samba - Sep 2016 - Segmentation fault in samba_upgradedns - Samba 4.4.5

On Fri, 2 Sep 2016 13:03:05 +0100
Rowland Penny via samba <samba at lists.samba.org> wrote:
> On Fri, 2 Sep 2016 12:41:47 +0100
> Cameron Murdoch via samba <samba at lists.samba.org> wrote:
> 
> > On 2 September 2016 at 12:21, Rowland Penny via samba
> > <samba at lists.samba.org
> > > wrote:
> > 
> > > On Fri, 2 Sep 2016 11:51:02 +0100
> > > Cameron Murdoch <cam at macaroon.net> wrote:
> > >
> > > > On 2 September 2016 at 09:53, Rowland Penny via samba
> > > > <samba at lists.samba.org
> > > > > wrote:
> > > >
> > > > > On Thu, 1 Sep 2016 14:12:21 +0100
> > > > > Rowland Penny via samba <samba at
lists.samba.org> wrote:
> > > > >
> > > > > >
> > > > >
> > > > > Trying to understand why you are getting the segfault,
I set
> > > > > up freebsd 11.0rc2 in a VM and then installed samba44,
I now
> > > > > know where Gentoo gets its ideas from :)
> > > > >
> > > > > After freebsd built everything in the chain of required
> > > > > packages, it finally built Samba, I did notice two
things, one
> > > > > it built part (or perhaps the whole) of Bind 9.8.6 to
get
> > > > > nsupdate and it also used Samba 4.3.11 for various
libraries.
> > > > >
> > > > > I then tried to provision Samba, big failure, ZFS
doesn't seem
> > > > > to like ACLs, so if somebody could tell me how to get
past
> > > > > this, I would be very much obliged.
> > > > >
> > > > > Rowland
> > > > >
> > > > >
> > > > Hi Rowland,
> > > >
> > > > I also had issues provisioning (well classicupgrade
actually)
> > > > Samba44. I got segfaults from samba-tool. I did a little bit
of
> > > > debugging, but due to work time pressures I couldn't
submit a
> > > > bug report at the time. From memory I think the python code
in
> > > > samba-tool was crashing when accessing code from
security.so,
> > > > but that might be wrong.
> > >
> > > I tried to provision first as I would normally i.e.
> > > non-interacively but this wouldn't even run, so I tried
> > > provisioning interactively and this ran up to the point where it
> > > checks if a simple ACL can be set, I then get this:
> > >
> > > ERROR(<class 'samba.provision.ProvisioningError'>):
Provision
> > > failed - ProvisioningError: Your filesystem or build does not
> > > support posix ACLs, which s3fs requires.  Try the mounting the
> > > filesystem with the 'acl' option.
> > >
> > >
> > > >
> > > > To provision/upgrade the domain I had to install samba43
which
> > > > worked first time, however I had to specify --use-ntvfs to
> > > > classicupgrade. I am unsure if this has caused any issues,
but
> > > > as domain controllers they seem to work find, etc.
> > >
> > > Well, yes it will work, but ntvfs is deprecated and could be
> > > removed, it also doesn't get much work done on it, hence why
I
> > > don't/won't use it.
> > >
> > >
> > I didn't want to use ntvfs but was desperate at the time :-)
> > What is the penalty of using ntvfs? Once provisioned with this flag
> > are you then stuck with it, or can you then use s3fs?
> > 
> 
> This may be a way forward, see here:
> 
> https://wiki.samba.org/index.php/Samba4/s3fs
> 
> It talks about moving from s3fs to ntvfs, but is should also be
> possible to go the other way, I will try it and let you know.
> 
> Rowland
> 
I have now found out why you had to provision with samba43,
the '--use-ntvfs' option is gone from Samba 4.4.x. I never noticed
because, as I said, I never used it.
This does of course mean that you cannot use the latest versions of
Samba as an AD DC with freebsd unless somehow either samba-tool or
freebsd is changed.

Rowland

On 2 September 2016 at 13:19, Rowland Penny via samba <samba at
lists.samba.org
> wrote:
> On Fri, 2 Sep 2016 13:03:05 +0100
> Rowland Penny via samba <samba at lists.samba.org> wrote:
>
> > On Fri, 2 Sep 2016 12:41:47 +0100
> > Cameron Murdoch via samba <samba at lists.samba.org> wrote:
> >
> > > On 2 September 2016 at 12:21, Rowland Penny via samba
> > > <samba at lists.samba.org
> > > > wrote:
> > >
> > > > On Fri, 2 Sep 2016 11:51:02 +0100
> > > > Cameron Murdoch <cam at macaroon.net> wrote:
> > > >
> > > > > On 2 September 2016 at 09:53, Rowland Penny via samba
> > > > > <samba at lists.samba.org
> > > > > > wrote:
> > > > >
> > > > > > On Thu, 1 Sep 2016 14:12:21 +0100
> > > > > > Rowland Penny via samba <samba at
lists.samba.org> wrote:
> > > > > >
> > > > > > >
> > > > > >
> > > > > > Trying to understand why you are getting the
segfault, I set
> > > > > > up freebsd 11.0rc2 in a VM and then installed
samba44, I now
> > > > > > know where Gentoo gets its ideas from :)
> > > > > >
> > > > > > After freebsd built everything in the chain of
required
> > > > > > packages, it finally built Samba, I did notice two
things, one
> > > > > > it built part (or perhaps the whole) of Bind 9.8.6
to get
> > > > > > nsupdate and it also used Samba 4.3.11 for various
libraries.
> > > > > >
> > > > > > I then tried to provision Samba, big failure, ZFS
doesn't seem
> > > > > > to like ACLs, so if somebody could tell me how to
get past
> > > > > > this, I would be very much obliged.
> > > > > >
> > > > > > Rowland
> > > > > >
> > > > > >
> > > > > Hi Rowland,
> > > > >
> > > > > I also had issues provisioning (well classicupgrade
actually)
> > > > > Samba44. I got segfaults from samba-tool. I did a
little bit of
> > > > > debugging, but due to work time pressures I
couldn't submit a
> > > > > bug report at the time. From memory I think the python
code in
> > > > > samba-tool was crashing when accessing code from
security.so,
> > > > > but that might be wrong.
> > > >
> > > > I tried to provision first as I would normally i.e.
> > > > non-interacively but this wouldn't even run, so I tried
> > > > provisioning interactively and this ran up to the point
where it
> > > > checks if a simple ACL can be set, I then get this:
> > > >
> > > > ERROR(<class
'samba.provision.ProvisioningError'>): Provision
> > > > failed - ProvisioningError: Your filesystem or build does
not
> > > > support posix ACLs, which s3fs requires.  Try the mounting
the
> > > > filesystem with the 'acl' option.
> > > >
> > > >
> > > > >
> > > > > To provision/upgrade the domain I had to install
samba43 which
> > > > > worked first time, however I had to specify --use-ntvfs
to
> > > > > classicupgrade. I am unsure if this has caused any
issues, but
> > > > > as domain controllers they seem to work find, etc.
> > > >
> > > > Well, yes it will work, but ntvfs is deprecated and could be
> > > > removed, it also doesn't get much work done on it, hence
why I
> > > > don't/won't use it.
> > > >
> > > >
> > > I didn't want to use ntvfs but was desperate at the time :-)
> > > What is the penalty of using ntvfs? Once provisioned with this
flag
> > > are you then stuck with it, or can you then use s3fs?
> > >
> >
> > This may be a way forward, see here:
> >
> > https://wiki.samba.org/index.php/Samba4/s3fs
> >
> > It talks about moving from s3fs to ntvfs, but is should also be
> > possible to go the other way, I will try it and let you know.
> >
> > Rowland
> >
>
> I have now found out why you had to provision with samba43,
> the '--use-ntvfs' option is gone from Samba 4.4.x. I never noticed
> because, as I said, I never used it.
> This does of course mean that you cannot use the latest versions of
> Samba as an AD DC with freebsd unless somehow either samba-tool or
> freebsd is changed.
>
> Rowland
>
Once the classicupgrade had completed using samba43, (with --use-ntvfs) and
both the  first DC and a second were working and authenticating clients,
etc I upgraded them both to samba44. Everything seems to work, although I
have issues with dynamic dns updates, and a couple of other small things. I
think that switching to bind might help with some of this.

To confirm, I now have two AD DCs running samba44 on zfs and they mostly
seems to work. I can us ADUC, and other windows tools, clients authenticate
correctly, and I have a Samba44 member server that is serving files
correctly and with zfs nfsv4 acls all working.
Thanks
C

On Fri, 2 Sep 2016 13:49:50 +0100
Cameron Murdoch via samba <samba at lists.samba.org> wrote:
> On 2 September 2016 at 13:19, Rowland Penny via samba
> <samba at lists.samba.org
> > wrote:
> 
> > On Fri, 2 Sep 2016 13:03:05 +0100
> > Rowland Penny via samba <samba at lists.samba.org> wrote:
> >
> > > On Fri, 2 Sep 2016 12:41:47 +0100
> > > Cameron Murdoch via samba <samba at lists.samba.org> wrote:
> > >
> > > > On 2 September 2016 at 12:21, Rowland Penny via samba
> > > > <samba at lists.samba.org
> > > > > wrote:
> > > >
> > > > > On Fri, 2 Sep 2016 11:51:02 +0100
> > > > > Cameron Murdoch <cam at macaroon.net> wrote:
> > > > >
> > > > > > On 2 September 2016 at 09:53, Rowland Penny via
samba
> > > > > > <samba at lists.samba.org
> > > > > > > wrote:
> > > > > >
> > > > > > > On Thu, 1 Sep 2016 14:12:21 +0100
> > > > > > > Rowland Penny via samba <samba at
lists.samba.org> wrote:
> > > > > > >
> > > > > > > >
> > > > > > >
> > > > > > > Trying to understand why you are getting the
segfault, I
> > > > > > > set up freebsd 11.0rc2 in a VM and then
installed
> > > > > > > samba44, I now know where Gentoo gets its
ideas from :)
> > > > > > >
> > > > > > > After freebsd built everything in the chain
of required
> > > > > > > packages, it finally built Samba, I did
notice two
> > > > > > > things, one it built part (or perhaps the
whole) of Bind
> > > > > > > 9.8.6 to get nsupdate and it also used Samba
4.3.11 for
> > > > > > > various libraries.
> > > > > > >
> > > > > > > I then tried to provision Samba, big failure,
ZFS doesn't
> > > > > > > seem to like ACLs, so if somebody could tell
me how to
> > > > > > > get past this, I would be very much obliged.
> > > > > > >
> > > > > > > Rowland
> > > > > > >
> > > > > > >
> > > > > > Hi Rowland,
> > > > > >
> > > > > > I also had issues provisioning (well
classicupgrade
> > > > > > actually) Samba44. I got segfaults from
samba-tool. I did a
> > > > > > little bit of debugging, but due to work time
pressures I
> > > > > > couldn't submit a bug report at the time. From
memory I
> > > > > > think the python code in samba-tool was crashing
when
> > > > > > accessing code from security.so, but that might be
wrong.
> > > > >
> > > > > I tried to provision first as I would normally i.e.
> > > > > non-interacively but this wouldn't even run, so I
tried
> > > > > provisioning interactively and this ran up to the point
where
> > > > > it checks if a simple ACL can be set, I then get this:
> > > > >
> > > > > ERROR(<class
'samba.provision.ProvisioningError'>): Provision
> > > > > failed - ProvisioningError: Your filesystem or build
does not
> > > > > support posix ACLs, which s3fs requires.  Try the
mounting the
> > > > > filesystem with the 'acl' option.
> > > > >
> > > > >
> > > > > >
> > > > > > To provision/upgrade the domain I had to install
samba43
> > > > > > which worked first time, however I had to specify
> > > > > > --use-ntvfs to classicupgrade. I am unsure if this
has
> > > > > > caused any issues, but as domain controllers they
seem to
> > > > > > work find, etc.
> > > > >
> > > > > Well, yes it will work, but ntvfs is deprecated and
could be
> > > > > removed, it also doesn't get much work done on it,
hence why I
> > > > > don't/won't use it.
> > > > >
> > > > >
> > > > I didn't want to use ntvfs but was desperate at the time
:-)
> > > > What is the penalty of using ntvfs? Once provisioned with
this
> > > > flag are you then stuck with it, or can you then use s3fs?
> > > >
> > >
> > > This may be a way forward, see here:
> > >
> > > https://wiki.samba.org/index.php/Samba4/s3fs
> > >
> > > It talks about moving from s3fs to ntvfs, but is should also be
> > > possible to go the other way, I will try it and let you know.
> > >
> > > Rowland
> > >
> >
> > I have now found out why you had to provision with samba43,
> > the '--use-ntvfs' option is gone from Samba 4.4.x. I never
noticed
> > because, as I said, I never used it.
> > This does of course mean that you cannot use the latest versions of
> > Samba as an AD DC with freebsd unless somehow either samba-tool or
> > freebsd is changed.
> >
> > Rowland
> >
> 
> Once the classicupgrade had completed using samba43, (with
> --use-ntvfs) and both the  first DC and a second were working and
> authenticating clients, etc I upgraded them both to samba44.
> Everything seems to work, although I have issues with dynamic dns
> updates, and a couple of other small things. I think that switching
> to bind might help with some of this.
It probably will, I have always used Bind9 and never had any problems.
> 
> To confirm, I now have two AD DCs running samba44 on zfs and they
> mostly seems to work. I can us ADUC, and other windows tools, clients
> authenticate correctly, and I have a Samba44 member server that is
> serving files correctly and with zfs nfsv4 acls all working.
> Thanks
> C
As I said, I know very little about freebsd, but you should be aware
that Samba only supports the last three major versions i.e. at the
moment 4.2.X, 4.3.x and 4.4.x
They are supported in three ways, the oldest version (now 4.2.x) only
gets security fixes, the middle version (4.3.x) gets bug and
security fixes, just not all that the current release (4.4.x) does.

Minor releases are approx every six weeks and major approx every six
months. The next major release is scheduled for this month, at which
point 4.2.x will go EOL, 4.3.x will move to security fixes only and
4.4.x will move to Maintenance mode. It is explained here:

https://wiki.samba.org/index.php/Samba_Release_Planning

What this means is, approx 6 months from now, to set up an AD DC
on freebsd, you will have to install an EOL version and then upgrade
to a supported version.

Rowland

On Fri, 2016-09-02 at 13:19 +0100, Rowland Penny via samba
wrote:
> 
> 
> I have now found out why you had to provision with samba43,
> the '--use-ntvfs' option is gone from Samba 4.4.x. I never noticed
> because, as I said, I never used it.
> This does of course mean that you cannot use the latest versions of
> Samba as an AD DC with freebsd unless somehow either samba-tool or
> freebsd is changed.
BTW, just to be clear for those on the list:

--use-ntvfs is gone by default, because we don't build it by default.
To re-enable it if you have a really important use case you use --with-
ntvfs-fileserver at configure time.

The main reason for that is so that when a security hole is found in
the NTVFS file server (as all C code is prone to), that we don't have
to make the NAS vendors and major linux distros upgrade their packages,
as the code won't be in their binaries. 

(However we would really like to know if that is really needed, as the
code will probably go away at some point). 

Andrew Bartlett

-- 
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT   
https://catalyst.net.nz/services/samba

On Thu, 08 Sep 2016 12:58:18 +1200
Andrew Bartlett <abartlet at samba.org> wrote:
> On Fri, 2016-09-02 at 13:19 +0100, Rowland Penny via samba wrote:
> > 
> > 
> > I have now found out why you had to provision with samba43,
> > the '--use-ntvfs' option is gone from Samba 4.4.x. I never
noticed
> > because, as I said, I never used it.
> > This does of course mean that you cannot use the latest versions of
> > Samba as an AD DC with freebsd unless somehow either samba-tool or
> > freebsd is changed.
> 
> BTW, just to be clear for those on the list:
> 
> --use-ntvfs is gone by default, because we don't build it by default.
> To re-enable it if you have a really important use case you use
> --with- ntvfs-fileserver at configure time.
> 
> The main reason for that is so that when a security hole is found in
> the NTVFS file server (as all C code is prone to), that we don't have
> to make the NAS vendors and major linux distros upgrade their
> packages, as the code won't be in their binaries. 
> 
> (However we would really like to know if that is really needed, as the
> code will probably go away at some point). 
> 
> Andrew Bartlett
> 
It would seem that it is accepted practice to use '--use-ntvfs' on
Freebsd with zfs if you want an AD DC. I have some ideas on how to fix
this, but it depends on being able to build Samba on freebsd,
something I am struggling with, so bear with me.

Rowland