samba - Aug 2021 - samba-ad-dc.service: Got notification message from PID 27448, but reception only permitted for main PID 27410

Hai all, 

I just got reply from the debian maintainer and tested on what he responded. 
The coming fix in debian official this will be..

[Service]
Type=notify
NotifyAccess=all		<< Added. 


So, im following that and in addition to the previous post. 
( the absolete part now ) 
> Already on it.
> 
> Quick (and dirty) fix is :
> 
> sed -i 's/Type=notify/Type=Fork/g'
/usr/lib/systemd/system/samba-ad-dc.service
> systemctl daemon-reload
> systemctl restart samba-ad-dc
> 
> 
> A "better" override fix.. I personaly use this, i try to
"not" touch the original supplied files.
> 
> systemctl edit samba-ad-dc.service
> [Unit]
> # Start bind9 always before samba-ad-dc starts (in case of bind9_dlz)
> After=network.target network-online.target bind9.service named.service
> 
> [Service]
> # Temp fix ad-dc : reception only permitted for main PID
> Type=Fork
> 
> 
> Save
> systemctl daemon-reload
> systemctl restart samba-ad-dc
The real coming fix part. 
I recommend you undo the changes if you picked the "sed" option. 

And run : systemctl edit samba-ad-dc.service
[Unit]
# Start bind9 always before samba-ad-dc starts (in case of bind9_dlz)
After=network.target network-online.target bind9.service named.service


[Service]
# Temp fix ad-dc : reception only permitted for main PID
NotifyAccess=all

This way its correctly set. 
Then after a (few) samba updates, see if its in the default serivce file. 
systemctl cat samba-ad-dc.service|grep NotifyAccess

Once it's in, remove the addition from the override file. 
Again with systemctl edit samba-ad-dc.service 

* the plus of running : systemctl edit xxxx.service is.. 
When you save, it automaticly does  run : systemctl daemon-reload

And run systemctl restart samba-ad-ac.service 
Done. 

Greetz, 

Louis


> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Mani 
> Wieser via samba
> Verzonden: dinsdag 31 augustus 2021 10:46
> Aan: samba at lists.samba.org
> Onderwerp: Re: [Samba] samba-ad-dc.service: Got notification 
> message from PID 27448, but reception only permitted for main 
> PID 27410
> 
> On 31.08.2021 09:39, L.P.H. van Belle via samba wrote:
> > Hai Roy,
> >
> > Thanks for the feedback, much apriciated.
> > Im looking where what has changed, because this is one that 
> hardly changed.
> >
> > I suspect the security fix on systemd has something todo with it.
> > ( see )
> > 
> https://www.qualys.com/2021/07/20/cve-2021-33910/denial-of-ser
> vice-systemd.txt
> >
> > I also saw a recent that abused the Type=notify(-all)
> >
> > Is suspect its same in the official debian packages, 
> checking that in few min.
> >
> > So far,
> >
> > Greetz,
> > Louis
> >
> Hi Louis
> 
> I don't think forking is the right Type; according man 
> systemd.service? 
> (systemd 247 ):
> 
>   If set to forking, it is expected that the process 
> configured with ExecStart= will call fork() as part of its 
> start-up. The parent process is expected to exit when
>   start-up is complete and all communication channels are set 
> up. The child continues to run as the main service process, 
> and the service manager will consider the
>   unit started when the parent process exits. .......
> 
> Result:
> samba-ad-dc.service: start operation timed out. Terminating.
> samba-ad-dc.service: Control process exited, code=exited, 
> status=127/n/a
> samba-ad-dc.service: Failed with result 'timeout'.
> Failed to start Samba AD Daemon.
> 
> Because the main PID never exits and runs as root process
> 
> Mani
> 
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 
>

On 31.08.2021 11:08, L.P.H. van Belle via samba wrote:
> [Service]
> # Temp fix ad-dc : reception only permitted for main PID
> NotifyAccess=all
I can confirm a noise less restart of samba version 4.14.7-Debian (bullseye)

Mani