Bug 1334356 - ntlm_auth SEGV
Summary: ntlm_auth SEGV
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: samba
Version: 23
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: ---
Assignee: Guenther Deschner
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2016-05-09 12:33 UTC by David Woodhouse
Modified: 2016-06-19 07:24 UTC (History)
CC List: 11 users

Fixed In Version: samba-4.3.10-0.fc23
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-06-19 07:24:33 UTC
Type: Bug
Embargoed:


Attachments
possible fix (2.10 KB, patch)
2016-05-09 15:11 UTC, Guenther Deschner


Links
System: Samba Project, ID: 11912, Private: 0, Priority: None, Status: None, Summary: None, Last Updated: 2016-05-10 10:04:51 UTC

Description David Woodhouse 2016-05-09 12:33:13 UTC
Here's Samba 4.3.6-0.fc23 successfully authenticating:

$  /usr/bin/ntlm_auth --helper-protocol ntlmssp-client-1 --use-cached-creds --username dwoodhou 
YR
Got 'YR' from squid (length: 2).
got NTLMSSP packet:
YR TlRMTVNTUAABAAAABYIIYAMAAwAgAAAADgAOACMAAABHRVJEV09PREhPVS1MSU5VWA==
NTLMSSP challenge
TT TlRMTVNTUAACAAAAAAAAACgAAAABggAA5lNkQwhRf+wAAAAAAAAAAA==
Got 'TT TlRMTVNTUAACAAAAAAAAACgAAAABggAA5lNkQwhRf+wAAAAAAAAAAA==' from squid (length: 59).
got NTLMSSP packet:
KK TlRMTVNTUAADAAAAAAAAAEAAAAAYABgAQAAAAAYABgBYAAAAEAAQAF4AAAAcABwAbgAAAAAAAACKAAAABYIAAB9CuUv36kuvVB4Lg+72fp/DAzZlrNntekcARQBSAGQAdwBvAG8AZABoAG8AdQBEAFcATwBPAEQASABPAFUALQBMAEkATgBVAFgA
NTLMSSP challenge


Here's 4.3.[89]:

YR
Got 'YR' from squid (length: 2).
YR TlRMTVNTUAABAAAABYIIYgAAAAAoAAAAAAAAACgAAAAGAQAAAAAADw==
TT TlRMTVNTUAACAAAAAAAAACgAAAABggAA5lNkQwhRf+wAAAAAAAAAAA==
Got 'TT TlRMTVNTUAACAAAAAAAAACgAAAABggAA5lNkQwhRf+wAAAAAAAAAAA==' from squid (length: 59).

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff511e38f in _IO_vfprintf_internal (s=s@entry=0x7fffffffca60, 
    format=<optimized out>, 
    format@entry=0x7ffff56b0988 "talloc: access after free error - first free may be at %s\n", ap=ap@entry=0x7fffffffcbf8) at vfprintf.c:1631
1631		  process_string_arg (((struct printf_spec *) NULL));
(gdb) 
(gdb) bt
#0  0x00007ffff511e38f in _IO_vfprintf_internal (s=s@entry=0x7fffffffca60, 
    format=<optimized out>, 
    format@entry=0x7ffff56b0988 "talloc: access after free error - first free may be at %s\n", ap=ap@entry=0x7fffffffcbf8) at vfprintf.c:1631
#1  0x00007ffff51e3e76 in ___vsnprintf_chk (
    s=s@entry=0x7fffffffcc10 "talloc: access after free error - first free may be at ed symbol: gconv_end", maxlen=<optimized out>, maxlen@entry=1024, 
    flags=flags@entry=1, slen=slen@entry=1024, 
    format=format@entry=0x7ffff56b0988 "talloc: access after free error - first free may be at %s\n", args=args@entry=0x7fffffffcbf8) at vsnprintf_chk.c:63
#2  0x00007ffff56a8dbe in vsnprintf (__ap=0x7fffffffcbf8, 
    __fmt=<optimized out>, __n=1024, 
    __s=0x7fffffffcc10 "talloc: access after free error - first free may be at ed symbol: gconv_end") at /usr/include/bits/stdio2.h:77
#3  talloc_vasprintf (t=t@entry=0x0, 
    fmt=fmt@entry=0x7ffff56b0988 "talloc: access after free error - first free may be at %s\n", ap=ap@entry=0x7fffffffd068) at ../talloc.c:2440
#4  0x00007ffff56a477c in talloc_log (
    fmt=fmt@entry=0x7ffff56b0988 "talloc: access after free error - first free may be at %s\n") at ../talloc.c:370
#5  0x00007ffff56aab5a in talloc_chunk_from_ptr (ptr=0x7ffff673d9c3)
    at ../talloc.c:432
#6  _talloc_steal_loc (new_ctx=0x5555557928b0, ptr=0x7ffff673d9c3, 
    location=location@entry=0x7ffff56b0cef "../talloc.c:1927")
    at ../talloc.c:1219
#7  0x00007ffff56aab93 in _talloc_move (new_ctx=<optimized out>, 
    _pptr=0x7fffffffd218) at ../talloc.c:1927
#8  0x00007ffff7374e2e in ntlmssp_client_challenge ()
   from /lib64/libgensec.so.0
#9  0x00007ffff737375f in gensec_ntlmssp_update () from /lib64/libgensec.so.0
#10 0x00007ffff737d7f2 in gensec_update_ev () from /lib64/libgensec.so.0
#11 0x00007ffff737d837 in gensec_update () from /lib64/libgensec.so.0
#12 0x000055555555bbfe in manage_gensec_request.isra ()
#13 0x00005555555593b3 in manage_squid_request ()
#14 0x0000555555558d5b in main ()

Comment 1 Guenther Deschner 2016-05-09 13:25:36 UTC
Hello David, 

I tried to reproduce this today (with samba-4.3.8-0.fc23.x86_64) but I couldn't. Can you share your config and describe briefly your setup?

Thanks!
Guenther

Comment 2 David Woodhouse 2016-05-09 13:29:06 UTC
client NTLMv2 auth = no

Comment 3 David Woodhouse 2016-05-09 13:41:42 UTC
Here's 4.3.8-0.fc23 (the above was 4.3.9-0.fc23) with debuginfo:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff511e38f in _IO_vfprintf_internal (s=s@entry=0x7fffffffca60, 
    format=<optimized out>, 
    format@entry=0x7ffff56b0988 "talloc: access after free error - first free may be at %s\n", ap=ap@entry=0x7fffffffcbf8) at vfprintf.c:1631
1631		  process_string_arg (((struct printf_spec *) NULL));
(gdb) bt
#0  0x00007ffff511e38f in _IO_vfprintf_internal (s=s@entry=0x7fffffffca60, 
    format=<optimized out>, 
    format@entry=0x7ffff56b0988 "talloc: access after free error - first free may be at %s\n", ap=ap@entry=0x7fffffffcbf8) at vfprintf.c:1631
#1  0x00007ffff51e3e76 in ___vsnprintf_chk (
    s=s@entry=0x7fffffffcc10 "talloc: access after free error - first free may be at ed symbol: gconv_end", maxlen=<optimized out>, maxlen@entry=1024, 
    flags=flags@entry=1, slen=slen@entry=1024, 
    format=format@entry=0x7ffff56b0988 "talloc: access after free error - first free may be at %s\n", args=args@entry=0x7fffffffcbf8) at vsnprintf_chk.c:63
#2  0x00007ffff56a8dbe in vsnprintf (__ap=0x7fffffffcbf8, 
    __fmt=<optimized out>, __n=1024, 
    __s=0x7fffffffcc10 "talloc: access after free error - first free may be at ed symbol: gconv_end") at /usr/include/bits/stdio2.h:77
#3  talloc_vasprintf (t=t@entry=0x0, 
    fmt=fmt@entry=0x7ffff56b0988 "talloc: access after free error - first free may be at %s\n", ap=ap@entry=0x7fffffffd068) at ../talloc.c:2440
#4  0x00007ffff56a477c in talloc_log (
    fmt=fmt@entry=0x7ffff56b0988 "talloc: access after free error - first free may be at %s\n") at ../talloc.c:370
#5  0x00007ffff56aab5a in talloc_chunk_from_ptr (ptr=0x7ffff673d9c3)
    at ../talloc.c:432
#6  _talloc_steal_loc (new_ctx=new_ctx@entry=0x5555557928b0, 
    ptr=0x7ffff673d9c3, 
    location=location@entry=0x7ffff56b0cef "../talloc.c:1927")
    at ../talloc.c:1219
#7  0x00007ffff56aab93 in _talloc_move (new_ctx=new_ctx@entry=0x5555557928b0, 
    _pptr=_pptr@entry=0x7fffffffd218) at ../talloc.c:1927
#8  0x00007ffff7374cfe in ntlmssp_client_challenge (
    gensec_security=0x555555792310, out_mem_ctx=0x555555791c40, in=..., 
    out=0x7fffffffd580) at ../auth/ntlmssp/ntlmssp_client.c:354
#9  0x00007ffff737360f in gensec_ntlmssp_update (
    gensec_security=0x555555792310, out_mem_ctx=0x555555791c40, 
    ev=<optimized out>, input=..., out=0x7fffffffd580)
    at ../auth/ntlmssp/ntlmssp.c:176
#10 0x00007ffff737d612 in gensec_update_ev (gensec_security=0x555555792310, 
    out_mem_ctx=0x555555791c40, ev=0x555555792dc0, ev@entry=0x0, in=..., 
    out=0x7fffffffd580) at ../auth/gensec/gensec.c:303
#11 0x00007ffff737d657 in gensec_update (gensec_security=<optimized out>, 
    out_mem_ctx=<optimized out>, in=..., out=<optimized out>)
    at ../auth/gensec/gensec.c:372
#12 0x000055555555bbfe in manage_gensec_request (
    stdio_helper_mode=NTLMSSP_CLIENT_1, lp_ctx=<optimized out>, 
    buf=<optimized out>, private1=<optimized out>, length=<optimized out>)
    at ../source3/utils/ntlm_auth.c:1467
#13 0x00005555555593b3 in manage_squid_request (
    stdio_helper_mode=NTLMSSP_CLIENT_1, lp_ctx=0x555555784050, 
    state=0x555555791800, fn=0x55555555c8d0 <manage_client_ntlmssp_request>, 
    private2=0x0) at ../source3/utils/ntlm_auth.c:2040
#14 0x0000555555558d5b in squid_stream (
    fn=0x55555555c8d0 <manage_client_ntlmssp_request>, lp_ctx=0x555555784050, 
    stdio_mode=NTLMSSP_CLIENT_1) at ../source3/utils/ntlm_auth.c:2074
#15 main (argc=<optimized out>, argv=<optimized out>)
    at ../source3/utils/ntlm_auth.c:2317

Comment 4 David Woodhouse 2016-05-09 14:03:21 UTC
(Not the same run...)

#8  0x00007ffff7374cfe in ntlmssp_client_challenge (
    gensec_security=0x555555792360, out_mem_ctx=0x555555791470, in=..., 
    out=0x7fffffffd570) at ../auth/ntlmssp/ntlmssp_client.c:354
354		ntlmssp_state->server.netbios_domain = talloc_move(ntlmssp_state, &server_domain);
(gdb) p server_domain
$3 = 0x7ffff673d9c3 ""


In /proc/$pid/maps it seems that server_domain is pointing to a static "" string in libcliauth-samba4.so, instead of something that was allocated. We probably weren't expecting msrpc_parse() to do that?

The talloc library crapping itself when trying to report this is obviously a separate issue.
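
The challenge blob from the Description and the root cause Comment 4 describes, as an added example (this is not Samba's code and not the attached fix). It embeds the 40-byte TT message, base64-decoded by hand from the report (constructed input), parses it with bounds checks, and then contrasts a parser that hands back static storage for the zero-length TargetName with one that always returns an allocation the caller owns. The small allocator, its magic value and every function name here are this example's own stand-ins for talloc: where talloc_steal()/talloc_move() abort on a pointer they did not allocate, owned_steal() returns NULL so the failure is visible.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The "TT" blob from the report, base64-decoded by hand (constructed input). */
static const uint8_t challenge_msg[40] = {
    'N','T','L','M','S','S','P',0,                 /* Signature */
    0x02,0x00,0x00,0x00,                           /* MessageType 2 = CHALLENGE */
    0x00,0x00, 0x00,0x00, 0x28,0x00,0x00,0x00,     /* TargetName: len 0, maxlen 0, offset 40 */
    0x01,0x82,0x00,0x00,                           /* NegotiateFlags 0x00008201 */
    0xe6,0x53,0x64,0x43,0x08,0x51,0x7f,0xec,       /* ServerChallenge */
    0,0,0,0,0,0,0,0                                /* Reserved */
};

struct challenge {
    uint32_t flags;
    uint8_t server_challenge[8];
    const uint8_t *target_name;   /* points into the message; not owned */
    size_t target_name_len;
};

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Resolve one (len, maxlen, offset) descriptor with overflow-safe bounds checks. */
static int ntlm_field(const uint8_t *msg, size_t msglen, size_t desc,
                      const uint8_t **out, size_t *outlen)
{
    if (desc + 8 > msglen) return -1;
    uint16_t len = le16(msg + desc);
    uint32_t off = le32(msg + desc + 4);
    if (off > msglen || len > msglen - off) return -1;
    *out = msg + off;
    *outlen = len;
    return 0;
}

/* Parse a type-2 (CHALLENGE) message. Returns 0 on success, -1 if malformed. */
int parse_challenge(const uint8_t *msg, size_t msglen, struct challenge *c)
{
    if (msglen < 32 || memcmp(msg, "NTLMSSP", 8) != 0 || le32(msg + 8) != 2) return -1;
    if (ntlm_field(msg, msglen, 12, &c->target_name, &c->target_name_len) != 0) return -1;
    c->flags = le32(msg + 20);
    memcpy(c->server_challenge, msg + 24, 8);
    return 0;
}

/* Minimal talloc-like allocator: a header with a magic value sits in front of
 * the payload, so "steal" can verify that it really owns the pointer it gets. */
#define OWNED_MAGIC 0x7a110c4bu            /* arbitrary value for this example */
struct chunk { size_t magic; size_t size; };

static char *owned_strndup(const uint8_t *s, size_t n)
{
    struct chunk *ch = malloc(sizeof *ch + n + 1);
    if (ch == NULL) return NULL;
    ch->magic = OWNED_MAGIC;
    ch->size = n;
    char *p = (char *)(ch + 1);
    memcpy(p, s, n);
    p[n] = '\0';
    return p;
}

void owned_free(char *p) { if (p != NULL) free((struct chunk *)p - 1); }

/* Stand-in for talloc_move()/talloc_steal(): talloc aborts on a pointer it did
 * not allocate; this version returns NULL so the failure can be observed. */
char *owned_steal(char *p)
{
    const struct chunk *ch = (const struct chunk *)p - 1;
    return ch->magic == OWNED_MAGIC ? p : NULL;
}

/* The shortcut Comment 4 describes: a zero-length field comes back as static
 * storage. It sits mid-array so owned_steal() reads a (zero) header inside an
 * object rather than in front of a string literal. */
static const char static_empty[64];
#define STATIC_EMPTY (static_empty + 32)

char *target_name_buggy(const struct challenge *c)
{
    if (c->target_name_len == 0) return (char *)STATIC_EMPTY;
    return owned_strndup(c->target_name, c->target_name_len);
}

/* Fix: every return value, empty or not, is an allocation the caller owns. */
char *target_name_fixed(const struct challenge *c)
{
    return owned_strndup(c->target_name, c->target_name_len);
}

int main(void)
{
    struct challenge c;
    if (parse_challenge(challenge_msg, sizeof challenge_msg, &c) != 0) return 1;
    printf("flags=0x%08x target_name_len=%zu\n", c.flags, c.target_name_len);
    printf("buggy steal: %s\n", owned_steal(target_name_buggy(&c)) ? "ok" : "not an owned pointer");
    char *fixed = owned_steal(target_name_fixed(&c));
    printf("fixed steal: %s\n", fixed ? "ok" : "not an owned pointer");
    owned_free(fixed);
    return 0;
}
```

The challenge in the report is the minimal 40-byte form: TargetName has length 0 and offset 40, which is the end of the message, so any shortcut a parser takes for empty fields is exactly the path a client on this server will hit. A parser whose return value is sometimes borrowed and sometimes owned has no contract the caller can honour; returning an owned (possibly empty) allocation every time, or having the caller copy instead of steal, removes the ambiguity.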

Comment 5 Guenther Deschner 2016-05-09 15:07:28 UTC
Right, have it reproduced and a possible fix, hold on.

Comment 6 Guenther Deschner 2016-05-09 15:11:42 UTC
Created attachment 1155392: possible fix

Comment 7 Stefan Metzmacher 2016-05-09 15:55:27 UTC
The upstream bug is https://bugzilla.samba.org/show_bug.cgi?id=11912

Comment 8 Guenther Deschner 2016-05-09 16:09:30 UTC
Thanks Stefan, just saw I came up with the exact same patch 45 minutes later than yours :-)

Comment 9 David Woodhouse 2016-05-10 07:49:30 UTC
Scratch build at http://koji.fedoraproject.org/koji/taskinfo?taskID=13991277

Comment 10 David Woodhouse 2016-05-19 12:51:31 UTC
And for f24 at http://koji.fedoraproject.org/koji/taskinfo?taskID=14166983

Comment 11 Fedora Update System 2016-06-17 11:27:09 UTC
samba-4.3.10-0.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-de8ba50085

Comment 12 Fedora Update System 2016-06-18 05:24:11 UTC
samba-4.3.10-0.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-de8ba50085

Comment 13 Fedora Update System 2016-06-19 07:24:29 UTC
samba-4.3.10-0.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

