L.P.H. van Belle
2021-Aug-30 12:09 UTC
[Samba] samba-ad-dc.service: Got notification message from PID 27448, but reception only permitted for main PID 27410
Already on it.

Quick (and dirty) fix is:

sed -i 's/Type=notify/Type=Fork/g' /usr/lib/systemd/system/samba-ad-dc.service
systemctl daemon-reload
systemctl restart samba-ad-dc

A "better" override fix. I personally use this; I try to "not" touch the original supplied files.

systemctl edit samba-ad-dc.service

[Unit]
# Start bind9 always before samba-ad-dc starts (in case of bind9_dlz)
After=network.target network-online.target bind9.service

[Service]
# Temp fix ad-dc : reception only permitted for main PID
Type=Fork

Save
systemctl daemon-reload
systemctl restart samba-ad-dc

New versions soon.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Roy Eastwood via samba
> Sent: Monday 30 August 2021 13:01
> To: samba at lists.samba.org
> Subject: Re: [Samba] samba-ad-dc.service: Got notification message from PID 27448, but reception only permitted for main PID 27410
>
> On 30 August 2021 11:17 Rowland Penny via samba wrote:
> > On Mon, 2021-08-30 at 11:00 +0100, Roy Eastwood via samba wrote:
> > > Using Louis' repo I upgraded a samba DC to version 4.14.7 on a raspberry pi running Debian Bullseye. I noticed the above message when I checked the status of the samba-ad-dc service. The messages were:
> > >
> > > Aug 30 10:41:48 rpi3-dc systemd[1]: samba-ad-dc.service: Got notification message from PID 27448, but reception only permitted for main PID 27410
> > > Aug 30 10:41:48 rpi3-dc systemd[1]: samba-ad-dc.service: Got notification message from PID 27416, but reception only permitted for main PID 27410
> > >
> > > The two processes were as follows:
> > > root@rpi3-dc:~# ps ax | egrep '27416 | 27448'
> > > 27416 ?        Ss     0:01 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
> > > 27448 ?        Ss     0:01 /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
> > > 28130 pts/0    S+     0:00 grep -E 27416 | 27448
> > >
> > > Is this to be expected?
> >
> > Yes it is, because the 'Type' in samba-ad-dc.service is set to 'notify', try changing it to 'fork'
> >
> > Rowland
>
> Ah! Thanks for that. Before the upgrade, I had the systemd samba-ad-dc.service file as per the WiKi, but, unknown to me, the upgrade replaced the file /lib/systemd/system/samba-ad-dc.service with one which, amongst other things, had changed the 'Type' to 'Notify'. I changed it to 'Fork' but that resulted in the service timing out and would not start. Tried 'Forking' with the same result. So I replaced the file with a backup to restore to that recommended in the WiKi and all is now well.
>
> Perhaps Louis needs to look at this in his repo?
>
> Thanks once again Rowland!
>
> Roy
Roy Eastwood
2021-Aug-30 18:50 UTC
[Samba] samba-ad-dc.service: Got notification message from PID 27448, but reception only permitted for main PID 27410
On 30 August 2021 13:09 L.P.H. van Belle wrote:
> Already on it.
>
> Quick (and dirty) fix is:
>
> sed -i 's/Type=notify/Type=Fork/g' /usr/lib/systemd/system/samba-ad-dc.service
> systemctl daemon-reload
> systemctl restart samba-ad-dc
>
> A "better" override fix. I personally use this; I try to "not" touch the original supplied files.
>
> systemctl edit samba-ad-dc.service
> [Unit]
> # Start bind9 always before samba-ad-dc starts (in case of bind9_dlz)
> After=network.target network-online.target bind9.service
>
> [Service]
> # Temp fix ad-dc : reception only permitted for main PID
> Type=Fork
>
> Save
> systemctl daemon-reload
> systemctl restart samba-ad-dc
>
> New versions soon.
> Greetz,
>
> Louis

Thanks Louis. I took your approach. Using the supplied samba-ad-dc.service file I created a file /etc/defaults/samba containing:

SAMBAOPTIONS="--no-process-group --daemon"

and using "systemctl edit samba-ad-dc", I entered the following:

[Unit]
After=network.target remote-fs.target nss-lookup.target named.service
[Service]
Type=forking
ExecStart=
ExecStart=/usr/sbin/samba $SAMBAOPTIONS

Note that in Bullseye, bind9 service is now the named service. Also I had to use "forking" rather than "fork" and I had to have an empty ExecStart line otherwise it complains about multiple ExecStart lines. I also had to remove the option "--foreground" from the ExecStart line otherwise the service will not start.

After all that the service starts OK without complaining!

Regards,
Roy
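An added example, not part of the original thread or of the Samba packaging: a small shell linter for a samba-ad-dc drop-in that flags the three pitfalls reported in the messages above (an unrecognised Type= value, an ExecStart= override without the empty reset line, and Type=forking combined with --foreground). The function names and the broken_dropin sample are constructed for illustration, and it assumes the packaged unit already defines ExecStart=.

```shell
# Added example, not from the thread. Reads a drop-in on stdin and prints one
# finding per line. Assumption: the packaged unit already defines ExecStart=.
lint_dropin() {
    awk '
    { sub(/[ \t\r]+$/, "") }                    # trim trailing whitespace
    /^[ \t]*[#;]/ { next }                      # skip comment lines
    /^\[/ { section = $0; next }                # track the current section
    section != "[Service]" { next }
    /^Type=/ {
        type = substr($0, 6)                    # values are case-sensitive
        if (type !~ /^(simple|exec|forking|oneshot|dbus|notify|notify-reload|idle)$/)
            print "invalid-type:" type
    }
    /^ExecStart=/ {
        cmd = substr($0, 11)
        if (cmd == "") { reset = 1; next }      # empty line clears inherited list
        if (!reset) print "execstart-without-reset"
        if (index(" " cmd " ", " --foreground ")) fg = 1
    }
    END {
        # A forking service must daemonize; --foreground prevents that.
        if (type == "forking" && fg) print "forking-with-foreground"
    }'
}
# The [Service] part of the first override posted in the thread.
first_dropin() { cat <<'EOF'
[Service]
Type=Fork
EOF
}
# The override that was reported to start cleanly.
working_dropin() { cat <<'EOF'
[Service]
Type=forking
ExecStart=
ExecStart=/usr/sbin/samba $SAMBAOPTIONS
EOF
}
# Constructed sample combining the other two reported pitfalls.
broken_dropin() { cat <<'EOF'
[Service]
Type=forking
ExecStart=/usr/sbin/samba --foreground --no-process-group
EOF
}
for f in first_dropin working_dropin broken_dropin; do
    printf '%s: %s\n' "$f" "$($f | lint_dropin | tr '\n' ' ')"
done
```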
L.P.H. van Belle
2021-Aug-31 07:39 UTC
[Samba] samba-ad-dc.service: Got notification message from PID 27448, but reception only permitted for main PID 27410
Hai Roy,

Thanks for the feedback, much appreciated.
I'm looking at where/what has changed, because this is one that hardly changed.
I suspect the security fix on systemd has something to do with it. (see)
https://www.qualys.com/2021/07/20/cve-2021-33910/denial-of-service-systemd.txt

I also saw a recent that abused the Type=notify(-all)

I suspect it's the same in the official debian packages, checking that in a few min.

So far,

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Roy Eastwood via samba
> Sent: Monday 30 August 2021 20:50
> To: samba at lists.samba.org
> Subject: Re: [Samba] samba-ad-dc.service: Got notification message from PID 27448, but reception only permitted for main PID 27410
>
> On 30 August 2021 13:09 L.P.H. van Belle wrote:
> > Already on it.
> >
> > Quick (and dirty) fix is:
> >
> > sed -i 's/Type=notify/Type=Fork/g' /usr/lib/systemd/system/samba-ad-dc.service
> > systemctl daemon-reload
> > systemctl restart samba-ad-dc
> >
> > A "better" override fix. I personally use this; I try to "not" touch the original supplied files.
> >
> > systemctl edit samba-ad-dc.service
> > [Unit]
> > # Start bind9 always before samba-ad-dc starts (in case of bind9_dlz)
> > After=network.target network-online.target bind9.service
> >
> > [Service]
> > # Temp fix ad-dc : reception only permitted for main PID
> > Type=Fork
> >
> > Save
> > systemctl daemon-reload
> > systemctl restart samba-ad-dc
> >
> > New versions soon.
> > Greetz,
> >
> > Louis
>
> Thanks Louis. I took your approach. Using the supplied samba-ad-dc.service file I created a file /etc/defaults/samba containing:
> SAMBAOPTIONS="--no-process-group --daemon"
>
> and using "systemctl edit samba-ad-dc", I entered the following:
> [Unit]
> After=network.target remote-fs.target nss-lookup.target named.service
> [Service]
> Type=forking
> ExecStart=
> ExecStart=/usr/sbin/samba $SAMBAOPTIONS
>
> Note that in Bullseye, bind9 service is now the named service. Also I had to use "forking" rather than "fork" and I had to have an empty ExecStart line otherwise it complains about multiple ExecStart lines. I also had to remove the option "--foreground" from the ExecStart line otherwise the service will not start.
>
> After all that the service starts OK without complaining!
>
> Regards,
> Roy