[Samba] Segmentation fault in samba_upgradedns - Samba 4.4.5

Fri Sep 2 12:49:50 UTC 2016

On 2 September 2016 at 13:19, Rowland Penny via samba <samba at lists.samba.org
> wrote:

> On Fri, 2 Sep 2016 13:03:05 +0100
> Rowland Penny via samba <samba at lists.samba.org> wrote:
>
> > On Fri, 2 Sep 2016 12:41:47 +0100
> > Cameron Murdoch via samba <samba at lists.samba.org> wrote:
> >
> > > On 2 September 2016 at 12:21, Rowland Penny via samba
> > > <samba at lists.samba.org
> > > > wrote:
> > >
> > > > On Fri, 2 Sep 2016 11:51:02 +0100
> > > > Cameron Murdoch <cam at macaroon.net> wrote:
> > > >
> > > > > On 2 September 2016 at 09:53, Rowland Penny via samba
> > > > > <samba at lists.samba.org
> > > > > > wrote:
> > > > >
> > > > > > On Thu, 1 Sep 2016 14:12:21 +0100
> > > > > > Rowland Penny via samba <samba at lists.samba.org> wrote:
> > > > > >
> > > > > > >
> > > > > >
> > > > > > Trying to understand why you are getting the segfault, I set
> > > > > > up freebsd 11.0rc2 in a VM and then installed samba44, I now
> > > > > > know where Gentoo gets its ideas from :)
> > > > > >
> > > > > > After freebsd built everything in the chain of required
> > > > > > packages, it finally built Samba, I did notice two things, one
> > > > > > it built part (or perhaps the whole) of Bind 9.8.6 to get
> > > > > > nsupdate and it also used Samba 4.3.11 for various libraries.
> > > > > >
> > > > > > I then tried to provision Samba, big failure, ZFS doesn't seem
> > > > > > to like ACLs, so if somebody could tell me how to get past
> > > > > > this, I would be very much obliged.
> > > > > >
> > > > > > Rowland
> > > > > >
> > > > > >
> > > > > Hi Rowland,
> > > > >
> > > > > I also had issues provisioning (well classicupgrade actually)
> > > > > Samba44. I got segfaults from samba-tool. I did a little bit of
> > > > > debugging, but due to work time pressures I couldn't submit a
> > > > > bug report at the time. From memory I think the python code in
> > > > > samba-tool was crashing when accessing code from security.so,
> > > > > but that might be wrong.
> > > >
> > > > I tried to provision first as I would normally i.e.
> > > > non-interacively but this wouldn't even run, so I tried
> > > > provisioning interactively and this ran up to the point where it
> > > > checks if a simple ACL can be set, I then get this:
> > > >
> > > > ERROR(<class 'samba.provision.ProvisioningError'>): Provision
> > > > failed - ProvisioningError: Your filesystem or build does not
> > > > support posix ACLs, which s3fs requires.  Try the mounting the
> > > > filesystem with the 'acl' option.
> > > >
> > > >
> > > > >
> > > > > To provision/upgrade the domain I had to install samba43 which
> > > > > worked first time, however I had to specify --use-ntvfs to
> > > > > classicupgrade. I am unsure if this has caused any issues, but
> > > > > as domain controllers they seem to work find, etc.
> > > >
> > > > Well, yes it will work, but ntvfs is deprecated and could be
> > > > removed, it also doesn't get much work done on it, hence why I
> > > > don't/won't use it.
> > > >
> > > >
> > > I didn't want to use ntvfs but was desperate at the time :-)
> > > What is the penalty of using ntvfs? Once provisioned with this flag
> > > are you then stuck with it, or can you then use s3fs?
> > >
> >
> > This may be a way forward, see here:
> >
> > https://wiki.samba.org/index.php/Samba4/s3fs
> >
> > It talks about moving from s3fs to ntvfs, but is should also be
> > possible to go the other way, I will try it and let you know.
> >
> > Rowland
> >
>
> I have now found out why you had to provision with samba43,
> the '--use-ntvfs' option is gone from Samba 4.4.x. I never noticed
> because, as I said, I never used it.
> This does of course mean that you cannot use the latest versions of
> Samba as an AD DC with freebsd unless somehow either samba-tool or
> freebsd is changed.
>
> Rowland
>

Once the classicupgrade had completed using samba43, (with --use-ntvfs) and
both the  first DC and a second were working and authenticating clients,
etc I upgraded them both to samba44. Everything seems to work, although I
have issues with dynamic dns updates, and a couple of other small things. I
think that switching to bind might help with some of this.

To confirm, I now have two AD DCs running samba44 on zfs and they mostly
seems to work. I can us ADUC, and other windows tools, clients authenticate
correctly, and I have a Samba44 member server that is serving files
correctly and with zfs nfsv4 acls all working.
Thanks
C