[Samba] samba-ad-dc.service: Got notification message from PID 27448, but reception only permitted for main PID 27410
L.P.H. van Belle
belle at bazuin.nl
Wed Sep 1 14:35:21 UTC 2021
On this :
> Type=notify changes NotifyAccess forcibly to 'main' if
> NotifyAccess is not set (our case). Are you claiming this has
> changed in systemd?
Yes, that is correct, this is something related to changes in systemd.
I suspect it's this one:
https://www.qualys.com/2021/07/20/cve-2021-33910/denial-of-service-systemd.txt
In Debian this change passed on: [20 Jul 2021] DSA-4942 systemd - security update
And NotifyAccess=main won't work correctly for samba-ad-dc.
At least on samba-ad-dc works but we see:
Got notification message from PID 27448, but reception only permitted for main PID 27410
Which did not look good.
So I asked the Debian maintainer about this.
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=993347
Where we first suggested to change back to "Fork" because the wiki says so..
But he pointed out to use NotifyAccess=all.
So, this is the change I would like to see in Samba back again.
https://bugzilla.samba.org/show_bug.cgi?id=14814
And I saw you guys made this change between 4.12/4.13.
The "why" I don't know..
Maybe this needs more research, but the suggested fix works and did work since 4.4.x
So far, and thanks for the reply :-)
I'm all ears for what is best as a fix.
Greetz,
Louis
Ps. Historical info :
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=740942 samba 4.1.x
https://lists.samba.org/archive/samba/2016-July/201197.html samba 4.4.x
> -----Original message-----
> From: Alexander Bokovoy [mailto:ab at samba.org]
> Sent: Wednesday 1 September 2021 16:06
> To: L.P.H. van Belle
> CC: samba at lists.samba.org; Andreas Schneider
> Subject: Re: [Samba] samba-ad-dc.service: Got notification message from PID 27448, but reception only permitted for main PID 27410
>
> On Wed, 01 Sep 2021, L.P.H. van Belle wrote:
> > Good morning,
> >
> > I'll CC Alexander Bokovoy in this one, I think he can tell us more on this.
> > Before this ends up in a bloodbath ;-)
> >
> > No, joking here, but I think these guys can tell us.
> >
> > Rowland, why do you think that we should not set Type?
> > SystemD can't determine what type of program is running.
> >
> > Type must be set and if it's not set, type is "simple" (as Roy also noticed).
> > If type is simple, it just used /etc/init.d/samba start/stop
> >
> > But simple is wrong, just because it won't catch errors when starting up..
> > Quote: systemctl start command lines for simple services will report
> > success even if the service's binary cannot be invoked successfully
> >
> > All I can say is, the Samba team has been using "notify" for some time.
> > And only somewhere in Samba 4.12/4.13 NotifyAccess= was removed from
> > all service files in the Samba sources.
> >
> > And after this CVE fix in systemd, it's not correct anymore in my opinion.
> > If NotifyAccess= isn't defined, then NotifyAccess=main and
> > main isn't correct for samba-ad-dc, because of the extra processes starting.
> >
> > I don't know how it's exactly implemented in Samba, I leave that to the devs.
> >
> > And let's keep the focus on this, that it ONLY involves samba-ad-dc.service
> >
> > So NotifyAccess=all was removed in this commit
> >
> > https://gitlab.com/thctlo1/samba/-/commit/d1740fb3d5a72cb49e30b330bb0b01e7ef3e09cc
> > Which was correct at that time, but things changed.
> >
> > Let's wait what Alexander or Andreas can tell us on this.
>
> Hi. We use Type=notify for samba/smbd/winbindd when they run separately
> because they are set up to provide notifications. Thus, Type=notify has
> to be present in samba.service. Internally, smbd and winbindd will not
> do notifications if they were started by 'samba' daemon so there would
> be only a single process reporting its status.
>
> Also, Type=notify changes NotifyAccess forcibly to 'main' if
> NotifyAccess is not set (our case). Are you claiming this has changed in
> systemd?
>
>
>
> >
> >
> > So far,
> >
> > Greetz,
> >
> > Louis
> >
> >
> >
> >
> > > -----Original message-----
> > > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny via samba
> > > Sent: Tuesday 31 August 2021 22:50
> > > To: samba at lists.samba.org
> > > Subject: Re: [Samba] samba-ad-dc.service: Got notification message from PID 27448, but reception only permitted for main PID 27410
> > >
> > > On Tue, 2021-08-31 at 21:18 +0100, Roy Eastwood via samba wrote:
> > > > I agree, now works. Which leaves the Wiki incorrect as it still
> > > > recommends Type=forking etc. I assume this should be updated to
> > > > (adapted for self-compiled version)?:
> > > >
> > >
> > > I am going to throw a hand grenade in here: after reading 'man
> > > systemd.service', I now think that 'Type' shouldn't be set at all!
> > >
> > > With this samba-ad-dc.service file:
> > >
> > > [Unit]
> > > Description=Samba AD Daemon
> > > Documentation=man:samba(8) man:samba(7) man:smb.conf(5)
> > > Wants=network-online.target
> > > After=network.target network-online.target
> > >
> > > [Service]
> > > PIDFile=/run/samba/samba.pid
> > > LimitNOFILE=16384
> > > EnvironmentFile=-/etc/default/samba
> > > ExecStart=/usr/sbin/samba --foreground --no-process-group $SAMBAOPTIONS
> > > ExecReload=/bin/kill -HUP $MAINPID
> > >
> > >
> > > [Install]
> > > WantedBy=multi-user.target
> > >
> > > Results in this:
> > >
> > > ● samba-ad-dc.service - Samba AD Daemon
> > >    Loaded: loaded (/lib/systemd/system/samba-ad-dc.service; enabled; vendor preset: enabled)
> > >    Active: active (running) since Tue 2021-08-31 21:38:06 BST; 8s ago
> > >      Docs: man:samba(8)
> > >            man:samba(7)
> > >            man:smb.conf(5)
> > >  Main PID: 15307 (samba)
> > >     Tasks: 57 (limit: 4915)
> > >    CGroup: /system.slice/samba-ad-dc.service
> > >            ├─15307 samba: root process
> > >            ├─15309 samba: tfork waiter process(15310)
> > >            ├─15310 samba: task[s3fs] pre-fork master
> > >            ├─15311 samba: tfork waiter process(15313)
> > >            ├─15312 samba: tfork waiter process(15314)
> > >            ├─15313 samba: task[rpc] pre-fork master
> > >            ├─15314 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
> > >            ├─15315 samba: tfork waiter process(15316)
> > >            ├─15316 samba: task[nbt] pre-fork master
> > >            ├─15317 samba: tfork waiter process(15319)
> > >            ├─15318 samba: tfork waiter process(15320)
> > >            ├─15319 samba: task[rpc] pre-forked worker(0)
> > >            ├─15320 samba: task[wrepl] pre-fork master
> > >            ├─15321 samba: tfork waiter process(15325)
> > >            ├─15322 samba: tfork waiter process(15323)
> > >            ├─15323 samba: task[ldap] pre-fork master
> > >            ├─15324 samba: tfork waiter process(15326)
> > >            ├─15325 samba: task[rpc] pre-forked worker(1)
> > >            ├─15326 samba: task[cldap] pre-fork master
> > >            ├─15327 samba: tfork waiter process(15330)
> > >            ├─15328 samba: tfork waiter process(15329)
> > >            ├─15329 samba: task[rpc] pre-forked worker(2)
> > >            ├─15330 samba: task[kdc] pre-fork master
> > >            ├─15331 samba: tfork waiter process(15334)
> > >            ├─15332 samba: tfork waiter process(15333)
> > >            ├─15333 samba: task[drepl] pre-fork master
> > >            ├─15334 samba: task[rpc] pre-forked worker(3)
> > >            ├─15335 samba: tfork waiter process(15338)
> > >            ├─15336 samba: tfork waiter process(15337)
> > >            ├─15337 samba: task[kdc] pre-forked worker(0)
> > >            ├─15338 samba: task[winbindd] pre-fork master
> > >            ├─15339 samba: tfork waiter process(15342)
> > >            ├─15340 samba: tfork waiter process(15343)
> > >            ├─15341 samba: tfork waiter process(15348)
> > >            ├─15342 samba: task[kdc] pre-forked worker(1)
> > >            ├─15343 samba: task[ntp_signd] pre-fork master
> > >            ├─15344 samba: tfork waiter process(15346)
> > >            ├─15345 samba: tfork waiter process(15349)
> > >            ├─15346 samba: task[kcc] pre-fork master
> > >            ├─15347 samba: tfork waiter process(15350)
> > >            ├─15348 /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
> > >            ├─15349 samba: task[kdc] pre-forked worker(2)
> > >            ├─15350 samba: task[dnsupdate] pre-fork master
> > >            ├─15351 samba: tfork waiter process(15352)
> > >            ├─15352 samba: task[kdc] pre-forked worker(3)
> > >            ├─15359 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
> > >            ├─15360 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
> > >            ├─15361 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
> > >            ├─15363 winbindd: domain child [SAMDOM]
> > >            ├─15364 samba: tfork waiter process(15365)
> > >            ├─15365 samba: task[ldap] pre-forked worker(0)
> > >            ├─15366 samba: tfork waiter process(15367)
> > >            ├─15367 samba: task[ldap] pre-forked worker(1)
> > >            ├─15368 samba: tfork waiter process(15369)
> > >            ├─15369 samba: task[ldap] pre-forked worker(2)
> > >            ├─15370 samba: tfork waiter process(15371)
> > >            └─15371 samba: task[ldap] pre-forked worker(3)
> > >
> > > Aug 31 21:38:07 rpidc2 samba[15307]: [2021/08/31 21:38:07.380345, 0] ../../source4/samba/server.c:920(binary_smbd_main)
> > > Aug 31 21:38:07 rpidc2 samba[15307]: binary_smbd_main: samba: using 'prefork' process model
> > > Aug 31 21:38:07 rpidc2 samba[15307]: [2021/08/31 21:38:07.609089, 0] ../../lib/util/become_daemon.c:136(daemon_ready)
> > > Aug 31 21:38:07 rpidc2 samba[15307]: daemon_ready: daemon 'samba' finished starting up and ready to serve connections
> > > Aug 31 21:38:08 rpidc2 smbd[15314]: [2021/08/31 21:38:08.245451, 0] ../../lib/util/become_daemon.c:136(daemon_ready)
> > > Aug 31 21:38:08 rpidc2 smbd[15314]: daemon_ready: daemon 'smbd' finished starting up and ready to serve connections
> > > Aug 31 21:38:08 rpidc2 winbindd[15348]: [2021/08/31 21:38:08.338432, 0] ../../source3/winbindd/winbindd_cache.c:3206(initialize_winbindd_cache)
> > > Aug 31 21:38:08 rpidc2 winbindd[15348]: initialize_winbindd_cache: clearing cache and re-creating with version number 2
> > > Aug 31 21:38:08 rpidc2 winbindd[15348]: [2021/08/31 21:38:08.343985, 0] ../../lib/util/become_daemon.c:136(daemon_ready)
> > > Aug 31 21:38:08 rpidc2 winbindd[15348]: daemon_ready: daemon 'winbindd' finished starting up and ready to serve connections
> > >
> > > And 'pstree' shows this:
> > >
> > > systemd─┬─agetty
> > >
> > >         ├─samba─┬─tfork(15310)───s3fs[master]───tfork(15314)───smbd─┬─cleanupd
> > >         │       │                                                   ├─lpqd
> > >         │       │                                                   └─smbd-notifyd
> > >         │       ├─tfork(15313)───rpc[master]─┬─tfork(15319)───rpc(0)
> > >         │       │                            ├─tfork(15325)───rpc(1)
> > >         │       │                            ├─tfork(15329)───rpc(2)
> > >         │       │                            └─tfork(15334)───rpc(3)
> > >         │       ├─tfork(15316)───nbt[master]
> > >         │       ├─tfork(15320)───wrepl[master]
> > >         │       ├─tfork(15323)───ldap[master]─┬─tfork(15365)───ldap(0)
> > >         │       │                             ├─tfork(15367)───ldap(1)
> > >         │       │                             ├─tfork(15369)───ldap(2)
> > >         │       │                             └─tfork(15371)───ldap(3)
> > >         │       ├─tfork(15326)───cldap[master]
> > >         │       ├─tfork(15330)───kdc[master]─┬─tfork(15337)───kdc(0)
> > >         │       │                            ├─tfork(15342)───kdc(1)
> > >         │       │                            ├─tfork(15349)───kdc(2)
> > >         │       │                            └─tfork(15352)───kdc(3)
> > >         │       ├─tfork(15333)───drepl[master]
> > >         │       ├─tfork(15338)───winbindd[master───tfork(15348)───winbindd───winbindd
> > >         │       ├─tfork(15343)───ntp_signd[master]
> > >         │       ├─tfork(15346)───kcc[master]
> > >         │       └─tfork(15350)───dnsupdate[master]
> > >
> > > It is all working for myself.
> > >
> > > Rowland
> > >
> > >
> > >
> > >
> > >
> >
>
> --
> / Alexander Bokovoy
>
>
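An added example, not part of the original messages or of Samba's sources: a small check for the two things the thread turns on, the NotifyAccess= value a unit effectively gets when Type=notify is set without it, and the sender/main PID pairs behind each refused notification in the journal. With NotifyAccess=all, systemd accepts notifications from every process in the service's control group, which is the trade-off to weigh against the refused messages. The function names, the sample unit text and the journal timestamp and host name are constructed for illustration; drop-ins and WatchdogSec= are not considered.

```shell
#!/bin/sh
# Added example; the unit text and journal line used by demo() are constructed.

# Print the NotifyAccess= value systemd applies to one unit file.
# Rule from the thread: unset (default "none") becomes "main" under Type=notify.
# Assumption: drop-ins and WatchdogSec= are not considered.
effective_notify_access() {
    awk '
        /^\[/ { in_service = ($0 == "[Service]"); next }
        in_service && /=/ {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "Type") type = val
            if (key == "NotifyAccess") access = val
        }
        END {
            if (access == "") access = "none"
            if (type == "notify" && access == "none") access = "main"
            print access
        }' "$1"
}

# Read journal text on stdin; print "sender_pid main_pid" for each
# notification systemd refused because it did not come from the main PID.
rejected_notifications() {
    sed -n 's/.*Got notification message from PID \([0-9][0-9]*\), but reception only permitted for main PID \([0-9][0-9]*\).*/\1 \2/p'
}

demo() {
    unit=$(mktemp)
    printf '[Service]\nType=notify\nExecStart=/usr/sbin/samba --foreground\n' > "$unit"
    echo "NotifyAccess unset -> $(effective_notify_access "$unit")"
    printf 'NotifyAccess=all\n' >> "$unit"
    echo "NotifyAccess=all   -> $(effective_notify_access "$unit")"
    rm -f "$unit"
    echo 'Sep 01 14:00:00 dc1 systemd[1]: samba-ad-dc.service: Got notification message from PID 27448, but reception only permitted for main PID 27410' \
        | rejected_notifications
}
demo
```

On a running host, `systemctl show -p NotifyAccess samba-ad-dc.service` reports the value systemd actually applied, drop-ins included.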