Bug 229863

Summary: Segfault using "write list" setting
Product: Red Hat Enterprise Linux 5 Reporter: Dax Kelson <dkelson>
Component: sambaAssignee: Simo Sorce <ssorce>
Status: CLOSED CURRENTRELEASE QA Contact: David Lawrence <dkl>
Severity: medium Docs Contact:
Priority: medium    
Version: 5.0   
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: RHEL5 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2007-02-23 21:57:48 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Dax Kelson 2007-02-23 20:53:33 UTC 
Description of problem:
On RHEL5b2 and stock FC6 using samba-3.0.23c-2 (I also tried 3.0.24-1.fc6) I can
cause a crash every time when trying to connect to the following share:

[global]
workgroup = EXAMPLE
netbios name = station10
map archive = yes
map system = yes
map hidden = yes
follow symlinks = no
security = user
encrypt passwords = yes
smb passwd file = /etc/samba/smbpasswd

[sales]
comment = Sales department files
path = /srv/samba/sales
guest ok = no
read only = yes
force create mode = 0660
force directory mode = 2770
force group = sales
write list = @sales 

If I comment out the "write list", no crash.

To connect to the share I use:
$ smbclient  //station10/sales -U guru
Password: <thepass>
Domain=[STATION10] OS=[Unix] Server=[Samba 3.0.23c-2]
tree connect failed: Call returned zero bytes (EOF)
$


Here is the log output from Samba:
[2007/02/23 13:43:11, 1] smbd/service.c:make_connection_snum(941)
  station10 (10.100.0.10) connect to service sales initially as user guru
(uid=500, gid=503) (pid 3069)
[2007/02/23 13:43:12, 1] smbd/service.c:close_cnum(1141)
  station10 (10.100.0.10) closed connection to service sales
[2007/02/23 13:43:23, 0] lib/fault.c:fault_report(41)
  ===============================================================
[2007/02/23 13:43:23, 0] lib/fault.c:fault_report(42)
  INTERNAL ERROR: Signal 11 in pid 3072 (3.0.23c-2)
  Please read the Trouble-Shooting section of the Samba3-HOWTO
[2007/02/23 13:43:23, 0] lib/fault.c:fault_report(44)
  
  From: http://www.samba.org/samba/docs/Samba3-HOWTO.pdf
[2007/02/23 13:43:23, 0] lib/fault.c:fault_report(45)
  ===============================================================
[2007/02/23 13:43:23, 0] lib/util.c:smb_panic(1614)
  PANIC (pid 3072): internal error
[2007/02/23 13:43:23, 0] lib/util.c:log_stack_trace(1721)
  BACKTRACE: 21 stack frames:
   #0 smbd(log_stack_trace+0x2d) [0xe0125d]
   #1 smbd(smb_panic+0x5d) [0xe0138d]
   #2 smbd [0xdecd7a]
   #3 [0x53e420]
   #4 /lib/libc.so.6(strlen+0x33) [0x8822e3]
   #5 /lib/libc.so.6(__strdup+0x25) [0x882025]
   #6 /lib/libnsl.so.1(nis_list+0x62f) [0x99ec5f]
   #7 /lib/libnss_nisplus.so.2(_nss_nisplus_setnetgrent+0x94) [0xa177c4]
   #8 /lib/libc.so.6(innetgr+0xb6) [0x9003c6]
   #9 smbd(user_in_netgroup+0x65) [0xc37a65]
   #10 smbd(token_contains_name_in_list+0x23d) [0xc3a46d]
   #11 smbd(is_share_read_only_for_token+0x98) [0xc3a768]
   #12 smbd(change_to_user+0x442) [0xc78eb2]
   #13 smbd [0xc984a8]
   #14 smbd(make_connection+0x194) [0xc99914]
   #15 smbd(reply_tcon_and_X+0x217) [0xc5d1d7]
   #16 smbd [0xc94a70]
   #17 smbd(smbd_process+0x7ab) [0xc95b9b]
   #18 smbd(main+0xbd0) [0xeaf8e0]
   #19 /lib/libc.so.6(__libc_start_main+0xdc) [0x82bf2c]
   #20 smbd [0xc1ffb1]
[2007/02/23 13:43:23, 0] lib/fault.c:dump_core(173)
  dumping core in /var/log/samba/cores/smbd
Comment 1 Simo Sorce 2007-02-23 21:16:35 UTC 
This seems to be a bug in libnss_nisplus not in samba.

To workaround it you can use + instead of @ in the write list, unless you really
want to check a NIS netgroup there.
Comment 2 Simo Sorce 2007-02-23 21:57:48 UTC 
Should be fixed in latest rhel5, this bug seem to be fixed in glibc-2.5-7 and
latest rhel5 have 2.5-12