Bug 12946 - RPC Crash (due to Get-Changes privilege)
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: DCE-RPCs and pipes
Version: unspecified
Hardware: All All
Importance: P5 major
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
Depends on: 12977
Reported: 2017-08-03 20:46 UTC by Alex MacCuish
Modified: 2017-09-05 06:51 UTC

possible patch for master (1012 bytes, patch)
2017-08-03 23:57 UTC, Andrew Bartlett
Patch for 4.7-test (7.66 KB, patch)
2017-08-31 05:15 UTC, Garming Sam
abartlet: review+

Description Alex MacCuish 2017-08-03 20:46:32 UTC
On the latest 4.7 test branch, the rpc server crashes. I also experienced this with the master branch. Also present on other DCs at this version.

The message in the log is:
INTERNAL ERROR: Signal 11 in pid 29358 (4.7.0rc4-GIT-d77de9a)
Please read the Trouble-Shooting section of the Samba HOWTO
PANIC: internal error

Valgrind reports:
==29358== Invalid read of size 4
==29358==    at 0xCE87AEC: ldb_set_timeout (in /usr/local/samba/lib/private/libldb.so.1.2.1)
==29358==    by 0xCE87B52: ldb_set_timeout_from_prev_req (in /usr/local/samba/lib/private/libldb.so.1.2.1)
==29358==    by 0xCE89829: ldb_build_req_common (in /usr/local/samba/lib/private/libldb.so.1.2.1)
==29358==    by 0xCE8992F: ldb_build_search_req_ex (in /usr/local/samba/lib/private/libldb.so.1.2.1)
==29358==    by 0xCE89AA9: ldb_build_search_req (in /usr/local/samba/lib/private/libldb.so.1.2.1)
==29358==    by 0xD0ADCE4: dsdb_search_dn (in /usr/local/samba/lib/private/libsamdb-common-samba4.so)
==29358==    by 0xD0AA6C8: dsdb_find_guid_attr_by_dn (in /usr/local/samba/lib/private/libsamdb-common-samba4.so)
==29358==    by 0xD0AA7A4: dsdb_find_guid_by_dn (in /usr/local/samba/lib/private/libsamdb-common-samba4.so)
==29358==    by 0x1249621F: dcesrv_drsuapi_DsGetNCChanges (in /usr/local/samba/lib/libdcerpc-server.so.0.0.1)
==29358==    by 0x1248BAD3: drsuapi__op_dispatch (in /usr/local/samba/lib/libdcerpc-server.so.0.0.1)
==29358==    by 0x12447931: dcesrv_request (in /usr/local/samba/lib/libdcerpc-server.so.0.0.1)
==29358==    by 0x124483BC: dcesrv_process_ncacn_packet (in /usr/local/samba/lib/libdcerpc-server.so.0.0.1)
==29358==  Address 0x7c is not stack'd, malloc'd or (recently) free'd
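
A triage sketch for the Valgrind report above, added here as an example (it is not code from the bug report or from Samba). It parses the record, flags the fault address 0x7c as a likely field read through a NULL structure pointer, and names the RPC operation on the stack; the one-page threshold and the function name triage are assumptions of this example.

```python
import re

# Abbreviated copy of the Valgrind report in the description above.
SAMPLE = """\
==29358== Invalid read of size 4
==29358==    at 0xCE87AEC: ldb_set_timeout (in /usr/local/samba/lib/private/libldb.so.1.2.1)
==29358==    by 0xCE87B52: ldb_set_timeout_from_prev_req (in /usr/local/samba/lib/private/libldb.so.1.2.1)
==29358==    by 0xD0AA7A4: dsdb_find_guid_by_dn (in /usr/local/samba/lib/private/libsamdb-common-samba4.so)
==29358==    by 0x1249621F: dcesrv_drsuapi_DsGetNCChanges (in /usr/local/samba/lib/libdcerpc-server.so.0.0.1)
==29358==  Address 0x7c is not stack'd, malloc'd or (recently) free'd
"""

ACCESS = re.compile(r"^==(\d+)== Invalid (read|write) of size (\d+)")
FRAME = re.compile(r"^==\d+==\s+(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \(in (.+)\)")
ADDR = re.compile(r"^==\d+==\s+Address (0x[0-9A-Fa-f]+) is ")
NULL_PAGE = 0x1000  # assumption (heuristic): a fault in the first page is NULL + field offset


def triage(report):
    """Summarise one Valgrind invalid-access record for crash triage."""
    out = {"frames": [], "address": None}
    for line in report.splitlines():
        if m := ACCESS.match(line):
            out.update(pid=int(m[1]), access=m[2], size=int(m[3]))
        elif m := FRAME.match(line):
            # Keep (function, library file name); frames are listed innermost first.
            out["frames"].append((m[1], m[2].rsplit("/", 1)[-1]))
        elif m := ADDR.match(line):
            out["address"] = int(m[1], 16)
    addr = out["address"]
    out["null_deref"] = addr is not None and addr < NULL_PAGE
    # Innermost frame inside the DCE/RPC server library: the RPC operation
    # that made the failing call, i.e. what a remote client has to invoke.
    out["rpc_entry"] = next(
        (fn for fn, lib in out["frames"] if lib.startswith("libdcerpc-server")), None)
    return out


if __name__ == "__main__":
    r = triage(SAMPLE)
    print(f"pid {r['pid']}: invalid {r['access']} of {r['size']} bytes at {r['address']:#x}")
    print("NULL-pointer field access:", r["null_deref"])
    print("faulting function:", r["frames"][0][0], "| RPC operation:", r["rpc_entry"])
```
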
Comment 1 Alex MacCuish 2017-08-03 21:09:59 UTC
On debug level 10:

ldb: ldb_trace_request: (partition)->read_unlock
ldb: partition_read_unlock() -> CN=Schema,CN=Configuration,DC=x,DC=x,DC=x,DC=x
ldb: ldb_trace_next_request: (tdb)->read_unlock
ldb: partition_read_unlock() -> CN=Configuration,DC=x,DC=x,DC=x,DC=x
ldb: ldb_trace_next_request: (tdb)->read_unlock
ldb: partition_read_unlock() -> DC=DomainDnsZones,DC=x,DC=x,DC=x,DC=x
ldb: ldb_trace_next_request: (tdb)->read_unlock
ldb: partition_read_unlock() -> DC=ForestDnsZones,DC=x,DC=x,DC=x,DC=x
ldb: ldb_trace_next_request: (tdb)->read_unlock
ldb: partition_read_unlock() -> DC=x,DC=x,DC=x,DC=x
ldb: ldb_trace_next_request: (tdb)->read_unlock
ldb: partition_read_unlock() -> (metadata partition)
ldb: ldb_trace_next_request: (tdb)->read_unlock
ldb: Destroying timer event 0x55fd187189d0 "ltdb_timeout"

ldb: Ending timer event 0x55fd18718910 "ltdb_callback"

INTERNAL ERROR: Signal 11 in pid 30180 (4.7.0rc4-GIT-d77de9a)
Please read the Trouble-Shooting section of the Samba HOWTO
PANIC: internal error
Comment 2 Andrew Bartlett 2017-08-03 23:57:46 UTC
Created attachment 13447
possible patch for master

Have you manually given a normal user GUID_DRS_GET_CHANGES right to a non-administrator?

This patch should fix it, allowing that to work again.  

Before it lands in master I need to write a test.

This is a regression on bug 12398.
Comment 3 Alex MacCuish 2017-08-04 00:11:42 UTC
Ahh that would be AADConnect which syncs passwords with Office 365. It sets up a service account and gives it GUID_DRS_GET_CHANGES. I assume the crash was triggered every time it requested changes from AD. I'll apply and test in the morning! Thank you for a speedy reply!
Comment 4 Andrew Bartlett 2017-08-08 10:16:30 UTC
I'm continuing to write tests to lock down our behaviour here, but in the meantime how did the patch go?


Andrew Bartlett
Comment 5 Alex MacCuish 2017-08-08 18:52:09 UTC
Hi Andrew

Thanks for the patch! Worked perfectly. No more crashes, replication is working with no errors and AADConnect is syncing users and passwords just fine.

If you need any tests done etc. I'm more than willing :)

Comment 6 Andrew Bartlett 2017-08-08 21:28:47 UTC
(In reply to Alex MacCuish from comment #5)
Can you write up a guide in our Wiki about Azure AD Sync / Office 365, and how to get it working?

That will help our users a lot, as well as us as developers when we need to reproduce a more complex issue there.

Comment 7 Alex MacCuish 2017-08-09 22:54:54 UTC
(In reply to Andrew Bartlett from comment #6)
I'd be more than happy to, though tbh the Microsoft guide works well; I would just be repeating their steps, and I don't recall any Samba specifics to get it working (a credit to Samba Team's great work if the Microsoft instructions work against Samba AD too!)

Would you rather a link to the Microsoft guide? If not I will happily write a guide.
Comment 8 Andrew Bartlett 2017-08-09 23:00:44 UTC
Even just a page with the links to the Microsoft guide and saying that it works is very helpful, as folks don't know when to trust that.
Comment 9 Garming Sam 2017-08-31 05:15:49 UTC
Created attachment 13523
Patch for 4.7-test
Comment 10 Andrew Bartlett 2017-08-31 06:56:44 UTC
Please pick for 4.7.0
Comment 11 Karolin Seeger 2017-08-31 07:49:16 UTC
Pushed to autobuild-v4-7-test.
Comment 12 Karolin Seeger 2017-09-05 06:51:50 UTC
Pushed to v4-7-test.
Closing out bug report.