Bug 11667 - Bad SMB2 signature for message when editing GPO (sysvol share)
Status: NEW
Product: Samba 4.1 and newer
Classification: Unclassified
Component: File services
Hardware: x64 Solaris
Importance: P5 normal
Assigned To: Samba QA Contact
QA Contact: Samba QA Contact
Reported: 2016-01-11 13:53 UTC by Jan Holzhüter
Modified: 2016-06-29 13:59 UTC

samba.log (104.32 KB, text/plain), 2016-01-11 13:53 UTC, Jan Holzhüter
tcpdump (35.41 KB, application/octet-stream), 2016-01-11 13:54 UTC, Jan Holzhüter
smb.conf (899 bytes, text/plain), 2016-01-11 13:54 UTC, Jan Holzhüter

Description Jan Holzhüter 2016-01-11 13:53:53 UTC
Created attachment 11765 [details]

When I want to create a new GPO with Windows 2008R2, Windows reports:
The program issued a command but the command length is incorrect.

Checking the Samba log, this translates to:
Bad SMB2 signature for message of size XXX

Other operations are fine. So it might be a problem with special smb2 package sizes or whatever.
Comment 1 Jan Holzhüter 2016-01-11 13:54:36 UTC
Created attachment 11766 [details]
Comment 2 Jan Holzhüter 2016-01-11 13:54:55 UTC
Created attachment 11767 [details]
Comment 3 Jan Holzhüter 2016-01-22 08:55:50 UTC
Has anybody had the chance to look at it yet?
I would like to get rid of my Windows 2003 just to edit GPO.
Comment 4 Jan Holzhüter 2016-04-27 09:56:01 UTC
Still present in 4.4.2. It would be nice if anyone could take a look at it.
Thank you
Comment 5 Jan Holzhüter 2016-06-27 14:45:00 UTC
Still present in 4.4.4.
Comment 6 Stefan Metzmacher 2016-06-28 18:30:49 UTC
(In reply to Jan Holzhüter from comment #3)

Why are you explicitly using the following options?

server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate, dns, smb
dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver, winreg, srvsvc

As you're using "smb" instead of "s3fs", you're getting the experimental,
discontinued "ntvfs" based smb server, which was a prototype of the
early Samba 4 development.

Typically you should just comment these lines out (or remove them).
Comment 7 Jan Holzhüter 2016-06-29 07:22:20 UTC
(In reply to Stefan Metzmacher from comment #6)

The config options come from calling:

samba-tool domain provision --use-rfc2307 --interactive --use-ntvfs

This is a Solaris 11 Server with zfs

samba-tool without use-ntvfs fails:

Initialising default vfs hooks
Initialising custom vfs hooks from [/[Default VFS]/]
Initialising custom vfs hooks from [acl_xattr]
Module 'acl_xattr' loaded
Initialising custom vfs hooks from [dfs_samba4]
Module 'dfs_samba4' loaded
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service Unknown Service (snum == -1)
ERROR(<class 'samba.provision.ProvisioningError'>): Provision failed - ProvisioningError: Samba was compiled without the posix ACL support that s3fs requires.  Try installing libacl1-dev or libacl-devel, then re-run configure and make.

Not sure if I could build libacl on Solaris (I could try), but actually that will not help, as ZFS does not use POSIX ACLs. It should probably just pull in the nfsv4_acl VFS hook (which is what ZFS uses for ACLs), I guess.

How do I achieve this with s3fs?
Or is this not possible yet?

Comment 8 Jan Holzhüter 2016-06-29 13:59:04 UTC
OK, after hacking more today,
I got it to work with s3fs.
Found this old mail thread:

with patches to hack around the samba-tool posix acl checks.
This is of course not a fix, and you still need to add
vfs objects = zfsacl

to your sysvol share.
To convert, you can then run:
samba-tool ntacl sysvolreset --use-s3fs

and all seems fine at the moment.
ntvfs still has the SMB sign bug. But I guess this is deprecated and will not be fixed.

So samba-tool should not be so restrictive but that's a different topic.


P.S. Up to you how to set that bug now.
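
A configuration check for the two points raised in comments 6 and 8, added here as an example and not part of the bug report or of Samba's own tooling: it reports when "server services" selects the ntvfs file server ("smb") and when the sysvol share lacks "vfs objects = zfsacl". It assumes sysvol is stored on ZFS as in the reporter's setup and that s3fs is the file server when "server services" is unset; the sample smb.conf text, the share path and the function names are constructed for illustration.

```python
import re

# Constructed samples: comment 6's "server services" line, then the state after comment 8.
SAMPLE_NTVFS = """\
[global]
    server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate, dns, smb
[sysvol]
    path = /example/sysvol
"""
SAMPLE_S3FS = """\
[global]
    workgroup = EXAMPLE
[sysvol]
    path = /example/sysvol
    vfs objects = zfsacl
"""

def parse_smb_conf(text):
    """Return {section: {parameter: value}} with lower-cased names."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][" ".join(key.lower().split())] = value.strip()
    return conf

def file_server(conf):
    """Which file server 'server services' selects: 'ntvfs', 's3fs' or 'none'."""
    value = conf.get("global", {}).get("server services", "")
    tokens = [t for t in re.split(r"[,\s]+", value) if t]
    # Assumption: +name/-name entries modify defaults (with s3fs); a plain list replaces them.
    services = {"s3fs"} if all(t[0] in "+-" for t in tokens) else set()
    for t in tokens:
        (services.discard if t[0] == "-" else services.add)(t.lstrip("+-"))
    return "ntvfs" if "smb" in services else "s3fs" if "s3fs" in services else "none"

def audit(text):
    """List findings for the ntvfs and sysvol-on-ZFS issues from the thread."""
    conf, findings = parse_smb_conf(text), []
    if file_server(conf) == "ntvfs":
        findings.append('server services includes "smb": ntvfs file server')
    if "zfsacl" not in conf.get("sysvol", {}).get("vfs objects", "").split():
        findings.append("[sysvol] lacks vfs objects = zfsacl")
    return findings
```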