L.P.H. van Belle
2021-Aug-31 07:39 UTC
[Samba] samba-ad-dc.service: Got notification message from PID 27448, but reception only permitted for main PID 27410
Hai Roy,

Thanks for the feedback, much appreciated.
I'm looking at what has changed, because this is one that hardly changed.

I suspect the security fix on systemd has something to do with it.
( see )
https://www.qualys.com/2021/07/20/cve-2021-33910/denial-of-service-systemd.txt

I also saw a recent that abused the Type=notify(-all)

I suspect it's the same in the official debian packages, checking that in a few min.

So far,

Greetz,
Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Roy Eastwood via samba
> Sent: Monday 30 August 2021 20:50
> To: samba at lists.samba.org
> Subject: Re: [Samba] samba-ad-dc.service: Got notification message from PID 27448, but reception only permitted for main PID 27410
>
> On 30 August 2021 13:09 L.P.H. van Belle wrote:
> > Already on it.
> >
> > Quick (and dirty) fix is :
> >
> > sed -i 's/Type=notify/Type=Fork/g' /usr/lib/systemd/system/samba-ad-dc.service
> > systemctl daemon-reload
> > systemctl restart samba-ad-dc
> >
> > A "better" override fix.. I personally use this, I try to "not" touch the original supplied files.
> >
> > systemctl edit samba-ad-dc.service
> > [Unit]
> > # Start bind9 always before samba-ad-dc starts (in case of bind9_dlz)
> > After=network.target network-online.target bind9.service
> >
> > [Service]
> > # Temp fix ad-dc : reception only permitted for main PID
> > Type=Fork
> >
> > Save
> > systemctl daemon-reload
> > systemctl restart samba-ad-dc
> >
> > New versions soon.
> > Greetz,
> >
> > Louis
>
> Thanks Louis. I took your approach. Using the supplied samba-ad-dc.service file I created a file /etc/defaults/samba containing:
> SAMBAOPTIONS="--no-process-group --daemon"
>
> and using "systemctl edit samba-ad-dc", I entered the following:
> [Unit]
> After=network.target remote-fs.target nss-lookup.target named.service
> [Service]
> Type=forking
> ExecStart=
> ExecStart=/usr/sbin/samba $SAMBAOPTIONS
>
> Note that in Bullseye, bind9 service is now the named service. Also I had to use "forking" rather than "fork" and I had to have an empty ExecStart line otherwise it complains about multiple ExecStart lines. I also had to remove the option "--foreground" from the ExecStart line otherwise the service will not start.
>
> After all that the service starts OK without complaining!
>
> Regards,
> Roy
Mani Wieser
2021-Aug-31 08:45 UTC
[Samba] samba-ad-dc.service: Got notification message from PID 27448, but reception only permitted for main PID 27410
On 31.08.2021 09:39, L.P.H. van Belle via samba wrote:
> Hai Roy,
>
> Thanks for the feedback, much appreciated.
> I'm looking at what has changed, because this is one that hardly changed.
>
> I suspect the security fix on systemd has something to do with it.
> ( see )
> https://www.qualys.com/2021/07/20/cve-2021-33910/denial-of-service-systemd.txt
>
> I also saw a recent that abused the Type=notify(-all)
>
> I suspect it's the same in the official debian packages, checking that in a few min.
>
> So far,
>
> Greetz,
> Louis

Hi Louis

I don't think forking is the right Type; according to man systemd.service (systemd 247):

    If set to forking, it is expected that the process configured with ExecStart= will call fork() as part of its start-up. The parent process is expected to exit when start-up is complete and all communication channels are set up. The child continues to run as the main service process, and the service manager will consider the unit started when the parent process exits. .......

Result:
samba-ad-dc.service: start operation timed out. Terminating.
samba-ad-dc.service: Control process exited, code=exited, status=127/n/a
samba-ad-dc.service: Failed with result 'timeout'.
Failed to start Samba AD Daemon.

Because the main PID never exits and runs as root process

Mani
L.P.H. van Belle
2021-Aug-31 09:08 UTC
[Samba] samba-ad-dc.service: Got notification message from PID 27448, but reception only permitted for main PID 27410
Hai all,

I just got a reply from the debian maintainer and tested what he responded.

The coming fix in debian official will be this:

[Service]
Type=notify
NotifyAccess=all   << Added.

So, I'm following that, in addition to the previous post. ( the obsolete part now )

> Already on it.
>
> Quick (and dirty) fix is :
>
> sed -i 's/Type=notify/Type=Fork/g' /usr/lib/systemd/system/samba-ad-dc.service
> systemctl daemon-reload
> systemctl restart samba-ad-dc
>
> A "better" override fix.. I personally use this, I try to "not" touch the original supplied files.
>
> systemctl edit samba-ad-dc.service
> [Unit]
> # Start bind9 always before samba-ad-dc starts (in case of bind9_dlz)
> After=network.target network-online.target bind9.service named.service
>
> [Service]
> # Temp fix ad-dc : reception only permitted for main PID
> Type=Fork
>
> Save
> systemctl daemon-reload
> systemctl restart samba-ad-dc

The real coming fix part.

I recommend you undo the changes if you picked the "sed" option.
And run:

systemctl edit samba-ad-dc.service
[Unit]
# Start bind9 always before samba-ad-dc starts (in case of bind9_dlz)
After=network.target network-online.target bind9.service named.service

[Service]
# Temp fix ad-dc : reception only permitted for main PID
NotifyAccess=all

This way it's correctly set.
Then after a (few) samba updates, see if it's in the default service file.

systemctl cat samba-ad-dc.service|grep NotifyAccess

Once it's in, remove the addition from the override file.
Again with systemctl edit samba-ad-dc.service

* the plus of running: systemctl edit xxxx.service is..
When you save, it automatically runs: systemctl daemon-reload

And run
systemctl restart samba-ad-dc.service

Done.

Greetz,
Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Mani Wieser via samba
> Sent: Tuesday 31 August 2021 10:46
> To: samba at lists.samba.org
> Subject: Re: [Samba] samba-ad-dc.service: Got notification message from PID 27448, but reception only permitted for main PID 27410
>
> On 31.08.2021 09:39, L.P.H. van Belle via samba wrote:
> > Hai Roy,
> >
> > Thanks for the feedback, much appreciated.
> > I'm looking at what has changed, because this is one that hardly changed.
> >
> > I suspect the security fix on systemd has something to do with it.
> > ( see )
> > https://www.qualys.com/2021/07/20/cve-2021-33910/denial-of-service-systemd.txt
> >
> > I also saw a recent that abused the Type=notify(-all)
> >
> > I suspect it's the same in the official debian packages, checking that in a few min.
> >
> > So far,
> >
> > Greetz,
> > Louis
>
> Hi Louis
>
> I don't think forking is the right Type; according to man systemd.service (systemd 247):
>
>     If set to forking, it is expected that the process configured with ExecStart= will call fork() as part of its start-up. The parent process is expected to exit when start-up is complete and all communication channels are set up. The child continues to run as the main service process, and the service manager will consider the unit started when the parent process exits. .......
>
> Result:
> samba-ad-dc.service: start operation timed out. Terminating.
> samba-ad-dc.service: Control process exited, code=exited, status=127/n/a
> samba-ad-dc.service: Failed with result 'timeout'.
> Failed to start Samba AD Daemon.
>
> Because the main PID never exits and runs as root process
>
> Mani
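
The check suggested in the last message (`systemctl cat samba-ad-dc.service|grep NotifyAccess`) only shows whether the line exists, not what the merged unit ends up with. The following is an added example, not part of the thread or of the Samba/Debian packaging: it evaluates merged unit text the way the thread describes the overrides behaving (last `Type=`/`NotifyAccess=` wins, an empty `ExecStart=` resets the list). The function name `unit_notify_check`, the sample unit text and the treatment of an unknown `Type=` value as ignored are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the thread). Reads merged unit text, as printed by
# `systemctl cat UNIT`, on stdin and reports the effective [Service] settings.
unit_notify_check() {
    awk '
    BEGIN {
        n = split("simple exec forking oneshot dbus notify notify-reload idle", t, " ")
        for (i = 1; i <= n; i++) valid[t[i]] = 1
        type = ""; access = ""; nexec = 0; ignored = "-"
    }
    /^[ \t]*[#;]/ { next }                  # comments and "# /path" file headers
    /^[ \t]*\[/   { gsub(/[ \t]/, ""); section = $0; next }
    section != "[Service]" { next }
    {
        eq = index($0, "="); if (eq == 0) next
        key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
        if (key == "Type") {
            # modelled behaviour (assumption): an unknown value such as "Fork" is ignored
            if (val in valid) type = val; else ignored = val
        } else if (key == "NotifyAccess") access = val    # scalar: last one wins
        else if (key == "ExecStart") nexec = (val == "") ? 0 : nexec + 1  # empty resets
    }
    END {
        if (type == "") type = "simple"
        if (access == "") access = "none"
        notify = (type == "notify" || type == "notify-reload")
        if (notify && access == "none") access = "main"   # implicit for Type=notify
        child = !notify ? "n/a" : (access == "all" ? "accepted" : (access == "main" ? "rejected" : "check"))
        printf "type=%s notify_access=%s execstart=%d ignored_type=%s child_notify=%s\n",
               type, access, nexec, ignored, child
    }'
}

# Constructed sample: a packaged unit followed by the NotifyAccess=all drop-in.
sample_fixed() {
    printf '%s\n' '# /usr/lib/systemd/system/samba-ad-dc.service' '[Service]' \
        'Type=notify' 'ExecStart=/usr/sbin/samba --foreground $SAMBAOPTIONS' \
        '# /etc/systemd/system/samba-ad-dc.service.d/override.conf' '[Service]' \
        'NotifyAccess=all'
}

sample_fixed | unit_notify_check
```

On a host, pipe `systemctl cat samba-ad-dc.service` into the function instead of the sample. `NotifyAccess=all` accepts notifications from every process in the unit's control group, so `child_notify=accepted` also means any helper the service spawns can send status updates.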