samba-tool domain provision crash with "password hash userPassword schemes" parameter

Bug #1912750 reported by EOLE team
This bug affects 1 person
Affects        | Status       | Importance | Assigned to           | Milestone
samba          | Unknown      | Unknown    |                       |
samba (Ubuntu) | Fix Released | Undecided  | Sergio Durigan Junior |
Focal          | Incomplete   | Undecided  | Unassigned            |
Hirsute        | Won't Fix    | Undecided  | Unassigned            |
Impish         | Won't Fix    | Undecided  | Sergio Durigan Junior |

Bug Description

On focal, when I try to initialize samba (2:4.11.6+dfsg-0ubuntu1.6 amd64) with this parameter in my smb.conf, I always get an error.

root@eolebase:~# grep schemes /etc/samba/smb.conf
  password hash userPassword schemes = CryptSHA256 CryptSHA512

root@eolebase:~# samba-tool domain provision --use-rfc230 --realm="AC-TEST.FR" --domain="AC-TEST" --adminpass="By65Killer" --server-role=dc --host-ip=192.168.0.24
INFO 2021-01-22 09:59:58,050 pid:4529 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2145: Looking up IPv6 addresses
WARNING 2021-01-22 09:59:58,050 pid:4529 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2152: No IPv6 address will be assigned
INFO 2021-01-22 09:59:58,323 pid:4529 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2319: Setting up share.ldb
INFO 2021-01-22 09:59:58,357 pid:4529 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2323: Setting up secrets.ldb
INFO 2021-01-22 09:59:58,381 pid:4529 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2329: Setting up the registry
INFO 2021-01-22 09:59:58,462 pid:4529 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2332: Setting up the privileges database
INFO 2021-01-22 09:59:58,504 pid:4529 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2335: Setting up idmap db
INFO 2021-01-22 09:59:58,534 pid:4529 /usr/lib/python3/dist-packages/samba/provision/__init__.py #2342: Setting up SAM db
INFO 2021-01-22 09:59:58,542 pid:4529 /usr/lib/python3/dist-packages/samba/provision/__init__.py #898: Setting up sam.ldb partitions and settings
INFO 2021-01-22 09:59:58,543 pid:4529 /usr/lib/python3/dist-packages/samba/provision/__init__.py #910: Setting up sam.ldb rootDSE
INFO 2021-01-22 09:59:58,550 pid:4529 /usr/lib/python3/dist-packages/samba/provision/__init__.py #1339: Pre-loading the Samba 4 and AD schema
Unable to determine the DomainSID, can not enforce uniqueness constraint on local domainSIDs

INFO 2021-01-22 09:59:58,589 pid:4529 /usr/lib/python3/dist-packages/samba/provision/__init__.py #1417: Adding DomainDN: DC=ac-test,DC=fr
INFO 2021-01-22 09:59:58,602 pid:4529 /usr/lib/python3/dist-packages/samba/provision/__init__.py #1449: Adding configuration container
INFO 2021-01-22 09:59:58,653 pid:4529 /usr/lib/python3/dist-packages/samba/provision/__init__.py #1464: Setting up sam.ldb schema
INFO 2021-01-22 10:00:01,208 pid:4529 /usr/lib/python3/dist-packages/samba/provision/__init__.py #1482: Setting up sam.ldb configuration data
INFO 2021-01-22 10:00:01,350 pid:4529 /usr/lib/python3/dist-packages/samba/provision/__init__.py #1523: Setting up display specifiers
INFO 2021-01-22 10:00:03,204 pid:4529 /usr/lib/python3/dist-packages/samba/provision/__init__.py #1531: Modifying display specifiers and extended rights
INFO 2021-01-22 10:00:03,239 pid:4529 /usr/lib/python3/dist-packages/samba/provision/__init__.py #1538: Adding users container
INFO 2021-01-22 10:00:03,240 pid:4529 /usr/lib/python3/dist-packages/samba/provision/__init__.py #1544: Modifying users container
INFO 2021-01-22 10:00:03,241 pid:4529 /usr/lib/python3/dist-packages/samba/provision/__init__.py #1547: Adding computers container
INFO 2021-01-22 10:00:03,242 pid:4529 /usr/lib/python3/dist-packages/samba/provision/__init__.py #1553: Modifying computers container
INFO 2021-01-22 10:00:03,243 pid:4529 /usr/lib/python3/dist-packages/samba/provision/__init__.py #1557: Setting up sam.ldb data
INFO 2021-01-22 10:00:03,376 pid:4529 /usr/lib/python3/dist-packages/samba/provision/__init__.py #1587: Setting up well known security principals
INFO 2021-01-22 10:00:03,417 pid:4529 /usr/lib/python3/dist-packages/samba/provision/__init__.py #1601: Setting up sam.ldb users and groups
ERROR(ldb): uncaught exception - setup_primary_userPassword: generation of a CryptSHA256 password hash failed: (Numerical result out of range)
  File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 186, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python3/dist-packages/samba/netcmd/domain.py", line 519, in run
    result = provision(self.logger,
  File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", line 2371, in provision
    provision_fill(samdb, secrets_ldb, logger, names, paths,
  File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", line 1958, in provision_fill
    samdb = fill_samdb(samdb, lp, names, logger=logger,
  File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", line 1602, in fill_samdb
    setup_add_ldif(samdb, setup_path("provision_users.ldif"), {
  File "/usr/lib/python3/dist-packages/samba/provision/common.py", line 55, in setup_add_ldif
    ldb.add_ldif(data, controls)
  File "/usr/lib/python3/dist-packages/samba/__init__.py", line 230, in add_ldif
    self.add(msg, controls)

It seems to be the same as the upstream bug: https://bugzilla.samba.org/show_bug.cgi?id=14424

ProblemType: Bug
DistroRelease: Ubuntu 20.04
Package: samba 2:4.11.6+dfsg-0ubuntu1.6
ProcVersionSignature: Ubuntu 5.4.0-65.73-generic 5.4.78
Uname: Linux 5.4.0-65-generic x86_64
ApportVersion: 2.20.11-0ubuntu27.14
Architecture: amd64
BothFailedConnect: Yes
CasperMD5CheckResult: skip
Date: Fri Jan 22 10:05:48 2021
InstallationDate: Installed on 2020-12-17 (35 days ago)
InstallationMedia: EOLE 2.8.0 "Focal Fossa" - Release amd64 (20201217)
NmbdLog:

SambaServerRegression: Yes
SmbConfIncluded: Yes
SmbLog:

SourcePackage: samba
TestparmExitCode: 0
TestparmStderr:
 Load smb config files from /etc/samba/smb.conf
 Loaded services file OK.
 Server role: ROLE_ACTIVE_DIRECTORY_DC
UpgradeStatus: No upgrade log present (probably fresh install)

Lucas Kanashiro (lucaskanashiro) wrote :

Thanks for taking the time to file this bug and trying to make Ubuntu better.

The upstream bug you mentioned might be related to what you faced; I am subscribing Sergio, who has been working on samba, to check if this is true. This is the upstream patch targeting 4.11 and it is not included in Focal:

https://attachments.samba.org/attachment.cgi?id=16104

Out of curiosity, do you have FIPS mode enabled in your system? I am asking because it was mentioned in the upstream bug.

Changed in samba (Ubuntu):
assignee: nobody → Sergio Durigan Junior (sergiodj)

Sergio Durigan Junior (sergiodj) wrote :

OK, I can reproduce the bug here.

I backported the 3 upstream patches that fix this bug, and built a new Samba version in a PPA:

https://launchpad.net/~sergiodj/+archive/ubuntu/samba-bug1912750

However, even after installing it, I'm still seeing the error when running "samba-tool".

I'm still investigating.

Sergio Durigan Junior (sergiodj) wrote :

@EOLE team, could you run a test with the PPA provided above and see if it fixes the bug for you, please?

Sergio Durigan Junior (sergiodj) wrote :

Offhand, after analysing the bug and the patches mentioned in the original description, I'm a bit skeptical that we're dealing with the same issue here.

The upstream bug explicitly mentions a limitation with crypt_r on RHEL systems, and the person says that the underlying problem is that "... libfreeblpriv3.so tries to read /tmp as a file to update as an RNG cache during nspr init." This doesn't seem to be the case for Ubuntu.

I inserted a few debugging statements around the crypt_rn call, ran the samba-tool command, and noticed that there are two calls to crypt_rn: the first one seems valid (with valid phrase and salt arguments), but the second one contains a strange phrase which doesn't look like a string at all, and this is the call that causes the error to be thrown.

EOLE team (eole-team) wrote :

Thank you for taking care of this problem.
I confirm we don't use FIPS mode.
And unfortunately, the PPA provided doesn't fix the bug for us.

Sergio Durigan Junior (sergiodj) wrote :

Thank you for your reply.

OK, that confirms my suspicion that the upstream bug referenced in the original description does not (entirely) relate to this issue.

I was able to confirm a few things:

- This bug is reproducible in hirsute as well, which means that the latest version of samba in our repositories (2:4.13.3+dfsg-1, at the time of this writing) doesn't have the fix.

- I was also able to reproduce this on a Fedora 33 VM.

The next steps would be to try to reproduce this with the latest version of samba on git.samba.org, and file an upstream bug if successful.

Changed in samba (Ubuntu):
status: New → Triaged

Sergio Durigan Junior (sergiodj) wrote :

Upstream is aware of the bug and is working on a solution.

Lucas Kanashiro (lucaskanashiro) wrote :

The upstream bug is still open.

Sergio Durigan Junior (sergiodj) wrote :

I contacted upstream and verified that the bug has been fixed on Samba 4.15.

The fix consists of several patches and now we have to evaluate whether it makes sense to backport everything to Focal.

FWIW, these are the commits that apparently fix the issue (I haven't tested them myself):

05d70f92b633284044d1cd14314eadb3645c1e09
88b3d3443b3a581ec301430346b3e9bf05d81b5e
609ca657652862fd9c81fd11f818efb74f72ff55
0730b936d7a8f55389873d72cb0996ab941f15d7
e656d8b1ad4c70a7c85a66945d7c7d807fce9b6c
de28d915d7f135c43c35cf2b5167f9603e99b1f6

Changed in samba (Ubuntu Focal):
status: New → Incomplete
Changed in samba (Ubuntu Hirsute):
status: New → Incomplete

Sergio Durigan Junior (sergiodj) wrote :

OK, a few more important things to mention here.

First, I may be wrong here but this bug doesn't seem extremely important to justify a backport to Focal and going through the SRU process. For this reason, I am marking the bug as Incomplete for Focal/Hirsute in order to give time to other people to comment here and help us determine whether this is important enough to warrant a backport.

At the time of this writing, we are finalizing the Impish release. Due to this, I am unable to backport/fix this bug there. Once Impish is released, I will also mark the task as Incomplete.

The ultimate goal here is to have this fixed in the next Ubuntu release (JJ).

Thanks.

Sergio Durigan Junior (sergiodj) wrote :

As promised, marking the Impish task as Incomplete.

Changed in samba (Ubuntu Impish):
status: Triaged → Incomplete

Brian Murray (brian-murray) wrote :

The Hirsute Hippo has reached End of Life, so this bug will not be fixed for that release.

Changed in samba (Ubuntu Hirsute):
status: Incomplete → Won't Fix

Lena Voytek (lvoytek) wrote :

The relevant upstream commits seem to have been added to Focal, Impish, and Jammy, although I have not checked by trying to reproduce the issue. If they are working properly then we should be able to close this bug.

EOLE team (eole-team) wrote :

The bug is still there on focal with the latest package:

root@eolebase:~# apt policy samba
samba:
  Installé : 2:4.13.17~dfsg-0ubuntu0.21.04.1
  Candidat : 2:4.13.17~dfsg-0ubuntu0.21.04.1
 Table de version :
 *** 2:4.13.17~dfsg-0ubuntu0.21.04.1 500
        500 http://test-eole.ac-dijon.fr/ubuntu focal-security/main amd64 Packages
        500 http://test-eole.ac-dijon.fr/ubuntu focal-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     2:4.11.6+dfsg-0ubuntu1 500
        500 http://test-eole.ac-dijon.fr/ubuntu focal/main amd64 Packages

EOLE team (eole-team) wrote :

But it's OK on jammy with actual package:

root@eolebase:~# apt policy samba
samba:
  Installé : 2:4.15.5~dfsg-0ubuntu2
  Candidat : 2:4.15.5~dfsg-0ubuntu2
 Table de version :
 *** 2:4.15.5~dfsg-0ubuntu2 500
        500 http://test-eole.ac-dijon.fr/ubuntu jammy/main amd64 Packages
        100 /var/lib/dpkg/status

So this bug can be closed.

Sergio Durigan Junior (sergiodj) wrote :

Thanks for the follow-up, Lena and EOLE team.

Unfortunately the fix for the bug is not present in the samba 4.13 series, which is what we ship on Focal/Impish (4.13.17, to be more specific). So, although I haven't tried to reproduce the bug in F/I, I believe it will still be present there.

We will ship samba 4.15.5 on Jammy, which already contains the fix; for this reason, I marked the Jammy task as Fix Released.

@EOLE team, I will keep this task open for Focal and Impish because it's still a valid bug there. I don't see us fixing it for Impish, but we can make a staged SRU upload on Focal IMO. I'll see how feasible this is.

Thanks.

Changed in samba (Ubuntu):
status: Triaged → Fix Released

Brian Murray (brian-murray) wrote :

Ubuntu 21.10 (Impish Indri) has reached end of life, so this bug will not be fixed for that specific release.

Changed in samba (Ubuntu Impish):
status: Incomplete → Won't Fix
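
A pre-provision check built from what this thread establishes, as an added example that is not code from the bug report or from Samba: it flags a host where smb.conf sets "password hash userPassword schemes" and the installed samba package predates 4.15. The function names and the sample smb.conf are hypothetical; treating every release before 4.15 as affected is an assumption, since the thread confirms the crash only on 4.11.6, 4.13.3 and 4.13.17.

```python
import re

FIXED_IN = (4, 15)  # the thread reports the fix as present in Samba 4.15
PARAM = "passwordhashuserpasswordschemes"

# Constructed sample; only the parameter line is taken from the report.
SAMPLE_CONF = """[global]
    realm = AC-TEST.FR
    ; a comment line
    password hash userPassword schemes = CryptSHA256 CryptSHA512
"""


def upstream_version(pkg_version):
    """Return (major, minor, patch) from a Debian/Ubuntu package version such
    as '2:4.13.17~dfsg-0ubuntu0.21.04.1'; epoch and packaging suffix are dropped."""
    no_epoch = pkg_version.split(":", 1)[-1]
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", no_epoch)
    if not m:
        raise ValueError(f"unrecognised version: {pkg_version!r}")
    return tuple(int(g or 0) for g in m.groups())


def configured_schemes(smb_conf_text):
    """Return the schemes set for 'password hash userPassword schemes'.
    smb.conf parameter names ignore case and embedded whitespace."""
    schemes = []
    for line in smb_conf_text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue  # blank line, comment, or section header
        name, value = line.split("=", 1)
        if re.sub(r"\s+", "", name).lower() == PARAM:
            schemes = value.split()
    return schemes


def provision_at_risk(smb_conf_text, pkg_version):
    """True when the parameter is set and the package predates the fixed series."""
    schemes = configured_schemes(smb_conf_text)
    return bool(schemes) and upstream_version(pkg_version)[:2] < FIXED_IN


if __name__ == "__main__":
    # Package versions quoted in the thread.
    for v in ("2:4.11.6+dfsg-0ubuntu1.6", "2:4.13.17~dfsg-0ubuntu0.21.04.1",
              "2:4.15.5~dfsg-0ubuntu2"):
        print(v, "at risk" if provision_at_risk(SAMPLE_CONF, v) else "ok")
```

On a real host the two inputs would be the contents of /etc/samba/smb.conf and the installed version string shown by "apt policy samba".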