Bug 52859

Summary: Samba 2.2.8a (2.2.8) - broken support for password changing via CTRL-ALT-DEL on Windows client
Product: Ports & Packages
Component: Individual Port(s)
Reporter: Przemyslaw Plaskowicki <plex>
Assignee: Dirk Meyer <dinoex>
Status: Closed FIXED
Severity: Affects Only Me
CC: plex
Priority: Normal
Version: Latest
Hardware: Any
OS: Any
Attachments: util_sec.c.patch (flags: none)

Description Przemyslaw Plaskowicki 2003-06-02 14:20:16 UTC
	It is possible to change a password via the CTRL-ALT-DEL combination on a 
	Windows 2000 client machine. The changed password is passed by Samba to the 
	program or script defined by the 'passwd program' parameter in smb.conf, 
	which should de facto change the password. That program is normally run with 
	root privileges. However, the samba process normally does not run with root 
	privilege. In order to change the password, samba needs to switch back to 
	root. That does not work in 2.2.8a: Windows returns an error message and the 
	logs contain the following lines:
		[2003/06/02 14:48:03, 1, effective(0, 0), real(0, 0)] 
		rpc_server/srv_pipe.c:api_pipe_ntlmssp_verify(366)
		api_pipe_ntlmssp_verify: User PLEX-WIN2K\plex from machine PLEX-WIN2K failed 
		authentication on named pipe samr.
		[2003/06/02 14:48:03, 0, effective(65534, 65534), real(0, 65534)] 
		lib/util_sec.c:assert_gid(114)
 		Failed to set gid privileges to (0,65534) now set to (65534,65534) uid=(0,65534)
		[2003/06/02 14:48:03, 0, effective(65534, 65534), real(0, 65534)] 
		lib/util.c:smb_panic(1094)
  		PANIC: failed to set gid

		[2003/06/02 14:48:03, 0, effective(65534, 65534), real(0, 65534)] 
		lib/util_sec.c:assert_gid(114)
		Failed to set gid privileges to (0,65534) now set to (65534,65534) uid=(0,65534)
		[2003/06/02 14:48:03, 0, effective(65534, 65534), real(0, 65534)] 
		lib/util.c:smb_panic(1094)
		PANIC: failed to set gid
	/var/messages states:
		Jun  2 14:48:03 grasshopper /kernel: pid 8690 (smbd), uid 65534: exited on signal 6
		Jun  2 14:48:03 grasshopper /kernel: pid 11791 (smbd), uid 65534: exited on signal 6

	
	This bug was also reported by these users:

	http://groups.google.com/groups?selm=16e27602.0303181027.67d96b05%40posting.google.com
	[...]
	This is running on a FreeBSD 4.6-RELEASE box.
	[...]


	[2003/03/17 13:53:07, 3] smbd/sec_ctx.c:get_current_groups(172)
 	  get_current_groups: user is in 5 groups: 1005, 1005, 0, 1010, 1015
	[2003/03/17 13:53:07, 3] smbd/sec_ctx.c:pop_sec_ctx(436)
	  pop_sec_ctx (1001, 1005) - sec_ctx_stack_ndx = 0
	[2003/03/17 13:53:07, 0] lib/util_sec.c:assert_gid(114)
	  Failed to set gid privileges to (0,1005) now set to (1005,1005) uid=(0,1001)
	[2003/03/17 13:53:07, 0] lib/util.c:smb_panic(1094)
	  PANIC: failed to set gid

	[...]  
	
	http://groups.google.com/groups?selm=20030413114009%245af7%40gated-at.bofh.it

	[...]
	i have running samba 2.2.8a from the ports on the system:
	FreeBSD bingo.ru 4.7-STABLE FreeBSD 4.7-STABLE #2: Tue Mar 25 20:30:51 YEKT
	2003 root@bingo.ru:/usr/obj/usr/src/sys/bingo  i386
	
	[...]
	my samba is primary domain controller for my microsoft network with windowzes.
	all was well, but from some time my users cannot change their passwords in
	domain. windows reports about domain is not available and the smbd writes to
	log:

	=== cut ===
	[2003/04/13 16:39:39, 0] lib/util_sec.c:assert_gid(114)
	  Failed to set gid privileges to (0,1666) now set to (1666,1666) uid=(0,1666)
	[2003/04/13 16:39:39, 0] lib/util.c:smb_panic(1094)
	  PANIC: failed to set gid

	[2003/04/13 16:39:39, 0] smbd/password.c:domain_client_validate(1558)
	  domain_client_validate: could not fetch trust account password for domain BINGO
	[2003/04/13 16:39:39, 0] lib/util_sec.c:assert_gid(114)
	  Failed to set gid privileges to (0,1666) now set to (1666,1666) uid=(0,1666)
	[2003/04/13 16:39:39, 0] lib/util.c:smb_panic(1094)
	  PANIC: failed to set gid

	[2003/04/13 16:39:39, 0] lib/util_sec.c:assert_gid(114)
	  Failed to set gid privileges to (0,31) now set to (31,31) uid=(0,2048)
	[2003/04/13 16:39:39, 0] lib/util.c:smb_panic(1094)
	  PANIC: failed to set gid

	[2003/04/13 16:39:39, 0] lib/util_sec.c:assert_gid(114)
	  Failed to set gid privileges to (0,31) now set to (31,31) uid=(0,2048)
	[2003/04/13 16:39:39, 0] lib/util.c:smb_panic(1094)
	  PANIC: failed to set gid

	[2003/04/13 16:39:39, 0] smbd/password.c:domain_client_validate(1558)
	  domain_client_validate: could not fetch trust account password for domain BINGO
	[2003/04/13 16:39:40, 0] lib/util_sec.c:assert_gid(114)
	  Failed to set gid privileges to (0,1666) now set to (1666,1666) uid=(0,1666)
	[2003/04/13 16:39:40, 0] lib/util.c:smb_panic(1094)
	  PANIC: failed to set gid

	[2003/04/13 16:39:40, 0] smbd/password.c:domain_client_validate(1558)
	  domain_client_validate: could not fetch trust account password for domain BINGO
	[2003/04/13 16:39:40, 0] lib/util_sec.c:assert_gid(114)
	  Failed to set gid privileges to (0,1666) now set to (1666,1666) uid=(0,1666)
	[2003/04/13 16:39:40, 0] lib/util.c:smb_panic(1094)
	  PANIC: failed to set gid

	[2003/04/13 16:39:40, 0] smbd/password.c:domain_client_validate(1558)
	  domain_client_validate: could not fetch trust account password for domain BINGO
	[2003/04/13 16:39:40, 0] lib/util_sec.c:assert_gid(114)
	  Failed to set gid privileges to (0,31) now set to (31,31) uid=(0,2048)
	[2003/04/13 16:39:40, 0] lib/util.c:smb_panic(1094)
	  PANIC: failed to set gid

	[2003/04/13 16:39:40, 0] smbd/password.c:domain_client_validate(1558)
	  domain_client_validate: could not fetch trust account password for domain BINGO
	[2003/04/13 16:39:40, 0] lib/util_sec.c:assert_gid(114)
	  Failed to set gid privileges to (0,31) now set to (31,31) uid=(0,2048)
	[2003/04/13 16:39:40, 0] lib/util.c:smb_panic(1094)
	  PANIC: failed to set gid

	[2003/04/13 16:39:40, 0] smbd/password.c:domain_client_validate(1558)
	  domain_client_validate: could not fetch trust account password for domain BINGO
	[2003/04/13 16:40:06, 0] lib/util_sec.c:assert_gid(114)
	  Failed to set gid privileges to (0,1666) now set to (1666,1666) uid=(0,1666)
	[2003/04/13 16:40:06, 0] lib/util.c:smb_panic(1094)
	  PANIC: failed to set gid

	[2003/04/13 16:40:06, 0] smbd/password.c:domain_client_validate(1558)
	  domain_client_validate: could not fetch trust account password for domain BINGO
	[2003/04/13 16:40:06, 0] lib/util_sec.c:assert_gid(114)
	  Failed to set gid privileges to (0,1666) now set to (1666,1666) uid=(0,1666)
	[2003/04/13 16:40:06, 0] lib/util.c:smb_panic(1094)
	  PANIC: failed to set gid
	
	[2003/04/13 16:40:06, 0] lib/util_sec.c:assert_gid(114)
	  Failed to set gid privileges to (0,31) now set to (31,31) uid=(0,2048)
	[2003/04/13 16:40:06, 0] lib/util.c:smb_panic(1094)
	  PANIC: failed to set gid

	[2003/04/13 16:40:06, 0] lib/util_sec.c:assert_gid(114)
	  Failed to set gid privileges to (0,31) now set to (31,31) uid=(0,2048)
	[2003/04/13 16:40:06, 0] lib/util.c:smb_panic(1094)
	  PANIC: failed to set gid

	[2003/04/13 16:40:06, 0] smbd/password.c:domain_client_validate(1558)
	  domain_client_validate: could not fetch trust account password for domain BINGO
	[2003/04/13 16:40:06, 0] lib/util_sec.c:assert_gid(114)
	  Failed to set gid privileges to (0,1666) now set to (1666,1666) uid=(0,1666)
	[2003/04/13 16:40:06, 0] lib/util.c:smb_panic(1094)
	  PANIC: failed to set gid

	[2003/04/13 16:40:06, 0] smbd/password.c:domain_client_validate(1558)
	  domain_client_validate: could not fetch trust account password for domain BINGO
	[2003/04/13 16:40:06, 0] lib/util_sec.c:assert_gid(114)
	  Failed to set gid privileges to (0,1666) now set to (1666,1666) uid=(0,1666)
	[2003/04/13 16:40:06, 0] lib/util.c:smb_panic(1094)
	  PANIC: failed to set gid

	[2003/04/13 16:40:06, 0] lib/util_sec.c:assert_gid(114)
	  Failed to set gid privileges to (0,31) now set to (31,31) uid=(0,2048)
	[2003/04/13 16:40:06, 0] lib/util.c:smb_panic(1094)
	  PANIC: failed to set gid

	[2003/04/13 16:40:06, 0] lib/util_sec.c:assert_gid(114)
	  Failed to set gid privileges to (0,31) now set to (31,31) uid=(0,2048)
	[2003/04/13 16:40:06, 0] lib/util.c:smb_panic(1094)
	  PANIC: failed to set gid

	[2003/04/13 16:40:06, 0] smbd/password.c:domain_client_validate(1558)
	  domain_client_validate: could not fetch trust account password for domain BINGO
	
	[...]


	http://groups.google.pl/groups?selm=20030527141013%2444c1%40gated-at.bofh.it

	Hi,

	samba 2.2.8 is working on my FreeBSD 4.8 - server. Samba is the PDC and 
	almost everything is working fine.

	When a user wants to change his own samba password, he presses 
	CTRL_ALT_Delete in windows and clicks on "Change Password". After entering 
	the passwords, windows shows a popup which says that it isn't possible to 
	change the password because the domain is not available.

	On the console these errors appear (many times):
	/kernel: pid 94755 (smbd), uid 1010: exited on signal 6
	/kernel: pid 94756 (smbd), uid 65534: exited on signal 6

	in /var/log/log.[PCname] these errors appear:
	[2003/05/27 14:55:08, 0] lib/util_sec.c:assert_gid(114)
	  Failed to set gid privileges to (0,1001) now set to (1001,1001) uid=(0,1001)
	[2003/05/27 14:55:08, 0] lib/util.c:smb_panic(1094)
	  PANIC: failed to set gid

	[...]

	My apologies for the excessive quoting, but I find these posts relevant to 
	the problem.

Fix: Not known.

How-To-Repeat: Try to change the password using the CTRL-ALT-DEL combination on Windows 2000 and samba 2.2.8a.
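
For triage, the `assert_gid` records quoted in this report can be extracted from an smbd log and paired with the `smb_panic` records that follow them. The Python below is an added example, not part of the original report or of Samba: the function names are hypothetical, the sample log is constructed in the format quoted above, and the reading of the three number pairs (requested real/effective gid, resulting real/effective gid, real/effective uid) is an assumption inferred from the message text.

```python
import re
from collections import Counter

# Record header: "[date time, level...] source.c:function(line)"
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), \d+[^\]]*\]\s*\S+:(\w+)\(\d+\)")
# assert_gid message body as quoted in the report. Assumed field order:
# wanted (real, effective) gid, resulting gid, (real, effective) uid.
GID_FAIL = re.compile(r"Failed to set gid privileges to \((\d+),(\d+)\) "
                      r"now set to \((\d+),(\d+)\) uid=\((\d+),(\d+)\)")
# Constructed sample in the log format quoted above (first message is mail-wrapped)
SAMPLE = """\
[2003/05/27 14:55:08, 0] lib/util_sec.c:assert_gid(114)
  Failed to set gid privileges to (0,1001) now set to (1001,1001)
uid=(0,1001)
[2003/05/27 14:55:08, 0] lib/util.c:smb_panic(1094)
  PANIC: failed to set gid
[2003/05/27 14:55:09, 0] lib/util_sec.c:assert_gid(114)
  Failed to set gid privileges to (0,31) now set to (31,31) uid=(0,2048)
[2003/05/27 14:55:09, 0] lib/util.c:smb_panic(1094)
  PANIC: failed to set gid
"""

def parse_records(text):
    """Yield (timestamp, function, message); wrapped message lines are joined."""
    current = None
    for line in map(str.strip, text.splitlines()):
        m = HEADER.match(line)
        if m:
            if current:
                yield current[0], current[1], " ".join(current[2])
            current = (m.group(1), m.group(2), [])
        elif current and line:
            current[2].append(line)
    if current:
        yield current[0], current[1], " ".join(current[2])

def gid_failures(text):
    """Return one dict per assert_gid failure with the wanted and actual ids."""
    out = []
    for ts, func, msg in parse_records(text):
        m = GID_FAIL.search(msg)
        if func == "assert_gid" and m:
            wr, we, gr, ge, ruid, euid = map(int, m.groups())
            # Flag: real uid is 0 and real gid 0 was wanted, but was not obtained
            out.append({"ts": ts, "wanted": (wr, we), "actual": (gr, ge), "uid": (ruid, euid),
                        "root_gid_not_regained": ruid == 0 and wr == 0 and gr != 0})
    return out

def summarize(text):
    """Return (failures per (wanted, actual) gid pair, count of gid panics)."""
    panics = sum(f == "smb_panic" and "failed to set gid" in m for _, f, m in parse_records(text))
    return Counter((f["wanted"], f["actual"]) for f in gid_failures(text)), panics
```

Equal failure and panic counts, as in the sample, indicate that every failed gid switch ended the smbd process, which matches the "exited on signal 6" kernel messages in the report.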
Comment 1 Tilman Keskinoz freebsd_committer freebsd_triage 2003-06-03 08:48:36 UTC
Responsible Changed
From-To: freebsd-ports-bugs->dwcjr

over to maintainer
Comment 2 Jean Milanez Melo 2003-12-11 21:28:29 UTC
Hi,

I fixed this problem in samba 2.2.8a.

The patch is attached.

Regards,
Jean Milanez Melo
FreeBSD Brasil LTDA.
http://www.freebsdbrasil.com.br
Comment 3 Mark Linimon freebsd_committer freebsd_triage 2004-03-04 23:19:17 UTC
Responsible Changed
From-To: dwcjr->freebsd-ports-bugs

samba* maintainership was reset to ports@ by marcus on 03/04/2004, 
so return this PR to the pool.
Comment 4 Dirk Meyer freebsd_committer freebsd_triage 2004-08-18 14:53:41 UTC
Responsible Changed
From-To: freebsd-ports-bugs->dinoex

I will take care of it.
Comment 5 Dirk Meyer freebsd_committer freebsd_triage 2004-08-18 15:15:40 UTC
State Changed
From-To: open->closed

committed, thanks.