[Pkg-samba-maint] Bug#859101: regression: net: security update makes `net ads join` freeze when run a second time

Paul Wise pabs at debian.org
Thu Mar 30 10:30:05 UTC 2017


Package: samba-common-bin
Version: 2:4.2.10+dfsg-0+deb8u1
Severity: serious
File: /usr/bin/net
Control: found -1 2:4.2.14+dfsg-0+deb8u4
X-Debbugs-CC: security at debian.org

The jessie security upgrade from samba 2:4.1.17+dfsg-2+deb8u2 to
2:4.2.10+dfsg-0+deb8u1 causes the `net ads join` command to freeze when
run on a system that has already been joined to the domain.

I've confirmed that the freeze does not happen on samba 4.1 using
snapshot.d.o. The issue still occurs with 2:4.2.14+dfsg-0+deb8u4.

When I increase the debug level to 15, it appears that it freezes while
trying to remove old keytab entries.

The command doesn't use much CPU so it appears to be a deadlock.

$ sudo apt install samba-common-bin smbclient
$ grep -A13 \\[global /etc/samba/smb.conf 
[global]

## Browsing/Identification ###

# Change this to the workgroup/NT-domain name your Samba server will part of
   workgroup = TEST
   realm = TEST.LOCAL
   dedicated keytab file = /etc/krb5.keytab
   kerberos method = secrets and keytab
   preferred master = no
   domain master = No
   password server = *
   security = ADS
   ldap timeout = 300
$ sudo net ads join -d15 -UAdministrator
...
Enter Administrator's password:
...
$ sudo net ads join -d15 -UAdministrator
...
Enter Administrator's password:
...
../source3/libads/kerberos_keytab.c:65: Will try to delete old keytab entries
../source3/libads/kerberos_keytab.c:139: Found old entry for principal: host/test46.test.local at TEST.LOCAL (kvno 6) - trying to remove it.
^C
$ sudo smbclient -Utester -L //testsbs01
Enter Indexer's password: 
Domain=[TEST] OS=[Windows Server 2003 3790 Service Pack 2] Server=[Windows Server 2003 5.2]
$ cat /etc/apt/sources.d/snapshot.list
deb http://snapshot.debian.org/archive/debian/20160103T163148Z/ jessie main
deb http://snapshot.debian.org/archive/debian-security/20160413T203215Z/ jessie/updates main
deb http://snapshot.debian.org/archive/debian/20160314T035958Z/ jessie main
deb http://snapshot.debian.org/archive/debian-security/20160312T072202Z/ jessie/updates main

-- System Information:
Debian Release: 8.7
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages samba-common-bin depends on:
ii  libbsd0        0.7.0-2
ii  libc6          2.19-18+deb8u7
ii  libldap-2.4-2  2.4.40+dfsg-1+deb8u2
ii  libncurses5    5.9+20140913-1+b1
ii  libpopt0       1.16-10
ii  libreadline6   6.3-8+b3
ii  libtalloc2     2.1.2-0+deb8u1
ii  libtdb1        1.3.6-0+deb8u1
ii  libtevent0     0.9.28-0+deb8u1
ii  libtinfo5      5.9+20140913-1+b1
ii  libwbclient0   2:4.2.14+dfsg-0+deb8u4
ii  python         2.7.9-1
ii  python-samba   2:4.2.14+dfsg-0+deb8u4
pn  python2.7:any  <none>
ii  samba-common   2:4.2.14+dfsg-0+deb8u4
ii  samba-libs     2:4.2.14+dfsg-0+deb8u4

samba-common-bin recommends no packages.

Versions of packages samba-common-bin suggests:
pn  heimdal-clients  <none>

-- no debconf information

-- 
bye,
pabs

https://wiki.debian.org/PaulWise