On Tue, 5 Apr 2016, Andrew Bartlett wrote:

> On Mon, 2016-04-04 at 14:48 -0600, Ochressandro Rettinger wrote:
>> Hi, sorry. I have spent about 4 hours googling, and had no luck.
>> I'm getting repeat core dumps out of smbd, and nothing I've gotten from
>> the log file has successfully pointed me at any indication that anyone
>> else has posted about this problem before.
>>
>> ------
>>
>> libgcrypt selftest: binary (0): Selftest failed
>> (/lib64/.libgcrypt.so.11.hmac)
>> fatal error in libgcrypt, file visibility.c, line 1250, function
>> gcry_create_nonce: called in non-operational state
>
> This is very interesting. I think you are linking to an older version
> of gnutls, perhaps upgrade your OS, as the newer versions use libnettle
> and so perhaps that avoids the issue.
>
> I don't normally suggest changing the OS to fix a Samba issue, but this
> is a bit different:
>
> What is happening here is that when we spawn a child to check the print
> queues, that is failing to connect to your cups server over HTTPS
> because of some issue inside gcrypt, used by gnutls, used by cups.
>
> Otherwise, perhaps if CUPS is on the same host, avoid using SSL to talk
> to it?

I've got the most updated version of RHEL running on that system. So
I'm not quite sure what I'd upgrade there. Unless it's RHEL itself that's
packaging an older version of gnutls.

I continued googling for answers after I wrote, and found a
suggestion that it might be related to FIPS mode, and indeed, when I turn off
FIPS mode on the OS, it stops doing this. But that's not really a viable
long term solution.

To be honest, I'm not sure why Samba is trying to connect to a cups
server at all, because I thought I had turned printing via Samba *off*...
Since I clearly haven't done that, how can I do that?

Thanks!

-Sandro

On Tue, 5 Apr 2016, Ochressandro Rettinger wrote:

> On Tue, 5 Apr 2016, Andrew Bartlett wrote:
>
>> On Mon, 2016-04-04 at 14:48 -0600, Ochressandro Rettinger wrote:
>>> Hi, sorry. I have spent about 4 hours googling, and had no luck.
>>> I'm getting repeat core dumps out of smbd, and nothing I've gotten from
>>> the log file has successfully pointed me at any indication that anyone
>>> else has posted about this problem before.
>>>
>>> ------
>>>
>>> libgcrypt selftest: binary (0): Selftest failed
>>> (/lib64/.libgcrypt.so.11.hmac)
>>> fatal error in libgcrypt, file visibility.c, line 1250, function
>>> gcry_create_nonce: called in non-operational state
>>
>> This is very interesting. I think you are linking to an older version
>> of gnutls, perhaps upgrade your OS, as the newer versions use libnettle
>> and so perhaps that avoids the issue.
>>
>> I don't normally suggest changing the OS to fix a Samba issue, but this
>> is a bit different:
>>
>> What is happening here is that when we spawn a child to check the print
>> queues, that is failing to connect to your cups server over HTTPS
>> because of some issue inside gcrypt, used by gnutls, used by cups.
>>
>> Otherwise, perhaps if CUPS is on the same host, avoid using SSL to talk
>> to it?
>
> I've got the most updated version of RHEL running on that system. So
> I'm not quite sure what I'd upgrade there. Unless it's RHEL itself that's
> packaging an older version of gnutls.
>
> I continued googling for answers after I wrote, and found a
> suggestion that it might be related to FIPS mode, and indeed, when I turn off
> FIPS mode on the OS, it stops doing this. But that's not really a viable
> long term solution.
>
> To be honest, I'm not sure why Samba is trying to connect to a cups
> server at all, because I thought I had turned printing via Samba *off*...
> Since I clearly haven't done that, how can I do that?

Ok, I found instructions on turning off the printers. Which seems
to have stopped my repeated core dump problem, which is nice.

So is this a bug in cups or libgcrypt or samba or what?

-Sandro

On Tue, 2016-04-05 at 08:15 -0600, Ochressandro Rettinger wrote:

> On Tue, 5 Apr 2016, Ochressandro Rettinger wrote:
>
> > On Tue, 5 Apr 2016, Andrew Bartlett wrote:
> >
> > > On Mon, 2016-04-04 at 14:48 -0600, Ochressandro Rettinger wrote:
> > > > Hi, sorry. I have spent about 4 hours googling, and had no luck.
> > > > I'm getting repeat core dumps out of smbd, and nothing I've gotten
> > > > from the log file has successfully pointed me at any indication that
> > > > anyone else has posted about this problem before.
> > > >
> > > > ------
> > > >
> > > > libgcrypt selftest: binary (0): Selftest failed
> > > > (/lib64/.libgcrypt.so.11.hmac)
> > > > fatal error in libgcrypt, file visibility.c, line 1250, function
> > > > gcry_create_nonce: called in non-operational state
> > >
> > > This is very interesting. I think you are linking to an older version
> > > of gnutls, perhaps upgrade your OS, as the newer versions use
> > > libnettle and so perhaps that avoids the issue.
> > >
> > > I don't normally suggest changing the OS to fix a Samba issue, but
> > > this is a bit different:
> > >
> > > What is happening here is that when we spawn a child to check the
> > > print queues, that is failing to connect to your cups server over
> > > HTTPS because of some issue inside gcrypt, used by gnutls, used by
> > > cups.
> > >
> > > Otherwise, perhaps if CUPS is on the same host, avoid using SSL to
> > > talk to it?
> >
> > I've got the most updated version of RHEL running on that system. So
> > I'm not quite sure what I'd upgrade there. Unless it's RHEL itself
> > that's packaging an older version of gnutls.
> >
> > I continued googling for answers after I wrote, and found a
> > suggestion that it might be related to FIPS mode, and indeed, when
> > I turn off FIPS mode on the OS, it stops doing this. But that's not
> > really a viable long term solution.
> >
> > To be honest, I'm not sure why Samba is trying to connect to a cups
> > server at all, because I thought I had turned printing via Samba
> > *off*... Since I clearly haven't done that, how can I do that?
>
> Ok, I found instructions on turning off the printers. Which seems
> to have stopped my repeated core dump problem, which is nice.
>
> So is this a bug in cups or libgcrypt or samba or what?

If this is real RHEL, then use your subscription and file a bug against
libgcrypt in FIPS mode, and they can re-assign to samba if they think we
are providing an unreasonable environment for the library.

Andrew Bartlett

--
Andrew Bartlett https://samba.org/~abartlet/
Authentication Developer, Samba Team https://samba.org
Samba Development and Support, Catalyst IT https://catalyst.net.nz/services/samba

On Tue, 2016-04-05 at 08:15 -0600, Ochressandro Rettinger wrote:

> On Tue, 5 Apr 2016, Ochressandro Rettinger wrote:
>
> > On Tue, 5 Apr 2016, Andrew Bartlett wrote:
> >
> > > On Mon, 2016-04-04 at 14:48 -0600, Ochressandro Rettinger wrote:
> > > > Hi, sorry. I have spent about 4 hours googling, and had no luck.
> > > > I'm getting repeat core dumps out of smbd, and nothing I've gotten
> > > > from the log file has successfully pointed me at any indication that
> > > > anyone else has posted about this problem before.
> > > >
> > > > ------
> > > >
> > > > libgcrypt selftest: binary (0): Selftest failed
> > > > (/lib64/.libgcrypt.so.11.hmac)
> > > > fatal error in libgcrypt, file visibility.c, line 1250, function
> > > > gcry_create_nonce: called in non-operational state
> > >
> > > This is very interesting. I think you are linking to an older version
> > > of gnutls, perhaps upgrade your OS, as the newer versions use
> > > libnettle and so perhaps that avoids the issue.
> > >
> > > I don't normally suggest changing the OS to fix a Samba issue, but
> > > this is a bit different:
> > >
> > > What is happening here is that when we spawn a child to check the
> > > print queues, that is failing to connect to your cups server over
> > > HTTPS because of some issue inside gcrypt, used by gnutls, used by
> > > cups.
> > >
> > > Otherwise, perhaps if CUPS is on the same host, avoid using SSL to
> > > talk to it?
> >
> > I've got the most updated version of RHEL running on that system. So
> > I'm not quite sure what I'd upgrade there. Unless it's RHEL itself
> > that's packaging an older version of gnutls.
> >
> > I continued googling for answers after I wrote, and found a
> > suggestion that it might be related to FIPS mode, and indeed, when
> > I turn off FIPS mode on the OS, it stops doing this. But that's not
> > really a viable long term solution.

I would note that Samba is not compatible with FIPS mode, as a concept.
We use NTLM authentication, non-FIPS crypto and many other things that
just don't pass that set of requirements.

Of course, because we simply don't know about any FIPS mode switch, we
gladly offer non-compliant services, and so you get into issues like this
that are just untested normally.

I hope this clarifies things as to why you are one of the first to notice
this.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
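
Added example, not part of any message in this thread: a shell check for the combination the thread identifies, FIPS mode enabled while smbd can still poll CUPS print queues. The function names and the choice of `load printers` and `printing` as the settings to inspect are assumptions; the thread does not say which instructions were used to turn printing off.

```shell
#!/bin/sh
# Added example: flag FIPS-mode hosts where smbd may still poll CUPS.
# Function names are hypothetical; smb.conf parameters are real Samba ones.

# Print the last [global] value of a parameter, or nothing if unset.
# Samba ignores case and whitespace in parameter names.
smb_global_param() {   # usage: smb_global_param FILE "param name"
    awk -v want="$2" '
        function norm(s) { gsub(/[ \t]/, "", s); return tolower(s) }
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/ {
            sect = $0; sub(/^[ \t]*\[/, "", sect); sub(/\].*$/, "", sect)
            sect = norm(sect); next
        }
        sect == "global" && index($0, "=") {
            name = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            sub(/^[ \t]+/, "", val); sub(/[ \t\r]+$/, "", val)
            if (norm(name) == norm(want)) found = val
        }
        END { if (found != "") print found }
    ' "$1"
}

# Return 0 when safe, 1 when FIPS is on and CUPS polling is still possible.
# FIPS_FILE is normally /proc/sys/crypto/fips_enabled (contains 0 or 1).
check_fips_printing() {   # usage: check_fips_printing FIPS_FILE SMB_CONF
    fips=$(cat "$1" 2>/dev/null || echo 0)
    [ "$fips" = "1" ] || { echo "OK: FIPS mode off"; return 0; }
    load=$(smb_global_param "$2" "load printers" | tr 'A-Z' 'a-z')
    backend=$(smb_global_param "$2" "printing" | tr 'A-Z' 'a-z')
    case "$load" in no|false|0) load_off=1 ;; *) load_off=0 ;; esac
    # Assumption: an unset "printing" means cups (CUPS-enabled builds).
    case "$backend" in ""|cups) cups=1 ;; *) cups=0 ;; esac
    if [ "$load_off" -eq 1 ] && [ "$cups" -eq 0 ]; then
        echo "OK: FIPS on, CUPS printing disabled"; return 0
    fi
    echo "RISK: FIPS on, load printers=${load:-unset}, printing=${backend:-unset}"
    return 1
}

# Demo on constructed input (not taken from the poster's system).
demo=$(mktemp -d)
echo 1 > "$demo/fips_enabled"
printf '[global]\n  load printers = yes\n  cups options = raw\n' > "$demo/smb.conf"
check_fips_printing "$demo/fips_enabled" "$demo/smb.conf" || true
rm -rf "$demo"
```

The check is deliberately conservative: it reports a risk unless `load printers` is off and `printing` names a backend other than cups.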