[Pkg-samba-maint] Bug#774514: winbind crashes when a user with an expired password logs in
Jason Gunthorpe
jgunthorpe at obsidianresearch.com
Sat Jan 3 18:51:00 UTC 2015
Package: winbind
Version: 2:4.1.13+dfsg-2
Severity: important
Pretty simple, if the password has expired in AD then at login a
winbind process begins looping with 100% CPU and all of winbind
becomes unusable, which basically crashes the OS since nss hangs.
Further, 'systemctl restart winbindd' doesn't actually kill the
looping winbind (!?! I thought systemd gurenteed that?) a kill -9 is
needed to recover from this.
gdb says the backtrace is:
#0 0x00007f7b059013cf in krb5_get_init_creds_password () from /usr/lib/x86_64-linux-gnu/libkrb5.so.26
#1 0x00007f7b0797f969 in kerberos_kinit_password_ext () from /usr/lib/x86_64-linux-gnu/samba/libgse.so.0
#2 0x00007f7b0b995959 in kerberos_return_pac ()
#3 0x00007f7b0b9bb530 in winbindd_dual_pam_auth ()
#4 0x00007f7b0b9cfcec in ?? ()
#5 0x00007f7b04e402cb in ?? () from /usr/lib/x86_64-linux-gnu/libtevent.so.0
#6 0x00007f7b04e3e797 in ?? () from /usr/lib/x86_64-linux-gnu/libtevent.so.0
#7 0x00007f7b04e3af9d in _tevent_loop_once () from /usr/lib/x86_64-linux-gnu/libtevent.so.0
#8 0x00007f7b0b9d2068 in ?? ()
#9 0x00007f7b0b9d2765 in ?? ()
#10 0x00007f7b04e3b7c4 in tevent_common_loop_immediate () from /usr/lib/x86_64-linux-gnu/libtevent.so.0
#11 0x00007f7b04e4008e in ?? () from /usr/lib/x86_64-linux-gnu/libtevent.so.0
#12 0x00007f7b04e3e797 in ?? () from /usr/lib/x86_64-linux-gnu/libtevent.so.0
#13 0x00007f7b04e3af9d in _tevent_loop_once () from /usr/lib/x86_64-linux-gnu/libtevent.so.0
#14 0x00007f7b0b994fac in main ()
The internet has a few notes about something that sounds very similar:
https://bugzilla.samba.org/show_bug.cgi?id=8747
The prompter only returns the password once, so the Kerberos library
sees that the entered passwords don't match. MIT Kerberos only tries
again three times, but Heimdal loops forever (in init_creds_pw.c).
The above is a backport from Samba 4 - and the Samba 4 fix is included
in Debian's version:
http://anonscm.debian.org/cgit/pkg-samba/samba.git/commit/?id=10989431e533bd60de242dbd78c4b62c4ace7812
However, for some reason, Samba 4 has two copies of that function, one
in source4/auth/kerberos/kerberos.c (addressed by above) and one
here:
http://anonscm.debian.org/cgit/pkg-samba/samba.git/tree/source3/libads/kerberos.c
Looking at the backtrace we can see winbind calls
kerberos_kinit_password_ext, which is only present in
source3/libads/kerberos.c which seems to strongly suggest it is this bug.
At the very least it doesn't make alot of sense to apply 10989431 to only
one of the two locations in the source tree.
Jason
More information about the Pkg-samba-maint
mailing list