Hello guys, I'm playing with Ubuntu 14.04 + Samba4 and, with IPv4, it works great but, when we enable IPv6, nothing works. Here is how to reproduce it: Resume of the procedure that works (IPv4-Only): Quick Guide I'm using: http://www.tiltingatlinux.com/2014/04/basic-samba4-domain-controler-on-ubuntu.html --- 1- Install Ubuntu 14.04; 2- Configure /etc/hosts & /etc/network/interfaces according; 4- Install Samba4, like this: "apt-get install samba krb5-user smbclient"; 5- Provision domain with: "samba-tool domain provision --realm domain.com.br --domain DOMAIN --adminpass Test1234Lol --server-role=dc --use-rfc2307"; 6- Reboot & Done! --- Everything works as expected, under 2003 level, but, since my network is based on IPv6, I need to enable it in Samba and then... It does not work... Resume of the procedure that does not work (Dual-Stacked): --- 1- Install Ubuntu 14.04; 2- Configure /etc/hosts & /etc/network/interfaces, like this: ----- auto eth0 iface eth0 inet6 static address 2008:xxx:200:3f6::10 netmask 64 gateway 2008:xxx:200:3f6::1 iface eth0 inet static address 192.168.1.221 netmask 24 gateway 192.168.1.1 dns-domain domain.com.br dns-search domain.com.br dns-nameservers 192.168.1.221 -- hosts: 127.0.0.1 localhost.localdomain localhost 2008:xxx:200:3f6::10 ubuntu-ad-1.domain.com.br ubuntu-ad-1 192.168.1.221 ubuntu-ad-1.domain.com.br ubuntu-ad-1 ----- 4- Install Samba4, like this: "apt-get install samba krb5-user smbclient"; 5- Provision domain with: "samba-tool domain provision --realm domain.com.br --domain DOMAIN --adminpass Test1234Lol --server-role=dc --use-rfc2307"; 6- Reboot and... Nothing is working, Samba isn't listening on 53, 389, etc... --- --- More tests #1: I'm considering this as a security flaw in Samba4 on top of Ubuntu 14.04! But, why!? Simple: - If someone (network team) starts the IPv6 RA daemon (radvd) within your network, where you have "Samba4 AD DC" up and running (2003 level), then, it will, somehow, crash Samba (it will not restart anymore)... These days is pretty normal to enable radvd on Corporate Networks... Also, if an attacker wants to just impact your Samba4 network, he just needs to start the radvd somewhere within your network... This way, if the admin then tries to reboot / restart Samba4, it will not come up again. Until you disable IPv6... --- --- More tests #2: To make Samba4 safer against this problem (that come by default, 2003 level), we need to provision the domain passing the following option: "--function-level=2008_R2" to samba-tool. Example with IPv6 working on Samba4 AD DC: --- samba-tool domain provision --realm domain.com.br --domain DOMAIN --adminpass Test1234Lol --server-role=dc --use-rfc2307 --function-level=2008_R2 --- This way, Samba4 will behave okay when you have IPv6 on your network. Samba4 AD DC with IPv6 enabled: --- root@ubuntu-ad-1:~# host -t SRV _ldap._tcp.domain.com.br _ldap._tcp.domain.com.br has SRV record 0 100 389 ubuntu-ad-1.domain.com.br. root@ubuntu-ad-1:~# host ubuntu-ad-1.domain.com.br ubuntu-ad-1.domain.com.br has address 192.168.1.221 ubuntu-ad-1.domain.com.br has IPv6 address 2008:xxx:200:3f6::10 --- Also, I noted that, 2008_R2 level do NOT fix this if you just tries to "raise up" your "Samba AD DC", after enabling IPv6, for example, by doing: - samba-tool domain level raise --domain-level 2008_R2 --forest-level 2008_R2 - It will not fix the problem... You need to start from scratch, using 2008_R2 level from the beginning, to not hit this problem. So, this is still a BUG but, less serious if you not use the "defaults" to provision your domain at first... --- Conclusion: The default "2003 level" seems to have a BUG if IPv6 becomes enabled, it might be used as an attack vector, just to mess things up. Regards, Thiago
Downgrading, I don't see why this is a security issue.
You say Samba dies. What does it say in the logs? Does it segfault, or does it exit in some other way?
(In reply to comment #2) > You say Samba dies. What does it say in the logs? Does it segfault, or does it > exit in some other way? I mean, if an IPv6 address appear (like if a radvd starts on your LAN), then, Samba (2003 level) will not start anymore, after a reboot or "service samba-ad-dc restart". I'm seeing as a security issue because it can be use as an attack vector, just to mess things up... If someone start a radvd at your LAN, then, this will prevent you from start up your Samba again. Assuming that almost all Linux distros accepts RA (SLAAC) by default.
(In reply to comment #3) > (In reply to comment #2) > > You say Samba dies. What does it say in the logs? Does it segfault, or does it > > exit in some other way? > > I mean, if an IPv6 address appear (like if a radvd starts on your LAN), then, > Samba (2003 level) will not start anymore, after a reboot or "service > samba-ad-dc restart". > > I'm seeing as a security issue because it can be use as an attack vector, just > to mess things up... If someone start a radvd at your LAN, then, this will > prevent you from start up your Samba again. Assuming that almost all Linux > distros accepts RA (SLAAC) by default. BTW, please, forgive my poor English... "I'm seeing it as a security issue because it can be used as an attack vector, just..."
How does Samba die, does it segfault? What is there in the logs? Samba works absolutely fine with IPv6 on my network, and I know in many more networks with IPv6.
(In reply to comment #5) > How does Samba die, does it segfault? What is there in the logs? > > Samba works absolutely fine with IPv6 on my network, and I know in many more > networks with IPv6. Jelmer, Samba works fine with IPv6 in my network too, but only when with "+2008 Level". The "2003 Level" (the default) does not work with IPv6, Samba4 AD DC daemons (2003) didn't even starts up. I'll try it again with Samba 4.1.11 this week. I backported it to Trusty: http://launchpad.net/~martinx/+archive/ubuntu/ig Then, I'll post more info and log files.
please reopen and attach crash log files if this still happens with latest samba releases.