Bug 14030 - named crashes on DLZ zone update
Summary: named crashes on DLZ zone update
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB (show other bugs)
Version: 4.10.5
Hardware: All FreeBSD
: P5 normal (vote)
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-07-09 08:20 UTC by Pawel Worach
Modified: 2023-01-20 00:52 UTC (History)
2 users (show)

See Also:


Attachments
Patch for v4-17-test (12.97 KB, patch)
2023-01-19 13:44 UTC, Samuel Cabrero
dbagnall: review+
Details
Patch for v4-16-test (11.89 KB, patch)
2023-01-19 13:45 UTC, Samuel Cabrero
dbagnall: review+
Details
Patch for v4-15-test (11.89 KB, patch)
2023-01-19 13:46 UTC, Samuel Cabrero
dbagnall: review-
Details
patch for 4.18 (12.97 KB, patch)
2023-01-20 00:51 UTC, Douglas Bagnall
dbagnall: review? (scabrero)
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Pawel Worach 2019-07-09 08:20:32 UTC
Using samba 4.10.5 with bind_dlz DNS backend.
This DC was joined to a domain with a single 4.8.12 DC.
When samba_dnsupdate runs on the 4.10 DC it causes the local
named to abort on a assert when adding NS records.

# smbd --version
Version 4.10.5

# named -V
BIND 9.11.8 (Extended Support Version) <id:8d5d82d>
running on FreeBSD arm64 12.0-STABLE FreeBSD 12.0-STABLE r349828M BCM

(database dlopen configured with -d9)
# /usr/local/sbin/named -u bind -c /usr/local/etc/namedb/named.conf -d4 -g
...
09-Jul-2019 09:44:15.693 client @0x48d98000 172.16.17.11#21566: TCP request
09-Jul-2019 09:44:15.693 client @0x48d98000 172.16.17.11#21566: request has valid signature: ADS1\$\@DS.SAMDOM.LOCAL
09-Jul-2019 09:44:15.693 client @0x48d98000 172.16.17.11#21566/key ADS1\$\@DS.SAMDOM.LOCAL: recursion available
09-Jul-2019 09:44:15.693 client @0x48d98000 172.16.17.11#21566/key ADS1\$\@DS.SAMDOM.LOCAL: update
09-Jul-2019 09:44:15.693 samba_dlz: starting transaction on zone ds.samdom.local
09-Jul-2019 09:44:15.697 samba_dlz: Starting GENSEC mechanism spnego
09-Jul-2019 09:44:15.697 samba_dlz: Starting GENSEC submechanism gssapi_krb5
09-Jul-2019 09:44:15.699 samba_dlz: gensec_gssapi: NO credentials were delegated
09-Jul-2019 09:44:15.699 samba_dlz: GSSAPI Connection will be cryptographically sealed
09-Jul-2019 09:44:15.700 samba_dlz: Successful AuthZ: [(null),krb5] user [SAMDOM]\[ADS1$] [S-1-5-21-537364952-2021649045-2811105115-1109] at [Tue, 09 Jul 2019 09:44:15.700295 CEST] Remote host [NULL] local host [NULL]
09-Jul-2019 09:44:15.700 samba_dlz: {"timestamp": "2019-07-09T09:44:15.700599+0200", "type": "Authorization", "Authorization": {"version": {"major": 1, "minor": 1}, "localAddress": null, "remoteAddress": null, "serviceDescription": null, "authType": "krb5", "domain": "SAMDOM", "account": "ADS1$", "sid": "S-1-5-21-NN-NN-NN-1109", "sessionId": "38e3cc1a-8073-4b86-a017-24d9869b12fd", "logonServer": "OTHERDC", "transportProtection": "SEAL", "accountFlags": "0x00002100"}}
09-Jul-2019 09:44:15.703 samba_dlz: allowing update of signer=ADS1\$\@DS.SAMDOM.LOCAL name=ds.samdom.local tcpaddr=172.16.17.11 type=NS key=537363756.sig-ads1.ds.samdom.local/160/0
09-Jul-2019 09:44:15.704 client @0x48d98000 172.16.17.11#21566/key ADS1\$\@DS.SAMDOM.LOCAL: updating zone 'ds.samdom.local/NONE': adding an RR at 'ds.samdom.local' NS ads1.ds.samdom.local.
09-Jul-2019 09:44:15.706 name.c:714: REQUIRE((__builtin_expect(((name1) != ((void *)0)), 1) && __builtin_expect((((const isc__magic_t *)(name1))->magic == ((('D') << 24 | ('N') << 16 | ('S') << 8 | ('n')))), 1))) failed
09-Jul-2019 09:44:15.706 exiting (due to assertion failure)
Abort
Comment 1 Pawel Worach 2019-07-10 19:40:08 UTC
This also happens with two clean DCs on 4.10.5.

ADS1 provision command:
# samba-tool domain provision \
  --domain=SAMDOM \
  --host-name=ads1 \
  --host-ip=172.16.17.11 \
  --dns-backend=BIND9_DLZ \
  --server-role=dc \
  --use-rfc2307 \
  --realm=DS.SAMDOM.LOCAL \
  --option="interfaces = 172.16.17.11" \
  --option="bind interfaces only = yes" \
  --option="nsupdate command = /usr/local/bin/nsupdate -g" \
  --option="rndc command = /usr/local/sbin/rndc" \
  --option="kerberos method = secrets and keytab" \
  --option="server signing = mandatory" \
  --option="client signing = mandatory" \
  --option="name resolve order = lmhosts host" \
  --option="ntlm auth = no" \
  --option="smb ports = 445" \
  --option="tls priority = PFS:-SHA1:-VERS-TLS-ALL:+VERS-TLS1.2" \
  --option="vfs objects = freebsd" \
  --option="freebsd:extattr mode = secure"
<enable DLZ database in named on ADS1 and restart named>
<start samba>

ADS2 join command:
# samba-tool domain join ds.samdom.local DC -U"SAMDOM\Administrator" \
  --dns-backend=BIND9_DLZ \
  --option="interfaces = 172.16.17.12" \
  --option="bind interfaces only = yes" \
  --option="nsupdate command = /usr/local/bin/nsupdate -g" \
  --option="rndc command = /usr/local/sbin/rndc" \
  --option="kerberos method = secrets and keytab" \
  --option="server signing = mandatory" \
  --option="client signing = mandatory" \
  --option="name resolve order = lmhosts host" \
  --option="ntlm auth = no" \
  --option="smb ports = 445" \
  --option="tls priority = PFS:-SHA1:-VERS-TLS-ALL:+VERS-TLS1.2" \
  --option="vfs objects = freebsd" \
  --option="freebsd:extattr mode = secure"
<enable DLZ database in named on ADS2 and restart named>
<start samba>
named dies with the same assertion, first on ADS2, then on ADS1 when ADS2 tries to add it's NS record to the ds.samdom.local zone.
Comment 2 Samba QA Contact 2023-01-19 10:21:08 UTC
This bug was referenced in samba master:

fcecdfa8e5c651d4a27f8fcd5df6e9bce37ed8a7
Comment 3 Samuel Cabrero 2023-01-19 13:44:20 UTC
Created attachment 17737 [details]
Patch for v4-17-test

Pipeline: https://gitlab.com/scabrero/samba/-/pipelines/751792111
Comment 4 Samuel Cabrero 2023-01-19 13:45:42 UTC
Created attachment 17738 [details]
Patch for v4-16-test
Comment 5 Samuel Cabrero 2023-01-19 13:46:27 UTC
Created attachment 17739 [details]
Patch for v4-15-test

Pipeline: https://gitlab.com/scabrero/samba/-/pipelines/751799027
Comment 6 Samuel Cabrero 2023-01-19 13:46:59 UTC
(In reply to Samuel Cabrero from comment #4)
Pipeline for 4-16-test: https://gitlab.com/scabrero/samba/-/pipelines/751796506
Comment 7 Douglas Bagnall 2023-01-20 00:47:03 UTC
Comment on attachment 17739 [details]
Patch for v4-15-test

Patche look correct, but i don't think 4.15 is eligible, as it should be getting security patches only.
Comment 8 Douglas Bagnall 2023-01-20 00:51:03 UTC
Created attachment 17741 [details]
patch for 4.18

4.18 missed this by a few hours.