After upgrading to 4.0.0rc6, the mmc crashes on a Win2k8R2 domain member. Can easily be reproduced by: -installing Samba 4.0.0rc6 -running 'samba-tool domain provision' -joining the win box to the domain -starting the mmc (users and computers)
Re-assigning to Metze and making it a blocker for 4.0.0.
After setting "acl:search = no" in the smb.conf, it cannot be reproduced any longer.
The problem happens when a search has the sd_flags controls, but doesn't explictly ask for the nTSecurityDescriptor attribute. The acl_read module filters the nTSecurityDescriptor, while it should be returned (after doing access checks).
Created attachment 8294 [details] Patch for master (also applies to v4-0-test)
I had the issue too, after upgrading to rc6, that ADUC on 2008r2 and W7 crashes direclty and the GPO console returns an error when choosing the domain (so completely unusable too). I applied your patch to my rc6, but this doesn't help. Only the workaround 'acl:search=false' work. Some more information on the issue: ADUC and GPO console on XP and 2003r2 doesn't showed a problem (at least I haven't seen one on a fast check).
Tow more information: 1. If I remove 'acl:search=false' and restart samba, it stop working directly again. 2. The error the GPO console shows when I try to click to domains is "Der Verzeichnisdatentyp kann nicht in einen oder von einem DS-Datentyp konvertiert werden, der ältere NT-Versionen berücksichtigt." (I don't have an english W7 here at the moment. Is saying something like "The directory datatype cannot be converted to/from a native DS datatype, that supports older NT versions").
Created attachment 8300 [details] Patch for master (also applies to v4-0-test) v2 I've verified that MMC works with similar changes. There was a memory corruption in the interaction of the schema_data and acl_read modules. This corrupted the autogenerated CN=Aggregate,CN=Schema,CN=Configuration,... attributes. I also found how MMC keeps a cache, it looks at the modifiersTimestamp on CN=Aggregate,CN=Schema,CN=Configuration,... That was the reason it's not possible to reproduce it once it was working with acl:search=no.
(In reply to comment #7) > This corrupted the autogenerated CN=Aggregate,CN=Schema,CN=Configuration,... > attributes. Is this corruption anything I have to worry about in production? We switched our rc5 production to rc6 2 days ago and since that having this problem, too.
I applied your second patch to rc6, recompiled it and tested without the 'acl:search = no' entry: ADUC and GP console works fine on 2008r2 and a fresh bootet W7. But your "This corrupted the autogenerated CN=Aggregate,CN=Schema,CN=Configuration,... attributes." comment makes me a bit nervous. Is there anything that could be broken?
(In reply to comment #9) > I applied your second patch to rc6, recompiled it and tested without the > 'acl:search = no' entry: ADUC and GP console works fine on 2008r2 and a fresh > bootet W7. Note: I'll upload an updated patchset later... > > But your "This corrupted the autogenerated > CN=Aggregate,CN=Schema,CN=Configuration,... attributes." comment makes me a bit > nervous. Is there anything that could be broken? It's not a corruption in the database, just the search the CN=Aggregate,CN=Schema,CN=Configuration,... search results.
Created attachment 8305 [details] Patches against samba-4.0.0rc6 (v3)
I did a quick recompile of your v3 patch on my rc6 production site. ADUC and GP MMC both seem to work fine on 2008r2 and W7. Thanks.
(In reply to comment #11) > Created attachment 8305 [details] > Patches against samba-4.0.0rc6 (v3) I can also confirm that this patchset fixes the issues on my box.
Comment on attachment 8305 [details] Patches against samba-4.0.0rc6 (v3) This patchset is not for v4-0-test, some patches are not in master yet
Created attachment 8334 [details] Patches for v4-0-test
Comment on attachment 8334 [details] Patches for v4-0-test ACK
==> Karolin for 4.0
Pushed to autobuild-v4-0-test.
Pushed to v4-0-test. Closing out bug report. Thanks a lot!