L.P.H. van Belle
2021-Sep-01 07:48 UTC
[Samba] samba-ad-dc.service: Got notification message from PID 27448, but reception only permitted for main PID 27410
Good morning,

I'll CC Alexander Bokovoy on this one, I think he can tell us more on this.
Before this ends up in a bloodbath ;-)

No, joking here, but I think these guys can tell us.

Rowland, why do you think that we should not set Type?
SystemD can't determine what type of program is running.

Type must be set and if it's not set, type is "simple" (as Roy also noticed).
If type is simple, it just used /etc/init.d/samba start/stop

But simple is wrong, just because it won't catch errors when starting up.
Quote: systemctl start command lines for simple services will report
success even if the service's binary cannot be invoked successfully

All I can say is, the Samba team has been using "notify" for some time.
And only somewhere in Samba 4.12/4.13 NotifyAccess= is removed from
all service files in the Samba sources.

And after this CVE fix in systemd, it's not correct anymore in my opinion.
If NotifyAccess= isn't defined, then NotifyAccess=main and
main isn't correct for samba-ad-dc, because of the extra processes starting.

I don't know how it's exactly implemented in Samba, I leave that to the devs.

And let's keep the focus on this, that it ONLY involves samba-ad-dc.service.

So NotifyAccess=all was removed in this commit
https://gitlab.com/thctlo1/samba/-/commit/d1740fb3d5a72cb49e30b330bb0b01e7ef3e09cc
Which was correct at that time, but things changed.

Let's wait what Alexander or Andreas can tell us on this.

So far,

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny via samba
> Sent: Tuesday 31 August 2021 22:50
> To: samba at lists.samba.org
> Subject: Re: [Samba] samba-ad-dc.service: Got notification message from PID 27448, but reception only permitted for main PID 27410
>
> On Tue, 2021-08-31 at 21:18 +0100, Roy Eastwood via samba wrote:
> > I agree, now works. Which leaves the WiKi incorrect as it still
> > recommends Type=forking etc. I assume this should be updated to
> > (adapted for self-compiled version)?:
>
> I am going to throw a hand grenade in here, after reading 'man
> systemd.service', I now think that 'Type' shouldn't be set at all!
>
> With this samba-ad-dc.service file:
>
> [Unit]
> Description=Samba AD Daemon
> Documentation=man:samba(8) man:samba(7) man:smb.conf(5)
> Wants=network-online.target
> After=network.target network-online.target
>
> [Service]
> PIDFile=/run/samba/samba.pid
> LimitNOFILE=16384
> EnvironmentFile=-/etc/default/samba
> ExecStart=/usr/sbin/samba --foreground --no-process-group $SAMBAOPTIONS
> ExecReload=/bin/kill -HUP $MAINPID
>
> [Install]
> WantedBy=multi-user.target
>
> Results in this:
>
> ● samba-ad-dc.service - Samba AD Daemon
>    Loaded: loaded (/lib/systemd/system/samba-ad-dc.service; enabled; vendor preset: enabled)
>    Active: active (running) since Tue 2021-08-31 21:38:06 BST; 8s ago
>      Docs: man:samba(8)
>            man:samba(7)
>            man:smb.conf(5)
>  Main PID: 15307 (samba)
>     Tasks: 57 (limit: 4915)
>    CGroup: /system.slice/samba-ad-dc.service
>            ├─15307 samba: root process
>            ├─15309 samba: tfork waiter process(15310)
>            ├─15310 samba: task[s3fs] pre-fork master
>            ├─15311 samba: tfork waiter process(15313)
>            ├─15312 samba: tfork waiter process(15314)
>            ├─15313 samba: task[rpc] pre-fork master
>            ├─15314 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
>            ├─15315 samba: tfork waiter process(15316)
>            ├─15316 samba: task[nbt] pre-fork master
>            ├─15317 samba: tfork waiter process(15319)
>            ├─15318 samba: tfork waiter process(15320)
>            ├─15319 samba: task[rpc] pre-forked worker(0)
>            ├─15320 samba: task[wrepl] pre-fork master
>            ├─15321 samba: tfork waiter process(15325)
>            ├─15322 samba: tfork waiter process(15323)
>            ├─15323 samba: task[ldap] pre-fork master
>            ├─15324 samba: tfork waiter process(15326)
>            ├─15325 samba: task[rpc] pre-forked worker(1)
>            ├─15326 samba: task[cldap] pre-fork master
>            ├─15327 samba: tfork waiter process(15330)
>            ├─15328 samba: tfork waiter process(15329)
>            ├─15329 samba: task[rpc] pre-forked worker(2)
>            ├─15330 samba: task[kdc] pre-fork master
>            ├─15331 samba: tfork waiter process(15334)
>            ├─15332 samba: tfork waiter process(15333)
>            ├─15333 samba: task[drepl] pre-fork master
>            ├─15334 samba: task[rpc] pre-forked worker(3)
>            ├─15335 samba: tfork waiter process(15338)
>            ├─15336 samba: tfork waiter process(15337)
>            ├─15337 samba: task[kdc] pre-forked worker(0)
>            ├─15338 samba: task[winbindd] pre-fork master
>            ├─15339 samba: tfork waiter process(15342)
>            ├─15340 samba: tfork waiter process(15343)
>            ├─15341 samba: tfork waiter process(15348)
>            ├─15342 samba: task[kdc] pre-forked worker(1)
>            ├─15343 samba: task[ntp_signd] pre-fork master
>            ├─15344 samba: tfork waiter process(15346)
>            ├─15345 samba: tfork waiter process(15349)
>            ├─15346 samba: task[kcc] pre-fork master
>            ├─15347 samba: tfork waiter process(15350)
>            ├─15348 /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
>            ├─15349 samba: task[kdc] pre-forked worker(2)
>            ├─15350 samba: task[dnsupdate] pre-fork master
>            ├─15351 samba: tfork waiter process(15352)
>            ├─15352 samba: task[kdc] pre-forked worker(3)
>            ├─15359 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
>            ├─15360 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
>            ├─15361 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
>            ├─15363 winbindd: domain child [SAMDOM]
>            ├─15364 samba: tfork waiter process(15365)
>            ├─15365 samba: task[ldap] pre-forked worker(0)
>            ├─15366 samba: tfork waiter process(15367)
>            ├─15367 samba: task[ldap] pre-forked worker(1)
>            ├─15368 samba: tfork waiter process(15369)
>            ├─15369 samba: task[ldap] pre-forked worker(2)
>            ├─15370 samba: tfork waiter process(15371)
>            └─15371 samba: task[ldap] pre-forked worker(3)
>
> Aug 31 21:38:07 rpidc2 samba[15307]: [2021/08/31 21:38:07.380345, 0] ../../source4/samba/server.c:920(binary_smbd_main)
> Aug 31 21:38:07 rpidc2 samba[15307]: binary_smbd_main: samba: using 'prefork' process model
> Aug 31 21:38:07 rpidc2 samba[15307]: [2021/08/31 21:38:07.609089, 0] ../../lib/util/become_daemon.c:136(daemon_ready)
> Aug 31 21:38:07 rpidc2 samba[15307]: daemon_ready: daemon 'samba' finished starting up and ready to serve connections
> Aug 31 21:38:08 rpidc2 smbd[15314]: [2021/08/31 21:38:08.245451, 0] ../../lib/util/become_daemon.c:136(daemon_ready)
> Aug 31 21:38:08 rpidc2 smbd[15314]: daemon_ready: daemon 'smbd' finished starting up and ready to serve connections
> Aug 31 21:38:08 rpidc2 winbindd[15348]: [2021/08/31 21:38:08.338432, 0] ../../source3/winbindd/winbindd_cache.c:3206(initialize_winbindd_cache)
> Aug 31 21:38:08 rpidc2 winbindd[15348]: initialize_winbindd_cache: clearing cache and re-creating with version number 2
> Aug 31 21:38:08 rpidc2 winbindd[15348]: [2021/08/31 21:38:08.343985, 0] ../../lib/util/become_daemon.c:136(daemon_ready)
> Aug 31 21:38:08 rpidc2 winbindd[15348]: daemon_ready: daemon 'winbindd' finished starting up and ready to serve connections
>
> And 'pstree' shows this:
>
> systemd─┬─agetty
>         ├─samba─┬─tfork(15310)───s3fs[master]───tfork(15314)───smbd─┬─cleanupd
>         │       │                                                   ├─lpqd
>         │       │                                                   └─smbd-notifyd
>         │       ├─tfork(15313)───rpc[master]─┬─tfork(15319)───rpc(0)
>         │       │                            ├─tfork(15325)───rpc(1)
>         │       │                            ├─tfork(15329)───rpc(2)
>         │       │                            └─tfork(15334)───rpc(3)
>         │       ├─tfork(15316)───nbt[master]
>         │       ├─tfork(15320)───wrepl[master]
>         │       ├─tfork(15323)───ldap[master]─┬─tfork(15365)───ldap(0)
>         │       │                             ├─tfork(15367)───ldap(1)
>         │       │                             ├─tfork(15369)───ldap(2)
>         │       │                             └─tfork(15371)───ldap(3)
>         │       ├─tfork(15326)───cldap[master]
>         │       ├─tfork(15330)───kdc[master]─┬─tfork(15337)───kdc(0)
>         │       │                            ├─tfork(15342)───kdc(1)
>         │       │                            ├─tfork(15349)───kdc(2)
>         │       │                            └─tfork(15352)───kdc(3)
>         │       ├─tfork(15333)───drepl[master]
>         │       ├─tfork(15338)───winbindd[master───tfork(15348)───winbindd───winbindd
>         │       ├─tfork(15343)───ntp_signd[master]
>         │       ├─tfork(15346)───kcc[master]
>         │       └─tfork(15350)───dnsupdate[master]
>
> It is all working for myself.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
Rowland Penny
2021-Sep-01 08:14 UTC
[Samba] samba-ad-dc.service: Got notification message from PID 27448, but reception only permitted for main PID 27410
On Wed, 2021-09-01 at 09:48 +0200, L.P.H. van Belle via samba wrote:
> Good morning,
>
> I'll CC Alexander Bokovoy on this one, I think he can tell us more on
> this.
> Before this ends up in a bloodbath ;-)
>
> No, joking here, but I think these guys can tell us.
>
> Rowland, why do you think that we should not set Type?
> SystemD can't determine what type of program is running.

I am not a systemd expert (I tend towards not using it, but will use it
if I have to), but I can read manpages.

> Type must be set and if it's not set, type is "simple" (as Roy also
> noticed).
> If type is simple, it just used /etc/init.d/samba start/stop

So, 'Type' doesn't need to be set.

> But simple is wrong, just because it won't catch errors when starting
> up.
> Quote: systemctl start command lines for simple services will report
> success even if the service's binary cannot be invoked successfully

Not a problem, systemd might not catch the errors, but the samba logs will.

> All I can say is, the Samba team has been using "notify" for some time.
> And only somewhere in Samba 4.12/4.13 NotifyAccess= is removed from
> all service files in the Samba sources.

Perhaps, but from my understanding of systemd, 'notify' expects just
the main program to notify it, not sub programs.

> And after this CVE fix in systemd, it's not correct anymore in my
> opinion.
> If NotifyAccess= isn't defined, then NotifyAccess=main and
> main isn't correct for samba-ad-dc, because of the extra processes
> starting.

No, it has been going on for some time.

> I don't know how it's exactly implemented in Samba, I leave that to the
> devs.
>
> And let's keep the focus on this, that it ONLY involves
> samba-ad-dc.service.
>
> So NotifyAccess=all was removed in this commit
> https://gitlab.com/thctlo1/samba/-/commit/d1740fb3d5a72cb49e30b330bb0b01e7ef3e09cc
> Which was correct at that time, but things changed.
>
> Let's wait what Alexander or Andreas can tell us on this.

I am open to persuasion on this, so let's wait until someone can
explain why not having 'Type' is a bad idea. Let's be honest, starting
a Samba DC from an init script worked well for years.

Rowland
Norbert Hanke
2021-Sep-01 08:15 UTC
[Samba] samba-ad-dc.service: Got notification message from PID 27448, but reception only permitted for main PID 27410
On 01.09.2021 09:48, L.P.H. van Belle via samba wrote:
> Good morning,
>
> I'll CC Alexander Bokovoy on this one, I think he can tell us more on this.
> Before this ends up in a bloodbath ;-)
>
> No, joking here, but I think these guys can tell us.
>
> Rowland, why do you think that we should not set Type?
> SystemD can't determine what type of program is running.
>
> Type must be set and if it's not set, type is "simple" (as Roy also noticed).
> If type is simple, it just used /etc/init.d/samba start/stop
>
> But simple is wrong, just because it won't catch errors when starting up.
> Quote: systemctl start command lines for simple services will report
> success even if the service's binary cannot be invoked successfully
>
> All I can say is, the Samba team has been using "notify" for some time.
> And only somewhere in Samba 4.12/4.13 NotifyAccess= is removed from
> all service files in the Samba sources.
>
> And after this CVE fix in systemd, it's not correct anymore in my opinion.
> If NotifyAccess= isn't defined, then NotifyAccess=main and
> main isn't correct for samba-ad-dc, because of the extra processes starting.
>
> I don't know how it's exactly implemented in Samba, I leave that to the devs.
>
> And let's keep the focus on this, that it ONLY involves samba-ad-dc.service.
>
> So NotifyAccess=all was removed in this commit
> https://gitlab.com/thctlo1/samba/-/commit/d1740fb3d5a72cb49e30b330bb0b01e7ef3e09cc
> Which was correct at that time, but things changed.
>
> Let's wait what Alexander or Andreas can tell us on this.
>
> So far,
>
> Greetz,
>
> Louis

Type=forking works for me with the samba domain controller, ever since,
on debian buster, both raspbian and "native" arm64.

build samba with

./configure --with-shared-modules='!vfs_snapper' --with-systemd --systemd-install-services

and use service description

> more /etc/systemd/system/samba-ad-dc.service
[Unit]
Description=Samba Active Directory Domain Controller
Documentation=man:samba(8) man:samba(7) man:smb.conf(5)
After=network.target remote-fs.target nss-lookup.target

[Service]
Type=forking
PIDFile=/usr/local/samba/var/run/samba.pid
LimitNOFILE=16384
ExecStart=/usr/local/samba/sbin/samba -D
ExecReload=/bin/kill -HUP $MAINPID

[Install]
WantedBy=multi-user.target
L.P.H. van Belle
2021-Sep-01 14:35 UTC
[Samba] samba-ad-dc.service: Got notification message from PID 27448, but reception only permitted for main PID 27410
On this:

> Type=notify changes NotifyAccess forcibly to 'main' if
> NotifyAccess is not set (our case). Are you claiming this has
> changed in systemd?

Yes, that is correct, this is something related to changes in systemd.
I suspect it's this one:
https://www.qualys.com/2021/07/20/cve-2021-33910/denial-of-service-systemd.txt

In Debian this change passed on:
[20 Jul 2021] DSA-4942 systemd - security update

And NotifyAccess=main won't work correctly for samba-ad-dc.
At least on samba-ad-dc works but we see:
Got notification message from PID 27448, but reception only permitted for main PID 27410

Which did not look good.

So I asked the Debian maintainer about this.
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=993347
Where we first suggested to change back to "Fork" because the wiki says so.
But he pointed out to use NotifyAccess=all.

So, this is the change I would like to see in Samba back again.
https://bugzilla.samba.org/show_bug.cgi?id=14814

And I saw you guys made this change between 4.12/4.13.
The "why" I don't know.

Maybe this needs more research, but the suggested fix works and did work since 4.4.x

So far, and thanks for the reply :-)
I'm all ears for what is best as a fix.

Greetz,

Louis

PS. Historical info:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=740942 samba 4.1.x
https://lists.samba.org/archive/samba/2016-July/201197.html samba 4.4.x

> -----Original message-----
> From: Alexander Bokovoy [mailto:ab at samba.org]
> Sent: Wednesday 1 September 2021 16:06
> To: L.P.H. van Belle
> CC: samba at lists.samba.org; Andreas Schneider
> Subject: Re: [Samba] samba-ad-dc.service: Got notification message from PID 27448, but reception only permitted for main PID 27410
>
> On Wed, 01 Sep 2021, L.P.H. van Belle wrote:
> > Good morning,
> >
> > I'll CC Alexander Bokovoy on this one, I think he can tell us more on this.
> > Before this ends up in a bloodbath ;-)
> >
> > No, joking here, but I think these guys can tell us.
> >
> > Rowland, why do you think that we should not set Type?
> > SystemD can't determine what type of program is running.
> >
> > Type must be set and if it's not set, type is "simple" (as Roy also noticed).
> > If type is simple, it just used /etc/init.d/samba start/stop
> >
> > But simple is wrong, just because it won't catch errors when starting up.
> > Quote: systemctl start command lines for simple services will report
> > success even if the service's binary cannot be invoked successfully
> >
> > All I can say is, the Samba team has been using "notify" for some time.
> > And only somewhere in Samba 4.12/4.13 NotifyAccess= is removed from
> > all service files in the Samba sources.
> >
> > And after this CVE fix in systemd, it's not correct anymore in my opinion.
> > If NotifyAccess= isn't defined, then NotifyAccess=main and
> > main isn't correct for samba-ad-dc, because of the extra processes starting.
> >
> > I don't know how it's exactly implemented in Samba, I leave that to the devs.
> >
> > And let's keep the focus on this, that it ONLY involves samba-ad-dc.service.
> >
> > So NotifyAccess=all was removed in this commit
> > https://gitlab.com/thctlo1/samba/-/commit/d1740fb3d5a72cb49e30b330bb0b01e7ef3e09cc
> > Which was correct at that time, but things changed.
> >
> > Let's wait what Alexander or Andreas can tell us on this.
>
> Hi. We use Type=notify for samba/smbd/winbindd when they run separately
> because they are set up to provide notifications. Thus, Type=notify has
> to be present in samba.service. Internally, smbd and winbindd will not
> do notifications if they were started by 'samba' daemon so there would
> be only a single process reporting its status.
>
> Also, Type=notify changes NotifyAccess forcibly to 'main' if
> NotifyAccess is not set (our case). Are you claiming this has changed in
> systemd?
>
> > So far,
> >
> > Greetz,
> >
> > Louis
>
> --
> / Alexander Bokovoy
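
Added example, not part of any message in this thread and not Samba or systemd code: a small Python check that applies the defaults discussed above (no Type= means simple; Type=notify without NotifyAccess= means main) to a unit file and extracts the rejected sender PIDs from journal lines. The unit text and journal lines are constructed samples, and the function names are hypothetical.

```python
import re

# Constructed sample: a Type=notify unit with no NotifyAccess= line, the case
# discussed in the thread. Paths mirror the unit quoted by Rowland.
NOTIFY_UNIT = """\
[Unit]
Description=Samba AD Daemon

[Service]
Type=notify
PIDFile=/run/samba/samba.pid
ExecStart=/usr/sbin/samba --foreground --no-process-group \\
    $SAMBAOPTIONS
"""

# Constructed journal lines; the rejection text is the message in the thread subject.
JOURNAL = """\
Sep 01 09:00:01 dc1 systemd[1]: samba-ad-dc.service: Got notification message from PID 27448, but reception only permitted for main PID 27410
Sep 01 09:00:01 dc1 samba[27410]: daemon_ready: daemon 'samba' finished starting up and ready to serve connections
Sep 01 09:00:02 dc1 systemd[1]: samba-ad-dc.service: Got notification message from PID 27452, but reception only permitted for main PID 27410
"""

REJECT_RE = re.compile(
    r"(?P<unit>\S+\.service): Got notification message from PID (?P<sender>\d+), "
    r"but reception only permitted for main PID (?P<main>\d+)"
)


def parse_service_section(unit_text):
    """Return {key: last assigned value} for the [Service] section."""
    settings, section, pending = {}, None, ""
    for raw in unit_text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):            # unit-file line continuation
            pending = line[:-1] + " "
            continue
        if not line or line[0] in "#;":    # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section == "Service" and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings


def effective_settings(unit_text):
    """Return (Type, NotifyAccess) after applying the defaults from the thread."""
    svc = parse_service_section(unit_text)
    # A unit with ExecStart= and no Type= (and no BusName=) is Type=simple.
    svc_type = (svc.get("Type") or "simple").lower()
    access = (svc.get("NotifyAccess") or "").lower()
    if not access:
        # Unset NotifyAccess= is "none", except that Type=notify implies "main".
        access = "main" if svc_type == "notify" else "none"
    return svc_type, access


def diagnose(unit_name, unit_text, journal_text):
    """Combine the effective settings with rejected notifications in the journal."""
    svc_type, access = effective_settings(unit_text)
    rejected = sorted({
        int(m["sender"]) for m in REJECT_RE.finditer(journal_text)
        if m["unit"] == unit_name
    })
    if svc_type == "notify" and access == "main" and rejected:
        finding = "notifications from non-main PIDs are being dropped"
    elif svc_type == "notify" and access == "all":
        # 'all' accepts updates from every member of the service's control group.
        finding = "notifications accepted from every process in the service cgroup"
    elif svc_type != "notify":
        finding = "systemd does not wait for a readiness notification"
    else:
        finding = "no rejected notifications seen"
    return {"type": svc_type, "notify_access": access,
            "rejected_pids": rejected, "finding": finding}


if __name__ == "__main__":
    print(diagnose("samba-ad-dc.service", NOTIFY_UNIT, JOURNAL))
```
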