu.com jaunty-updates/main Packages
500 http://security.ubuntu.com jaunty-security/main Packages
100 /var/lib/dpkg/status
2:3.3.2-1ubuntu3 0
500 http://us.archive.ubuntu.com jaunty/main Packages
===Output from /var/log/samba/log.tedstestwxp (The Samba client is
tedstestwxp)
[2009/11/27 07:12:31, 3] smbd/sec_ctx.c:set_sec_ctx(324)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2009/11/27 07:12:31, 3] smbd/sec_ctx.c:set_sec_ctx(324)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2009/11/27 07:12:31, 3] smbd/service.c:close_cnum(1327)
tedstestwxp (10.0.0.203) closed connection to service IPC$
[2009/11/27 07:12:31, 3] smbd/connection.c:yield_connection(31)
Yielding connection to IPC$
[2009/11/27 07:12:31, 3] smbd/sec_ctx.c:set_sec_ctx(324)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2009/11/27 07:12:31, 3] smbd/sec_ctx.c:set_sec_ctx(324)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2009/11/27 07:12:31, 1] smbd/service.c:close_cnum(1327)
tedstestwxp (10.0.0.203) closed connection to service klpeterson
[2009/11/27 07:12:31, 3] smbd/connection.c:yield_connection(31)
Yielding connection to klpeterson
[2009/11/27 07:12:31, 3] smbd/sec_ctx.c:set_sec_ctx(324)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2009/11/27 07:12:32, 0] lib/fault.c:fault_report(40)
===
[2009/11/27 07:12:32, 0] lib/fault.c:fault_report(41)
INTERNAL ERROR: Signal 6 in pid 3080 (3.3.2)
Please read the Trouble-Shooting section of the Samba3-HOWTO
[2009/11/27 07:12:32, 0] lib/fault.c:fault_report(43)
From: http://www.samba.org/samba/docs/Samba3-HOWTO.pdf
[2009/11/27 07:12:32, 0] lib/fault.c:fault_report(44)
===
[2009/11/27 07:12:32, 0] lib/util.c:smb_panic(1673)
PANIC (pid 3080): internal error
[2009/11/27 07:12:32, 0] lib/util.c:log_stack_trace(1777)
BACKTRACE: 22 stack frames:
#0 /usr/sbin/smbd(log_stack_trace+0x2d) [0xb7bac25c]
#1 /usr/sbin/smbd(smb_panic+0x80) [0xb7bac3b9]
#2 /usr/sbin/smbd [0xb7b97d5e]
#3 [0xb79df400]
#4 /lib/tls/i686/cmov/libc.so.6(abort+0x188) [0xb759c098]
#5 /usr/lib/libtalloc.so.1(talloc_free+0x22d) [0xb76e35dd]
#6 /usr/lib/libwbclient.so.0(wbcFreeMemory+0x21) [0xb76d3d93]
#7 /lib/security/pam_winbind.so(pam_sm_setcred+0x3cb) [0xb7267092]
#8 /lib/libpam.so.0 [0xb773b3b1]
#9 /lib/libpam.so.0(pam_setcred+0x3f) [0xb773ab4f]
#10 /usr/sbin/smbd [0xb7bf98f6]
[Bug 489201] [NEW] smbd crashes when connection status changes
Public bug reported:
Binary package hint: samba
Crash and core dump occurs in smbd on server when accessing Samba share in XP
Samba client.
Server is using AD credentials for XP users to access shares. As part of this
pam_winbind.so modules are specified in /etc/pam.d/common-* files.
Fault appears to occur in the static routine _pam_delete_cred() which is
located at line 2420 of the file ./samba-3.3.2/source/nsswitch/pam_winbind.c:
out:
if (logoff.blobs) {
wbcFreeMemory(logoff.blobs);
}
It appears clear to me there are two logic paths that lead to this memory
getting freed from a field in an uninitialized data structure (logoff).
Additional information about the system configuration is below.
e...@tedstestsvr:~$ lsb_release -rd
Description:Ubuntu 9.04
Release:9.04
e...@tedstestsvr:~$ sudo apt-cache policy samba
samba:
Installed: 2:3.3.2-1ubuntu3.2
Candidate: 2:3.3.2-1ubuntu3.2
Version table:
*** 2:3.3.2-1ubuntu3.2 0
500 http://us.archive.ubuntu.com jaunty-updates/main Packages
500 http://security.ubuntu.com jaunty-security/main Packages
100 /var/lib/dpkg/status
2:3.3.2-1ubuntu3 0
500 http://us.archive.ubuntu.com jaunty/main Packages
===Output from /var/log/samba/log.tedstestwxp (The Samba client is tedstestwxp)
[2009/11/27 07:12:31, 3] smbd/sec_ctx.c:set_sec_ctx(324)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2009/11/27 07:12:31, 3] smbd/sec_ctx.c:set_sec_ctx(324)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2009/11/27 07:12:31, 3] smbd/service.c:close_cnum(1327)
tedstestwxp (10.0.0.203) closed connection to service IPC$
[2009/11/27 07:12:31, 3] smbd/connection.c:yield_connection(31)
Yielding connection to IPC$
[2009/11/27 07:12:31, 3] smbd/sec_ctx.c:set_sec_ctx(324)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2009/11/27 07:12:31, 3] smbd/sec_ctx.c:set_sec_ctx(324)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2009/11/27 07:12:31, 1] smbd/service.c:close_cnum(1327)
tedstestwxp (10.0.0.203) closed connection to service klpeterson
[2009/11/27 07:12:31, 3] smbd/connection.c:yield_connection(31)
Yielding connection to klpeterson
[2009/11/27 07:12:31, 3] smbd/sec_ctx.c:set_sec_ctx(324)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2009/11/27 07:12:32, 0] lib/fault.c:fault_report(40)
===
[2009/11/27 07:12:32, 0] lib/fault.c:fault_report(41)
INTERNAL ERROR: Signal 6 in pid 3080 (3.3.2)
Please read the Trouble-Shooting section of the Samba3-HOWTO
[2009/11/27 07:12:32, 0] lib/fault.c:fault_report(43)
From: http://www.samba.org/samba/docs/Samba3-HOWTO.pdf
[2009/11/27 07:12:32, 0] lib/fault.c:fault_report(44)
===
[2009/11/27 07:12:32, 0] lib/util.c:smb_panic(1673)
PANIC (pid 3080): internal error
[2009/11/27 07:12:32, 0] lib/util.c:log_stack_trace(1777)
BACKTRACE: 22 stack frames:
#0 /usr/sbin/smbd(log_stack_trace+0x2d) [0xb7bac25c]
#1 /usr/sbin/smbd(smb_panic+0x80) [0xb7bac3b9]
#2 /usr/sbin/smbd [0xb7b97d5e]
#3 [0xb79df400]
#4 /lib/tls/i686/cmov/libc.so.6(abort+0x188) [0xb759c098]
#5 /usr/lib/libtalloc.so.1(talloc_free+0x22d) [0xb76e35dd]
#6 /usr/lib/libwbclient.so.0(wbcFreeMemory+0x21) [0xb76d3d93]
#7 /lib/security/pam_winbind.so(pam_sm_setcred+0x3cb) [0xb7267092]
#8 /lib/libpam.so.0 [0xb773b3b1]
#9 /lib/libpam.so.0(pam_setcred+0x3f) [0xb773ab4f]
#10 /usr/sbin/smbd [0xb7bf98f6]
#11 /usr/sbin/smbd(smb_pam_close_session+0x81) [0xb7bf99b0]
#12 /usr/sbin/smbd(session_yield+0x13e) [0xb7a82692]
#13 /usr/sbin/smbd(invalidate_vuid+0x48) [0xb7a86ffd]
#14 /usr/sbin/smbd(invalidate_all_vuids+0x2b) [0xb7a87620]
#15 /usr/sbin/smbd [0xb7a6eb28]
#16 /usr/sbin/smbd [0xb7a6ed33]
#17 /usr/sbin/smbd [0xb7aa7452]
#18 /usr/sbin/smbd(smbd_process+0x61a) [0xb7aa938e]
#19 /usr/sbin/smbd(main+0x1126) [0xb7a712ff]
#20 /lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xe5) [0xb7585775]
#21 /usr/sbin/smbd [0xb7a6e071]
[2009/11/27 07:12:32, 0] lib/util.c:smb_panic(1678)
smb_panic(): calling panic action [/usr/share/samba/panic-action 3080]
Cannot access memory at address 0xc08
[2009/11/27 07:12:33, 0] lib/util.c:smb_panic(1686)
smb_panic(): action returned status 0
[2009/11/27 07:12:33, 0] lib/fault.c:dump_core(231)
dumping core in /var/log/samba/cores/smbd
Output from email sent to root:
The Samba 'panic action' script, /usr/share/samba/panic-action,
was called for PID 3080 (/usr/sbin/smbd).
This means there was a problem with the program, such as a segfault.
Below is a backtrace for this process generated with gdb, which shows
the state of the program at the time the error occurred. The Samba log
files may contain additional information about the problem.
If the problem persists, you are encouraged to first install the
samba-dbg package, which contains the debugging symbols for the
[Bug 489201] [NEW] smbd crashes when connection status changes
Public bug reported:
Binary package hint: samba
Crash and core dump occurs in smbd on server when accessing Samba share in XP
Samba client.
Server is using AD credentials for XP users to access shares. As part of this
pam_winbind.so modules are specified in /etc/pam.d/common-* files.
Fault appears to occur in the static routine _pam_delete_cred() which is
located at line 2420 of the file ./samba-3.3.2/source/nsswitch/pam_winbind.c:
out:
if (logoff.blobs) {
wbcFreeMemory(logoff.blobs);
}
It appears clear to me there are two logic paths that lead to this memory
getting freed from a field in an uninitialized data structure (logoff).
Additional information about the system configuration is below.
e...@tedstestsvr:~$ lsb_release -rd
Description:Ubuntu 9.04
Release:9.04
e...@tedstestsvr:~$ sudo apt-cache policy samba
samba:
Installed: 2:3.3.2-1ubuntu3.2
Candidate: 2:3.3.2-1ubuntu3.2
Version table:
*** 2:3.3.2-1ubuntu3.2 0
500 http://us.archive.ubuntu.com jaunty-updates/main Packages
500 http://security.ubuntu.com jaunty-security/main Packages
100 /var/lib/dpkg/status
2:3.3.2-1ubuntu3 0
500 http://us.archive.ubuntu.com jaunty/main Packages
===Output from /var/log/samba/log.tedstestwxp (The Samba client is tedstestwxp)
[2009/11/27 07:12:31, 3] smbd/sec_ctx.c:set_sec_ctx(324)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2009/11/27 07:12:31, 3] smbd/sec_ctx.c:set_sec_ctx(324)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2009/11/27 07:12:31, 3] smbd/service.c:close_cnum(1327)
tedstestwxp (10.0.0.203) closed connection to service IPC$
[2009/11/27 07:12:31, 3] smbd/connection.c:yield_connection(31)
Yielding connection to IPC$
[2009/11/27 07:12:31, 3] smbd/sec_ctx.c:set_sec_ctx(324)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2009/11/27 07:12:31, 3] smbd/sec_ctx.c:set_sec_ctx(324)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2009/11/27 07:12:31, 1] smbd/service.c:close_cnum(1327)
tedstestwxp (10.0.0.203) closed connection to service klpeterson
[2009/11/27 07:12:31, 3] smbd/connection.c:yield_connection(31)
Yielding connection to klpeterson
[2009/11/27 07:12:31, 3] smbd/sec_ctx.c:set_sec_ctx(324)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2009/11/27 07:12:32, 0] lib/fault.c:fault_report(40)
===
[2009/11/27 07:12:32, 0] lib/fault.c:fault_report(41)
INTERNAL ERROR: Signal 6 in pid 3080 (3.3.2)
Please read the Trouble-Shooting section of the Samba3-HOWTO
[2009/11/27 07:12:32, 0] lib/fault.c:fault_report(43)
From: http://www.samba.org/samba/docs/Samba3-HOWTO.pdf
[2009/11/27 07:12:32, 0] lib/fault.c:fault_report(44)
===
[2009/11/27 07:12:32, 0] lib/util.c:smb_panic(1673)
PANIC (pid 3080): internal error
[2009/11/27 07:12:32, 0] lib/util.c:log_stack_trace(1777)
BACKTRACE: 22 stack frames:
#0 /usr/sbin/smbd(log_stack_trace+0x2d) [0xb7bac25c]
#1 /usr/sbin/smbd(smb_panic+0x80) [0xb7bac3b9]
#2 /usr/sbin/smbd [0xb7b97d5e]
#3 [0xb79df400]
#4 /lib/tls/i686/cmov/libc.so.6(abort+0x188) [0xb759c098]
#5 /usr/lib/libtalloc.so.1(talloc_free+0x22d) [0xb76e35dd]
#6 /usr/lib/libwbclient.so.0(wbcFreeMemory+0x21) [0xb76d3d93]
#7 /lib/security/pam_winbind.so(pam_sm_setcred+0x3cb) [0xb7267092]
#8 /lib/libpam.so.0 [0xb773b3b1]
#9 /lib/libpam.so.0(pam_setcred+0x3f) [0xb773ab4f]
#10 /usr/sbin/smbd [0xb7bf98f6]
#11 /usr/sbin/smbd(smb_pam_close_session+0x81) [0xb7bf99b0]
#12 /usr/sbin/smbd(session_yield+0x13e) [0xb7a82692]
#13 /usr/sbin/smbd(invalidate_vuid+0x48) [0xb7a86ffd]
#14 /usr/sbin/smbd(invalidate_all_vuids+0x2b) [0xb7a87620]
#15 /usr/sbin/smbd [0xb7a6eb28]
#16 /usr/sbin/smbd [0xb7a6ed33]
#17 /usr/sbin/smbd [0xb7aa7452]
#18 /usr/sbin/smbd(smbd_process+0x61a) [0xb7aa938e]
#19 /usr/sbin/smbd(main+0x1126) [0xb7a712ff]
#20 /lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xe5) [0xb7585775]
#21 /usr/sbin/smbd [0xb7a6e071]
[2009/11/27 07:12:32, 0] lib/util.c:smb_panic(1678)
smb_panic(): calling panic action [/usr/share/samba/panic-action 3080]
Cannot access memory at address 0xc08
[2009/11/27 07:12:33, 0] lib/util.c:smb_panic(1686)
smb_panic(): action returned status 0
[2009/11/27 07:12:33, 0] lib/fault.c:dump_core(231)
dumping core in /var/log/samba/cores/smbd
Output from email sent to root:
The Samba 'panic action' script, /usr/share/samba/panic-action,
was called for PID 3080 (/usr/sbin/smbd).
This means there was a problem with the program, such as a segfault.
Below is a backtrace for this process generated with gdb, which shows
the state of the program at the time the error occurred. The Samba log
files may contain additional information about the problem.
If the problem persists, you are encouraged to first install the
samba-dbg package, which contains the debugging symbols for the
