[Samba] samba-ad-dc.service: Got notification message from PID 27448, but reception only permitted for main PID 27410

L.P.H. van Belle belle at bazuin.nl
Fri Sep 3 14:42:33 UTC 2021


 Hello Alexander, 

> -----Original message-----
> From: Alexander Bokovoy [mailto:ab at samba.org] 
> Sent: Friday 3 September 2021 15:03
> To: L.P.H. van Belle
> CC: samba at lists.samba.org; Andreas Schneider
> Subject: Re: [Samba] samba-ad-dc.service: Got notification message from PID 27448, but reception only permitted for main PID 27410
> 
> On Wed, 01 Sep 2021, L.P.H. van Belle wrote:
> > 
> > On this: 
> > > Type=notify changes NotifyAccess forcibly to 'main' if
> > > NotifyAccess is not set (our case). Are you claiming this has 
> > > changed in systemd?
> > 
> > Yes, that is correct, this is something related to changes in systemd. 
> > 
> > I suspect it's this one:
> > https://www.qualys.com/2021/07/20/cve-2021-33910/denial-of-service-systemd.txt 
> > In Debian this change passed on: [20 Jul 2021] DSA-4942 systemd - security update
> 
> I do not see how CVE-2021-33910 is affecting the NotifyAccess behavior.

I hoped you would see/find it.. :-( 

> 
> > And NotifyAccess=main won't work correctly for samba-ad-dc. 
> > 
> > At least samba-ad-dc works, but we see: 
> > Got notification message from PID 27448, but reception only permitted for main PID 27410
> > 
> > Which did not look good. 
> 
> This one means we've got sd_notify() from a process that is not a
> correct one. Do you know what process is that? E.g. is it 'samba' or
> 'smbd' or 'winbindd'? or something else?

As far as I can tell and see, only the "samba" process is affected by it. 
(And only in samba-ad-dc mode.)

> 
> Right now smbd and winbindd disable SD notifications if they are run in
> Samba AD DC configuration. It might be that we should add the same
> daemon_sd_notifications(false); call to other AD DC daemons when they
> fork out of 'samba' binary.

I wish I knew this, but that's one I really don't know; 
I'm not that smart in the Samba code. :-(  But maybe this one helps you more
to identify the problem.

https://access.redhat.com/solutions/3062191 
Services using the "Type=Notify" and "NotifyAccess=All" settings 
are vulnerable to being inadvertently shut down by other services


Greetz, 

Louis


> 
> 
> > 
> > So I asked the Debian maintainer about this. 
> > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=993347
> > 
> > Where we first suggested to change back to "Fork" because the wiki says so.. 
> > But he pointed out to use NotifyAccess=all 
> > 
> > So, this is the change I would like to see in Samba back again. 
> > https://bugzilla.samba.org/show_bug.cgi?id=14814 
> > 
> > And I saw you guys made this change between 4.12/4.13. 
> > The "why" I don't know.. 
> > 
> > 
> > Maybe this needs more research, but the suggested fix works and did work since 4.4.x 
> > 
> > So far, and thanks for the reply :-) 
> > I'm all ears for what is best as a fix. 
> > 
> > Greetz, 
> > 
> > Louis
> > 
> > Ps. Historical info: 
> > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=740942 samba 4.1.x 
> > https://lists.samba.org/archive/samba/2016-July/201197.html samba 4.4.x 
> > 
> > 
> > 
> > > -----Original message-----
> > > From: Alexander Bokovoy [mailto:ab at samba.org] 
> > > Sent: Wednesday 1 September 2021 16:06
> > > To: L.P.H. van Belle
> > > CC: samba at lists.samba.org; Andreas Schneider
> > > Subject: Re: [Samba] samba-ad-dc.service: Got notification message from PID 27448, but reception only permitted for main PID 27410
> > > 
> > > On Wed, 01 Sep 2021, L.P.H. van Belle wrote:
> > > > Good morning, 
> > > > 
> > > > I'll CC Alexander Bokovoy in this one, I think he can tell us more on this.
> > > > Before this ends up in a bloodbath ;-) 
> > > > 
> > > > No, joking here, but I think these guys can tell us. 
> > > > 
> > > > Rowland, why do you think that we should not set Type? 
> > > > Systemd can't determine what type of program is running. 
> > > > 
> > > > Type must be set and if it's not set, type is "simple" (as Roy also noticed)
> > > > If type is simple, it just uses /etc/init.d/samba start/stop 
> > > > 
> > > > But simple is wrong, just because it won't catch errors when starting up.. 
> > > > Quote: systemctl start command lines for simple services will report 
> > > > success even if the service's binary cannot be invoked successfully 
> > > > 
> > > > All I can say is, the Samba team has been using "notify" for some time. 
> > > > And only somewhere in Samba 4.12/4.13 NotifyAccess= is removed from 
> > > > all service files in the samba sources. 
> > > > 
> > > > And after this CVE fix in systemd, it's not correct anymore in my opinion.
> > > > If NotifyAccess= isn't defined, then NotifyAccess=main and 
> > > > main isn't correct for samba-ad-dc, because of the extra processes starting.
> > > > 
> > > > I don't know how it's exactly implemented in Samba, I leave that to the devs. 
> > > > 
> > > > And let's keep the focus on this: that it ONLY involves samba-ad-dc.service
> > > > 
> > > > So NotifyAccess=all was removed in this commit 
> > > > https://gitlab.com/thctlo1/samba/-/commit/d1740fb3d5a72cb49e30b330bb0b01e7ef3e09cc 
> > > > Which was correct at that time, but things changed. 
> > > > 
> > > > Let's wait what Alexander or Andreas can tell us on this. 
> > > 
> > > Hi. We use Type=notify for samba/smbd/winbindd when they run separately
> > > because they are set up to provide notifications. Thus, Type=notify has
> > > to be present in samba.service. Internally, smbd and winbindd will not
> > > do notifications if they were started by 'samba' daemon so there would
> > > be only a single process reporting its status.
> > > 
> > > Also, Type=notify changes NotifyAccess forcibly to 'main' if
> > > NotifyAccess is not set (our case). Are you claiming this has changed in
> > > systemd?
> > > 
> > > 
> > > 
> > > > 
> > > > 
> > > > So far, 
> > > > 
> > > > Greetz, 
> > > > 
> > > > Louis
> > > > 
> > > > 
> > > > 
> > > > 
> > > > > -----Original message-----
> > > > > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of 
> > > > > Rowland Penny via samba
> > > > > Sent: Tuesday 31 August 2021 22:50
> > > > > To: samba at lists.samba.org
> > > > > Subject: Re: [Samba] samba-ad-dc.service: Got notification message from PID 27448, but reception only permitted for main PID 27410
> > > > > 
> > > > > On Tue, 2021-08-31 at 21:18 +0100, Roy Eastwood via samba wrote:
> > > > > > I agree, now works.   Which leaves the WiKi incorrect as it still
> > > > > > recommends Type=forking etc.    I assume this should be updated to
> > > > > > (adapted for self-compiled version)?:
> > > > > > 
> > > > > 
> > > > > I am going to throw a hand grenade in here, after reading 'man
> > > > > systemd.service', I now think that 'Type' shouldn't be set at all!
> > > > > 
> > > > > With this samba-ad-dc.service file:
> > > > > 
> > > > > [Unit]
> > > > > Description=Samba AD Daemon
> > > > > Documentation=man:samba(8) man:samba(7) man:smb.conf(5)
> > > > > Wants=network-online.target
> > > > > After=network.target network-online.target
> > > > > 
> > > > > [Service]
> > > > > PIDFile=/run/samba/samba.pid
> > > > > LimitNOFILE=16384
> > > > > EnvironmentFile=-/etc/default/samba
> > > > > ExecStart=/usr/sbin/samba --foreground --no-process-group $SAMBAOPTIONS
> > > > > ExecReload=/bin/kill -HUP $MAINPID
> > > > > 
> > > > > 
> > > > > [Install]
> > > > > WantedBy=multi-user.target
> > > > > 
> > > > > Results in this:
> > > > > 
> > > > > ● samba-ad-dc.service - Samba AD Daemon
> > > > >    Loaded: loaded (/lib/systemd/system/samba-ad-dc.service; enabled; vendor preset: enabled)
> > > > >    Active: active (running) since Tue 2021-08-31 21:38:06 BST; 8s ago
> > > > >      Docs: man:samba(8)
> > > > >            man:samba(7)
> > > > >            man:smb.conf(5)
> > > > >  Main PID: 15307 (samba)
> > > > >     Tasks: 57 (limit: 4915)
> > > > >    CGroup: /system.slice/samba-ad-dc.service
> > > > >            ├─15307 samba: root process
> > > > >            ├─15309 samba: tfork waiter process(15310)
> > > > >            ├─15310 samba: task[s3fs] pre-fork master
> > > > >            ├─15311 samba: tfork waiter process(15313)
> > > > >            ├─15312 samba: tfork waiter process(15314)
> > > > >            ├─15313 samba: task[rpc] pre-fork master
> > > > >            ├─15314 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
> > > > >            ├─15315 samba: tfork waiter process(15316)
> > > > >            ├─15316 samba: task[nbt] pre-fork master
> > > > >            ├─15317 samba: tfork waiter process(15319)
> > > > >            ├─15318 samba: tfork waiter process(15320)
> > > > >            ├─15319 samba: task[rpc] pre-forked worker(0)
> > > > >            ├─15320 samba: task[wrepl] pre-fork master
> > > > >            ├─15321 samba: tfork waiter process(15325)
> > > > >            ├─15322 samba: tfork waiter process(15323)
> > > > >            ├─15323 samba: task[ldap] pre-fork master
> > > > >            ├─15324 samba: tfork waiter process(15326)
> > > > >            ├─15325 samba: task[rpc] pre-forked worker(1)
> > > > >            ├─15326 samba: task[cldap] pre-fork master
> > > > >            ├─15327 samba: tfork waiter process(15330)
> > > > >            ├─15328 samba: tfork waiter process(15329)
> > > > >            ├─15329 samba: task[rpc] pre-forked worker(2)
> > > > >            ├─15330 samba: task[kdc] pre-fork master
> > > > >            ├─15331 samba: tfork waiter process(15334)
> > > > >            ├─15332 samba: tfork waiter process(15333)
> > > > >            ├─15333 samba: task[drepl] pre-fork master
> > > > >            ├─15334 samba: task[rpc] pre-forked worker(3)
> > > > >            ├─15335 samba: tfork waiter process(15338)
> > > > >            ├─15336 samba: tfork waiter process(15337)
> > > > >            ├─15337 samba: task[kdc] pre-forked worker(0)
> > > > >            ├─15338 samba: task[winbindd] pre-fork master
> > > > >            ├─15339 samba: tfork waiter process(15342)
> > > > >            ├─15340 samba: tfork waiter process(15343)
> > > > >            ├─15341 samba: tfork waiter process(15348)
> > > > >            ├─15342 samba: task[kdc] pre-forked worker(1)
> > > > >            ├─15343 samba: task[ntp_signd] pre-fork master
> > > > >            ├─15344 samba: tfork waiter process(15346)
> > > > >            ├─15345 samba: tfork waiter process(15349)
> > > > >            ├─15346 samba: task[kcc] pre-fork master
> > > > >            ├─15347 samba: tfork waiter process(15350)
> > > > >            ├─15348 /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
> > > > >            ├─15349 samba: task[kdc] pre-forked worker(2)
> > > > >            ├─15350 samba: task[dnsupdate] pre-fork master
> > > > >            ├─15351 samba: tfork waiter process(15352)
> > > > >            ├─15352 samba: task[kdc] pre-forked worker(3)
> > > > >            ├─15359 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
> > > > >            ├─15360 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
> > > > >            ├─15361 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
> > > > >            ├─15363 winbindd: domain child [SAMDOM]
> > > > >            ├─15364 samba: tfork waiter process(15365)
> > > > >            ├─15365 samba: task[ldap] pre-forked worker(0)
> > > > >            ├─15366 samba: tfork waiter process(15367)
> > > > >            ├─15367 samba: task[ldap] pre-forked worker(1)
> > > > >            ├─15368 samba: tfork waiter process(15369)
> > > > >            ├─15369 samba: task[ldap] pre-forked worker(2)
> > > > >            ├─15370 samba: tfork waiter process(15371)
> > > > >            └─15371 samba: task[ldap] pre-forked worker(3)
> > > > > 
> > > > > Aug 31 21:38:07 rpidc2 samba[15307]: [2021/08/31 21:38:07.380345,  0] ../../source4/samba/server.c:920(binary_smbd_main)
> > > > > Aug 31 21:38:07 rpidc2 samba[15307]:   binary_smbd_main: samba: using 'prefork' process model
> > > > > Aug 31 21:38:07 rpidc2 samba[15307]: [2021/08/31 21:38:07.609089,  0] ../../lib/util/become_daemon.c:136(daemon_ready)
> > > > > Aug 31 21:38:07 rpidc2 samba[15307]:   daemon_ready: daemon 'samba' finished starting up and ready to serve connections
> > > > > Aug 31 21:38:08 rpidc2 smbd[15314]: [2021/08/31 21:38:08.245451,  0] ../../lib/util/become_daemon.c:136(daemon_ready)
> > > > > Aug 31 21:38:08 rpidc2 smbd[15314]:   daemon_ready: daemon 'smbd' finished starting up and ready to serve connections
> > > > > Aug 31 21:38:08 rpidc2 winbindd[15348]: [2021/08/31 21:38:08.338432,  0] ../../source3/winbindd/winbindd_cache.c:3206(initialize_winbindd_cache)
> > > > > Aug 31 21:38:08 rpidc2 winbindd[15348]:   initialize_winbindd_cache: clearing cache and re-creating with version number 2
> > > > > Aug 31 21:38:08 rpidc2 winbindd[15348]: [2021/08/31 21:38:08.343985,  0] ../../lib/util/become_daemon.c:136(daemon_ready)
> > > > > Aug 31 21:38:08 rpidc2 winbindd[15348]:   daemon_ready: daemon 'winbindd' finished starting up and ready to serve connections
> > > > > 
> > > > > And 'pstree' shows this:
> > > > > 
> > > > > systemd─┬─agetty
> > > > >         ├─samba─┬─tfork(15310)───s3fs[master]───tfork(15314)───smbd─┬─cleanupd
> > > > >         │       │                                                   ├─lpqd
> > > > >         │       │                                                   └─smbd-notifyd
> > > > >         │       ├─tfork(15313)───rpc[master]─┬─tfork(15319)───rpc(0)
> > > > >         │       │                            ├─tfork(15325)───rpc(1)
> > > > >         │       │                            ├─tfork(15329)───rpc(2)
> > > > >         │       │                            └─tfork(15334)───rpc(3)
> > > > >         │       ├─tfork(15316)───nbt[master]
> > > > >         │       ├─tfork(15320)───wrepl[master]
> > > > >         │       ├─tfork(15323)───ldap[master]─┬─tfork(15365)───ldap(0)
> > > > >         │       │                             ├─tfork(15367)───ldap(1)
> > > > >         │       │                             ├─tfork(15369)───ldap(2)
> > > > >         │       │                             └─tfork(15371)───ldap(3)
> > > > >         │       ├─tfork(15326)───cldap[master]
> > > > >         │       ├─tfork(15330)───kdc[master]─┬─tfork(15337)───kdc(0)
> > > > >         │       │                            ├─tfork(15342)───kdc(1)
> > > > >         │       │                            ├─tfork(15349)───kdc(2)
> > > > >         │       │                            └─tfork(15352)───kdc(3)
> > > > >         │       ├─tfork(15333)───drepl[master]
> > > > >         │       ├─tfork(15338)───winbindd[master───tfork(15348)───winbindd───winbindd
> > > > >         │       ├─tfork(15343)───ntp_signd[master]
> > > > >         │       ├─tfork(15346)───kcc[master]
> > > > >         │       └─tfork(15350)───dnsupdate[master]
> > > > > 
> > > > > It is all working for myself.
> > > > > 
> > > > > Rowland
> > > > >  
> > > > > 
> > > > > 
> > > > > -- 
> > > > > To unsubscribe from this list go to the following URL 
> and read the
> > > > > instructions:  https://lists.samba.org/mailman/options/samba
> > > > > 
> > > > > 
> > > > 
> > > 
> > > -- 
> > > / Alexander Bokovoy
> > > 
> > > 
> > 
> 
> -- 
> / Alexander Bokovoy
> 
> 



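The warning in the subject line is produced by the manager, not by Samba: with NotifyAccess=main, a READY=1 datagram from any PID other than the unit's main PID is dropped. The following is an added illustration (not code from Samba, systemd or anyone in this thread) that models that decision on a private UNIX datagram socket, assuming the check boils down to comparing the sender PID delivered via SCM_CREDENTIALS with the main PID (the real systemd also consults the unit's cgroup). Linux only; the socket path, `demo()`, `allowed()` and the other names are this example's own.

```python
import os
import socket
import struct
import tempfile

UCRED = "3i"  # struct ucred: pid_t, uid_t, gid_t (32-bit each on Linux)

def open_notify_socket(path):
    # Receiving end of a simulated NOTIFY_SOCKET. SO_PASSCRED makes the kernel
    # attach the sender's pid/uid/gid to every datagram; that pid is what the
    # manager compares against the unit's main PID.
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    sock.bind(path)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_PASSCRED, 1)
    return sock

def sd_notify(path, state):
    # Minimal sd_notify(): one datagram carrying e.g. "READY=1".
    with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as s:
        s.sendto(state.encode(), path)

def recv_notification(sock):
    # Return (state, sender_pid) for the next datagram on the notify socket.
    size = struct.calcsize(UCRED)
    msg, ancdata, _flags, _addr = sock.recvmsg(4096, socket.CMSG_SPACE(size))
    pid = None
    for level, ctype, data in ancdata:
        if level == socket.SOL_SOCKET and ctype == socket.SCM_CREDENTIALS:
            pid = struct.unpack(UCRED, data[:size])[0]
    return msg.decode(), pid

def allowed(sender_pid, main_pid, notify_access):
    # Simplified NotifyAccess= policy: "main" honours only the main PID,
    # "all" honours any process of the unit (assumed model, see lead-in).
    return notify_access == "all" or sender_pid == main_pid

def demo(notify_access):
    # The main process and a forked child both send READY=1, as the 'samba'
    # root process and its tfork'ed tasks do; returns [(is_main, accepted), ...].
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "notify")      # constructed, stands in for NOTIFY_SOCKET
        sock = open_notify_socket(path)
        main_pid = os.getpid()
        sd_notify(path, "READY=1")            # from the main PID
        child = os.fork()
        if child == 0:                        # a forked task, like samba's children
            sd_notify(path, "READY=1")
            os._exit(0)
        os.waitpid(child, 0)
        seen = [recv_notification(sock)[1] for _ in range(2)]
        sock.close()
        return [(pid == main_pid, allowed(pid, main_pid, notify_access)) for pid in seen]
```

With "main" the child's datagram is the one that would trigger "Got notification message from PID X, but reception only permitted for main PID Y"; with "all" both are honoured.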
