Bug 2091 - Samba 4 needs to be in a Chroot with bind
Status: VERIFIED FIXED
Product: Desktop Bugs
Classification: ROSA Desktop
Component: Main Packages
Version: Fresh
Hardware: All Linux
Importance: Normal normal
Target Milestone: ---
Assigned To: Alexey Ivanov
QA Contact: ROSA Linux Bugs
Depends on:
Blocks:
Reported: 2013-06-03 00:43 MSD by Zombie Ryushu
Modified: 2015-05-18 13:59 MSD (History)

See Also:
RPM Package: samba4
ISO-related:
Bad POT generating:
Upstream:
vladimir.potapov: qa_verified+
kuzma.kazygashev: secteam_verified+
denis.silakov: published+


Attachments
ssh session record (24.39 KB, text/plain)
2015-05-07 21:14 MSD, Alexey Ivanov

Description Zombie Ryushu 2013-06-03 00:43:28 MSD
Samba 4.0.6, the latest version of Samba 4 with Active Directory support, cannot communicate with Bind, due to the fact that it has a dynamically linked module that it must communicate with Bind through. The chroot Bind is in prevents this from working. Recommended: a special samba4-bind chroot be created to handle this problem. All Samba 4 server installs go into said chroot.
Comment 1 Zombie Ryushu 2013-06-10 12:39:59 MSD
There may be a way around this with a mount -o bind.
Comment 2 Denis Silakov 2014-10-20 19:54:28 MSD
Is this bug valid for Fresh R4?
Comment 3 Zombie Ryushu 2014-10-20 20:04:53 MSD
I think so. The issue is that without this, your only option is Bind Flat Files. This is a Configuration problem as much as a Packaging Problem. Without the module, Bind cannot do DLZ Updates to Samba 4.
Comment 5 Zombie Ryushu 2015-05-05 13:27:05 MSD
I don't think it's wise to take bind out of a chroot for security reasons. Bind_DLZ is not required for Samba 4's AD to function. It's only required for AD Integrated zones. Bind Flat Files still work. But if we can map the DLZ Module into the chroot somehow, that helps.
Comment 6 Alexey Ivanov 2015-05-05 13:37:36 MSD
We'll leave bind as it is: chrooted.
I'm going to try bind mounting the library into chrooted environment and see if it actually works.
Comment 7 Alexey Ivanov 2015-05-05 19:40:18 MSD
(In reply to comment #5)
Zombie Ryushu, please have a look at this build:

https://abf.io/build_lists/2497530
https://abf.io/build_lists/2497531

You can add container with one of these commands:

urpmi.addmedia 2497531 http://abf-downloads.rosalinux.ru/rosa2014.1/container/2497531/x86_64/main/release/

for x86_64 arch and

urpmi.addmedia 2497530 http://abf-downloads.rosalinux.ru/rosa2014.1/container/2497530/i586/main/release/

for i586 arch.

Bind is now under systemd control. I have added a helper script that bind mounts Samba DLZ libraries to the Bind chroot along with the OpenSSL libgost.so module. The latter one might fail to load as it gets loaded not by ld but by OpenSSL itself. A copy of the libgost.so module in the chrooted environment resolves this issue for sure.
See /lib/systemd/system/named.service if curious.

Please tell us if this build solves your problems.
Comment 8 Zombie Ryushu 2015-05-06 00:12:53 MSD
I've installed it, and preliminarily, bind seems to still be working. But I have not looked into the dlz module yet.
Comment 9 Zombie Ryushu 2015-05-06 00:26:42 MSD
named[24367]: dlz_dlopen failed to open library '/usr/lib64/samba/bind9/dlz_bind9_10.so' - libsamdb-common.so: cannot open shared object file: No such file or directory
Comment 10 Alexey Ivanov 2015-05-06 08:59:12 MSD
The modules have their own dependencies.
All right, I'll trace them and make another build.
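Comment 10's point, that the DLZ module has its own library dependencies, is what the long ROOTDIR_MOUNT list in comment 21 ends up enumerating by hand. The script below is an added example, not part of the ROSA bind package or of this report: it turns ldd(1) output for a module into a list of host paths to bind mount into the chroot, and fails on a "not found" entry, which is the same condition behind the error in comment 9. The function names ldd_deps_from_text and trace_module are chosen here, and the ldd lines in the comments are constructed samples.

```shell
#!/bin/sh
# Added example (not the ROSA helper): list the shared-object dependencies of a
# dlopen()ed module, such as /usr/lib64/samba/bind9/dlz_bind9_10.so, as host
# paths that can go into a ROOTDIR_MOUNT-style list for the named chroot.

# ldd_deps_from_text: read ldd(1) output on stdin and print one resolved path
# per line.  Constructed sample lines and what they yield:
#   "libsamdb-common.so => /usr/lib64/samba/libsamdb-common.so (0x...)"  -> the path
#   "/lib64/ld-linux-x86-64.so.2 (0x...)"                                -> the loader
#   "linux-vdso.so.1 =>  (0x...)"                                        -> skipped (no file)
#   "libfoo.so => not found"        -> reported on stderr, function returns 1,
#                                      because the chroot would be missing it too
ldd_deps_from_text() {
    missing=0
    while IFS= read -r line; do
        case "$line" in
            *"=> not found"*)
                printf 'missing dependency: %s\n' "${line%%=>*}" >&2
                missing=1 ;;
            *"=>"*)
                # word-split the line: $1 soname, $2 "=>", $3 resolved path (if any)
                set -- $line
                case "${3-}" in /*) printf '%s\n' "$3" ;; esac ;;
            */*)
                # a bare path, e.g. the dynamic loader itself
                set -- $line
                case "$1" in /*) printf '%s\n' "$1" ;; esac ;;
            *) ;;   # vDSO, "statically linked", and similar
        esac
    done
    return "$missing"
}

# trace_module MODULE: run ldd on MODULE and print its dependencies, sorted and
# de-duplicated, as candidates for ROOTDIR_MOUNT.  Exits non-zero if any
# dependency is unresolved on the host.
trace_module() {
    deps=$(ldd "$1" | ldd_deps_from_text) || return 1
    printf '%s\n' "$deps" | sort -u
}

# Usage: sh trace_deps.sh /usr/lib64/samba/bind9/dlz_bind9_10.so
if [ $# -gt 0 ]; then
    trace_module "$1"
fi
```

ldd follows DT_NEEDED entries only. Anything the module or its libraries load at run time with dlopen() will not appear in the output and still has to be listed by hand; the OpenSSL libgost.so engine from comment 7 and the ldb modules under /usr/lib/ldb in comment 21's list are examples of that class.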
Comment 11 Zombie Ryushu 2015-05-07 00:38:47 MSD
Installation of your rpm creates some sort of loop in fstab where it fails to mount /usr over and over.
Comment 12 Alexey Ivanov 2015-05-07 07:13:50 MSD
This is weird. I haven't been mangling with fstab at all. Could you please provide more details?
Comment 13 Zombie Ryushu 2015-05-07 07:59:22 MSD
(In reply to comment #12)
> This is weird. I haven't been mangling with fstab at all. Could you please
> provide more details?

In that case it may just be a misconfiguration with the node in question.
Comment 14 Alexey Ivanov 2015-05-07 21:13:41 MSD
Here goes another build:

https://abf.io/build_lists/2498507
https://abf.io/build_lists/2498508

A command to attach x86_64 container:

urpmi.addmedia 2498508 http://abf-downloads.rosalinux.ru/rosa2014.1/container/2498508/x86_64/main/release/

The same for i586 arch:

urpmi.addmedia 2498507 http://abf-downloads.rosalinux.ru/rosa2014.1/container/2498507/i586/main/release/

Zombie Ryushu, please have a look at this one.
Object of most interest for you is file /etc/sysconfig/named-chroot-setup.
I don't see an easy and reliable way to find out if a user is going to use samba_dlz modules. So the approach taken is 'uncomment if you need it'. Other actions a user has to do manually are: provision a domain and edit named.conf.
Comment 15 Alexey Ivanov 2015-05-07 21:14:51 MSD
Created attachment 3939 [details]
ssh session record

I am attaching an ssh session record with my latest test - it worked.
I have briefly stripped most non-printable characters to make it more or less readable.
Comment 16 Zombie Ryushu 2015-05-08 05:02:46 MSD
(In reply to comment #15)
> Created attachment 3939 [details]
> ssh session record
> 
> I am attaching an ssh session record with my latest test - it worked.
> I have briefly stripped most non-printable characters to make it more or
> less readable.

Are the SAM Databases consistent between the inside and outside of the chroot?
Comment 17 Zombie Ryushu 2015-05-08 09:02:30 MSD
No such file or directory because while there is a mount connection for /var/lib/samba there is not one for /usr/lib64/samba to actually see the SO.
Comment 18 Zombie Ryushu 2015-05-08 09:12:49 MSD
(In reply to comment #17)
> No such file or directory because while there is a mount connection for
> /var/lib/samba there is not one for /usr/lib64/samba to actually see the SO.

named[8398]: dlz_dlopen failed to open library '/usr/lib64/samba/dlz_bind9_10.so' - libsamdb-common.so: cannot open shared object file: No such file or directory

I'm still getting this error.
Comment 19 Zombie Ryushu 2015-05-08 09:15:11 MSD
dlz "AD DNS Zone" {
    database "dlopen /usr/lib64/samba/bind9/dlz_bind9_10.so";
};
Comment 20 Alexey Ivanov 2015-05-08 09:20:02 MSD
What is your architecture? Which section of /etc/sysconfig/named-chroot-setup have you uncommented?

Please attach output of the following commands:

uname -i
egrep -v '^\s*(#|$)' /etc/sysconfig/named-chroot-setup
findmnt
Comment 21 Alexey Ivanov 2015-05-08 19:56:00 MSD
[root@fresh-586-01 ~]# uname -i
i686
I have installed an i586 VM to test the package under this arch. Just in case.

Succeeded:

[root@fresh-586-01 ~]# uname -i
i686
[root@fresh-586-01 ~]# tail -n 1 /etc/named.conf 
dlz "example.com" { database "dlopen /usr/lib/samba/bind9/dlz_bind9_10.so"; };
[root@fresh-586-01 ~]# egrep -v '^\s*(#|$)' /etc/sysconfig/named-chroot-setup
 ROOTDIR_MOUNT='/etc/samba/smb.conf
                /etc/ld.so.conf
                /etc/ld.so.conf.d
                /etc/ld.so.cache
                /usr/lib/samba
                /usr/lib/sasl2
                /usr/lib/ldb
                /usr/lib/openssl-1.0.1m/engines
                /usr/lib/libsamba-hostconfig.so*
                /usr/lib/libgensec.so*
                /usr/lib/libsamba-util.so*
                /usr/lib/libsamba-credentials.so*
                /usr/lib/libsamdb.so*
                /usr/lib/libldb.so*
                /usr/lib/libtalloc.so*
                /usr/lib/libndr.so*
                /usr/lib/libtevent.so*
                /usr/lib/libtevent-util.so*
                /usr/lib/libndr-krb5pac.so*
                /usr/lib/libgnutls.so*
                /usr/lib/libtdb.so*
                /usr/lib/libndr-standard.so*
                /usr/lib/libndr-nbt.so*
                /usr/lib/libp11-kit.so*
                /usr/lib/libtasn1.so*
                /usr/lib/libnettle.so*
                /usr/lib/libhogweed.so*
                /usr/lib/libffi.so*
                /usr/lib/libdcerpc-binding.so*
                /usr/lib/libsmbconf.so*
                /usr/lib/libgmp.so*
                /usr/lib/libfreebl3.so*
                /lib/libpopt.so*
                /lib/librt.so*
                /lib/libcrypt.so*
                /lib/libfreebl3.so*
                /var/lib/samba/private/dns
                /var/lib/samba/private/dns.keytab
                /var/lib/samba/private/sam.ldb.d'
[root@fresh-586-01 ~]# dig A +short example.com @127.0.0.1
192.168.0.177
[root@fresh-586-01 ~]# dig A +short `hostname`.example.com @127.0.0.1
192.168.0.177
[root@fresh-586-01 ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 52:54:00:3a:f3:88 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.177/24 brd 192.168.0.255 scope global dynamic eth0
       valid_lft 85098sec preferred_lft 85098sec
    inet6 fe80::5054:ff:fe3a:f388/64 scope link 
       valid_lft forever preferred_lft forever
[root@fresh-586-01 ~]# cat /etc/samba/smb.conf 
# Global parameters
[global]
        workgroup = EXAMPLE
        realm = EXAMPLE.COM
        netbios name = FRESH-586-01
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate

[netlogon]
        path = /var/lib/samba/sysvol/example.com/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No
Comment 22 Zombie Ryushu 2015-05-09 05:25:52 MSD
It works, I had to create an additional mount point for /var/lib/named/usr/lib64/samba
Comment 23 Alexey Ivanov 2015-05-09 10:09:45 MSD
(In reply to comment #22)
> It works,

Great!

> I had to create an additional mount point for
> /var/lib/named/usr/lib64/samba

It should have been there. The package ships with this directory:

alexey@Fresh-10349-03 ~ $ uname -i
x86_64
alexey@Fresh-10349-03 ~ $ urpmq -l bind-9.10.2-2 | grep samba
/var/lib/named/etc/samba
/var/lib/named/usr/lib/samba
/var/lib/named/usr/lib64/samba
/var/lib/named/var/lib/samba
/var/lib/named/var/lib/samba/private
/var/lib/named/var/lib/samba/private/dns
/var/lib/named/var/lib/samba/private/sam.ldb.d
alexey@Fresh-10349-03 ~ $ 

[alexey@fresh-586-01 ~]$ uname -i
i686
[alexey@fresh-586-01 ~]$ urpmq -l bind-9.10.2-2 | grep samba
/var/lib/named/etc/samba
/var/lib/named/usr/lib/samba
/var/lib/named/usr/lib64/samba
/var/lib/named/var/lib/samba
/var/lib/named/var/lib/samba/private
/var/lib/named/var/lib/samba/private/dns
/var/lib/named/var/lib/samba/private/sam.ldb.d
[alexey@fresh-586-01 ~]$ 

So, do you find this issue resolved? Or maybe you see ways to improve something?
Comment 24 Zombie Ryushu 2015-05-09 10:19:30 MSD
I have kinda a FUBAR situation with a previous build of Samba 4. It was partly my fault.
Comment 25 Zombie Ryushu 2015-05-13 08:37:20 MSD
I think this can go into QA.
Comment 26 Alexey Ivanov 2015-05-13 12:02:39 MSD
Ok, we have figured out and fixed all the problems we've had.
The last build works as expected and solves the issue reported.

====================================

Build lists:

https://abf.io/build_lists/2498507
https://abf.io/build_lists/2498508

Advisory:
************************************
Upgrade to version 9.10.2. This covers security issues CVE-2014-8500, CVE-2014-8680 and CVE-2015-1349.
Chroot environment can now be populated with files and directories via helper script that reads /etc/sysconfig/named-chroot-setup file and bind mounts files and directories listed in ROOTDIR_MOUNT variable.
Initialization processes completely migrated to systemd.
************************************
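The helper described in comment 14 and in the advisory above reads ROOTDIR_MOUNT from /etc/sysconfig/named-chroot-setup and bind mounts each entry into the chroot. The script below is an added example of that mechanism, not the helper shipped with the ROSA bind package. It reads the same ROOTDIR_MOUNT='...' format shown in comment 21, expands the .so* globs, creates a mount point of the matching kind (directory or empty file) under the chroot, refuses relative or ".." entries that would place a mount point outside the chroot, and then bind mounts the source. NAMED_ROOT, MOUNT_CMD and the function names plan_mounts, mount_entry and setup_chroot are assumptions made here; MOUNT_CMD exists so the logic can be exercised without root by substituting echo for mount.

```shell
#!/bin/sh
# Added example, not the helper from the ROSA bind package: populate a named
# chroot from a ROOTDIR_MOUNT list by bind mounting each listed path.
# Assumed knobs: NAMED_ROOT is the chroot directory (ROSA uses /var/lib/named),
# MOUNT_CMD is the mount binary (set to "echo" for a dry run).
: "${NAMED_ROOT:=/var/lib/named}"
: "${MOUNT_CMD:=mount}"

# plan_mounts CONFIG: source CONFIG (sysconfig format, a shell fragment that
# sets ROOTDIR_MOUNT), let the shell split the value on whitespace and expand
# globs such as /usr/lib/libldb.so*, and print one "dir|/path" or "file|/path"
# line per existing path.  Patterns that match nothing are reported on stderr.
plan_mounts() {
    ROOTDIR_MOUNT=
    . "$1"
    for path in $ROOTDIR_MOUNT; do      # unquoted on purpose: glob expansion
        if [ -d "$path" ]; then
            printf 'dir|%s\n' "$path"
        elif [ -e "$path" ]; then
            printf 'file|%s\n' "$path"
        else
            printf 'skip|%s\n' "$path" >&2
        fi
    done
}

# mount_entry "kind|/path": create the mount point of the same kind under
# NAMED_ROOT and bind mount the host path onto it.  Entries are validated
# first so that a bad list cannot create mount points outside the chroot.
mount_entry() {
    kind=${1%%|*}
    src=${1#*|}
    case "$src" in
        /*) ;;
        *) printf 'refusing non-absolute entry: %s\n' "$src" >&2; return 1 ;;
    esac
    case "/$src/" in
        */../*) printf 'refusing ".." in entry: %s\n' "$src" >&2; return 1 ;;
    esac
    dst="$NAMED_ROOT$src"
    if [ "$kind" = dir ]; then
        mkdir -p "$dst"
    else
        mkdir -p "$(dirname "$dst")"
        [ -e "$dst" ] || : > "$dst"        # a file needs a file as mount point
    fi
    "$MOUNT_CMD" --bind "$src" "$dst"
}

# setup_chroot CONFIG: plan and apply every mount; stop at the first failure.
setup_chroot() {
    plan_mounts "$1" | while IFS= read -r entry; do
        mount_entry "$entry" || exit 1
    done
}

# Usage (as root): sh named-chroot-populate.sh /etc/sysconfig/named-chroot-setup
if [ $# -gt 0 ]; then
    setup_chroot "$1"
fi
```

Two points follow from the thread. The mount point must pre-exist with the right type, which is why comment 22's extra directory under /var/lib/named/usr/lib64/samba mattered and why comment 23 checks that the package ships it. And because the list is sourced as shell, the sysconfig file must stay root-owned and root-writable only, as is already the case for /etc/sysconfig on ROSA.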
Comment 27 Vladimir Potapov 2015-05-14 17:06:10 MSD
The update is sent to expanded testing
***************************************
Comment 28 Vladimir Potapov 2015-05-18 12:38:18 MSD
bind-9.10.2-2
https://abf.io/build_lists/2498507
https://abf.io/build_lists/2498508
*********************** Advisory ********************************
Upgrade to version 9.10.2. This covers security issues CVE-2014-8500, CVE-2014-8680 and CVE-2015-1349.
Chroot environment can now be populated with files and directories via helper script that reads /etc/sysconfig/named-chroot-setup file and bind mounts files and directories listed in ROOTDIR_MOUNT variable.
Initialization processes completely migrated to systemd.
*****************************************************************
QA Verified