Samba4 does not work with IPv6

Bug #1335502 reported by Thiago Martins on 2014-06-28
This bug affects 1 person
Affects: samba (Ubuntu)
Importance: Medium
Assigned to: Unassigned

Bug Description

Hello guys,

I'm playing with Samba4 and, with IPv4, it works great but, when we enable IPv6, nothing works.

Here is how to reproduce it:

Summary of the procedure that works (IPv4-Only):

SOURCE: http://www.tiltingatlinux.com/2014/04/basic-samba4-domain-controler-on-ubuntu.html

---
1- Install Ubuntu 14.04;

2- Configure /etc/hosts & /etc/network/interfaces accordingly;

4- Install Samba4, like this: "apt-get install samba krb5-user smbclient";

5- Provision domain with: "samba-tool domain provision --realm domain.com.br --domain DOMAIN --adminpass Test1234Lol --server-role=dc --use-rfc2307";

6- Reboot & Done!
---

Everything works as expected but, since my network is based on IPv6, I need to enable it in Samba and... It does not work...

Summary of the procedure that does not work (Dual-Stacked):

---
1- Install Ubuntu 14.04;

2- Configure /etc/hosts & /etc/network/interfaces, like this:

-----
auto eth0

iface eth0 inet6 static
 address 2008:xxx:200:3f6::10
 netmask 64
 gateway 2008:xxx:200:3f6::1

iface eth0 inet static
 address 192.168.1.221
 netmask 24
 gateway 192.168.1.1
 dns-domain domain.com.br
 dns-search domain.com.br
 dns-nameservers 192.168.1.221

-- hosts:

127.0.0.1 localhost.localdomain localhost
2008:xxx:200:3f6::10 ubuntu-ad-1.domain.com.br ubuntu-ad-1
192.168.1.221 ubuntu-ad-1.domain.com.br ubuntu-ad-1
-----

4- Install Samba4, like this: "apt-get install samba krb5-user smbclient";

5- Provision domain with: "samba-tool domain provision --realm domain.com.br --domain DOMAIN --adminpass Test1234Lol --server-role=dc --use-rfc2307";

6- Reboot and... Nothing is working, Samba isn't listening on 53, 389, etc...
---

Are there any workarounds to deal with it?

Thanks!
Thiago
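
A check for the symptom in the description above (no listener on 53, 389), as an added example that is not part of the original report or of Samba's code: it reads the kernel's /proc/net/tcp and /proc/net/tcp6 tables and lists the AD DC ports that have no listener in each address family. The sample tables and the function names are constructed for illustration.

```python
"""Report which AD DC TCP ports have no listener, per address family."""

DC_PORTS = (53, 389)   # the two ports the report names; extend as needed
LISTEN = "0A"          # TCP_LISTEN state code in /proc/net/tcp and tcp6

# Constructed samples in /proc/net/tcp{,6} layout (trailing columns trimmed).
SAMPLE_TCP4 = """\
  sl  local_address rem_address   st
   0: 00000000:0016 00000000:0000 0A
   1: DD01A8C0:0035 00000000:0000 0A
   2: 00000000:0185 00000000:0000 0A
   3: DD01A8C0:0016 0A01A8C0:C350 01
"""
SAMPLE_TCP6 = """\
  sl  local_address                         remote_address                        st
   0: 00000000000000000000000000000000:0016 00000000000000000000000000000000:0000 0A
"""

def listening_ports(proc_text):
    """Return the set of ports in LISTEN state from one /proc/net/tcp* table."""
    ports = set()
    for line in proc_text.splitlines()[1:]:      # first line is the header
        cols = line.split()
        if len(cols) < 4 or cols[3] != LISTEN:
            continue                              # established etc. are ignored
        ports.add(int(cols[1].rpartition(":")[2], 16))  # port is hex after ':'
    return ports

def missing_listeners(tcp4_text, tcp6_text, ports=DC_PORTS):
    """List (family, port) pairs with no listener, IPv4 first, in port order."""
    tables = {"ipv4": listening_ports(tcp4_text),
              "ipv6": listening_ports(tcp6_text)}
    return [(fam, p) for fam in ("ipv4", "ipv6")
            for p in ports if p not in tables[fam]]

if __name__ == "__main__":
    # On a live Linux host, read the real kernel tables instead of the samples.
    with open("/proc/net/tcp") as f4, open("/proc/net/tcp6") as f6:
        for fam, port in missing_listeners(f4.read(), f6.read()):
            print(f"no {fam} listener on tcp/{port}")
```

A wildcard IPv6 socket can also accept IPv4 connections when the service does not set IPV6_V6ONLY, so a port that appears only in the tcp6 table is not by itself evidence that IPv4 clients are cut off.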

Thiago Martins (martinx) on 2014-06-28
description: updated
Thiago Martins (martinx) on 2014-06-29
description: updated
Robie Basak (racb) on 2014-06-30
Changed in samba (Ubuntu):
importance: Undecided → Medium
Thiago Martins (martinx) wrote :

I did more tests this weekend on this...

In fact, it is easier to replicate this problem... For example, if you have Samba4 working okay in an IPv4-Only environment and then, you just enable IPv6 (and reboot), Samba4 will not start anymore...

Also, I tried to run "samba_dnsupdate --verbose" after enabling IPv6 at /etc/network/interfaces (ifdown eth0 ; ifup eth0) and, before a reboot (while Samba4 is still running), without success...

Thiago Martins (martinx) on 2014-07-08
information type: Public → Private Security
Thiago Martins (martinx) wrote :

Guys!

I'm considering this as a security flaw in Samba4 on top of Ubuntu 14.04!

But, why!?

Simple:

- If you start the IPv6 RA daemon within your network (radvd), where you have "Samba4 AD DC" up and running, then, it will, somehow, crash Samba (it will not restart anymore)...

These days it is pretty normal to enable radvd on Corporate Networks...

Also, if an attacker wants to just impact your Samba4 network, he just needs to start the radvd somewhere within your network... This way, if the admin then tries to reboot / restart Samba4, it will not come up again. Until you disable IPv6...

NOTE: I'm doing more tests to see what I can do as a workaround to this situation... The way I'm seeing it, "as-is", Samba4 will not restart "out of nothing", if an IPv6 address appears on its machine...

Regards,
Thiago

information type: Private Security → Public Security
Seth Arnold (seth-arnold) wrote :

I have trouble believing such a common daemon is so brittle in the face of IPv6; further investigation would be very helpful.

Thiago Martins (martinx) wrote :

Hey Seth,

I completely agree with you... If true, this problem is serious (and unbelievable, it seems that Canonical have no Q.A. to deal with IPv6, or something like that, I do not want to be rude, but make Ubuntu a better O.S.) but, at the end of the day, I managed to make it work.

To make Samba4 safer against this problem (that comes by default), we need to provision the domain passing the following option: "--function-level=2008_R2" to samba-tool.

Example with IPv6 working on Samba4 AD DC:

---
samba-tool domain provision --realm domain.com.br --domain DOMAIN --adminpass Test1234Lol --server-role=dc --use-rfc2307 --function-level=2008_R2
---

This way, Samba4 will behave okay when you have IPv6 on your network.

Samba4 AD DC with IPv6 enabled:

---
root@ubuntu-ad-1:~# host -t SRV _ldap._tcp.domain.com.br
_ldap._tcp.domain.com.br has SRV record 0 100 389 ubuntu-ad-1.domain.com.br.

root@ubuntu-ad-1:~# host ubuntu-ad-1.domain.com.br
ubuntu-ad-1.domain.com.br has address 192.168.1.221
ubuntu-ad-1.domain.com.br has IPv6 address 2008:xxx:200:3f6::10
---

Also, I noted that the 2008_R2 level does NOT fix this if you just try to "raise up" your "Samba AD DC", after enabling IPv6, for example, by doing:

---
samba-tool domain level raise --domain-level 2008_R2 --forest-level 2008_R2
---

It will not fix the problem... You need to start from scratch, using 2008_R2 level from the beginning, to not hit this problem.

So, this is still a BUG but, less serious if you do not use the "defaults" to provision your domain at first...

Cheers!
Thiago

description: updated
Thiago Martins (martinx) wrote :

Just for the record, after enabling IPv6 in "Samba4 AD DC", I'm now facing another small problem, which is:

https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1339434

Regards,
Thiago

Jamie Strandboge (jdstrand) wrote :

The crash does not seem to be a security issue since it is related to a specific configuration and therefore this is a normal bug.

information type: Public Security → Public
Thiago Martins (martinx) wrote :

Bug filed in Samba bugzilla:

https://bugzilla.samba.org/show_bug.cgi?id=10730

Since it seems to be an upstream issue...

NOTE: Jamie, I don't think it is a "normal bug", it can be used as an attack vector to mess things up. Nevertheless, I filed a BUG report on Samba bugzilla. I think you guys can close it here on Launchpad, if desired...

Jelmer Vernooij (jelmer) on 2014-10-22
Changed in samba (Ubuntu):
status: New → Incomplete