Bug 10730 - Samba4, when with 2003 default level, dies when IPv6 is enabled.
Status: NEEDINFO
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Other
Version: 4.1.6
Hardware: All Linux
Importance: P5 minor
Target Milestone: ---
Assigned To: Andrew Bartlett
QA Contact: Samba QA Contact
Reported: 2014-07-19 16:49 UTC by Thiago Martins
Modified: 2014-08-25 15:14 UTC

Description Thiago Martins 2014-07-19 16:49:03 UTC
Hello guys,

I'm playing with Ubuntu 14.04 + Samba4 and, with IPv4, it works great but, when we enable IPv6, nothing works.

Here is how to reproduce it:

Summary of the procedure that works (IPv4-Only):

Quick Guide I'm using:

http://www.tiltingatlinux.com/2014/04/basic-samba4-domain-controler-on-ubuntu.html

---
1- Install Ubuntu 14.04;

2- Configure /etc/hosts & /etc/network/interfaces accordingly;

4- Install Samba4, like this: "apt-get install samba krb5-user smbclient";

5- Provision domain with: "samba-tool domain provision --realm domain.com.br --domain DOMAIN --adminpass Test1234Lol --server-role=dc --use-rfc2307";

6- Reboot & Done!
---

Everything works as expected, under 2003 level, but, since my network is based on IPv6, I need to enable it in Samba and then... It does not work...

Summary of the procedure that does not work (Dual-Stacked):

---
1- Install Ubuntu 14.04;

2- Configure /etc/hosts & /etc/network/interfaces, like this:

-----
auto eth0

iface eth0 inet6 static
 address 2008:xxx:200:3f6::10
 netmask 64
 gateway 2008:xxx:200:3f6::1

iface eth0 inet static
 address 192.168.1.221
 netmask 24
 gateway 192.168.1.1
 dns-domain domain.com.br
 dns-search domain.com.br
 dns-nameservers 192.168.1.221

-- hosts:

127.0.0.1	localhost.localdomain	localhost
2008:xxx:200:3f6::10 ubuntu-ad-1.domain.com.br	ubuntu-ad-1
192.168.1.221	ubuntu-ad-1.domain.com.br	ubuntu-ad-1
-----

4- Install Samba4, like this: "apt-get install samba krb5-user smbclient";

5- Provision domain with: "samba-tool domain provision --realm domain.com.br --domain DOMAIN --adminpass Test1234Lol --server-role=dc --use-rfc2307";

6- Reboot and... Nothing is working, Samba isn't listening on 53, 389, etc...
---

---
More tests #1:

I'm considering this as a security flaw in Samba4 on top of Ubuntu 14.04!

But, why!?

Simple:

- If someone (network team) starts the IPv6 RA daemon (radvd) within your network, where you have "Samba4 AD DC" up and running (2003 level), then, it will, somehow, crash Samba (it will not restart anymore)...

These days it is pretty normal to enable radvd on Corporate Networks...

Also, if an attacker wants to just impact your Samba4 network, he just needs to start the radvd somewhere within your network... This way, if the admin then tries to reboot / restart Samba4, it will not come up again. Until you disable IPv6...
---

---
More tests #2:

To make Samba4 safer against this problem (that comes by default, 2003 level), we need to provision the domain passing the following option: "--function-level=2008_R2" to samba-tool.

Example with IPv6 working on Samba4 AD DC:

---
samba-tool domain provision --realm domain.com.br --domain DOMAIN --adminpass Test1234Lol --server-role=dc --use-rfc2307 --function-level=2008_R2
---

This way, Samba4 will behave okay when you have IPv6 on your network.

Samba4 AD DC with IPv6 enabled:

---
root@ubuntu-ad-1:~# host -t SRV _ldap._tcp.domain.com.br
_ldap._tcp.domain.com.br has SRV record 0 100 389 ubuntu-ad-1.domain.com.br.

root@ubuntu-ad-1:~# host ubuntu-ad-1.domain.com.br
ubuntu-ad-1.domain.com.br has address 192.168.1.221
ubuntu-ad-1.domain.com.br has IPv6 address 2008:xxx:200:3f6::10
---

Also, I noted that the 2008_R2 level does NOT fix this if you just try to "raise up" your "Samba AD DC", after enabling IPv6, for example, by doing:

-
samba-tool domain level raise --domain-level 2008_R2 --forest-level 2008_R2
-

It will not fix the problem... You need to start from scratch, using 2008_R2 level from the beginning, to not hit this problem.

So, this is still a BUG but, less serious if you do not use the "defaults" to provision your domain at first...
---

Conclusion:

The default "2003 level" seems to have a BUG if IPv6 becomes enabled; it might be used as an attack vector, just to mess things up.

Regards,
Thiago
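
A post-provision check for the two conditions described in the report above, as an added example that is not part of the original report or of Samba's tooling: which interfaces still accept Router Advertisements, and whether the DC's TCP listeners on 53 and 389 exist for both address families. The function names and the sample `ss -ltn` output are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the bug report or from Samba.

# Reads `ss -ltn` output on stdin; prints "family:port" for every expected
# TCP listener that is absent. Defaults are the ports the report names.
missing_listeners() {
    awk -v ports="${1:-53 389}" '
        $1 == "LISTEN" {
            port = $4; sub(/.*:/, "", port)        # text after the last colon
            host = $4; sub(/:[^:]*$/, "", host)    # address part before it
            fam = (index(host, ":") > 0) ? "ipv6" : "ipv4"
            seen[fam ":" port] = 1
        }
        END {
            n = split(ports, p, " ")
            for (i = 1; i <= n; i++) {
                k4 = "ipv4:" p[i]; k6 = "ipv6:" p[i]
                if (!(k4 in seen)) print k4
                if (!(k6 in seen)) print k6
            }
        }'
}

# Prints interfaces whose accept_ra sysctl is non-zero. The directory argument
# exists only so the function can be pointed at a test tree.
ra_accepting_ifaces() {
    conf="${1:-/proc/sys/net/ipv6/conf}"
    for f in "$conf"/*/accept_ra; do
        [ -r "$f" ] || continue
        if [ "$(cat "$f")" != "0" ]; then basename "$(dirname "$f")"; fi
    done
}

# Constructed `ss -ltn` samples: a dual-stack DC, and a host where only sshd is up.
sample_healthy() {
    printf '%s\n' 'State Recv-Q Send-Q Local Address:Port Peer Address:Port' \
        'LISTEN 0 10 192.168.1.221:53 0.0.0.0:*' 'LISTEN 0 10 [::]:53 [::]:*' \
        'LISTEN 0 128 0.0.0.0:389 0.0.0.0:*' 'LISTEN 0 128 [::]:389 [::]:*'
}
sample_down() {
    printf '%s\n' 'LISTEN 0 128 0.0.0.0:22 0.0.0.0:*' 'LISTEN 0 128 [::]:22 [::]:*'
}

if [ "${1:-}" = "--live" ]; then      # run against this host
    ss -ltn | missing_listeners
    ra_accepting_ifaces
else
    sample_down | missing_listeners   # prints the four missing listeners
fi
```

Run with `--live` on the DC after a restart; empty output from `missing_listeners` means every expected listener is present for both families.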
Comment 1 Jelmer Vernooij 2014-08-24 20:48:28 UTC
Downgrading, I don't see why this is a security issue.
Comment 2 Jelmer Vernooij 2014-08-24 20:49:03 UTC
You say Samba dies. What does it say in the logs? Does it segfault, or does it exit in some other way?
Comment 3 Thiago Martins 2014-08-24 21:18:54 UTC
(In reply to comment #2)
> You say Samba dies. What does it say in the logs? Does it segfault, or does it
> exit in some other way?

I mean, if an IPv6 address appears (like if a radvd starts on your LAN), then, Samba (2003 level) will not start anymore, after a reboot or "service samba-ad-dc restart".

I'm seeing as a security issue because it can be use as an attack vector, just to mess things up... If someone starts a radvd at your LAN, then, this will prevent you from starting up your Samba again. Assuming that almost all Linux distros accept RA (SLAAC) by default.
Comment 4 Thiago Martins 2014-08-24 23:05:05 UTC
(In reply to comment #3)
> (In reply to comment #2)
> > You say Samba dies. What does it say in the logs? Does it segfault, or does it
> > exit in some other way?
> 
> I mean, if an IPv6 address appears (like if a radvd starts on your LAN), then,
> Samba (2003 level) will not start anymore, after a reboot or "service
> samba-ad-dc restart".
> 
> I'm seeing as a security issue because it can be use as an attack vector, just
> to mess things up... If someone starts a radvd at your LAN, then, this will
> prevent you from starting up your Samba again. Assuming that almost all Linux
> distros accept RA (SLAAC) by default.


BTW, please, forgive my poor English...

"I'm seeing it as a security issue because it can be used as an attack vector, just..."
Comment 5 Jelmer Vernooij 2014-08-25 08:05:18 UTC
How does Samba die, does it segfault? What is there in the logs?

Samba works absolutely fine with IPv6 on my network, and I know in many more networks with IPv6.
Comment 6 Thiago Martins 2014-08-25 15:14:13 UTC
(In reply to comment #5)
> How does Samba die, does it segfault? What is there in the logs?
> 
> Samba works absolutely fine with IPv6 on my network, and I know in many more
> networks with IPv6.

Jelmer,

Samba works fine with IPv6 in my network too, but only with "+2008 Level". The "2003 Level" (the default) does not work with IPv6, Samba4 AD DC daemons (2003) didn't even start up.

I'll try it again with Samba 4.1.11 this week.

I backported it to Trusty: http://launchpad.net/~martinx/+archive/ubuntu/ig

Then, I'll post more info and log files.