Univention Bugzilla – Bug 45800
Samba/AD RPC server crashes when Azure AD Connect reads from it
Last modified: 2017-12-06 15:40:22 CET
The rpc_server process of Samba/AD 4.6.x dies due to a segmentation fault when Azure AD Connect is configured to use it as domain controller (AAD connect in express setup configuration). log.samba shows a panic for the pid of that process and /core is written. Analysis of the core file and samba sources showed the origin of the problem and the upstream samba master branch has two commits that address this issue. It happens because AAD Connect apparently replicates with a non-admin user, see description in the Samba bug (URL field above). We've successfully tested AAD Connect with a patched version of Samba/AD, so it's probably a good idea to ship it as part of errata4.2-3. The package is already built in that scope.
Patches:
* 99_samba-master-0001-s4-drsuapi-Avoid-segfault-when-replicating-as-a-non-.quilt
* 99_samba-master-0002-s4-drsuapi-Use-sam_ctx-consistently-in-dcesrv_drsuap.quilt
Advisory: samba.yaml
can be reproduced with

-> udm users/user create --set username=test1 --set lastname=test1 --set password=univention

# allow user drs get changes
-> samba-tool dsacl set --sddl='(A;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-3006362628-2186033213-1690935345-1110)' --objectdn=DC=four,DC=two -UAdministrator

-> python
from samba.credentials import Credentials, DONT_USE_KERBEROS
from samba import drs_utils
from samba.param import LoadParm
from samba.dcerpc import drsuapi, misc
samname = "test1"
acct_pass = "univention"
server = "10.200.7.50"
req_dn = 'DC=four,DC=two'
binding_options = "seal,print"
lp = LoadParm()
repl_creds = Credentials()
repl_creds.guess(lp)
repl_creds.set_kerberos_state(DONT_USE_KERBEROS)
repl_creds.set_username(samname)
repl_creds.set_password(acct_pass)
drs, drsuapi_handle, bind_supported_extensions = drs_utils.drsuapi_connect(server, lp, repl_creds)
req8 = drsuapi.DsGetNCChangesRequest8()
req8.destination_dsa_guid = misc.GUID()
req8.source_dsa_invocation_id = misc.GUID()
req8.naming_context = drsuapi.DsReplicaObjectIdentifier()
req8.naming_context.dn = req_dn
req8.extended_op = drsuapi.DRSUAPI_EXOP_NONE
req8.replica_flags = drsuapi.DRSUAPI_DRS_WRIT_REP
(level, ctr) = drs.DsGetNCChanges(drsuapi_handle, 8, req8)

Traceback (most recent call last):
  File "crash.py", line 36, in <module>
    (level, ctr) = drs.DsGetNCChanges(drsuapi_handle, 8, req8)
RuntimeError: (-1073741300, 'The transport connection is now disconnected.')

-> /var/log/samba/log.samba
[2017/11/30 15:07:34.658911, 0, pid=10567] ../lib/util/fault.c:78(fault_report)
  ===============================================================
[2017/11/30 15:07:34.659174, 0, pid=10567] ../lib/util/fault.c:79(fault_report)
  INTERNAL ERROR: Signal 11 in pid 10567 (4.6.1-Debian)
  Please read the Trouble-Shooting section of the Samba HOWTO
[2017/11/30 15:07:34.659429, 0, pid=10567] ../lib/util/fault.c:81(fault_report)
  ===============================================================
[2017/11/30 15:07:34.659582, 0, pid=10567] ../lib/util/fault.c:151(smb_panic_default)
  PANIC: internal error
[2017/11/30 15:07:34.704702, 0, pid=10548] ../source4/smbd/process_standard.c:127(standard_child_pipe_handler)
  Child 10567 (rpc) terminated with signal 6
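For monitoring unpatched hosts, the log.samba entries above can be matched mechanically. The following is an added example, not part of the bug report or of Samba: it parses the entry headers, finds the fault_report panic and pairs it with the parent's child-termination entry. The function names and the first sample entry are constructed for illustration.

```python
import re

# Samba entry header: "[date time, level, pid=N] file:line(function)"
HEADER = re.compile(
    r"\[(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*(?P<level>\d+),\s*"
    r"pid=(?P<pid>\d+)\]\s+(?P<src>\S+?):(?P<line>\d+)\((?P<func>\w+)\)")
FAULT = re.compile(r"INTERNAL ERROR: Signal (\d+) in pid (\d+) \(([^)]+)\)")
CHILD = re.compile(r"Child (\d+) \((\w+)\) terminated with signal (\d+)")

# First entry is constructed; the rest is from the report (one separator entry omitted).
SAMPLE = """\
[2017/11/30 15:07:30.000000, 3, pid=10548] ../constructed/example.c:1(example_fn)
  constructed unrelated entry
[2017/11/30 15:07:34.658911, 0, pid=10567] ../lib/util/fault.c:78(fault_report)
  ===============================================================
[2017/11/30 15:07:34.659174, 0, pid=10567] ../lib/util/fault.c:79(fault_report)
  INTERNAL ERROR: Signal 11 in pid 10567 (4.6.1-Debian)
  Please read the Trouble-Shooting section of the Samba HOWTO
[2017/11/30 15:07:34.659582, 0, pid=10567] ../lib/util/fault.c:151(smb_panic_default)
  PANIC: internal error
[2017/11/30 15:07:34.704702, 0, pid=10548] ../source4/smbd/process_standard.c:127(standard_child_pipe_handler)
  Child 10567 (rpc) terminated with signal 6
"""

def entries(text):
    """Yield (header fields, message); a message runs up to the next header."""
    heads = list(HEADER.finditer(text))
    for i, h in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        yield h.groupdict(), " ".join(text[h.end():end].split())

def find_crashes(text):
    """Pair each fault_report panic with the parent's child-termination entry."""
    crashes = {}
    for head, msg in entries(text):
        fault, child = FAULT.search(msg), CHILD.search(msg)
        if fault and fault.group(2) == head["pid"]:
            crashes[head["pid"]] = {"pid": int(head["pid"]), "time": head["ts"],
                                    "signal": int(fault.group(1)),
                                    "version": fault.group(3), "service": None}
        elif child and child.group(1) in crashes:
            crashes[child.group(1)].update(service=child.group(2),
                                           exit_signal=int(child.group(3)),
                                           parent_pid=int(head["pid"]))
    return list(crashes.values())

if __name__ == "__main__":
    print(find_crashes(SAMPLE))
```

The fault entry carries signal 11 while the parent records signal 6 for the same child, so the pairing is done on the pid rather than on the signal number.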
OK - patches
OK - DsGetNCChanges as normal user
OK - sysvol replication
OK - installation/update
OK - winexe
OK - YAML
<http://errata.software-univention.de/ucs/4.2/232.html>