samba-tool segfault (Samba 4.4)

Hi!

I've noticed that trying to provision AD DC with net/samba44 ends up with segmentation fault. Higher debug level gives:
Code:
Finding user Administrator
Trying _Get_Pwnam(), username as lowercase is administrator
Trying _Get_Pwnam(), username as given is Administrator
Trying _Get_Pwnam(), username as uppercase is ADMINISTRATOR
Checking combinations of 0 uppercase letters in administrator
Get_Pwnam_internals didn't find user [Administrator]!
Segmentation fault (core dumped)

Similar problems occur with other samba-tool subcommands such as samba-tool dbcheck.
The error reoccurs on different machines, so I think it's a bug. I'd like to hear about your experience.

The only way for the things to work is to install net/samba43.

By the way the current version of Samba is 4.6, but our ports are stuck with 4.4.8...
 
That's great! They are also in packages.

But there is (yet another) problem with net/samba46: trying
samba-tool domain provision or samba-tool domain provision --use-rfc2307 --interactive
Code:
...
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
set_nt_acl_no_snum: fset_nt_acl returned NT_STATUS_INVALID_PARAMETER.
ERROR(runtime): uncaught exception - (-1073741811, 'Unexpected information received')
  File "/usr/local/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/samba/netcmd/domain.py", line 471, in run
    nosync=ldap_backend_nosync, ldap_dryrun_mode=ldap_dryrun_mode)
  File "/usr/local/lib/python2.7/site-packages/samba/provision/__init__.py", line 2175, in provision
    skip_sysvolacl=skip_sysvolacl)
  File "/usr/local/lib/python2.7/site-packages/samba/provision/__init__.py", line 1806, in provision_fill
    names.domaindn, lp, use_ntvfs)
  File "/usr/local/lib/python2.7/site-packages/samba/provision/__init__.py", line 1593, in setsysvolacl
    service=SYSVOL_SERVICE)
  File "/usr/local/lib/python2.7/site-packages/samba/ntacls.py", line 162, in setntacl
    smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd, service=service)
No difference if net/samba46 is built via ports or installed as package.

This works fine with net/samba45 on the same system.
 
It is already April of 2018 and it seems no one could solve this problem, as I just met the same issue today under Samba 4.6!!!

Disappointed
 
I'm with you! I ran into that error while I tried to set up an AD controller some days ago. And it's present under Samba 4.7 and 4.8. An extra pressure: Samba 4.5 is EOL mid-June this year, so there is no safe way to run an AD controller on FreeBSD.
All I could find on Google was a thread on the Samba mailing list from two or three weeks ago: the last message was "Your system (FreeBSD) is not posix compatible". Firing up portmaster net/samba47 doesn't show any options to turn off POSIX ACLs. I've checked the GUI of FreeNAS and to my understanding they can at least join an AD domain. Does this mean the end of AD master controllers on FreeBSD?
Greetings,

Mike
 
There is good news, as I just tried out Samba 4.8 and it all worked.
Hi Paul,
could you please tell me which way you had configured or installed your setup? With a fresh FreeBSD 11.1 and pkg install samba48 the command
samba-tool domain provision --use-rfc2307 --interactive
still produces the old "NT_STATUS_INVALID_PARAMETER" error for me. Which backend do you use for instance?

Greetings,

Mike
 
Hi Mike:
I am still using 10.4 only.


Samba-4.8 is running and I also tried to create 2 VMs and joined this DC too.

My suggestion is that you should try to delete /var/db/samba/* and re-run samba-tool again.
Looking forward to hearing your good news that it works.
 
Hi Paul,
thanks for the reply. It is true, in 10.4 everything is fine. I've tested cleaning the /var/db/samba4 directory but no luck. As far as I could find out, the problem starts with 11.x. On the other hand, according to the FreeBSD support lifecycles, 10.4 is EOL in October. So when I set up a new server at a customer location it's no longer an option. The error must be fixed in the 11.x branch.

Greetings,
Mike
 
I'm not so sure about that...

Code:
vmhost# zfs get aclmode,aclinherit /var/jail/addc/var
NAME                 PROPERTY    VALUE          SOURCE
zroot/jail/addc/var  aclmode     passthrough    inherited from zroot
zroot/jail/addc/var  aclinherit  passthrough    inherited from zroot

Is this configuration wrong? Trying to provision a domain in this jail gives the error message from post #6. Trying the patch now...
 
I haven't tried it on ZFS. I just came across the same error this weekend when I tried to set up a Samba 4.8 ADS. In my case it was because the POSIX ACLs weren't enabled on the UFS filesystem.

While it's about migrating from an old Samba to a new one, this page provided me a lot of information: https://wiki.freebsd.org/Samba4ZFS
 
Thanks, I've already found this wiki page. It suggests using UFS on a zvol .... I'd prefer not to do this though, but if it's the only way .... Unfortunately, the patch doesn't change anything for me.

Is there any restriction on using ACLs in jails?
 
Finally found the bug report that seems to apply here:

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=225676

So, no way to get this working right now :( I just left a comment and, in an attempt to get at least some insight, started a build with some added fprintf(stderr, ...)s to lib/replace/xattr.c -- we will see. Otherwise, the only option for a jailed AD DC would be to go down all the way to samba 4.6 :(
 
[...] the only option for a jailed AD DC would be to go down all the way to samba 4.6 :(
Which won't work, either. Samba 4.6 can't work with ZFS ACLs. Ok, now building samba 4.7.3 *) -- this is probably not recommended at all because of CVE-2018-1057 -- but might be ok for a DC in a protected network used only by a few trustworthy persons -- oh, my, I really hope this situation will improve soon.

*) JFTR, I can confirm 4.7.3 successfully provisions the AD DC in a jail on ZFS.
 
Of course, I could test whether it would indeed work with sysvol on UFS ... might be the better option after all, but it's kind of sad.

Unfortunately, even on UFS, it doesn't work. samba-tool from samba48 segfaults instead of giving any message.
 
Hi,
finally found the time to do some tests. Yes, Samba AD works with FreeBSD 11.1 on UFS and ACLs activated with tunefs. I've installed Samba 4.8 outside of a jail with pkg install samba48 and then walked through the AD setup without any issues. Thanks all, seems like I'm a bit too fixed on ZFS to come up with this conclusion...

Best regards,

Mike
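
A pre-flight check for the conclusion the thread reaches, added here as an example and not written by any poster: it reports which ACL flavour the filesystem under a sysvol path is mounted with, read from FreeBSD `mount` output. The function name, the sample mount lines and the paths in them are constructed, and the parser assumes device and mount point names contain no spaces.

```shell
#!/bin/sh
# Added example. SAMPLE_MOUNTS is constructed, in the line shape FreeBSD
# `mount` prints: <device> on <mountpoint> (<type>, <option>, ...)
SAMPLE_MOUNTS='/dev/ada0p2 on / (ufs, local, journaled soft-updates)
/dev/ada1p1 on /var/db/samba4 (ufs, local, soft-updates, acls)
zroot/jail/addc/var on /var/jail/addc/var (zfs, local, noatime, nfsv4acls)'

# acl_flavour PATH [MOUNT_OUTPUT]   (hypothetical helper)
# Prints one of:
#   posix1e  UFS mounted with POSIX.1e ACLs ("acls", e.g. after tunefs -a enable)
#   nfsv4    NFSv4 ACLs ("nfsv4acls", what ZFS datasets show)
#   none     filesystem found, no ACL option in effect
#   unknown  no mount entry covers PATH
acl_flavour() {
    path=$1
    mounts=${2:-$(mount)}      # live system state unless sample text is passed
    printf '%s\n' "$mounts" | awk -v p="$path" '
        NF < 4 { next }        # skip blank or malformed lines
        {
            mp = $3
            # PATH must be the mount point itself or lie below it
            if (mp != "/" && p != mp && index(p, mp "/") != 1) next
            # keep the most specific (longest) mount point; later lines win ties
            if (length(mp) < best) next
            best = length(mp)
            opts = substr($0, index($0, "(") + 1)
            sub(/\)$/, "", opts)
            n = split(opts, o, /, */)
            kind = "none"
            for (i = 1; i <= n; i++) {
                if (o[i] == "acls")      kind = "posix1e"
                if (o[i] == "nfsv4acls") kind = "nfsv4"
            }
        }
        END { print (best ? kind : "unknown") }'
}

# Demo over the constructed sample
for p in /var/db/samba4/sysvol /var/jail/addc/var/db /usr/local; do
    printf '%s -> %s\n' "$p" "$(acl_flavour "$p" "$SAMPLE_MOUNTS")"
done
```

Called with only a path, the function reads the running system's `mount` output; a result of `none` on the sysvol path matches the UFS case described above where POSIX ACLs were not enabled.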
 