Provisioning fails on 4.8.0 on FreeBSD

Garming Sam garming at catalyst.net.nz
Sun Mar 18 21:07:56 UTC 2018 

Hi,

The last time I encountered such an error with GnuTLS, it meant that
there needed to be a back-off with the correct size.

a) Perform crypto with fixed buffer size which may be too small

b) GnuTLS returns too short, but returns the size required

c) Resize the buffer to the correct length and retry

There might be some assumption we're making about the sizes that is not
the same and/or a bug.

The gnutls_aead_cipher_encrypt was only recently introduced and should
be simple to find. If you want to check if the rest proceeds, past this
error, it should also be possible to disable the module, but I would try
to see if there is a simple solution to this error first.

Cheers,

Garming

On 15/03/18 12:07, Timur I. Bakeyev via samba-technical wrote:
> Hi!
>
> I know that AD DC provisioning was crippled on FreeBSD for quite a while,so
> I tried once again with the hope that in 4.8.0 the situation has changed.
> Well, now I got quite  anew error message while trying:
>
> # /usr/local/bin/samba-tool domain provision --realm 'DOMAIN.FREEBSD'
> --domain 'DOMAIN' --dns-backend 'SAMBA_INTERNAL'  --server-role 'dc'
> Administrator password will be set randomly!
> Looking up IPv4 addresses
> Looking up IPv6 addresses
> Setting up secrets.ldb
> Setting up the registry
> Setting up the privileges database
> Setting up idmap db
> Setting up SAM db
> Setting up sam.ldb partitions and settings
> Setting up sam.ldb rootDSE
> Pre-loading the Samba 4 and AD schema
> Unable to determine the DomainSID, can not enforce uniqueness constraint on
> local domainSIDs
>
> Adding DomainDN: DC=domain,DC=freebsd
> Adding configuration container
> Setting up sam.ldb schema
> Setting up sam.ldb configuration data
> Setting up display specifiers
> Modifying display specifiers and extended rights
> Adding users container
> Modifying users container
> Adding computers container
> Modifying computers container
> Setting up sam.ldb data
> Setting up well known security principals
> Setting up sam.ldb users and groups
> ERROR(ldb): uncaught exception - gnutls_aead_cipher_encrypt 'failed
> GNUTLS_E_SHORT_MEMORY_BUFFER - The given memory buffer is too short to hold
> parameters.
>
>   File "/usr/local/lib/python2.7/site-packages/samba/netcmd/__init__.py",
> line 176, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/local/lib/python2.7/site-packages/samba/netcmd/domain.py",
> line 500, in run
>     plaintext_secrets=plaintext_secrets)
>   File
> "/usr/local/lib/python2.7/site-packages/samba/provision/__init__.py", line
> 2276, in provision
>     skip_sysvolacl=skip_sysvolacl)
>   File
> "/usr/local/lib/python2.7/site-packages/samba/provision/__init__.py", line
> 1870, in provision_fill
>     next_rid=next_rid, dc_rid=dc_rid)
>   File
> "/usr/local/lib/python2.7/site-packages/samba/provision/__init__.py", line
> 1524, in fill_samdb
>     "KRBTGTPASS_B64": b64encode(krbtgtpass.encode('utf-16-le'))
>   File "/usr/local/lib/python2.7/site-packages/samba/provision/common.py",
> line 55, in setup_add_ldif
>     ldb.add_ldif(data, controls)
>   File "/usr/local/lib/python2.7/site-packages/samba/__init__.py", line
> 229, in add_ldif
>     self.add(msg, controls)
>
> So, what do I miss and where I can increase the buffer size?
>
> With regards,
> Timur Bakeyev.

More information about the samba-technical mailing list