[Samba] samba-ad-dc.service: Got notification message from PID 27448, but reception only permitted for main PID 27410
L.P.H. van Belle
belle at bazuin.nl
Tue Aug 31 09:08:59 UTC 2021
Hai all,
I just got a reply from the Debian maintainer and tested what he responded.
The coming fix in official Debian will be:
[Service]
Type=notify
NotifyAccess=all << Added.
So, I'm following that, in addition to the previous post.
(the obsolete part now)
> Already on it.
>
> Quick (and dirty) fix is :
>
> sed -i 's/Type=notify/Type=Fork/g' /usr/lib/systemd/system/samba-ad-dc.service
> systemctl daemon-reload
> systemctl restart samba-ad-dc
>
>
> A "better" override fix.. I personally use this, I try to "not" touch the original supplied files.
>
> systemctl edit samba-ad-dc.service
> [Unit]
> # Start bind9 always before samba-ad-dc starts (in case of bind9_dlz)
> After=network.target network-online.target bind9.service named.service
>
> [Service]
> # Temp fix ad-dc : reception only permitted for main PID
> Type=Fork
>
>
> Save
> systemctl daemon-reload
> systemctl restart samba-ad-dc
The real coming fix part.
I recommend you undo the changes if you picked the "sed" option.
And run : systemctl edit samba-ad-dc.service
[Unit]
# Start bind9 always before samba-ad-dc starts (in case of bind9_dlz)
After=network.target network-online.target bind9.service named.service
[Service]
# Temp fix ad-dc : reception only permitted for main PID
NotifyAccess=all
This way it's correctly set.
Then after a (few) Samba updates, see if it's in the default service file.
systemctl cat samba-ad-dc.service|grep NotifyAccess
Once it's in, remove the addition from the override file.
Again with systemctl edit samba-ad-dc.service
* The plus of running systemctl edit xxxx.service is:
When you save, it automatically runs: systemctl daemon-reload
And run systemctl restart samba-ad-dc.service
Done.
Greetz,
Louis
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Mani
> Wieser via samba
> Sent: Tuesday 31 August 2021 10:46
> To: samba at lists.samba.org
> Subject: Re: [Samba] samba-ad-dc.service: Got notification
> message from PID 27448, but reception only permitted for main
> PID 27410
>
> On 31.08.2021 09:39, L.P.H. van Belle via samba wrote:
> > Hai Roy,
> >
> > Thanks for the feedback, much appreciated.
> > I'm looking where what has changed, because this is one that hardly changed.
> >
> > I suspect the security fix on systemd has something to do with it.
> > ( see )
> > https://www.qualys.com/2021/07/20/cve-2021-33910/denial-of-service-systemd.txt
> >
> > I also saw a recent that abused the Type=notify(-all)
> >
> > I suspect it's the same in the official Debian packages, checking that in a few min.
> >
> > So far,
> >
> > Greetz,
> > Louis
> >
> Hi Louis
>
> I don't think forking is the right Type; according to man systemd.service
> (systemd 247):
>
> If set to forking, it is expected that the process
> configured with ExecStart= will call fork() as part of its
> start-up. The parent process is expected to exit when
> start-up is complete and all communication channels are set
> up. The child continues to run as the main service process,
> and the service manager will consider the
> unit started when the parent process exits. .......
>
> Result:
> samba-ad-dc.service: start operation timed out. Terminating.
> samba-ad-dc.service: Control process exited, code=exited,
> status=127/n/a
> samba-ad-dc.service: Failed with result 'timeout'.
> Failed to start Samba AD Daemon.
>
> Because the main PID never exits and runs as root process
>
> Mani
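The `systemctl cat samba-ad-dc.service|grep NotifyAccess` check in the message above also matches the line in the override drop-in, so a hit does not by itself show that the packaged unit now carries the setting. As an added example (not part of the original thread), this sketch attributes each `NotifyAccess=` line to the file that sets it; the function names, the `override.conf` drop-in path and the sample text are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Input: `systemctl cat <unit>` on stdin.

# Print "kind<TAB>value<TAB>file" for every NotifyAccess= line.
# Assumes the "# /path" header line that systemctl cat prints before each file.
notifyaccess_sources() {
    awk '
        /^# \// { file = substr($0, 3); next }   # file header: remember the path
        /^[ \t]*NotifyAccess[ \t]*=/ {
            val = $0
            sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            kind = (file ~ /\.service\.d\//) ? "drop-in" : "packaged"
            print kind "\t" val "\t" file
        }'
}

# keep-override:   only the drop-in sets NotifyAccess=all
# remove-override: the packaged unit sets it too, so the drop-in line is redundant
override_status() {
    notifyaccess_sources | awk -F'\t' '
        $1 == "packaged" && $2 == "all" { pkg = 1 }
        $1 == "drop-in"  && $2 == "all" { drop = 1 }
        END {
            s = "not-set"
            if (drop) s = "keep-override"
            if (pkg)  s = drop ? "remove-override" : "packaged-only"
            print s
        }'
}

# Constructed sample: packaged unit without the fix, override in place.
SAMPLE_BEFORE='# /usr/lib/systemd/system/samba-ad-dc.service
[Service]
Type=notify

# /etc/systemd/system/samba-ad-dc.service.d/override.conf
[Service]
# Temp fix ad-dc : reception only permitted for main PID
NotifyAccess=all'

# Constructed sample: packaged unit updated, override still present.
SAMPLE_AFTER='# /usr/lib/systemd/system/samba-ad-dc.service
[Service]
Type=notify
NotifyAccess=all

# /etc/systemd/system/samba-ad-dc.service.d/override.conf
[Service]
NotifyAccess=all'

printf '%s\n' "$SAMPLE_BEFORE" | override_status
printf '%s\n' "$SAMPLE_AFTER"  | override_status
```

On a live system the same function reads `systemctl cat samba-ad-dc.service | override_status`.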