# samba-tool segfault (Samba 4.4)



## von_Gaden (Mar 19, 2017)

Hi!

I've noticed that trying to provision AD DC with net/samba44 ends up with segmentation fault. Higher debug level gives:

```
Finding user Administrator
Trying _Get_Pwnam(), username as lowercase is administrator
Trying _Get_Pwnam(), username as given is Administrator
Trying _Get_Pwnam(), username as uppercase is ADMINISTRATOR
Checking combinations of 0 uppercase letters in administrator
Get_Pwnam_internals didn't find user [Administrator]!
Segmentation fault (core dumped)
```

Similar problems occur with other `samba-tool` subcommands such as `samba-tool dbcheck`.
The error reoccurs on different machines so I think it's a bug. I'd like to hear about your experience.

The only way for the things to work is to install net/samba43. 

By the way the current version of Samba is 4.6, but our ports are stuck with 4.4.8...


----------



## justwantask (Mar 19, 2017)

True, can someone please port new versions of Samba? It seems the maintainer hasn't time for it.


----------



## Dutchman01 (Mar 21, 2017)

Ticket PR 217616 already opened, so far not a lot take notice.

https://bugs.freebsd.org/bugzilla/buglist.cgi?quicksearch=samba&list_id=163750


----------



## Dutchman01 (Mar 22, 2017)

Update, new samba45 and 46 ports are now coming soon


----------



## Dutchman01 (Mar 30, 2017)

They are in ports now.


----------



## von_Gaden (Apr 11, 2017)

That's great! They are also in packages.

But there is (yet another) problem with net/samba46: trying
`samba-tool domain provision` or `samba-tool domain provision --use-rfc2307 --interactive`

```
...
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
set_nt_acl_no_snum: fset_nt_acl returned NT_STATUS_INVALID_PARAMETER.
ERROR(runtime): uncaught exception - (-1073741811, 'Unexpected information received')
  File "/usr/local/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/samba/netcmd/domain.py", line 471, in run
    nosync=ldap_backend_nosync, ldap_dryrun_mode=ldap_dryrun_mode)
  File "/usr/local/lib/python2.7/site-packages/samba/provision/__init__.py", line 2175, in provision
    skip_sysvolacl=skip_sysvolacl)
  File "/usr/local/lib/python2.7/site-packages/samba/provision/__init__.py", line 1806, in provision_fill
    names.domaindn, lp, use_ntvfs)
  File "/usr/local/lib/python2.7/site-packages/samba/provision/__init__.py", line 1593, in setsysvolacl
    service=SYSVOL_SERVICE)
  File "/usr/local/lib/python2.7/site-packages/samba/ntacls.py", line 162, in setntacl
    smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd, service=service)
```
No difference if net/samba46 is built via ports or installed as package.

This works fine with net/samba45 on the same system.


----------



## Paul-LKW (Mar 31, 2018)

It is already April of 2018 and it seems no one could solve this problem, as I just met the same issue today under Samba 4.6!!!

Disappointed


----------



## freemicom (Apr 9, 2018)

Paul-LKW said:


> It is already April of 2018 and it seems no one could solve this problem, as I just met the same issue today under Samba 4.6!!!
> 
> Disappointed



I'm with you! I ran into that error while trying to set up an AD controller some days ago. And it's present under Samba 4.7 and 4.8. An extra pressure: Samba 4.5 is EOL mid-June this year, so there is no safe way to run an AD controller on FreeBSD.
All I could find on Google was a thread on the Samba mailing list from two or three weeks ago: the last message was "Your system (FreeBSD) is not posix compatible". Firing up portmaster net/samba47 doesn't show any options to turn off POSIX ACLs. I've checked the GUI of FreeNAS and to my understanding they can at least join an AD domain. Does this mean the end of AD master controllers on FreeBSD?
Greetings,

Mike


----------



## Paul-LKW (Apr 13, 2018)

Hi All:
There is good news: I just tried out Samba 4.8 and it all worked.

Paul.LKW


----------



## freemicom (Apr 23, 2018)

Paul-LKW said:


> There is good news: I just tried out Samba 4.8 and it all worked.


Hi Paul,
could you please tell me which way you had configured or installed your setup? With a fresh FreeBSD 11.1 and pkg install samba48 the command
`samba-tool domain provision --use-rfc2307 --interactive`
still produces the old "NT_STATUS_INVALID_PARAMETER" error for me. Which backend do you use for instance?

Greetings,

Mike


----------



## Paul-LKW (Apr 23, 2018)

Hi Mike:
I am still using 10.4 only.

Samba-4.8 is running and I also tried to create 2 VMs and joined this DC too.

Suggestion is you should try to delete the /var/db/samba/* and re-run the samba-tool again.
Look forward to hearing your good news to make it work.


----------



## freemicom (Apr 24, 2018)

Paul-LKW said:


> Hi Mike:
> I am still using 10.4 only.


Hi Paul,
thanks for the reply. It is true, in 10.4 everything is fine. I've tested cleaning the /var/db/samba4 directory but no luck. As far as I could find out the problem starts with 11.x. On the other hand, according to the FreeBSD support lifecycles, 10.4 is EOL in October. So when I set up a new server at a customer location it's no longer an option. The error must be fixed in the 11.x branch.

Greetings,
Mike


----------



## zirias@ (May 14, 2018)

Any news on this issue? Would it be a good idea to try the patch from
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=220844
on net/samba48? What makes this patch "unsafe"?


----------



## SirDice (May 14, 2018)

The error is caused because FreeBSD doesn't enable POSIX ACLs by default. 

13.9. Access Control Lists


----------



## zirias@ (May 14, 2018)

I'm not so sure about that...


```
vmhost# zfs get aclmode,aclinherit /var/jail/addc/var
NAME                 PROPERTY    VALUE          SOURCE
zroot/jail/addc/var  aclmode     passthrough    inherited from zroot
zroot/jail/addc/var  aclinherit  passthrough    inherited from zroot
```

Is this configuration wrong? Trying to provision a domain in this jail gives the error message from post #6. Trying the patch now...


----------



## SirDice (May 14, 2018)

I haven't tried it on ZFS. I just came across the same error this weekend when I tried to set up a Samba 4.8 ADS. In my case it was because the POSIX ACLs weren't enabled on the UFS filesystem.

While it's about migrating from an old Samba to a new one, this page provided me a lot of information: https://wiki.freebsd.org/Samba4ZFS


----------



## zirias@ (May 14, 2018)

Thanks, I've already found this wiki page. It suggests using UFS on a zvol .... I'd prefer not to do this though, but if it's the only way .... Unfortunately, the patch doesn't change anything for me.

Is there any restriction on using ACLs in jails?


----------



## zirias@ (May 14, 2018)

Finally found the bug report that seems to apply here:

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=225676

So, no way to get this working right now. I just left a comment and, in an attempt to get at least _some_ insight, started a build with some added `fprintf(stderr, ...)`s to lib/replace/xattr.c -- we will see. Otherwise, the only option for a jailed AD DC would be to go down all the way to Samba 4.6.


----------



## zirias@ (May 14, 2018)

Zirias said:


> [...] the only option for a jailed AD DC would be to go down all the way to samba 4.6


Which won't work, either. Samba 4.6 can't work with ZFS ACLs. Ok, now building samba 4.7.3 *) -- this is probably not recommended at all because of CVE-2018-1057 -- but might be ok for a DC in a protected network used only by a few trustworthy persons -- oh, my, I really hope this situation will improve soon.

*) JFTR, I can confirm 4.7.3 successfully provisions the AD DC in a jail on ZFS.


----------



## SirDice (May 15, 2018)

As this is a new setup, I would suggest using Samba 4.8. Samba 4.7 is in "maintenance" mode now, 4.8 is the current stable version.

https://wiki.samba.org/index.php/Samba_Release_Planning


----------



## zirias@ (May 15, 2018)

Of course, I could test whether it would indeed work with sysvol on UFS ... might be the better option after all, but it's kind of sad.

Unfortunately, even on UFS, it doesn't work. samba-tool from samba48 segfaults instead of giving any message.


----------



## SirDice (May 15, 2018)

Zirias said:


> Unfortunately, even on UFS, it doesn't work. samba-tool from samba48 segfaults instead of giving any message.


It works just fine but you *must* turn on ACLs on the filesystem (it's disabled by default):  13.9. Access Control Lists. I recommend using tunefs(8) to enable it on the filesystem.


----------



## zirias@ (May 15, 2018)

SirDice said:


> It works just fine but you *must* turn on ACLs on the filesystem


Isn't setting the mount option enough for UFS? That's what I did. And no, it just segfaulted, but I didn't try it outside of a jail...


----------



## freemicom (May 29, 2018)

Hi,
finally found the time to do some tests. Yes, Samba AD works with FreeBSD 11.1 on UFS and ACLs activated with tunefs. I've installed Samba 4.8 outside of a jail with `pkg install samba48` and then walked through the AD setup without any issues. Thanks all, seems like I'm a bit too fixed on ZFS to come up with this conclusion...

Best regards,

Mike
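
Added example, not part of any post in this thread: a pre-flight check to run before `samba-tool domain provision` that reads `mount` output and reports which ACL flavour is enabled on the filesystem holding a given path. The sample mount lines are constructed, and the helper names `acl_type_for` and `preflight` and the checked path are assumptions.

```shell
#!/bin/sh
# Constructed sample of FreeBSD `mount` output (not taken from the thread).
SAMPLE_MOUNT='/dev/ada0p2 on / (ufs, local, journaled soft-updates)
/dev/ada0p4 on /var/db/samba4 (ufs, local, soft-updates, acls)
zroot/jail/addc/var on /var/jail/addc/var (zfs, local, noatime, nfsv4acls)'

# acl_type_for PATH MOUNT_OUTPUT  (hypothetical helper)
# Prints posix1e, nfsv4, none or unknown for the filesystem holding PATH,
# picked as the longest mount point that is a prefix of PATH.
# Assumes mount points contain no whitespace.
acl_type_for() {
    printf '%s\n' "$2" | awk -v p="$1" '
    $2 == "on" {
        mp = $3
        # PATH is on this filesystem if it is the mount point or lies below it.
        hit = (mp == "/" || p == mp || index(p, mp "/") == 1)
        if (hit && length(mp) > best) {
            best = length(mp)
            opts = $0
            sub(/^[^(]*\(/, "", opts)
            sub(/\)$/, "", opts)
            n = split(opts, o, /, */)
            kind = "none"
            for (i = 1; i <= n; i++) {
                if (o[i] == "acls") kind = "posix1e"      # UFS POSIX.1e ACLs
                if (o[i] == "nfsv4acls") kind = "nfsv4"   # NFSv4 ACLs, as on ZFS
            }
        }
    }
    END { print (best ? kind : "unknown") }'
}

# preflight PATH MOUNT_OUTPUT  (hypothetical helper)
# Returns 0 only for the combination the thread confirms working on 11.1
# with samba48: POSIX.1e ACLs enabled on the filesystem.
preflight() {
    case $(acl_type_for "$1" "$2") in
        posix1e) echo "OK: POSIX.1e ACLs enabled for $1" ;;
        nfsv4)   echo "WARN: NFSv4 ACLs on $1; the thread reports provisioning failures on ZFS" >&2; return 1 ;;
        none)    echo "FAIL: no ACLs on $1; enable them first, e.g. tunefs -a enable" >&2; return 1 ;;
        *)       echo "FAIL: no mount entry covers $1" >&2; return 1 ;;
    esac
}

# On a live host, pass "$(mount)" instead of the sample.
preflight /var/db/samba4 "$SAMPLE_MOUNT"
```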


----------

