I seem to have hit the same bug: an invalid pointer free()d by gssalloc_free(), called by gss_release_buffer(). It happens when a program installed on the DC connects to this Linux machine requesting some registry keys (not knowing this is not a Windows machine). Here is a stack trace with full symbols:

Core was generated by `smbd -F'.
Program terminated with signal 6, Aborted.
#0 0x00007f4458a000d5 in __GI_raise (sig=) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
64 ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0 0x00007f4458a000d5 in __GI_raise (sig=) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1 0x00007f4458a0383b in __GI_abort () at abort.c:91
#2 0x00007f445be50eeb in dump_core () at lib/fault.c:391
#3 0x00007f445be5f5d1 in smb_panic (why=) at lib/util.c:1133
#4 0x00007f445be50838 in fault_report (sig=6) at lib/fault.c:53
#5 sig_fault (sig=6) at lib/fault.c:76
#6
#7 0x00007f4458a000d5 in __GI_raise (sig=) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#8 0x00007f4458a0383b in __GI_abort () at abort.c:91
#9 0x00007f4458a3e04e in __libc_message (do_abort=2, fmt=0x7f4458b485e0 "*** glibc detected *** %s: %s: 0x%s ***\n") at ../sysdeps/unix/sysv/linux/libc_fatal.c:201
#10 0x00007f4458a48846 in malloc_printerr (action=3, str=0x7f4458b44ee9 "free(): invalid pointer", ptr=) at malloc.c:5047
#11 0x00007f445b19db78 in gssalloc_free (value=) at ../../../include/gssapi/gssapi_alloc.h:22
#12 gss_release_buffer (minor_status=, buffer=0x7ffffef4b840) at ../../../../src/lib/gssapi/mechglue/g_rel_buffer.c:52
#13 0x00007f445beccca2 in gse_get_pac_blob (gse_ctx=, mem_ctx=0x7f445e2dce70, pac_blob=) at librpc/crypto/gse.c:731
#14 0x00007f445bd63a8b in gssapi_server_get_user_info (gse_ctx=0x7f445e2d8020, mem_ctx=0x7f445e2d7380, client_id=0x7f445e2bd5e8, server_info=0x7f445e2d73a8) at rpc_server/dcesrv_gssapi.c:127
#15 0x00007f445bd57f5d in pipe_gssapi_verify_final (mem_ctx=0x7f445e2d7380, gse_ctx=0x7f445e2d8020, client_id=0x7f445e2bd5e8, session_info=0x7f445e2d73a8) at rpc_server/srv_pipe.c:734
#16 0x00007f445bd5994a in pipe_auth_verify_final (p=0x7f445e2d7380) at rpc_server/srv_pipe.c:814
#17 0x00007f445bd5bb3b in api_pipe_alter_context (pkt=0x7f445e2d3200, p=0x7f445e2d7380) at rpc_server/srv_pipe.c:1403
#18 process_complete_pdu (p=0x7f445e2d7380) at rpc_server/srv_pipe.c:1955
#19 0x00007f445bd5c22b in process_incoming_data (p=0x7f445e2d7380, data=0x7f445e2e4cb4 "\270\020\270\020", n=) at rpc_server/srv_pipe_hnd.c:218
#20 0x00007f445bd5c90e in write_to_internal_pipe (n=216, data=0x7f445e2e4cb4 "\270\020\270\020", p=0x7f445e2d7380) at rpc_server/srv_pipe_hnd.c:244
#21 np_write_send (mem_ctx=, ev=0x7f445e2bd520, handle=, data=, len=216) at rpc_server/srv_pipe_hnd.c:538
#22 0x00007f445bb71177 in reply_pipe_write_and_X (req=0x7f445e2e4dd0) at smbd/pipes.c:322
#23 0x00007f445bb7ab18 in reply_write_and_X (req=0x7f445e2e4dd0) at smbd/reply.c:4529
#24 0x00007f445bbbd9c4 in switch_message (type=47 '/', req=0x7f445e2e4dd0, size=284) at smbd/process.c:1574
#25 0x00007f445bbbdddb in construct_reply (deferred_pcd=0x0, encrypted=false, seqnum=, unread_bytes=0, size=284, inbuf=0x0, sconn=0x7f445e2bd5e0) at smbd/process.c:1610
#26 process_smb (sconn=0x7f445e2bd5e0, inbuf=, nread=284, unread_bytes=0, seqnum=, encrypted=false, deferred_pcd=0x0) at smbd/process.c:1688
#27 0x00007f445bbbe1f3 in smbd_server_connection_read_handler (conn=0x7f445e2bd5e0, fd=24) at smbd/process.c:2317
#28 0x00007f445be6f27e in run_events_poll (num_pfds=2, pfds=0x7f445e2ce2e0, pollrtn=, ev=0x7f445e2bd520) at lib/events.c:286
#29 run_events_poll (ev=0x7f445e2bd520, pollrtn=, pfds=0x7f445e2ce2e0, num_pfds=2) at lib/events.c:184
#30 0x00007f445bbbf962 in smbd_server_connection_loop_once (conn=0x7f445e2bd5e0) at smbd/process.c:1017
#31 smbd_process (sconn=0x7f445e2bd5e0) at smbd/process.c:3158
#32 0x00007f445c0cd21f in smbd_accept_connection (ev=, fde=, flags=, private_data=) at smbd/server.c:511
#33 0x00007f445be6f27e in run_events_poll (num_pfds=5, pfds=0x7f445e2d67c0, pollrtn=, ev=0x7f445e2bd520) at lib/events.c:286
#34 run_events_poll (ev=0x7f445e2bd520, pollrtn=, pfds=0x7f445e2d67c0, num_pfds=5) at lib/events.c:184
#35 0x00007f445be6f41a in s3_event_loop_once (ev=0x7f445e2bd520, location=) at lib/events.c:349
#36 0x00007f445be6ffa0 in _tevent_loop_once (ev=0x7f445e2bd520, location=0x7f445c2d1f37 "smbd/server.c:844") at ../lib/tevent/tevent.c:494
#37 0x00007f445bb3e060 in smbd_parent_loop (parent=) at smbd/server.c:844
#38 main (argc=, argv=) at smbd/server.c:1326