[Samba] Segmentation fault in samba_upgradedns - Samba 4.4.5

Rowland Penny rpenny at samba.org
Fri Sep 2 13:51:12 UTC 2016 

On Fri, 2 Sep 2016 13:49:50 +0100
Cameron Murdoch via samba <samba at lists.samba.org> wrote:

> On 2 September 2016 at 13:19, Rowland Penny via samba
> <samba at lists.samba.org
> > wrote:
> 
> > On Fri, 2 Sep 2016 13:03:05 +0100
> > Rowland Penny via samba <samba at lists.samba.org> wrote:
> >
> > > On Fri, 2 Sep 2016 12:41:47 +0100
> > > Cameron Murdoch via samba <samba at lists.samba.org> wrote:
> > >
> > > > On 2 September 2016 at 12:21, Rowland Penny via samba
> > > > <samba at lists.samba.org
> > > > > wrote:
> > > >
> > > > > On Fri, 2 Sep 2016 11:51:02 +0100
> > > > > Cameron Murdoch <cam at macaroon.net> wrote:
> > > > >
> > > > > > On 2 September 2016 at 09:53, Rowland Penny via samba
> > > > > > <samba at lists.samba.org
> > > > > > > wrote:
> > > > > >
> > > > > > > On Thu, 1 Sep 2016 14:12:21 +0100
> > > > > > > Rowland Penny via samba <samba at lists.samba.org> wrote:
> > > > > > >
> > > > > > > >
> > > > > > >
> > > > > > > Trying to understand why you are getting the segfault, I
> > > > > > > set up freebsd 11.0rc2 in a VM and then installed
> > > > > > > samba44, I now know where Gentoo gets its ideas from :)
> > > > > > >
> > > > > > > After freebsd built everything in the chain of required
> > > > > > > packages, it finally built Samba, I did notice two
> > > > > > > things, one it built part (or perhaps the whole) of Bind
> > > > > > > 9.8.6 to get nsupdate and it also used Samba 4.3.11 for
> > > > > > > various libraries.
> > > > > > >
> > > > > > > I then tried to provision Samba, big failure, ZFS doesn't
> > > > > > > seem to like ACLs, so if somebody could tell me how to
> > > > > > > get past this, I would be very much obliged.
> > > > > > >
> > > > > > > Rowland
> > > > > > >
> > > > > > >
> > > > > > Hi Rowland,
> > > > > >
> > > > > > I also had issues provisioning (well classicupgrade
> > > > > > actually) Samba44. I got segfaults from samba-tool. I did a
> > > > > > little bit of debugging, but due to work time pressures I
> > > > > > couldn't submit a bug report at the time. From memory I
> > > > > > think the python code in samba-tool was crashing when
> > > > > > accessing code from security.so, but that might be wrong.
> > > > >
> > > > > I tried to provision first as I would normally i.e.
> > > > > non-interacively but this wouldn't even run, so I tried
> > > > > provisioning interactively and this ran up to the point where
> > > > > it checks if a simple ACL can be set, I then get this:
> > > > >
> > > > > ERROR(<class 'samba.provision.ProvisioningError'>): Provision
> > > > > failed - ProvisioningError: Your filesystem or build does not
> > > > > support posix ACLs, which s3fs requires.  Try the mounting the
> > > > > filesystem with the 'acl' option.
> > > > >
> > > > >
> > > > > >
> > > > > > To provision/upgrade the domain I had to install samba43
> > > > > > which worked first time, however I had to specify
> > > > > > --use-ntvfs to classicupgrade. I am unsure if this has
> > > > > > caused any issues, but as domain controllers they seem to
> > > > > > work find, etc.
> > > > >
> > > > > Well, yes it will work, but ntvfs is deprecated and could be
> > > > > removed, it also doesn't get much work done on it, hence why I
> > > > > don't/won't use it.
> > > > >
> > > > >
> > > > I didn't want to use ntvfs but was desperate at the time :-)
> > > > What is the penalty of using ntvfs? Once provisioned with this
> > > > flag are you then stuck with it, or can you then use s3fs?
> > > >
> > >
> > > This may be a way forward, see here:
> > >
> > > https://wiki.samba.org/index.php/Samba4/s3fs
> > >
> > > It talks about moving from s3fs to ntvfs, but is should also be
> > > possible to go the other way, I will try it and let you know.
> > >
> > > Rowland
> > >
> >
> > I have now found out why you had to provision with samba43,
> > the '--use-ntvfs' option is gone from Samba 4.4.x. I never noticed
> > because, as I said, I never used it.
> > This does of course mean that you cannot use the latest versions of
> > Samba as an AD DC with freebsd unless somehow either samba-tool or
> > freebsd is changed.
> >
> > Rowland
> >
> 
> Once the classicupgrade had completed using samba43, (with
> --use-ntvfs) and both the  first DC and a second were working and
> authenticating clients, etc I upgraded them both to samba44.
> Everything seems to work, although I have issues with dynamic dns
> updates, and a couple of other small things. I think that switching
> to bind might help with some of this.

It probably will, I have always used Bind9 and never had any problems.

> 
> To confirm, I now have two AD DCs running samba44 on zfs and they
> mostly seems to work. I can us ADUC, and other windows tools, clients
> authenticate correctly, and I have a Samba44 member server that is
> serving files correctly and with zfs nfsv4 acls all working.
> Thanks
> C

As I said, I know very little about freebsd, but you should be aware
that Samba only supports the last three major versions i.e. at the
moment 4.2.X, 4.3.x and 4.4.x
They are supported in three ways, the oldest version (now 4.2.x) only
gets security fixes, the middle version (4.3.x) gets bug and
security fixes, just not all that the current release (4.4.x) does.

Minor releases are approx every six weeks and major approx every six
months. The next major release is scheduled for this month, at which
point 4.2.x will go EOL, 4.3.x will move to security fixes only and
4.4.x will move to Maintenance mode. It is explained here:

https://wiki.samba.org/index.php/Samba_Release_Planning

What this means is, approx 6 months from now, to set up an AD DC
on freebsd, you will have to install an EOL version and then upgrade
to a supported version.

Rowland

More information about the samba mailing list