The Samba-Bugzilla – Bug 11948
Total dcerpc response payload more than 0x400000
Last modified: 2016-07-08 07:16:29 UTC
While joining a Samba DC (version 4.4.3) to an existing Windows domain (Windows 2012 R2 with schema 2008 R2 and Exchange), we got the following problem:

...
Replicated 72 objects (12 linked attributes) for DC=xx,DC=xxx,DC=ru
Unexpected total payload 0x4010E0 > 0x400000 dcerpc response
ERROR(runtime): uncaught exception - (-1073610723, 'An RPC protocol error occurred.')
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/domain.py", line 651, in run
    machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
  File "/usr/lib64/python2.7/site-packages/samba/join.py", line 1192, in join_DC
    ctx.do_join()
  File "/usr/lib64/python2.7/site-packages/samba/join.py", line 1096, in do_join
    ctx.join_replicate()
  File "/usr/lib64/python2.7/site-packages/samba/join.py", line 838, in join_replicate
    replica_flags=ctx.domain_replica_flags)
  File "/usr/lib64/python2.7/site-packages/samba/drs_utils.py", line 253, in replicate
    (level, ctr) = self.drs.DsGetNCChanges(self.drs_handle, req_level, req)

checking sAMAccountName

https://lists.samba.org/archive/samba-technical/2016-June/114322.html

This restriction was added for the security issues in CVE-2015-5370 in commit 22ab56d5.
(In reply to Evgeny Sinelnikov from comment #0)
> So we could think, that constant
> DCERPC_NCACN_PAYLOAD_MAX_SIZE = 0x400000; /* 4 MByte */
> is not absolutely right.
>
> It would be correct to simply increase this constant?

I'd try to avoid that without understanding it.

I added some tests to verify that a server doesn't accept more than 4 Mbyte per pdu.

From [MS-RPCE] 3.3.3.5.4 Maximum Server Input Data Size

The combined length of the stub data for all fragments of a request SHOULD not exceed 4 megabytes. If it exceeds 4 megabytes, the server implementation SHOULD return a fault packet with the status field set to 0x00000005.<124>

...

<124> Section 3.3.3.5.4: This behavior can be turned off by higher-level protocols or machine configuration. Note that the limit on Windows 2000 is 1 megabyte; Windows NT 4.0 does not implement such a limit.

I think we need to ask Microsoft about the limit for [MS-DRSR].

In our source3 code we use 15 MByte

#define MAX_RPC_DATA_SIZE (15*1024*1024)
(In reply to Stefan Metzmacher from comment #1) We may also end up using different values on client and server
I changed it to 0x800000 (8Mb) and it works for me now.
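The limit discussed in the comments above, as an added example that is not part of this thread and is not Samba's code: a receiver accounts for each fragment's stub data against a per-direction total before accepting it, so a 0x4010E0-byte response is rejected under a 0x400000 limit and accepted under 0x800000. All `ex_`/`EX_` names and the fragment sizes are constructed for illustration; only the two limits, the reported total and the fault status come from the page.

```c
#include <stddef.h>
#include <stdio.h>

/* Names are constructed for this example; only the values come from the thread. */
#define EX_PAYLOAD_MAX_SIZE 0x400000u   /* 4 MByte limit discussed in this bug */
#define EX_FAULT_STATUS     0x00000005u /* fault status quoted from [MS-RPCE] 3.3.3.5.4 */

enum ex_state { EX_MORE, EX_COMPLETE, EX_TOO_LARGE };

struct ex_reassembly {
    size_t max_total; /* limit for this direction; client and server may differ */
    size_t total;     /* stub bytes accepted so far */
    enum ex_state state;
};

/* Account for one fragment's stub data before it is copied anywhere. */
static enum ex_state ex_add_fragment(struct ex_reassembly *r, size_t stub_len, int last)
{
    if (r->state != EX_MORE)
        return r->state;                 /* finished or already rejected */
    /* Compare against the remaining budget so total + stub_len cannot wrap. */
    if (stub_len > r->max_total - r->total)
        return r->state = EX_TOO_LARGE;  /* a server would fault with EX_FAULT_STATUS */
    r->total += stub_len;
    return r->state = last ? EX_COMPLETE : EX_MORE;
}

/* Replay nfrags fragments of frag_len bytes followed by a final one of tail_len. */
static struct ex_reassembly ex_replay(size_t frag_len, size_t nfrags,
                                      size_t tail_len, size_t max_total)
{
    struct ex_reassembly r = { max_total, 0, EX_MORE };
    for (size_t i = 0; i < nfrags && r.state == EX_MORE; i++)
        ex_add_fragment(&r, frag_len, 0);
    ex_add_fragment(&r, tail_len, 1);
    return r;
}

int main(void)
{
    /* Constructed fragment sizes that sum to the 0x4010E0 total from the report. */
    struct ex_reassembly a = ex_replay(0x1000, 0x400, 0x10E0, EX_PAYLOAD_MAX_SIZE);
    struct ex_reassembly b = ex_replay(0x1000, 0x400, 0x10E0, 0x800000);
    printf("limit 0x%x: state=%d total=0x%zx\n", EX_PAYLOAD_MAX_SIZE, a.state, a.total);
    printf("limit 0x800000: state=%d total=0x%zx\n", b.state, b.total);
    return 0;
}
```

Checking the remaining budget rather than the running sum keeps the comparison safe even when a fragment header claims a length near `SIZE_MAX`.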
*** Bug 11987 has been marked as a duplicate of this bug. ***
Created attachment 12201 [details]
Patch from metze for master

This should be in master shortly.
Created attachment 12208 [details] Patches for v4-4-test
Created attachment 12210 [details] Patches for v4-3-test
Created attachment 12212 [details] Patches for v4-2-test
Pushed to autobuild-v4-[4|3]-test. 4.2 is in the security fixes mode. Or should this one be included in the next 4.2 security release?
This isn't a security fix for 4.2, so I don't think it should go in the security release. We can leave it as a feature fix for anyone shipping an AD-DC on 4.2.x.
(In reply to Jeremy Allison from comment #10) It just means have a choice and need to revert to a pre-badlock version, I don't think that's a good idea.
If it would mean losing the badlock protection then I'm OK with it as a security-fix for 4.2.next.
Comment on attachment 12208 [details] Patches for v4-4-test LGTM
Pushed to v4-[4|3]-test and applied on v4-2-stable.
Pushed to all branches. Closing out bug report. Thanks!