samba - Apr 2020 - pad length mismatch error message

Hi Louis,

it happens on the AC-DC nodes on Debian 10, running with BIND9_DLZ backend...

dpkg -l |grep bind9
ii  bind9                              1:9.11.5.P4+dfsg-5.1        amd64       
Internet Domain Name Server
ii  bind9-host                      1:9.11.5.P4+dfsg-5.1        amd64        DNS
lookup utility (deprecated)
ii  bind9utils                        1:9.11.5.P4+dfsg-5.1        amd64       
Utilities for BIND
ii  libbind9-161:amd64       1:9.11.5.P4+dfsg-5.1        amd64        BIND9
Shared Library used by BIND


smb.conf:

# Global parameters
[global]
        netbios name = DC3
        realm = AD.EXAMPLE.NET
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
winbindd, ntp_signd, kcc, dnsupdate
        workgroup = AD
        interfaces = IP
        bind interfaces only = yes
        load printers = no
        printing = bsd
        printcap name = /dev/null
        disable spoolss = yes
        log level = 1 auth_audit:2@/var/log/samba/auth-audit.log
        ldap server require strong auth = no
        tls verify peer = no_check
        tls enabled = yes
        tls keyfile = /path/key.pem
        tls certfile = /path/fullcert.pem
        tls cafile = /etc/ssl/certs/ca-certificates.crt

[sysvol]
        path = /var/lib/samba/sysvol
        read only = yes

[netlogon]
        path = /var/lib/samba/sysvol/ad.example.net/scripts
        read only = yes


Best regards
Daniel


Am Mittwoch, den 22.04.2020 um 14:40 schrieb L.P.H. van Belle via
samba:
> Hai, 
> 
> I might be handy to tell us a bit more. 
> 
> Like AD-DC or member. 
> content smb.conf ?  
> If AD-DC, are you running with or without bind. 
> with bind? show : dpkg -l |grep bind9 
> 
> Greetz, 
> 
> Louis
> 
> 
> 
> > -----Oorspronkelijk bericht-----
> > Van: samba [mailto:samba-bounces at lists.samba.org] Namens von 
> > Obernitz, Daniel via samba
> > Verzonden: woensdag 22 april 2020 14:18
> > Aan: samba at lists.samba.org
> > Onderwerp: [Samba] pad length mismatch error message
> > 
> > Hi,
> > 
> > I found the following error message in the log.samba:
> > 
> > [2020/04/20 16:32:33.168921, 1] 
> > ../../librpc/rpc/dcerpc_util.c:373(dcerpc_pull_auth_trailer)
> > ../../librpc/rpc/dcerpc_util.c:373: ERROR: pad length 
> > mismatch. Calculated 44 got 0
> > 
> > It happens on all nodes on different times, but unfortunately 
> > I have no specific situation or action which causes this.
> > 
> > We are currently using Samba version 4.12.1-SerNet-Debian-5.buster.
> > 
> > Do you have any idea what could cause this so I can try to 
> > replicate it?
> > 
> > Best regards
> > Daniel
> > 
> 
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 6098 bytes
Desc: not available
URL:
<http://lists.samba.org/pipermail/samba/attachments/20200422/751fe459/smime.bin>

On Wed, 2020-04-22 at 14:49 +0200, von Obernitz, Daniel via samba
wrote:
> Hi Louis,
> 
> it happens on the AC-DC nodes on Debian 10, running with BIND9_DLZ
> backend...
> > > -----Oorspronkelijk bericht-----
> > > Van: samba [mailto:samba-bounces at lists.samba.org] Namens von 
> > > Obernitz, Daniel via samba
> > > Verzonden: woensdag 22 april 2020 14:18
> > > Aan: samba at lists.samba.org
> > > Onderwerp: [Samba] pad length mismatch error message
> > > 
> > > Hi,
> > > 
> > > I found the following error message in the log.samba:
> > > 
> > > [2020/04/20 16:32:33.168921, 1] 
> > > ../../librpc/rpc/dcerpc_util.c:373(dcerpc_pull_auth_trailer)
> > > ../../librpc/rpc/dcerpc_util.c:373: ERROR: pad length 
> > > mismatch. Calculated 44 got 0
> > > 
> > > It happens on all nodes on different times, but unfortunately 
> > > I have no specific situation or action which causes this.
Thanks for reporting this. Firstly, don't worry about 'attr'
packages
or how Bind9 or DNS is configured etc, this is an error in our core RPC
server, and not something that is able to be configured (neither at
build nor runtime).

A client, and we don't include enough information in the message as to
which, so you will need to turn up the log level, is sending an RPC
packet that we don't like the end of.  

In particular, we expected 44 bytes of authentication trailer (the
authentication data in RPC is not in a header, but a trailer at the end
of the packet), probably enough to contain the signature for the
packet, but the client sent nothing. 

We need to work out why that was, and if it matters.  
> > > We are currently using Samba version 4.12.1-SerNet-Debian-
> > > 5.buster.
Thanks.  This may have been caused by a recent rework of our RPC
server.  
> > > Do you have any idea what could cause this so I can try to 
> > > replicate it?
> > > 
> > > Best regards
> > > Daniel
> > > 
Once you work out what client is changing this, then send me a network
capture and matching Samba log (use "debug hires timestamp = Yes",
"log
level = 4") and I'll add it to my backlog to look into.  If you are
able to trigger it on demand, and have time, please do confirm if this
is Samba 4.12 regression by trying Samba 4.11.

Thanks for reporting this and I hope we can figure it out together.

Andrew Bartlett

-- 
Andrew Bartlett                       https://samba.org/~abartlet/
Authentication Developer, Samba Team  https://samba.org
Samba Developer, Catalyst IT          
https://catalyst.net.nz/services/samba

Hi Andrew,
> Thanks for reporting this. Firstly, don't worry about 'attr'
packages
> or how Bind9 or DNS is configured etc, this is an error in our core RPC
> server, and not something that is able to be configured (neither at
> build nor runtime).
> 
> A client, and we don't include enough information in the message as to
> which, so you will need to turn up the log level, is sending an RPC
> packet that we don't like the end of.  
> 
> In particular, we expected 44 bytes of authentication trailer (the
> authentication data in RPC is not in a header, but a trailer at the end
> of the packet), probably enough to contain the signature for the
> packet, but the client sent nothing. 
> 
> We need to work out why that was, and if it matters.  
> 
Thanks for the clarification and explanation what's causing this in general.
I will keep monitoring and looking for the client to replicate it.

> Once you work out what client is changing this, then send me a network
> capture and matching Samba log (use "debug hires timestamp =
Yes", "log
> level = 4") and I'll add it to my backlog to look into.  If you
are
> able to trigger it on demand, and have time, please do confirm if this
> is Samba 4.12 regression by trying Samba 4.11.
We have updated to Samba 4.12. last friday and I checked the old logs before
that.
The error message also appeared with Samba 4.11, which we had before.

Best regards
Daniel
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 6098 bytes
Desc: not available
URL:
<http://lists.samba.org/pipermail/samba/attachments/20200423/659c06e1/smime.bin>