Cameron Murdoch
2016-Sep-10 14:56 UTC
[Samba] Segmentation fault in samba_upgradedns - Samba 4.4.5
On 8 September 2016 at 08:17, Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Thu, 08 Sep 2016 12:58:18 +1200
> Andrew Bartlett <abartlet at samba.org> wrote:
>
> > On Fri, 2016-09-02 at 13:19 +0100, Rowland Penny via samba wrote:
> > >
> > > I have now found out why you had to provision with samba43,
> > > the '--use-ntvfs' option is gone from Samba 4.4.x. I never noticed
> > > because, as I said, I never used it.
> > > This does of course mean that you cannot use the latest versions of
> > > Samba as an AD DC with freebsd unless somehow either samba-tool or
> > > freebsd is changed.
> >
> > BTW, just to be clear for those on the list:
> >
> > --use-ntvfs is gone by default, because we don't build it by default.
> > To re-enable it if you have a really important use case you use
> > --with-ntvfs-fileserver at configure time.
> >
> > The main reason for that is so that when a security hole is found in
> > the NTVFS file server (as all C code is prone to), that we don't have
> > to make the NAS vendors and major linux distros upgrade their
> > packages, as the code won't be in their binaries.
> >
> > (However we would really like to know if that is really needed, as the
> > code will probably go away at some point).
> >
> > Andrew Bartlett
>
> It would seem that it is accepted practice to use '--use-ntvfs' on
> Freebsd with zfs if you want an AD DC. I have some ideas on how to fix
> this, but it depends on being able to build Samba on freebsd,
> something I am struggling with, so bear with me.
>
> Rowland

Regardless of --use-ntvfs I still can't upgrade to the bind9 backend due to the segfault in samba_upgradedns.

I've tried to add a new domain controller to the domain, and I get the following segfault in samba-tool:

[root at dc3 ~]# samba-tool domain join mbok.co.uk DC -Umbok\setup --realm=MBOK.CO.UK --dns-backend=BIND9_DLZ
Finding a writeable DC for domain 'mbok.co.uk'
Found DC dc1.mbok.co.uk
Password for [WORKGROUP\mboksetup]:
[root at dc3 ~]# samba-tool domain join mbok.co.uk DC -Usetup --realm=MBOK.CO.UK --dns-backend=BIND9_DLZ
Finding a writeable DC for domain 'mbok.co.uk'
Found DC dc1.mbok.co.uk
Password for [WORKGROUP\setup]:
workgroup is MBOK
realm is mbok.co.uk
checking sAMAccountName
Adding CN=DC3,OU=Domain Controllers,DC=mbok,DC=co,DC=uk
Adding CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mbok,DC=co,DC=uk
Adding CN=NTDS Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mbok,DC=co,DC=uk
Adding SPNs to CN=DC3,OU=Domain Controllers,DC=mbok,DC=co,DC=uk
Setting account password for DC3$
Enabling account
Adding DNS account CN=dns-DC3,CN=Users,DC=mbok,DC=co,DC=uk with dns/ SPN
Setting account password for dns-DC3
Calling bare provision
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
A Kerberos configuration suitable for Samba 4 has been generated at /var/db/samba4/private/krb5.conf
Provision OK for domain DN DC=mbok,DC=co,DC=uk
Starting replication
Schema-DN[CN=Schema,CN=Configuration,DC=mbok,DC=co,DC=uk] objects[402/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=mbok,DC=co,DC=uk] objects[804/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=mbok,DC=co,DC=uk] objects[1206/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=mbok,DC=co,DC=uk] objects[1550/1550] linked_values[0/0]
Analyze and apply schema objects
Partition[CN=Configuration,DC=mbok,DC=co,DC=uk] objects[402/1619] linked_values[0/0]
Partition[CN=Configuration,DC=mbok,DC=co,DC=uk] objects[804/1619] linked_values[0/0]
Partition[CN=Configuration,DC=mbok,DC=co,DC=uk] objects[1206/1619] linked_values[0/0]
Partition[CN=Configuration,DC=mbok,DC=co,DC=uk] objects[1608/1619] linked_values[0/0]
Partition[CN=Configuration,DC=mbok,DC=co,DC=uk] objects[1619/1619] linked_values[39/0]
Replicating critical objects from the base DN of the domain
Partition[DC=mbok,DC=co,DC=uk] objects[98/98] linked_values[26/0]
Partition[DC=mbok,DC=co,DC=uk] objects[464/366] linked_values[52/0]
Done with always replicated NC (base, config, schema)
Replicating DC=DomainDnsZones,DC=mbok,DC=co,DC=uk
Partition[DC=DomainDnsZones,DC=mbok,DC=co,DC=uk] objects[87/87] linked_values[0/0]
Replicating DC=ForestDnsZones,DC=mbok,DC=co,DC=uk
Partition[DC=ForestDnsZones,DC=mbok,DC=co,DC=uk] objects[19/19] linked_values[0/0]
Committing SAM database
Sending DsReplicaUpdateRefs for all the replicated partitions
Setting isSynchronized and dsServiceName
Setting up secrets database
Segmentation fault (core dumped)

Thanks for your help
Cameron
Rowland Penny
2016-Sep-10 18:07 UTC
[Samba] Segmentation fault in samba_upgradedns - Samba 4.4.5
On Sat, 10 Sep 2016 15:56:50 +0100 Cameron Murdoch via samba <samba at lists.samba.org> wrote:

> On 8 September 2016 at 08:17, Rowland Penny via samba
> <samba at lists.samba.org> wrote:
>
> > On Thu, 08 Sep 2016 12:58:18 +1200
> > Andrew Bartlett <abartlet at samba.org> wrote:
> >
> > > On Fri, 2016-09-02 at 13:19 +0100, Rowland Penny via samba wrote:
> > > >
> > > > I have now found out why you had to provision with samba43,
> > > > the '--use-ntvfs' option is gone from Samba 4.4.x. I never
> > > > noticed because, as I said, I never used it.
> > > > This does of course mean that you cannot use the latest
> > > > versions of Samba as an AD DC with freebsd unless somehow
> > > > either samba-tool or freebsd is changed.
> > >
> > > BTW, just to be clear for those on the list:
> > >
> > > --use-ntvfs is gone by default, because we don't build it by
> > > default. To re-enable it if you have a really important use case
> > > you use --with-ntvfs-fileserver at configure time.
> > >
> > > The main reason for that is so that when a security hole is found
> > > in the NTVFS file server (as all C code is prone to), that we
> > > don't have to make the NAS vendors and major linux distros
> > > upgrade their packages, as the code won't be in their binaries.
> > >
> > > (However we would really like to know if that is really needed,
> > > as the code will probably go away at some point).
> > >
> > > Andrew Bartlett
> >
> > It would seem that it is accepted practice to use '--use-ntvfs' on
> > Freebsd with zfs if you want an AD DC. I have some ideas on how to
> > fix this, but it depends on being able to build Samba on freebsd,
> > something I am struggling with, so bear with me.
> >
> > Rowland
>
> Regardless of --use-ntvfs I still can't upgrade to the bind9 backend
> due to the segfault in samba_upgradedns.
>
> I've tried to add a new domain controller to the domain, and I get
> the following segfault in samba-tool:
>
> [root at dc3 ~]# samba-tool domain join mbok.co.uk DC -Umbok\setup
> --realm=MBOK.CO.UK --dns-backend=BIND9_DLZ
> Finding a writeable DC for domain 'mbok.co.uk'
> Found DC dc1.mbok.co.uk
> Password for [WORKGROUP\mboksetup]:
> [root at dc3 ~]# samba-tool domain join mbok.co.uk DC -Usetup
> --realm=MBOK.CO.UK --dns-backend=BIND9_DLZ
> Finding a writeable DC for domain 'mbok.co.uk'
> Found DC dc1.mbok.co.uk
> Password for [WORKGROUP\setup]:
> workgroup is MBOK
> realm is mbok.co.uk
> checking sAMAccountName
> Adding CN=DC3,OU=Domain Controllers,DC=mbok,DC=co,DC=uk
> Adding
> CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mbok,DC=co,DC=uk
> Adding CN=NTDS
> Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mbok,DC=co,DC=uk
> Adding SPNs to CN=DC3,OU=Domain Controllers,DC=mbok,DC=co,DC=uk
> Setting account password for DC3$
> Enabling account
> Adding DNS account CN=dns-DC3,CN=Users,DC=mbok,DC=co,DC=uk with dns/
> SPN Setting account password for dns-DC3
> Calling bare provision
> Looking up IPv4 addresses
> Looking up IPv6 addresses
> No IPv6 address will be assigned
> Setting up share.ldb
> Setting up secrets.ldb
> Setting up the registry
> Setting up the privileges database
> Setting up idmap db
> Setting up SAM db
> Setting up sam.ldb partitions and settings
> Setting up sam.ldb rootDSE
> Pre-loading the Samba 4 and AD schema
> A Kerberos configuration suitable for Samba 4 has been generated at
> /var/db/samba4/private/krb5.conf
> Provision OK for domain DN DC=mbok,DC=co,DC=uk
> Starting replication
> Schema-DN[CN=Schema,CN=Configuration,DC=mbok,DC=co,DC=uk]
> objects[402/1550] linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=mbok,DC=co,DC=uk]
> objects[804/1550] linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=mbok,DC=co,DC=uk]
> objects[1206/1550] linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=mbok,DC=co,DC=uk]
> objects[1550/1550] linked_values[0/0]
> Analyze and apply schema objects
> Partition[CN=Configuration,DC=mbok,DC=co,DC=uk] objects[402/1619]
> linked_values[0/0]
> Partition[CN=Configuration,DC=mbok,DC=co,DC=uk] objects[804/1619]
> linked_values[0/0]
> Partition[CN=Configuration,DC=mbok,DC=co,DC=uk] objects[1206/1619]
> linked_values[0/0]
> Partition[CN=Configuration,DC=mbok,DC=co,DC=uk] objects[1608/1619]
> linked_values[0/0]
> Partition[CN=Configuration,DC=mbok,DC=co,DC=uk] objects[1619/1619]
> linked_values[39/0]
> Replicating critical objects from the base DN of the domain
> Partition[DC=mbok,DC=co,DC=uk] objects[98/98] linked_values[26/0]
> Partition[DC=mbok,DC=co,DC=uk] objects[464/366] linked_values[52/0]
> Done with always replicated NC (base, config, schema)
> Replicating DC=DomainDnsZones,DC=mbok,DC=co,DC=uk
> Partition[DC=DomainDnsZones,DC=mbok,DC=co,DC=uk] objects[87/87]
> linked_values[0/0]
> Replicating DC=ForestDnsZones,DC=mbok,DC=co,DC=uk
> Partition[DC=ForestDnsZones,DC=mbok,DC=co,DC=uk] objects[19/19]
> linked_values[0/0]
> Committing SAM database
> Sending DsReplicaUpdateRefs for all the replicated partitions
> Setting isSynchronized and dsServiceName
> Setting up secrets database
> Segmentation fault (core dumped)
>
> Thanks for your help
> Cameron

OK, I think I know what is going on here, this is only a guess and a wild one at that.

The secrets database (secrets.ldb) has been changed, it now adds a 'saltPrincipal' attribute to the 'dns-*' user that is created for Bind9.

I am not entirely sure why this is failing, more info is needed, can you try again, but add '-d10'

Hopefully this will find what is going on.

Rowland