Using samba 4.10.5 with bind_dlz DNS backend. This DC was joined to a domain with a single 4.8.12 DC. When samba_dnsupdate runs on the 4.10 DC it causes the local named to abort on an assert when adding NS records.

# smbd --version
Version 4.10.5

# named -V
BIND 9.11.8 (Extended Support Version) <id:8d5d82d>
running on FreeBSD arm64 12.0-STABLE FreeBSD 12.0-STABLE r349828M BCM
(database dlopen configured with -d9)

# /usr/local/sbin/named -u bind -c /usr/local/etc/namedb/named.conf -d4 -g
...
09-Jul-2019 09:44:15.693 client @0x48d98000 172.16.17.11#21566: TCP request
09-Jul-2019 09:44:15.693 client @0x48d98000 172.16.17.11#21566: request has valid signature: ADS1\$\@DS.SAMDOM.LOCAL
09-Jul-2019 09:44:15.693 client @0x48d98000 172.16.17.11#21566/key ADS1\$\@DS.SAMDOM.LOCAL: recursion available
09-Jul-2019 09:44:15.693 client @0x48d98000 172.16.17.11#21566/key ADS1\$\@DS.SAMDOM.LOCAL: update
09-Jul-2019 09:44:15.693 samba_dlz: starting transaction on zone ds.samdom.local
09-Jul-2019 09:44:15.697 samba_dlz: Starting GENSEC mechanism spnego
09-Jul-2019 09:44:15.697 samba_dlz: Starting GENSEC submechanism gssapi_krb5
09-Jul-2019 09:44:15.699 samba_dlz: gensec_gssapi: NO credentials were delegated
09-Jul-2019 09:44:15.699 samba_dlz: GSSAPI Connection will be cryptographically sealed
09-Jul-2019 09:44:15.700 samba_dlz: Successful AuthZ: [(null),krb5] user [SAMDOM]\[ADS1$] [S-1-5-21-537364952-2021649045-2811105115-1109] at [Tue, 09 Jul 2019 09:44:15.700295 CEST] Remote host [NULL] local host [NULL]
09-Jul-2019 09:44:15.700 samba_dlz: {"timestamp": "2019-07-09T09:44:15.700599+0200", "type": "Authorization", "Authorization": {"version": {"major": 1, "minor": 1}, "localAddress": null, "remoteAddress": null, "serviceDescription": null, "authType": "krb5", "domain": "SAMDOM", "account": "ADS1$", "sid": "S-1-5-21-NN-NN-NN-1109", "sessionId": "38e3cc1a-8073-4b86-a017-24d9869b12fd", "logonServer": "OTHERDC", "transportProtection": "SEAL", "accountFlags": "0x00002100"}}
09-Jul-2019 09:44:15.703 samba_dlz: allowing update of signer=ADS1\$\@DS.SAMDOM.LOCAL name=ds.samdom.local tcpaddr=172.16.17.11 type=NS key=537363756.sig-ads1.ds.samdom.local/160/0
09-Jul-2019 09:44:15.704 client @0x48d98000 172.16.17.11#21566/key ADS1\$\@DS.SAMDOM.LOCAL: updating zone 'ds.samdom.local/NONE': adding an RR at 'ds.samdom.local' NS ads1.ds.samdom.local.
09-Jul-2019 09:44:15.706 name.c:714: REQUIRE((__builtin_expect(((name1) != ((void *)0)), 1) && __builtin_expect((((const isc__magic_t *)(name1))->magic == ((('D') << 24 | ('N') << 16 | ('S') << 8 | ('n')))), 1))) failed
09-Jul-2019 09:44:15.706 exiting (due to assertion failure)
Abort
This also happens with two clean DCs on 4.10.5.

ADS1 provision command:

# samba-tool domain provision \
    --domain=SAMDOM \
    --host-name=ads1 \
    --host-ip=172.16.17.11 \
    --dns-backend=BIND9_DLZ \
    --server-role=dc \
    --use-rfc2307 \
    --realm=DS.SAMDOM.LOCAL \
    --option="interfaces = 172.16.17.11" \
    --option="bind interfaces only = yes" \
    --option="nsupdate command = /usr/local/bin/nsupdate -g" \
    --option="rndc command = /usr/local/sbin/rndc" \
    --option="kerberos method = secrets and keytab" \
    --option="server signing = mandatory" \
    --option="client signing = mandatory" \
    --option="name resolve order = lmhosts host" \
    --option="ntlm auth = no" \
    --option="smb ports = 445" \
    --option="tls priority = PFS:-SHA1:-VERS-TLS-ALL:+VERS-TLS1.2" \
    --option="vfs objects = freebsd" \
    --option="freebsd:extattr mode = secure"

<enable DLZ database in named on ADS1 and restart named>
<start samba>

ADS2 join command:

# samba-tool domain join ds.samdom.local DC -U"SAMDOM\Administrator" \
    --dns-backend=BIND9_DLZ \
    --option="interfaces = 172.16.17.12" \
    --option="bind interfaces only = yes" \
    --option="nsupdate command = /usr/local/bin/nsupdate -g" \
    --option="rndc command = /usr/local/sbin/rndc" \
    --option="kerberos method = secrets and keytab" \
    --option="server signing = mandatory" \
    --option="client signing = mandatory" \
    --option="name resolve order = lmhosts host" \
    --option="ntlm auth = no" \
    --option="smb ports = 445" \
    --option="tls priority = PFS:-SHA1:-VERS-TLS-ALL:+VERS-TLS1.2" \
    --option="vfs objects = freebsd" \
    --option="freebsd:extattr mode = secure"

<enable DLZ database in named on ADS2 and restart named>
<start samba>

named dies with the same assertion, first on ADS2, then on ADS1 when ADS2 tries to add its NS record to the ds.samdom.local zone.
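An added triage example, not part of the original report and not Samba or BIND code: it scans named log output of the form quoted above and reports the last samba_dlz-authorized dynamic update logged before an assertion abort, so the signer, source address and record type that preceded the crash can be pulled out of a long debug log. The function name and regular expressions are assumptions of this example; the sample lines are a subset copied from the log in the report.

```python
import re

# Subset of the named -g output quoted in the report above.
SAMPLE_LOG = r"""09-Jul-2019 09:44:15.693 samba_dlz: starting transaction on zone ds.samdom.local
09-Jul-2019 09:44:15.703 samba_dlz: allowing update of signer=ADS1\$\@DS.SAMDOM.LOCAL name=ds.samdom.local tcpaddr=172.16.17.11 type=NS key=537363756.sig-ads1.ds.samdom.local/160/0
09-Jul-2019 09:44:15.704 client @0x48d98000 172.16.17.11#21566/key ADS1\$\@DS.SAMDOM.LOCAL: updating zone 'ds.samdom.local/NONE': adding an RR at 'ds.samdom.local' NS ads1.ds.samdom.local.
09-Jul-2019 09:44:15.706 name.c:714: REQUIRE((__builtin_expect(((name1) != ((void *)0)), 1) && __builtin_expect((((const isc__magic_t *)(name1))->magic == ((('D') << 24 | ('N') << 16 | ('S') << 8 | ('n')))), 1))) failed
09-Jul-2019 09:44:15.706 exiting (due to assertion failure)
"""

# samba_dlz authorization decision for a signed dynamic update.
ALLOW = re.compile(r"samba_dlz: allowing update of signer=(?P<signer>\S+) "
                   r"name=(?P<name>\S+) tcpaddr=(?P<addr>\S*) type=(?P<type>\S+)")
# named applying one record of the update to the zone.
ADD = re.compile(r"updating zone '(?P<zone>[^']+)': adding an RR at "
                 r"'(?P<owner>[^']+)' (?P<rtype>\S+) (?P<rdata>.+)$")
# ISC assertion macros, logged as file:line: MACRO(expr) failed.
ASSERT = re.compile(r"(?P<where>\S+:\d+): (?:REQUIRE|ENSURE|INSIST|INVARIANT)\(.*\) failed")
# named prints '$' and '@' in key names with a backslash escape.
UNESCAPE = re.compile(r"\\([^0-9])")


def last_update_before_abort(log_text):
    """Return details of the last update logged before an assertion, or None."""
    pending = {}
    for line in log_text.splitlines():
        m = ALLOW.search(line)
        if m:
            pending = m.groupdict()  # a new update starts: drop older state
            pending["signer"] = UNESCAPE.sub(r"\1", pending["signer"])
            continue
        m = ADD.search(line)
        if m:
            pending.update(m.groupdict())
            continue
        m = ASSERT.search(line)
        if m:
            return {**pending, "assertion": m.group("where")}
    return None  # no assertion failure in this log


if __name__ == "__main__":
    print(last_update_before_abort(SAMPLE_LOG))
```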
This bug was referenced in samba master: fcecdfa8e5c651d4a27f8fcd5df6e9bce37ed8a7
Created attachment 17737
Patch for v4-17-test
Pipeline: https://gitlab.com/scabrero/samba/-/pipelines/751792111

Created attachment 17738
Patch for v4-16-test

Created attachment 17739
Patch for v4-15-test
Pipeline: https://gitlab.com/scabrero/samba/-/pipelines/751799027

(In reply to Samuel Cabrero from comment #4)
Pipeline for 4-16-test: https://gitlab.com/scabrero/samba/-/pipelines/751796506
Comment on attachment 17739
Patch for v4-15-test
Patches look correct, but I don't think 4.15 is eligible, as it should be getting security patches only.
Created attachment 17741
patch for 4.18
4.18 missed this by a few hours.

Assigning to Jule for 4.18.next and 4.17.next.
Sorry to our users for the delay in getting this to you!

Hmm. Has this been forgotten? 4.18.3 released today but without this fix?
It looks like the reassignment mentioned in comment 9 did not actually occur.
(In reply to Douglas Bagnall from comment #11)
Yes, I was not assigned. Now pushed to autobuild-v4-{18,17}-test.
This bug was referenced in samba v4-18-test: af4d536ad20ecc735c0a44ca71618dec6dbcc772
This bug was referenced in samba v4-17-test: 25b75eccea072eb91a8480e4356a165e0cc1907e
Closing out bug report. Thanks!
This bug was referenced in samba v4-18-stable (Release samba-4.18.4): af4d536ad20ecc735c0a44ca71618dec6dbcc772
This bug was referenced in samba v4-17-stable (Release samba-4.17.9): 25b75eccea072eb91a8480e4356a165e0cc1907e