Bug 45800 - Samba/AD RPC server crashes when Azure AD Connect reads from it
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Samba4
Version: UCS 4.2
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 4.2-3-errata
Assigned To: Arvid Requate
QA Contact: Felix Botner
URL: https://bugzilla.samba.org/show_bug.c...
Reported: 2017-11-29 20:49 CET by Arvid Requate
Modified: 2017-12-06 15:40 CET
What kind of report is it?: Bug Report
What type of bug is this?: 7: Crash: Bug causes crash or data loss
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain: 0.120
Ticket number: 2017112921000408
requate: Patch_Available+


Description Arvid Requate univentionstaff 2017-11-29 20:49:44 CET
The rpc_server process of Samba/AD 4.6.x dies due to a segmentation fault when Azure AD Connect is configured to use it as domain controller (AAD Connect in express setup configuration). log.samba shows a panic for the pid of that process and /core is written.

Analysis of the core file and Samba sources showed the origin of the problem, and the upstream Samba master branch has two commits that address this issue. It happens because AAD Connect apparently replicates with a non-admin user; see the description in the Samba bug (URL field above).

We've successfully tested AAD Connect with a patched version of Samba/AD, so it's probably a good idea to ship it as part of errata4.2-3. The package is already built in that scope.
Comment 1 Arvid Requate univentionstaff 2017-11-29 20:53:14 CET
Patches:
* 99_samba-master-0001-s4-drsuapi-Avoid-segfault-when-replicating-as-a-non-.quilt
* 99_samba-master-0002-s4-drsuapi-Use-sam_ctx-consistently-in-dcesrv_drsuap.quilt

Advisory: samba.yaml
Comment 2 Felix Botner univentionstaff 2017-11-30 15:09:55 CET
can be reproduced with

-> udm users/user create --set username=test1 --set lastname=test1 --set password=univention

# allow user drs get changes
-> samba-tool dsacl set --sddl='(A;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-3006362628-2186033213-1690935345-1110)' --objectdn=DC=four,DC=two -UAdministrator

-> python

from samba.credentials import Credentials, DONT_USE_KERBEROS
from samba import drs_utils
from samba.param import LoadParm
from samba.dcerpc import drsuapi, misc

samname = "test1"
acct_pass = "univention"
server = "10.200.7.50"
req_dn = 'DC=four,DC=two'
binding_options = "seal,print"

lp = LoadParm()
repl_creds = Credentials()
repl_creds.guess(lp)
repl_creds.set_kerberos_state(DONT_USE_KERBEROS)
repl_creds.set_username(samname)
repl_creds.set_password(acct_pass)


drs, drsuapi_handle, bind_supported_extensions = drs_utils.drsuapi_connect(server, lp, repl_creds)

req8 = drsuapi.DsGetNCChangesRequest8()
req8.destination_dsa_guid = misc.GUID()
req8.source_dsa_invocation_id = misc.GUID()
req8.naming_context = drsuapi.DsReplicaObjectIdentifier()
req8.naming_context.dn = req_dn
req8.extended_op = drsuapi.DRSUAPI_EXOP_NONE
req8.replica_flags = drsuapi.DRSUAPI_DRS_WRIT_REP


(level, ctr) = drs.DsGetNCChanges(drsuapi_handle, 8, req8)

Traceback (most recent call last):
  File "crash.py", line 36, in <module>
    (level, ctr) = drs.DsGetNCChanges(drsuapi_handle, 8, req8)
RuntimeError: (-1073741300, 'The transport connection is now disconnected.')

-> /var/log/samba/log.samba
[2017/11/30 15:07:34.658911,  0, pid=10567] ../lib/util/fault.c:78(fault_report)
  ===============================================================
[2017/11/30 15:07:34.659174,  0, pid=10567] ../lib/util/fault.c:79(fault_report)
  INTERNAL ERROR: Signal 11 in pid 10567 (4.6.1-Debian)
  Please read the Trouble-Shooting section of the Samba HOWTO
[2017/11/30 15:07:34.659429,  0, pid=10567] ../lib/util/fault.c:81(fault_report)
  ===============================================================
[2017/11/30 15:07:34.659582,  0, pid=10567] ../lib/util/fault.c:151(smb_panic_default)
  PANIC: internal error
[2017/11/30 15:07:34.704702,  0, pid=10548] ../source4/smbd/process_standard.c:127(standard_child_pipe_handler)
  Child 10567 (rpc) terminated with signal 6
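
Added example (not part of the original comment, and not Samba or UCS code): a small parser for the log.samba record format shown above that pairs each fault_report panic with the parent's "Child ... terminated" record, so a crashed service child such as this rpc task can be flagged from the log. The first sample record is constructed; the rest is abridged from the excerpt above.

```python
import re

# Sample input: first record is constructed, the rest is abridged from the log.samba excerpt.
SAMPLE_LOG = """\
[2017/11/30 15:07:30.000000,  3, pid=10548] ../example/constructed.c:1(constructed_record)
  unrelated message (constructed)
[2017/11/30 15:07:34.658911,  0, pid=10567] ../lib/util/fault.c:78(fault_report)
  ===============================================================
[2017/11/30 15:07:34.659174,  0, pid=10567] ../lib/util/fault.c:79(fault_report)
  INTERNAL ERROR: Signal 11 in pid 10567 (4.6.1-Debian)
[2017/11/30 15:07:34.659582,  0, pid=10567] ../lib/util/fault.c:151(smb_panic_default)
  PANIC: internal error
[2017/11/30 15:07:34.704702,  0, pid=10548] ../source4/smbd/process_standard.c:127(standard_child_pipe_handler)
  Child 10567 (rpc) terminated with signal 6
"""

# Record header: [timestamp, level, pid=N] source_file:line(function)
HEADER = re.compile(r"^\[(?P<ts>[\d/]+ [\d:.]+),\s*(?P<level>\d+), pid=(?P<pid>\d+)\] "
                    r"(?P<src>\S+):(?P<line>\d+)\((?P<func>\w+)\)\s*$")
FAULT = re.compile(r"INTERNAL ERROR: Signal (\d+) in pid (\d+) \(([^)]+)\)")
CHILD = re.compile(r"Child (\d+) \((\w+)\) terminated with signal (\d+)")

def parse_records(text):
    """Yield (header_fields, message_lines); indented lines belong to the last header."""
    current = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            if current:
                yield current
            current = (m.groupdict(), [])
        elif current and line.strip():
            current[1].append(line.strip())
    if current:
        yield current

def find_crashes(text):
    """Map crashed pid -> details, merging the child's fault report with the parent's exit record."""
    crashes = {}
    for hdr, lines in parse_records(text):
        msg = " ".join(lines)
        f, c = FAULT.search(msg), CHILD.search(msg)
        if f:  # written by the crashing child itself
            crashes.setdefault(int(f.group(2)), {}).update(
                fault_signal=int(f.group(1)), version=f.group(3), time=hdr["ts"])
        if c:  # written by the parent that reaped the child
            crashes.setdefault(int(c.group(1)), {}).update(
                task=c.group(2), exit_signal=int(c.group(3)), reported_by=int(hdr["pid"]))
    return crashes
```

Pass the contents of /var/log/samba/log.samba to find_crashes(); an entry with task "rpc" and fault_signal 11 matches the crash in this report.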
Comment 3 Felix Botner univentionstaff 2017-11-30 16:57:45 CET
OK - patches
OK - DsGetNCChanges as normal user
OK - sysvol replication
OK - installation/update
OK - winexe
OK - YAML
Comment 4 Arvid Requate univentionstaff 2017-12-06 15:40:22 CET
<http://errata.software-univention.de/ucs/4.2/232.html>