[Samba] samba-ad-dc.service: Got notification message from PID 27448, but reception only permitted for main PID 27410

Rowland Penny rpenny at samba.org
Wed Sep 1 08:14:59 UTC 2021

On Wed, 2021-09-01 at 09:48 +0200, L.P.H. van Belle via samba wrote:
> Gooe morning, 
> I'll CC Alexander Bokovoy in this on, i think he can tell us more on
> this.
> Before this ends up in a bloodbath ;-) 
> No, joking her, but i think these guys can tell us. 
> Rowland, Why do you think that we should not set Type. 
> SystemD cant deteriming what type of program is running. 

I am not a systemd expert (I tend towards not using it, but will use it
if I have to), but I can read manpages
> Type must be set and if its not set, type is "simple" ( as Roy also
> noticed )
> If type is simple, it just used /etc/init.d/samba start/stop 

So, 'Type' doesn't need to be set.

> But simple is wrong, just because it wont catch errors when starting
> up.. 
> Quote:  systemctl start command lines for simple services will
> report 
> success even if the service's binary cannot be invoked successfully 

Not a problem, systemd might not catch the errors, but the samba logs

> All i can say is, the Samba team is using "notify" some time. 
> And only somehere in Samba 4.12/4.13  NotifyAccess=  is removed from 
> all service files in the samba sources. 

Perhaps, but from my understanding of systemd, 'notify' expects just
the main program to notify it, not sub programs.

> And after this CVE fix in systemd, its not correct anymore in my
> opionion
> If NotifyAccess= isnt defined, then NotifyAccess=main and 
> main isnt correct for samba-ad-dc, because of the extra processes
> starting.

No it has been going on for some time.

> I dont know how its exact implemeted in samba, i leave that to the
> devs. 
> And lets keek the focus on this that it ONLY involves samba-ad-
> dc.service
> So NotifyAccess=all was removed in this commit 
> https://gitlab.com/thctlo1/samba/-/commit/d1740fb3d5a72cb49e30b330bb0b01e7ef3e09cc 
> Which was correct at that time, but things changed. 
> Lets wait what Alexander or Andreas can tell us on this. 

I am open to persuasion on this, so lets wait until someone can explain
why not having 'Type' is a bad idea. Lets be honest, starting a Samba
DC from an init script worked well for years.


More information about the samba mailing list