Bug 14030 - named crashes on DLZ zone update
Summary: named crashes on DLZ zone update
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB (show other bugs)
Version: 4.10.5
Hardware: All FreeBSD
: P5 normal (vote)
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-07-09 08:20 UTC by Pawel Worach
Modified: 2019-07-10 19:40 UTC (History)
0 users

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Pawel Worach 2019-07-09 08:20:32 UTC
Using samba 4.10.5 with bind_dlz DNS backend.
This DC was joined to a domain with a single 4.8.12 DC.
When samba_dnsupdate runs on the 4.10 DC it causes the local
named to abort on a assert when adding NS records.

# smbd --version
Version 4.10.5

# named -V
BIND 9.11.8 (Extended Support Version) <id:8d5d82d>
running on FreeBSD arm64 12.0-STABLE FreeBSD 12.0-STABLE r349828M BCM

(database dlopen configured with -d9)
# /usr/local/sbin/named -u bind -c /usr/local/etc/namedb/named.conf -d4 -g
...
09-Jul-2019 09:44:15.693 client @0x48d98000 172.16.17.11#21566: TCP request
09-Jul-2019 09:44:15.693 client @0x48d98000 172.16.17.11#21566: request has valid signature: ADS1\$\@DS.SAMDOM.LOCAL
09-Jul-2019 09:44:15.693 client @0x48d98000 172.16.17.11#21566/key ADS1\$\@DS.SAMDOM.LOCAL: recursion available
09-Jul-2019 09:44:15.693 client @0x48d98000 172.16.17.11#21566/key ADS1\$\@DS.SAMDOM.LOCAL: update
09-Jul-2019 09:44:15.693 samba_dlz: starting transaction on zone ds.samdom.local
09-Jul-2019 09:44:15.697 samba_dlz: Starting GENSEC mechanism spnego
09-Jul-2019 09:44:15.697 samba_dlz: Starting GENSEC submechanism gssapi_krb5
09-Jul-2019 09:44:15.699 samba_dlz: gensec_gssapi: NO credentials were delegated
09-Jul-2019 09:44:15.699 samba_dlz: GSSAPI Connection will be cryptographically sealed
09-Jul-2019 09:44:15.700 samba_dlz: Successful AuthZ: [(null),krb5] user [SAMDOM]\[ADS1$] [S-1-5-21-537364952-2021649045-2811105115-1109] at [Tue, 09 Jul 2019 09:44:15.700295 CEST] Remote host [NULL] local host [NULL]
09-Jul-2019 09:44:15.700 samba_dlz: {"timestamp": "2019-07-09T09:44:15.700599+0200", "type": "Authorization", "Authorization": {"version": {"major": 1, "minor": 1}, "localAddress": null, "remoteAddress": null, "serviceDescription": null, "authType": "krb5", "domain": "SAMDOM", "account": "ADS1$", "sid": "S-1-5-21-NN-NN-NN-1109", "sessionId": "38e3cc1a-8073-4b86-a017-24d9869b12fd", "logonServer": "OTHERDC", "transportProtection": "SEAL", "accountFlags": "0x00002100"}}
09-Jul-2019 09:44:15.703 samba_dlz: allowing update of signer=ADS1\$\@DS.SAMDOM.LOCAL name=ds.samdom.local tcpaddr=172.16.17.11 type=NS key=537363756.sig-ads1.ds.samdom.local/160/0
09-Jul-2019 09:44:15.704 client @0x48d98000 172.16.17.11#21566/key ADS1\$\@DS.SAMDOM.LOCAL: updating zone 'ds.samdom.local/NONE': adding an RR at 'ds.samdom.local' NS ads1.ds.samdom.local.
09-Jul-2019 09:44:15.706 name.c:714: REQUIRE((__builtin_expect(((name1) != ((void *)0)), 1) && __builtin_expect((((const isc__magic_t *)(name1))->magic == ((('D') << 24 | ('N') << 16 | ('S') << 8 | ('n')))), 1))) failed
09-Jul-2019 09:44:15.706 exiting (due to assertion failure)
Abort
Comment 1 Pawel Worach 2019-07-10 19:40:08 UTC
This also happens with two clean DCs on 4.10.5.

ADS1 provision command:
# samba-tool domain provision \
  --domain=SAMDOM \
  --host-name=ads1 \
  --host-ip=172.16.17.11 \
  --dns-backend=BIND9_DLZ \
  --server-role=dc \
  --use-rfc2307 \
  --realm=DS.SAMDOM.LOCAL \
  --option="interfaces = 172.16.17.11" \
  --option="bind interfaces only = yes" \
  --option="nsupdate command = /usr/local/bin/nsupdate -g" \
  --option="rndc command = /usr/local/sbin/rndc" \
  --option="kerberos method = secrets and keytab" \
  --option="server signing = mandatory" \
  --option="client signing = mandatory" \
  --option="name resolve order = lmhosts host" \
  --option="ntlm auth = no" \
  --option="smb ports = 445" \
  --option="tls priority = PFS:-SHA1:-VERS-TLS-ALL:+VERS-TLS1.2" \
  --option="vfs objects = freebsd" \
  --option="freebsd:extattr mode = secure"
<enable DLZ database in named on ADS1 and restart named>
<start samba>

ADS2 join command:
# samba-tool domain join ds.samdom.local DC -U"SAMDOM\Administrator" \
  --dns-backend=BIND9_DLZ \
  --option="interfaces = 172.16.17.12" \
  --option="bind interfaces only = yes" \
  --option="nsupdate command = /usr/local/bin/nsupdate -g" \
  --option="rndc command = /usr/local/sbin/rndc" \
  --option="kerberos method = secrets and keytab" \
  --option="server signing = mandatory" \
  --option="client signing = mandatory" \
  --option="name resolve order = lmhosts host" \
  --option="ntlm auth = no" \
  --option="smb ports = 445" \
  --option="tls priority = PFS:-SHA1:-VERS-TLS-ALL:+VERS-TLS1.2" \
  --option="vfs objects = freebsd" \
  --option="freebsd:extattr mode = secure"
<enable DLZ database in named on ADS2 and restart named>
<start samba>
named dies with the same assertion, first on ADS2, then on ADS1 when ADS2 tries to add it's NS record to the ds.samdom.local zone.