Description of problem:
RHEL 5.4 machine joined to a Windows 2003 AD environment. Using pam_winbind with default settings. When a user connects and authenticates (correctly), winbind dumps core and dies and the authentication fails. The only way I can get winbindd to consistently stay running is to disable the winbind normalize names option.

Version-Release number of selected component (if applicable):
samba3x-common-3.3.8-0.46.el5
samba3x-winbind-3.3.8-0.46.el5

How reproducible:
Almost always?

Steps to Reproduce:
1. Join RHEL 5.4 machine to AD
2. Configure authentication with pam_winbind
3. Enable winbind normalize names = yes
4. Attempt to log in using an AD user account.

Actual results:
winbindd crashes.

Expected results:
winbindd doesn't crash.

Additional info:
Here is my smb.conf file:

[global]
    workgroup = WORKGROUP
    password server = passwordserver, *
    realm = REALM.ESRI.COM
    security = ads
    idmap uid = 16777216-33554431
    idmap gid = 16777216-33554431
    template homedir = /home/%U
    template shell = /bin/bash
    winbind use default domain = true
    winbind offline logon = false
    winbind enum users = yes
    winbind enum groups = yes
    # Uncommenting below seems to crash winbindd on login.
    winbind normalize names = yes
Created attachment 394592: winbindd crash logs from /var/log/messages
Created attachment 394593: /etc/pam.d/system-auth
I can run winbindd in the foreground, generate some more verbose debug logs, provide core files and install debuginfo RPMs if needed. The user account I am testing _is_ a member of a group with a space in it. As long as no authentication is attempted, I appear to be able to enumerate the group membership for this user just fine -- it shows up with an underscore instead of the space as expected.
I should also note that SELinux is in Enforcing mode on this system using the targeted policy. I was seeing the following in audit.log:

avc: denied { name_connect } for pid=25602 comm="winbindd" dest=135 scontext=root:system_r:winbind_t:s0 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket

Which I resolved by creating the following policy:

module local 1.0;

require {
    type winbind_t;
    type reserved_port_t;
    class tcp_socket name_connect;
}

winbindd still segfaults however. I am going to test with SELinux completely disabled just to be sure it isn't contributing somehow and will also install debuginfo's and get a better traceback.
Updated to use this SELinux policy:

module local 1.1;

require {
    type winbind_t;
    type reserved_port_t;
    type port_t;
    class tcp_socket name_connect;
}

#============= winbind_t ==============
allow winbind_t reserved_port_t:tcp_socket name_connect;
allow winbind_t port_t:tcp_socket name_connect;

Also, have tested with SELinux completely disabled and the crash still occurs.
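Added example, not part of the bug report and not Samba or Red Hat code: a small parser showing how the AVC denial quoted in the comments above maps to the first allow rule in the local module. The function names parse_avc and allow_rule are hypothetical, and the sample line is the denial as quoted in this thread.

```python
import re

# AVC denial body as quoted in the comment above.
SAMPLE_AVC = ('avc: denied { name_connect } for pid=25602 comm="winbindd" '
              'dest=135 scontext=root:system_r:winbind_t:s0 '
              'tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket')

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)')


def parse_avc(line):
    """Parse one AVC denial; return a dict, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # key=value pairs; values may be quoted (comm="winbindd").
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', m.group('rest')))
    try:
        # A context is user:role:type[:level]; the type is the third field,
        # even when the MLS level itself contains further colons.
        source = fields['scontext'].split(':')[2]
        target = fields['tcontext'].split(':')[2]
        tclass = fields['tclass']
    except (KeyError, IndexError):
        return None
    return {
        'perms': m.group('perms').split(),
        'source': source,
        'target': target,
        'tclass': tclass,
        'comm': fields.get('comm', '').strip('"'),
        'dest': fields.get('dest'),
    }


def allow_rule(avc):
    """Render the type-enforcement allow rule that would permit the access."""
    perms = avc['perms']
    p = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return 'allow %s %s:%s %s;' % (avc['source'], avc['target'],
                                   avc['tclass'], p)


if __name__ == '__main__':
    print(allow_rule(parse_avc(SAMPLE_AVC)))
```

Each rule derived this way widens what winbind_t may connect to, so compare it against what the service actually needs before loading the module.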
Created attachment 395848: Backtrace

I couldn't find -debuginfos for the samba3x packages, so built my own samba3x packages from SRPMs and installed the resultant -debuginfo packages. Attached is the backtrace I get.
I built RPMs against Samba 3.3.11[1] and can no longer reproduce the issue above. Now to identify which changesets actually are responsible. :)

[1] http://rayvd.fedorapeople.org/samba3x/
This[1] changeset appears to fix the problem. When I rebuild 3.3.8 with the changeset included, I can no longer reproduce the problem.

[1] http://gitweb.samba.org/?p=samba.git;a=commit;h=62a1d9101cf0c2d45f81ba703cfdef5f42006b3f
SRPM with patch included is here: http://rayvd.fedorapeople.org/samba3x/samba3x-3.3.8-0.51.esri1.el5.src.rpm
Created attachment 414916: Patch based on commit 62a1d9101cf0c2d45f81ba703cfdef5f42006b3f

The diff from commit 62a1d9101cf0c2d45f81ba703cfdef5f42006b3f would not apply cleanly, so I created a gendiff patch based on the diff.
Tested packages provided to me by support (jptest) and they appear to resolve the issue.
Any chance of this making it into RHEL 5.5 errata or RHEL 5.6?
(In reply to comment #20)
> Any chance of this making it into RHEL 5.5 errata or RHEL 5.6?

Yes 5.6.
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
When the 'normalize names' setting was enabled, the winbindd service could have failed after user authentication. With this update, authentication is successful.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0054.html