Bug 9470 - MMC crashes
Summary: MMC crashes
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.0
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.0.0rc6
Hardware: All All
Importance: P5 critical
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
Blocks: 8622
Reported: 2012-12-06 11:07 UTC by Karolin Seeger
Modified: 2012-12-11 10:52 UTC (History)

Attachments
Patch for master (also applies to v4-0-test) (12.89 KB, patch)
2012-12-06 15:37 UTC, Stefan Metzmacher
no flags
Patch for master (also applies to v4-0-test) v2 (18.37 KB, patch)
2012-12-07 10:44 UTC, Stefan Metzmacher
no flags
Patches against samba-4.0.0rc6 (v3) (31.46 KB, patch)
2012-12-07 21:59 UTC, Stefan Metzmacher
no flags
Patches for v4-0-test (30.48 KB, patch)
2012-12-10 23:30 UTC, Stefan Metzmacher
obnox: review+
metze: review+

Description Karolin Seeger 2012-12-06 11:07:35 UTC
After upgrading to 4.0.0rc6, the mmc crashes on a Win2k8R2 domain member.

Can easily be reproduced by:
-installing Samba 4.0.0rc6
-running 'samba-tool domain provision'
-joining the win box to the domain
-starting the mmc (users and computers)
Comment 1 Karolin Seeger 2012-12-06 11:08:34 UTC
Re-assigning to Metze and making it a blocker for 4.0.0.
Comment 2 Karolin Seeger 2012-12-06 11:09:50 UTC
After setting "acl:search = no" in the smb.conf, it cannot be reproduced any longer.
Comment 3 Stefan Metzmacher 2012-12-06 15:36:54 UTC
The problem happens when a search has the sd_flags controls, but doesn't
explicitly ask for the nTSecurityDescriptor attribute.
The acl_read module filters the nTSecurityDescriptor, while it should be returned
(after doing access checks).
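
The request shape described in comment 3, as an added example that is not part of the bug report or of Samba's code: a simplified model of the attribute filter. `filter_entry`, `honour_control` and `may_read_sd` are hypothetical names, the sample entry is constructed, and the model assumes the control implies the security descriptor only when the attribute list is empty or contains `*`.

```python
# Added illustration: a simplified model, not Samba's acl_read code.
SD_FLAGS_OID = "1.2.840.113556.1.4.801"   # LDAP_SERVER_SD_FLAGS_OID
OWNER, GROUP, DACL, SACL = 0x1, 0x2, 0x4, 0x8
SD_ATTR = "ntsecuritydescriptor"


def encode_sd_flags(flags):
    """BER-encode SDFlagsRequestValue ::= SEQUENCE { Flags INTEGER }."""
    if not 0 <= flags <= 0xF:
        raise ValueError("flags must combine OWNER, GROUP, DACL, SACL")
    return bytes([0x30, 0x03, 0x02, 0x01, flags])


def has_sd_flags(controls):
    return any(oid == SD_FLAGS_OID for oid, _value in controls)


def names_sd(attrs):
    return any(a.lower() == SD_ATTR for a in attrs)


def is_comment3_case(attrs, controls):
    """Control present, nTSecurityDescriptor not named explicitly."""
    return has_sd_flags(controls) and not names_sd(attrs)


def filter_entry(entry, attrs, controls, may_read_sd, honour_control):
    """Return the attributes a client sees (hypothetical helper).

    honour_control=False models the behaviour described in comment 3 (SD
    dropped unless named); True models the intended result. Assumption: the
    control implies the SD only for an empty or "*" attribute list.
    """
    wanted = {a.lower() for a in attrs}
    everything = not wanted or "*" in wanted
    sd_wanted = names_sd(attrs) or (
        honour_control and has_sd_flags(controls) and everything)
    out = {}
    for name, value in entry.items():
        if name.lower() == SD_ATTR:
            if sd_wanted and may_read_sd:   # access check still applies
                out[name] = value
        elif everything or name.lower() in wanted:
            out[name] = value
    return out


# Constructed sample entry and request (values are placeholders).
ENTRY = {"cn": "Users", "nTSecurityDescriptor": b"<constructed SD blob>"}
CONTROLS = [(SD_FLAGS_OID, encode_sd_flags(OWNER | GROUP | DACL))]
```
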
Comment 4 Stefan Metzmacher 2012-12-06 15:37:48 UTC
Created attachment 8294 [details]
Patch for master (also applies to v4-0-test)
Comment 5 Marc Muehlfeld 2012-12-06 18:10:06 UTC
I had the issue too, after upgrading to rc6, that ADUC on 2008r2 and W7 crashes directly and the GPO console returns an error when choosing the domain (so completely unusable too).


I applied your patch to my rc6, but this doesn't help. Only the workaround 'acl:search=false' works.


Some more information on the issue:
ADUC and GPO console on XP and 2003r2 didn't show a problem (at least I haven't seen one on a fast check).
Comment 6 Marc Muehlfeld 2012-12-06 18:20:39 UTC
Two more pieces of information:
1. If I remove 'acl:search=false' and restart samba, it stops working directly again.


2. The error the GPO console shows when I try to click to domains is "Der Verzeichnisdatentyp kann nicht in einen oder von einem DS-Datentyp konvertiert werden, der ältere NT-Versionen berücksichtigt." (I don't have an English W7 here at the moment. It says something like "The directory datatype cannot be converted to/from a native DS datatype, that supports older NT versions").
Comment 7 Stefan Metzmacher 2012-12-07 10:44:33 UTC
Created attachment 8300 [details]
Patch for master (also applies to v4-0-test) v2

I've verified that MMC works with similar changes.

There was a memory corruption in the interaction of the
schema_data and acl_read modules.

This corrupted the autogenerated CN=Aggregate,CN=Schema,CN=Configuration,...
attributes.

I also found how MMC keeps a cache, it looks at the modifiersTimestamp
on CN=Aggregate,CN=Schema,CN=Configuration,...
That was the reason it's not possible to reproduce it once
it was working with acl:search=no.
Comment 8 Marc Muehlfeld 2012-12-07 11:56:44 UTC
(In reply to comment #7)
> This corrupted the autogenerated CN=Aggregate,CN=Schema,CN=Configuration,...
> attributes.

Is this corruption anything I have to worry about in production? We switched our rc5 production to rc6 2 days ago and since then have been having this problem, too.
Comment 9 Marc Muehlfeld 2012-12-07 18:31:09 UTC
I applied your second patch to rc6, recompiled it and tested without the 'acl:search = no' entry: ADUC and GP console work fine on 2008r2 and a freshly booted W7.


But your "This corrupted the autogenerated CN=Aggregate,CN=Schema,CN=Configuration,... attributes." comment makes me a bit nervous. Is there anything that could be broken?
Comment 10 Stefan Metzmacher 2012-12-07 19:53:45 UTC
(In reply to comment #9)
> I applied your second patch to rc6, recompiled it and tested without the
> 'acl:search = no' entry: ADUC and GP console work fine on 2008r2 and a freshly
> booted W7.

Note: I'll upload an updated patchset later...

> 
> But your "This corrupted the autogenerated
> CN=Aggregate,CN=Schema,CN=Configuration,... attributes." comment makes me a bit
> nervous. Is there anything that could be broken?

It's not a corruption in the database, just in the
CN=Aggregate,CN=Schema,CN=Configuration,... search results.
Comment 11 Stefan Metzmacher 2012-12-07 21:59:20 UTC
Created attachment 8305 [details]
Patches against samba-4.0.0rc6 (v3)
Comment 12 Marc Muehlfeld 2012-12-09 15:46:09 UTC
I did a quick recompile of your v3 patch on my rc6 production site. ADUC and GP MMC both seem to work fine on 2008r2 and W7. Thanks.
Comment 13 Karolin Seeger 2012-12-09 19:47:26 UTC
(In reply to comment #11)
> Created attachment 8305 [details]
> Patches against samba-4.0.0rc6 (v3)

I can also confirm that this patchset fixes the issues on my box.
Comment 14 Stefan Metzmacher 2012-12-10 07:48:40 UTC
Comment on attachment 8305 [details]
Patches against samba-4.0.0rc6 (v3)

This patchset is not for v4-0-test, some patches are not in master yet
Comment 15 Stefan Metzmacher 2012-12-10 23:30:31 UTC
Created attachment 8334 [details]
Patches for v4-0-test
Comment 16 Michael Adam 2012-12-10 23:34:18 UTC
Comment on attachment 8334 [details]
Patches for v4-0-test

ACK
Comment 17 Michael Adam 2012-12-10 23:36:47 UTC
==> Karolin for 4.0
Comment 18 Karolin Seeger 2012-12-11 08:00:47 UTC
Pushed to autobuild-v4-0-test.
Comment 19 Karolin Seeger 2012-12-11 10:52:27 UTC
Pushed to v4-0-test.
Closing out bug report.

Thanks a lot!