The Samba-Bugzilla – Bug 11948
Total dcerpc response payload more than 0x400000
Last modified: 2016-07-08 07:16:29 UTC
While joining a Samba DC (version 4.4.3) to an existing Windows domain (Windows 2012 R2 with schema 2008 R2 and Exchange) we got the following problem:
Replicated 72 objects (12 linked attributes) for DC=xx,DC=xxx,DC=ru
Unexpected total payload 0x4010E0 > 0x400000 dcerpc response
ERROR(runtime): uncaught exception - (-1073610723, 'An RPC protocol
line 175, in _run
return self.run(*args, **kwargs)
line 651, in run
machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
File "/usr/lib64/python2.7/site-packages/samba/join.py", line 1192, in join_DC
File "/usr/lib64/python2.7/site-packages/samba/join.py", line 1096, in do_join
File "/usr/lib64/python2.7/site-packages/samba/join.py", line 838,
File "/usr/lib64/python2.7/site-packages/samba/drs_utils.py", line
253, in replicate
(level, ctr) = self.drs.DsGetNCChanges(self.drs_handle, req_level, req)
This restriction was added for the security issues in CVE-2015-5370 in commit 22ab56d5.
(In reply to Evgeny Sinelnikov from comment #0)
> So we could think, that constant
> DCERPC_NCACN_PAYLOAD_MAX_SIZE = 0x400000; /* 4 MByte */
> is not absolutely right.
> Would it be correct to simply increase this constant?
I'd try to avoid that without understanding it.
I added some tests to verify that a server doesn't accept more than
4 Mbyte per pdu.
184.108.40.206.4 Maximum Server Input Data Size
The combined length of the stub data for all fragments of a request SHOULD
not exceed 4 megabytes. If it exceeds 4 megabytes, the server implementation
SHOULD return a fault packet with the status field set to 0x00000005.<124>
<124> Section 220.127.116.11.4: This behavior can be turned off by higher-level
protocols or machine configuration. Note that the limit on Windows 2000 is 1
megabyte; Windows NT 4.0 does not implement such a limit.
I think we need to ask Microsoft about the limit for [MS-DRSR].
In our source3 code we use 15 MByte
#define MAX_RPC_DATA_SIZE (15*1024*1024)
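The cumulative check discussed in the comments above, as an added example (not Samba's code and not part of the original thread): a receiver sums fragment payload lengths and fails the call once a configurable limit is exceeded. The struct, the function names and the 0x1000 fragment size are assumptions made for illustration; the limits and the 0x4010E0 total are the values quoted in this report.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Limits quoted in the thread. */
#define PAYLOAD_MAX_4M 0x400000u /* DCERPC_NCACN_PAYLOAD_MAX_SIZE */
#define PAYLOAD_MAX_8M 0x800000u /* value the reporter tested */

/* Hypothetical per-call reassembly state (not Samba's own struct). */
struct reasm {
    size_t max_total; /* limit for this call, chosen by the caller */
    size_t total;     /* payload bytes accepted so far */
};

/* Account for one fragment; false means the call must be failed. */
bool reasm_add(struct reasm *r, size_t frag_len)
{
    /* Compare against the remaining room rather than computing
     * total + frag_len, which could wrap for a hostile length. */
    if (frag_len > r->max_total - r->total) {
        return false;
    }
    r->total += frag_len;
    return true;
}

/* Feed `payload` bytes in fragments of `frag` bytes (constructed input). */
bool accepts(size_t limit, size_t payload, size_t frag)
{
    struct reasm r = { .max_total = limit, .total = 0 };
    if (frag == 0) {
        return false; /* a zero-size fragment stream never terminates */
    }
    while (payload > 0) {
        size_t n = payload < frag ? payload : frag;
        if (!reasm_add(&r, n)) {
            return false;
        }
        payload -= n;
    }
    return true;
}

int main(void)
{
    /* 0x4010E0 is the total from the error message in the report. */
    printf("4M limit: %d\n", accepts(PAYLOAD_MAX_4M, 0x4010E0, 0x1000));
    printf("8M limit: %d\n", accepts(PAYLOAD_MAX_8M, 0x4010E0, 0x1000));
    return 0;
}
```

Because the limit is a field of the state rather than a global constant, a client and a server, or different interfaces, can use different values without weakening the bound on any one call.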
(In reply to Stefan Metzmacher from comment #1)
We may also end up using different values on client and server
I changed it to 0x800000 (8Mb) and it works for me now.
*** Bug 11987 has been marked as a duplicate of this bug. ***
Created attachment 12201
Patch from metze for master
This should be in master shortly.
Created attachment 12208
Patches for v4-4-test
Created attachment 12210
Patches for v4-3-test
Created attachment 12212
Patches for v4-2-test
Pushed to autobuild-v4-[4|3]-test.
4.2 is in the security fixes mode.
Or should this one be included in the next 4.2 security release?
This isn't a security fix for 4.2, so I don't think it should go in the security release. We can leave it as a feature fix for anyone shipping an AD-DC on 4.2.x.
(In reply to Jeremy Allison from comment #10)
It just means have a choice and need to revert to a pre-badlock version,
I don't think that's a good idea.
If it would mean losing the badlock protection then I'm OK with it as a security-fix for 4.2.next.
Comment on attachment 12208
Patches for v4-4-test
Pushed to v4-[4|3]-test and applied on v4-2-stable.
Pushed to all branches.
Closing out bug report.