[Samba] Segmentation fault in samba_upgradedns - Samba 4.4.5

Rowland Penny rpenny at samba.org
Sat Sep 10 18:07:56 UTC 2016


On Sat, 10 Sep 2016 15:56:50 +0100
Cameron Murdoch via samba <samba at lists.samba.org> wrote:

> On 8 September 2016 at 08:17, Rowland Penny via samba
> <samba at lists.samba.org> wrote:
> 
> > On Thu, 08 Sep 2016 12:58:18 +1200
> > Andrew Bartlett <abartlet at samba.org> wrote:
> >
> > > On Fri, 2016-09-02 at 13:19 +0100, Rowland Penny via samba wrote:
> > > >
> > > >
> > > > I have now found out why you had to provision with samba43,
> > > > the '--use-ntvfs' option is gone from Samba 4.4.x. I never
> > > > noticed because, as I said, I never used it.
> > > > This does of course mean that you cannot use the latest
> > > > versions of Samba as an AD DC with FreeBSD unless somehow
> > > > either samba-tool or FreeBSD is changed.
> > >
> > > BTW, just to be clear for those on the list:
> > >
> > > --use-ntvfs is gone by default, because we don't build it by
> > > default. To re-enable it if you have a really important use case
> > > you use --with-ntvfs-fileserver at configure time.
> > >
> > > The main reason for that is so that when a security hole is found
> > > in the NTVFS file server (as all C code is prone to), that we
> > > don't have to make the NAS vendors and major Linux distros
> > > upgrade their packages, as the code won't be in their binaries.
> > >
> > > (However we would really like to know if that is really needed,
> > > as the code will probably go away at some point).
> > >
> > > Andrew Bartlett
> > >
> >
> > It would seem that it is accepted practice to use '--use-ntvfs' on
> > FreeBSD with ZFS if you want an AD DC. I have some ideas on how to
> > fix this, but it depends on being able to build Samba on FreeBSD,
> > something I am struggling with, so bear with me.
> >
> > Rowland
> >
> 
> Regardless of --use-ntvfs I still can't upgrade to the bind9 backend
> due to the segfault in samba_upgradedns.
> 
> I've tried to add a new domain controller to the domain, and I get
> the following segfault in samba-tool:
> 
> [root at dc3 ~]# samba-tool domain join mbok.co.uk DC -Umbok\setup
> --realm= MBOK.CO.UK --dns-backend=BIND9_DLZ
> Finding a writeable DC for domain 'mbok.co.uk'
> Found DC dc1.mbok.co.uk
> Password for [WORKGROUP\mboksetup]:
> [root at dc3 ~]# samba-tool domain join mbok.co.uk DC -Usetup  --realm=
> MBOK.CO.UK --dns-backend=BIND9_DLZ
> Finding a writeable DC for domain 'mbok.co.uk'
> Found DC dc1.mbok.co.uk
> Password for [WORKGROUP\setup]:
> workgroup is MBOK
> realm is mbok.co.uk
> checking sAMAccountName
> Adding CN=DC3,OU=Domain Controllers,DC=mbok,DC=co,DC=uk
> Adding
> CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mbok,DC=co,DC=uk
> Adding CN=NTDS
> Settings,CN=DC3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mbok,DC=co,DC=uk
> Adding SPNs to CN=DC3,OU=Domain Controllers,DC=mbok,DC=co,DC=uk
> Setting account password for DC3$
> Enabling account
> Adding DNS account CN=dns-DC3,CN=Users,DC=mbok,DC=co,DC=uk with dns/
> SPN Setting account password for dns-DC3
> Calling bare provision
> Looking up IPv4 addresses
> Looking up IPv6 addresses
> No IPv6 address will be assigned
> Setting up share.ldb
> Setting up secrets.ldb
> Setting up the registry
> Setting up the privileges database
> Setting up idmap db
> Setting up SAM db
> Setting up sam.ldb partitions and settings
> Setting up sam.ldb rootDSE
> Pre-loading the Samba 4 and AD schema
> A Kerberos configuration suitable for Samba 4 has been generated at
> /var/db/samba4/private/krb5.conf
> Provision OK for domain DN DC=mbok,DC=co,DC=uk
> Starting replication
> Schema-DN[CN=Schema,CN=Configuration,DC=mbok,DC=co,DC=uk]
> objects[402/1550] linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=mbok,DC=co,DC=uk]
> objects[804/1550] linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=mbok,DC=co,DC=uk]
> objects[1206/1550] linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=mbok,DC=co,DC=uk]
> objects[1550/1550] linked_values[0/0]
> Analyze and apply schema objects
> Partition[CN=Configuration,DC=mbok,DC=co,DC=uk] objects[402/1619]
> linked_values[0/0]
> Partition[CN=Configuration,DC=mbok,DC=co,DC=uk] objects[804/1619]
> linked_values[0/0]
> Partition[CN=Configuration,DC=mbok,DC=co,DC=uk] objects[1206/1619]
> linked_values[0/0]
> Partition[CN=Configuration,DC=mbok,DC=co,DC=uk] objects[1608/1619]
> linked_values[0/0]
> Partition[CN=Configuration,DC=mbok,DC=co,DC=uk] objects[1619/1619]
> linked_values[39/0]
> Replicating critical objects from the base DN of the domain
> Partition[DC=mbok,DC=co,DC=uk] objects[98/98] linked_values[26/0]
> Partition[DC=mbok,DC=co,DC=uk] objects[464/366] linked_values[52/0]
> Done with always replicated NC (base, config, schema)
> Replicating DC=DomainDnsZones,DC=mbok,DC=co,DC=uk
> Partition[DC=DomainDnsZones,DC=mbok,DC=co,DC=uk] objects[87/87]
> linked_values[0/0]
> Replicating DC=ForestDnsZones,DC=mbok,DC=co,DC=uk
> Partition[DC=ForestDnsZones,DC=mbok,DC=co,DC=uk] objects[19/19]
> linked_values[0/0]
> Committing SAM database
> Sending DsReplicaUpdateRefs for all the replicated partitions
> Setting isSynchronized and dsServiceName
> Setting up secrets database
> Segmentation fault (core dumped)
> 
> Thanks for your help
> Cameron

OK, I think I know what is going on here, this is only a guess and a
wild one at that.

The secrets database (secrets.ldb) has been changed, it now adds a
'saltPrincipal' attribute to the 'dns-*' user that is created for
Bind9.

I am not entirely sure why this is failing, more info is needed. Can
you try again, but add '-d10'?
Hopefully this will find what is going on.

Rowland 


