[Pkg-samba-maint] talloc null pointer memory leak / local user in domain error

Andrew Bartlett abartlet at samba.org
Tue Jun 25 22:28:36 UTC 2013


On Mon, 2013-06-24 at 18:27 -0500, Mike Ray wrote:
> If this would be better served in just [Samba] or perhaps
> [Samba-Technical] as opposed to the maintainers list, my apologies and
> I'll route all similar things there in the future.
> 
> Using the latest Debian, I've noticed odd behavior after provisioning:
> 
> The local user is seemingly added to the AD instance; even after
> reverting changes to PAM, logging in as the user who was active during
> provisioning gives this:
> "Failed to modify entry for user <localuser>"
> 
> Invoking sudo gives the following:
> "no talloc stackframe at ../source3/lib/util.c:1493, leaking memory
> Failed to modify account record
> CN=<localuser>,CN=Users,DC=fake,DC=test to set user attributes:
> 0000052D: Constraint violation - check_password_restrictions: the
> password is too short. It should be equal or longer than 7
> characters!"
> 
> Using ldbdel to remove the user returns a success, but subsequent
> logins seem to re-add the user (no replication -- only 1 DC in these
> test cases) to the AD instance, and the errors crop up again.

So, what happens here is that nobody ever envisioned that pam_smbpasswd
would ever be used in connection with the AD DC.  That it works this
much is really neat however :-)

From there, there is one bug:
 - we don't currently implement talloc_stackframe() correctly in
pam_smbpasswd

There are also missing features:
 - we don't make any attempt to migrate the user's uid/gid or groups

On your side, you are hitting up against Samba's default password
policies, which match the defaults in AD and can be set using 'samba-tool
domain pwsettings'.

Being able to migrate from a pure unix environment to AD is neat, and
probably should be retained, but most users migrate from a Samba 3.x
setup, and so don't need or want this tool. 

Once set up with Samba as an AD DC, pam_winbind and nss_winbind are
probably more appropriate, as otherwise users would need to remain
duplicated in the /etc/passwd file.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org




