[PATCH] Fix invocation of gnutls_aead_cipher_encrypt() (was: Provisioning fails on 4.8.0 on FreeBSD)

Timur I. Bakeyev timur at freebsd.org
Thu Mar 22 04:59:32 UTC 2018

Thanks to Garming I was able to figure out what the problem was.

Besides mixed up block and tag sizes, the invocation of
gnutls_aead_cipher_encrypt() requires the last parameter to be initialized
with the maximum buffer size:

int gnutls_aead_cipher_encrypt (gnutls_aead_cipher_hd_t handle, const void
* nonce, size_t nonce_len, const void * auth, size_t auth_len, size_t
tag_size, const void * ptext, size_t ptext_len, void * ctext, size_t *


ctext_len: the length of encrypted data (initially must hold the maximum
available size, including space for tag)

Please, review and commit.

With best regards,
Timur Bakeyev.

On 15 March 2018 at 00:07, Timur I. Bakeyev <timur at freebsd.org> wrote:

> Hi!
> I know that AD DC provisioning was crippled on FreeBSD for quite a
> while, so I tried once again with the hope that in 4.8.0 the situation has
> changed. Well, now I got quite a new error message while trying:
> # /usr/local/bin/samba-tool domain provision --realm 'DOMAIN.FREEBSD'
> --domain 'DOMAIN' --dns-backend 'SAMBA_INTERNAL'  --server-role 'dc'
> Administrator password will be set randomly!
> Looking up IPv4 addresses
> Looking up IPv6 addresses
> Setting up secrets.ldb
> Setting up the registry
> Setting up the privileges database
> Setting up idmap db
> Setting up SAM db
> Setting up sam.ldb partitions and settings
> Setting up sam.ldb rootDSE
> Pre-loading the Samba 4 and AD schema
> Unable to determine the DomainSID, can not enforce uniqueness constraint
> on local domainSIDs
> Adding DomainDN: DC=domain,DC=freebsd
> Adding configuration container
> Setting up sam.ldb schema
> Setting up sam.ldb configuration data
> Setting up display specifiers
> Modifying display specifiers and extended rights
> Adding users container
> Modifying users container
> Adding computers container
> Modifying computers container
> Setting up sam.ldb data
> Setting up well known security principals
> Setting up sam.ldb users and groups
> ERROR(ldb): uncaught exception - gnutls_aead_cipher_encrypt 'failed
> GNUTLS_E_SHORT_MEMORY_BUFFER - The given memory buffer is too short to hold
> parameters.
>   File "/usr/local/lib/python2.7/site-packages/samba/netcmd/__init__.py",
> line 176, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/local/lib/python2.7/site-packages/samba/netcmd/domain.py",
> line 500, in run
>     plaintext_secrets=plaintext_secrets)
>   File "/usr/local/lib/python2.7/site-packages/samba/provision/__init__.py",
> line 2276, in provision
>     skip_sysvolacl=skip_sysvolacl)
>   File "/usr/local/lib/python2.7/site-packages/samba/provision/__init__.py",
> line 1870, in provision_fill
>     next_rid=next_rid, dc_rid=dc_rid)
>   File "/usr/local/lib/python2.7/site-packages/samba/provision/__init__.py",
> line 1524, in fill_samdb
>     "KRBTGTPASS_B64": b64encode(krbtgtpass.encode('utf-16-le'))
>   File "/usr/local/lib/python2.7/site-packages/samba/provision/common.py",
> line 55, in setup_add_ldif
>     ldb.add_ldif(data, controls)
>   File "/usr/local/lib/python2.7/site-packages/samba/__init__.py", line
> 229, in add_ldif
>     self.add(msg, controls)
> So, what do I miss and where can I increase the buffer size?
> With regards,
> Timur Bakeyev.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Fix-invocation-of-gnutls_aead_cipher_encrypt.patch
Type: application/octet-stream
Size: 1493 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20180322/3d29c39c/0001-Fix-invocation-of-gnutls_aead_cipher_encrypt.obj>
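
The in/out length contract described in the message above, as an added example that is not part of the original post or of the attached patch. `model_aead_encrypt`, `seal_declaring`, `seal_correct`, the error code and the 16-byte tag are hypothetical stand-ins (no GnuTLS, no real cryptography) so that the block runs without linking the library; only the handling of the last parameter mirrors the quoted documentation.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MODEL_E_SHORT_BUFFER (-1) /* constructed error code for this model */
#define TAG_SIZE 16               /* constructed tag length */

/* Hypothetical stand-in: not GnuTLS, no real cryptography. It enforces only
 * the contract of the last parameter: on entry *ctext_len is the capacity of
 * ctext, on success it becomes the number of bytes written. */
static int model_aead_encrypt(size_t tag_size, const void *ptext,
                              size_t ptext_len, void *ctext, size_t *ctext_len)
{
    if (tag_size > SIZE_MAX - ptext_len || *ctext_len < ptext_len + tag_size)
        return MODEL_E_SHORT_BUFFER;  /* refuse instead of overflowing ctext */
    memcpy(ctext, ptext, ptext_len);  /* placeholder for the ciphertext */
    memset((unsigned char *)ctext + ptext_len, 0xA5, tag_size); /* placeholder tag */
    *ctext_len = ptext_len + tag_size;
    return 0;
}

/* Caller storing `declared` (capped at the real buffer size) as initial length. */
int seal_declaring(const void *ptext, size_t ptext_len, size_t declared)
{
    unsigned char out[256];
    size_t out_len = declared < sizeof(out) ? declared : sizeof(out);
    return model_aead_encrypt(TAG_SIZE, ptext, ptext_len, out, &out_len);
}

/* Correct caller: allocate plaintext + tag and pass that capacity in out_len.
 * Returns the number of bytes written, or -1 on failure. */
long seal_correct(const void *ptext, size_t ptext_len)
{
    size_t out_len = ptext_len + TAG_SIZE;
    unsigned char *out = malloc(out_len);
    if (out == NULL) return -1;
    int rc = model_aead_encrypt(TAG_SIZE, ptext, ptext_len, out, &out_len);
    free(out);
    return rc == 0 ? (long)out_len : -1;
}

int main(void)
{
    printf("length left at 0:  %d\n", seal_declaring("secret", 6, 0));
    printf("no room for tag:   %d\n", seal_declaring("secret", 6, 6));
    printf("plaintext + tag:   %ld bytes\n", seal_correct("secret", 6));
    return 0;
}
```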
