Discovered by Timur Bakeyev, when building on FreeBSD.

Administrator password will be set randomly!
Looking up IPv4 addresses
Looking up IPv6 addresses
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Unable to determine the DomainSID, can not enforce uniqueness constraint on local domainSIDs
Adding DomainDN: DC=domain,DC=freebsd
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers and extended rights
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
ERROR(ldb): uncaught exception - gnutls_aead_cipher_encrypt 'failed GNUTLS_E_SHORT_MEMORY_BUFFER - The given memory buffer is too short to hold parameters.
  File "/usr/local/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/samba/netcmd/domain.py", line 500, in run
    plaintext_secrets=plaintext_secrets)
  File "/usr/local/lib/python2.7/site-packages/samba/provision/__init__.py", line 2276, in provision
    skip_sysvolacl=skip_sysvolacl)
  File "/usr/local/lib/python2.7/site-packages/samba/provision/__init__.py", line 1870, in provision_fill
    next_rid=next_rid, dc_rid=dc_rid)
  File "/usr/local/lib/python2.7/site-packages/samba/provision/__init__.py", line 1524, in fill_samdb
    "KRBTGTPASS_B64": b64encode(krbtgtpass.encode('utf-16-le'))
  File "/usr/local/lib/python2.7/site-packages/samba/provision/common.py", line 55, in setup_add_ldif
    ldb.add_ldif(data, controls)
  File "/usr/local/lib/python2.7/site-packages/samba/__init__.py", line 229, in add_ldif
    self.add(msg, controls)
There appears to have been a mix-up in the block and tag sizes.
(In reply to Garming Sam from comment #1) And the correct buffer size needed to be sent to the gnutls_aead_cipher_encrypt function.
Created attachment 14075: Pass allocated buffer size as the last parameter to the gnutls_aead_cipher_encrypt()
(In reply to Garming Sam from comment #1) Dumping those values showed that, coincidentally, both tag and block sizes are 16 bytes, which possibly explained why it wasn't noticed immediately. But for large enough blocks of data (in the given example it's a machine password, which can be up to 512 bytes, and the total allocated buffer exceeded 2Kb) the last call parameter has to be properly initialized with the buffer size. For small chunks of data, it seems, the default value of 0 was good enough.
Created attachment 14081: Backport for 4.8
Pushed to autobuild-v4-8-test.
(In reply to Karolin Seeger from comment #6) Pushed to v4-8-test. Closing out bug report. Thanks!
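The buffer-size point from the comments above, as an added C sketch that is not Samba's or GnuTLS's code: `toy_seal` is a hypothetical stand-in that only mimics an in/out length parameter (capacity in, bytes written out), and `seal_secret`, the error codes and the 512-byte input are constructed for illustration. The stand-in always enforces the capacity check, which is an assumption and does not reproduce the small-input behaviour reported in the thread.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#define TAG_SIZE 16          /* tag size reported in the thread */
#define E_SHORT_BUFFER (-1)  /* constructed error codes for this sketch */
#define E_NOMEM (-2)

/* Hypothetical stand-in: NOT GnuTLS, no real cryptography. On entry *out_len
 * is the capacity of out; on success it becomes the number of bytes written. */
static int toy_seal(const uint8_t *pt, size_t pt_len,
                    uint8_t *out, size_t *out_len)
{
    size_t need = pt_len + TAG_SIZE;
    if (need < pt_len || *out_len < need)  /* wrap-around or short buffer */
        return E_SHORT_BUFFER;
    memcpy(out, pt, pt_len);               /* placeholder for ciphertext */
    memset(out + pt_len, 0, TAG_SIZE);     /* placeholder for the tag */
    *out_len = need;
    return 0;
}

/* Allocates pt_len + TAG_SIZE; pass_capacity != 0 is the corrected call. */
int seal_secret(const uint8_t *pt, size_t pt_len, int pass_capacity,
                uint8_t **out, size_t *out_len)
{
    size_t cap = pt_len + TAG_SIZE, len;
    uint8_t *buf;
    *out = NULL;
    if (cap < pt_len || (buf = malloc(cap)) == NULL)
        return E_NOMEM;
    len = pass_capacity ? cap : 0;         /* 0: capacity never reported */
    int rc = toy_seal(pt, pt_len, buf, &len);
    if (rc != 0) {
        free(buf);                         /* no partial output escapes */
        return rc;
    }
    *out = buf;
    *out_len = len;
    return 0;
}

int main(void)
{
    uint8_t secret[512] = {0}, *ct;        /* constructed 512-byte input */
    size_t n;
    int before = seal_secret(secret, sizeof secret, 0, &ct, &n);
    int after = seal_secret(secret, sizeof secret, 1, &ct, &n);
    free(ct);
    return (before == E_SHORT_BUFFER && after == 0) ? 0 : 1;
}
```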