Bug 565915
Summary: | winbindd dumps core after authentication when normalize names is enabled.
---|---
Product: | Red Hat Enterprise Linux 5
Component: | samba3x
Version: | 5.4
Hardware: | All
OS: | Linux
Status: | CLOSED ERRATA
Severity: | high
Priority: | high
Reporter: | Ray Van Dolson <rvandolson>
Assignee: | Guenther Deschner <gdeschner>
QA Contact: | qe-baseos-daemons
CC: | azelinka, dpal, jpayne, tao, theo_nra, troels
Target Milestone: | rc
Fixed In Version: | samba3x-3.3.12-0.52.el5
Doc Type: | Bug Fix
Doc Text: | When the 'normalize names' setting was enabled, the winbindd service could have failed after user authentication. With this update, authentication is successful.
Last Closed: | 2011-01-13 22:47:23 UTC

Description
Ray Van Dolson
2010-02-16 17:29:32 UTC
Here is my smb.conf file:

```
[global]
workgroup = WORKGROUP
password server = passwordserver, *
realm = REALM.ESRI.COM
security = ads
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template homedir = /home/%U
template shell = /bin/bash
winbind use default domain = true
winbind offline logon = false
winbind enum users = yes
winbind enum groups = yes
# Uncommenting below seems to crash winbindd on login.
winbind normalize names = yes
```

Created attachment 394592: winbindd crash logs from /var/log/messages

Created attachment 394593: /etc/pam.d/system-auth
I can run winbindd in the foreground, generate some more verbose debug logs, provide core files and install debuginfo RPMs if needed.

The user account I am testing _is_ a member of a group with a space in it. As long as no authentication is attempted, I appear to be able to enumerate the group membership for this user just fine -- it shows up with an underscore instead of the space as expected.

I should also note that SELinux is in Enforcing mode on this system using the targeted policy. I was seeing the following in audit.log:

```
avc: denied { name_connect } for pid=25602 comm="winbindd" dest=135 scontext=root:system_r:winbind_t:s0 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket
```

Which I resolved by creating the following policy:

```
module local 1.0;

require {
        type winbind_t;
        type reserved_port_t;
        class tcp_socket name_connect;
}
```

winbindd still segfaults however. I am going to test with SELinux completely disabled just to be sure it isn't contributing somehow and will also install debuginfos and get a better traceback.

Updated to using this SELinux policy:

```
module local 1.1;

require {
        type winbind_t;
        type reserved_port_t;
        type port_t;
        class tcp_socket name_connect;
}

#============= winbind_t ==============
allow winbind_t reserved_port_t:tcp_socket name_connect;
allow winbind_t port_t:tcp_socket name_connect;
```

Also, have tested with SELinux completely disabled and the crash still occurs.

Created attachment 395848: Backtrace
I couldn't find -debuginfos for the samba3x packages, so built my own samba3x packages from SRPMs and installed the resultant -debuginfo packages.
Attached is the backtrace I get.
I built RPMs against Samba 3.3.11[1] and can no longer reproduce the issue above. Now to identify which changesets actually are responsible. :)

[1] http://rayvd.fedorapeople.org/samba3x/

This[1] changeset appears to fix the problem. When I rebuild 3.3.8 with the changeset included, I can no longer reproduce the problem.

[1] http://gitweb.samba.org/?p=samba.git;a=commit;h=62a1d9101cf0c2d45f81ba703cfdef5f42006b3f

SRPM with patch included is here: http://rayvd.fedorapeople.org/samba3x/samba3x-3.3.8-0.51.esri1.el5.src.rpm

Created attachment 414916: Patch based on commit 62a1d9101cf0c2d45f81ba703cfdef5f42006b3f
The diff from commit 62a1d9101cf0c2d45f81ba703cfdef5f42006b3f would not apply cleanly, so I created a gendiff patch based on the diff.
Tested packages provided to me by support (jptest) and they appear to resolve the issue.

Any chance of this making it into RHEL 5.5 errata or RHEL 5.6?

(In reply to comment #20)
> Any chance of this making it into RHEL 5.5 errata or RHEL 5.6?

Yes 5.6.

Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
When the 'normalize names' setting was enabled, the winbindd service could have failed after user authentication. With this update, authentication is successful.

An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0054.html
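
An added example, not part of the original bug report or of any Red Hat or Samba tooling: a host check for the crash precondition described in this bug, namely `winbind normalize names` enabled in `[global]` together with a samba3x build older than the "Fixed In Version" value. The function names, the sample smb.conf text and the sample installed version `3.3.8-0.51.el5` are assumptions constructed for illustration, and the version comparison is a simplified form of RPM's ordering.

```python
import re

FIXED_VR = "3.3.12-0.52.el5"  # "Fixed In Version" field of this bug (samba3x)

def vercmp(a, b):
    """Simplified rpmvercmp (no '~'/'^' handling): returns -1, 0 or 1."""
    sa, sb = (re.findall(r"\d+|[A-Za-z]+", s) for s in (a, b))
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1      # numeric segment is newer
        if x.isdigit():
            x, y = int(x), int(y)                # so 8 < 12, unlike "8" > "12"
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def vr_cmp(a, b):
    """Compare two 'version-release' strings, version first."""
    (va, _, ra), (vb, _, rb) = a.partition("-"), b.partition("-")
    return vercmp(va, vb) or vercmp(ra, rb)

def normalize_names_enabled(conf_text):
    """True if [global] sets 'winbind normalize names' to a true value."""
    section, enabled = None, False
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, sep, val = line.partition("=")
        # Samba ignores case and whitespace in parameter names.
        if sep and section == "global" and \
                "".join(key.lower().split()) == "winbindnormalizenames":
            enabled = val.strip().lower() in ("yes", "true", "on", "1")
    return enabled

def exposed(conf_text, installed_vr):
    """Precondition from this report: option on and build older than the fix."""
    return normalize_names_enabled(conf_text) and vr_cmp(installed_vr, FIXED_VR) < 0

# Constructed sample input, modelled on the reporter's smb.conf.
SAMPLE_CONF = """[global]
security = ads
winbind enum groups = yes
Winbind  Normalize Names = Yes
"""

if __name__ == "__main__":
    for vr in ("3.3.8-0.51.el5", FIXED_VR):      # first value is a constructed sample
        print(vr, "exposed" if exposed(SAMPLE_CONF, vr) else "not exposed")
```

A version comparison cannot see backported patches: the reporter's rebuilt `3.3.8-0.51.esri1.el5` package carries the fix yet still compares as older than the errata build.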