Backtrace when running "gpo manage motd set" to update an existing motd policy

Status changed to 'Confirmed' because the bug affects multiple users.

This bug was fixed in the package samba - 2:4.20.4+dfsg-1ubuntu2

---------------
samba (2:4.20.4+dfsg-1ubuntu2) plucky; urgency=medium

  * d/p/fix-update-motd-gpo.patch: fix crash when updating an already existing
    MOTD GPO (LP: #2092308)

 -- Andreas Hasenack <email address hidden> Fri, 20 Dec 2024 17:39:35 -0300

Ok, it's not crashing anymore, but it's also not updating the text correctly. It's just adding the key over and over again:

# cat /var/lib/samba/sysvol/example.internal/Policies/\{31B2F340-016D-11D2-945F-00C04FB984F9\}/MACHINE/VGP/VTLA/Unix/MOTD/manifest.xml
<?xml version='1.0' encoding='UTF-8'?>
<vgppolicy><policysetting><version>1</version><name>Text File</name><description>Represents a Generic Text File</description><apply_mode>replace</apply_mode><data><filename>motd</filename><text>Welcome</text><text>Welcome</text><text>Welcome</text><text>Welcome\n</text><text>Welcome again</text><text>Welcome again</text></data></policysetting></vgppolicy>

root@o-ad:~#

Hello Andreas, or anyone else affected,

Accepted samba into oracular-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/samba/2:4.20.4+dfsg-1ubuntu1.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-oracular to verification-done-oracular. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-oracular. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Hello Andreas, or anyone else affected,

Accepted samba into noble-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/samba/2:4.19.5+dfsg-4ubuntu9.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-noble to verification-done-noble. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-noble. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

All autopkgtests for the newly accepted samba (2:4.20.4+dfsg-1ubuntu1.1) for oracular have finished running.
The following regressions have been reported in tests triggered by the package:

ffmpeg/unknown (amd64)
freedombox/unknown (i386)
kworkflow/unknown (amd64)
libfilesys-smbclient-perl/unknown (amd64)
libsoup2.4/2.74.3-7ubuntu0.1 (amd64, i386, ppc64el)
libsoup3/unknown (amd64)
openldap/unknown (amd64)
samba/2:4.20.4+dfsg-1ubuntu1.1 (amd64, arm64, ppc64el)
scapy/unknown (amd64)
sssd/unknown (amd64)
vlc/unknown (amd64)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/oracular/update_excuses.html#samba

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

# Noble verification

Reproducing the bug now is harder because of https://bugs.launchpad.net/ubuntu/+source/samba/+bug/2088094, which doesn't let us reach that part of the code (it crashes before). I will therefore only verify the fix, without the reproduction step.

Installed version:
ubuntu@n-ad:~$ apt-cache policy samba
samba:
  Installed: 2:4.19.5+dfsg-4ubuntu9.1
  Candidate: 2:4.19.5+dfsg-4ubuntu9.1
  Version table:
 *** 2:4.19.5+dfsg-4ubuntu9.1 100
        100 http://br.archive.ubuntu.com/ubuntu noble-proposed/main amd64 Packages
        100 /var/lib/dpkg/status
     2:4.19.5+dfsg-4ubuntu9 500
        500 http://br.archive.ubuntu.com/ubuntu noble/main amd64 Packages

Running the command multiple times:
ubuntu@n-ad:~$ sudo samba-tool gpo manage motd set {31B2F340-016D-11D2-945F-00C04FB984F9} "Welcome" -U Administrator%Passw0rd
WARNING: Using passwords on command line is insecure. Installing the setproctitle python module will hide these from shortly after program start.
ubuntu@n-ad:~$ sudo samba-tool gpo manage motd set {31B2F340-016D-11D2-945F-00C04FB984F9} "Welcome" -U Administrator%Passw0rd
WARNING: Using passwords on command line is insecure. Installing the setproctitle python module will hide these from shortly after program start.
ubuntu@n-ad:~$ sudo samba-tool gpo manage motd set {31B2F340-016D-11D2-945F-00C04FB984F9} "Welcome" -U Administrator%Passw0rd
WARNING: Using passwords on command line is insecure. Installing the setproctitle python module will hide these from shortly after program start.
ubuntu@n-ad:~$ sudo samba-tool gpo manage motd set {31B2F340-016D-11D2-945F-00C04FB984F9} "Welcome" -U Administrator%Passw0rd
WARNING: Using passwords on command line is insecure. Installing the setproctitle python module will hide these from shortly after program start.

And confirming the set value:

ubuntu@n-ad:~$ sudo samba-tool gpo manage motd list {31B2F340-016D-11D2-945F-00C04FB984F9};echo
Welcome

Noble verification succeeded.

# Oracular verification failed

I'm not sure why it worked in noble and not oracular, but I get an unexpected backtrace:

ubuntu@o-ad:~$ sudo samba-tool gpo manage motd set {31B2F340-016D-11D2-945F-00C04FB984F9} "Welcome" -U Administrator%Passw0rd
WARNING: Using passwords on command line is insecure. Installing the setproctitle python module will hide these from shortly after program start.
ERROR(<class 'AttributeError'>): uncaught exception - 'NoneType' object has no attribute 'text'
  File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 285, in _run
    return self.run(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/samba/netcmd/gpo.py", line 3840, in run
    text.text = value
    ^^^^^^^^^

The version of samba in the proposed pocket of Oracular that was purported to fix this bug report has been removed because one or more bugs that were to be fixed by the upload have failed verification and been in this state for more than 10 days.

All autopkgtests for the newly accepted samba (2:4.20.4+dfsg-1ubuntu1.1) for oracular have finished running.
The following regressions have been reported in tests triggered by the package:

samba/2:4.20.4+dfsg-1ubuntu1.1 (ppc64el)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/oracular/update_excuses.html#samba

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Turns out this also fails in noble, and wasn't seen before just because of ordering.

If we try to first reproduce the bug, and then update the package and run again, it will work. Even though we get a crash at first when trying to reproduce the bug, it did manage to create the policy file. Then when we update to the package in proposed, and run the command again, the policy file already exists, and we run through a different code path.

In noble, if you start fresh from the packages in noble proposed, this bug is also not verified:

ubuntu@n-ad:~$ sudo samba-tool gpo manage motd set {31B2F340-016D-11D2-945F-00C04FB984F9} "Welcome" -U Administrator%Passw0rd
WARNING: Using passwords on command line is insecure. Installing the setproctitle python module will hide these from shortly after program start.
ERROR(<class 'AttributeError'>): uncaught exception - 'NoneType' object has no attribute 'text'
  File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 279, in _run
    return self.run(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/samba/netcmd/gpo.py", line 3832, in run
    text.text = value
    ^^^^^^^^^

Package from proposed:

ubuntu@n-ad:~$ apt-cache policy samba
samba:
  Installed: 2:4.19.5+dfsg-4ubuntu9.1
  Candidate: 2:4.19.5+dfsg-4ubuntu9.1
  Version table: ...

Reopening the plucky task, since it has the same patch and bug.

I have a new fix. Testing.

This particular scenario was actually fixed in plucky (updating existing policy). Creating a new fresh policy is what broke, and is being tracked in https://bugs.launchpad.net/bugs/2098755

The version of samba in the proposed pocket of Noble that was purported to fix this bug report has been removed because one or more bugs that were to be fixed by the upload have failed verification and been in this state for more than 10 days.

oracular is about to be EOL

Hello Andreas, or anyone else affected,

Accepted samba into noble-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/samba/2:4.19.5+dfsg-4ubuntu9.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-noble to verification-done-noble. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-noble. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Noble verification

This SRU includes a new test case for this bug, part of the existing d/t/samba-ad-dc-provisioning-internal-dns test.

For verification purposes, the samba-ad-dc-provisioning-internal-dns test must pass. More specifically, the test server_motd_gpo_tests() must pass. The start of the test is marked with the following text in the test output:

  ## MOTD GPO tests (server only)

autopkgtests for samba/2:4.19.5+dfsg-4ubuntu9.2 have passed:
- amd64: https://autopkgtest.ubuntu.com/results/autopkgtest-noble/noble/amd64/s/samba/20250702_195525_a4167@/log.gz
- arm64: https://autopkgtest.ubuntu.com/results/autopkgtest-noble/noble/arm64/s/samba/20250702_194651_2d1ca@/log.gz
- armhf: https://autopkgtest.ubuntu.com/results/autopkgtest-noble/noble/armhf/s/samba/20250702_193550_d7043@/log.gz
- i386 (fail in general, no regression, but the test for this SRU passed): https://autopkgtest.ubuntu.com/results/autopkgtest-noble/noble/i386/s/samba/20250702_201122_30021@/log.gz
- ppc64el: https://autopkgtest.ubuntu.com/results/autopkgtest-noble/noble/ppc64el/s/samba/20250702_194901_d6d6f@/log.gz
- s390x: https://autopkgtest.ubuntu.com/results/autopkgtest-noble/noble/s390x/s/samba/20250702_194350_c9880@/log.gz
- riscv64: didn't run, I triggered it manually

The specific test we are looking for is, inside samba-ad-dc-provisioning-internal-dns, the "MOTD GPO tests (server only)" test. Here is a paste of its results in amd64 (from link above):
1798s ## MOTD GPO tests (server only)
1798s
1798s ## Setting MOTD GPO text to "Welcome1"
1798s WARNING: Using passwords on command line is insecure. Installing the setproctitle python module will hide these from shortly after program start.
1798s
1798s ## Verifying MOTD text "Welcome1" is in the policy manifest
1798s <vgppolicy><policysetting><version>1</version><name>Text File</name><description>Represents a Generic Text File</description><apply_mode>replace</apply_mode><data><filename>motd</filename><text>Welcome1</text></data></policysetting></vgppolicy>
1799s
1799s ## Setting MOTD GPO text to "Welcome2"
1799s WARNING: Using passwords on command line is insecure. Installing the setproctitle python module will hide these from shortly after program start.
1799s
1799s ## Verifying MOTD text "Welcome2" is in the policy manifest
1799s <vgppolicy><policysetting><version>1</version><name>Text File</name><description>Represents a Generic Text File</description><apply_mode>replace</apply_mode><data><filename>motd</filename><text>Welcome2</text></data></policysetting></vgppolicy>
1799s
1799s ## Verifying that the policy manifest DOES NOT contain previous MOTD text Welcome1
1799s
1799s ## Setting MOTD GPO text to empty
1799s WARNING: Using passwords on command line is insecure. Installing the setproctitle python module will hide these from shortly after program start.
1800s ## Verifying that the MOTD GPO text is empty

And the summary showing samba-ad-dc-provisioning-internal-dns passed:
1801s autopkgtest [19:55:18]: @@@@@@@@@@@@@@@@@@@@ summary
1801s cifs-share-access PASS
1801s cifs-share-access-uring PASS
1801s python-smoke PASS
1801s smbclient-anonymous-share-list PASS
1801s smbclient-authenticated-...

I'm just getting tmpfails[1] from the autopkgtest runner on riscv64. It seems it just can't get a system up to run the test, the logs are full of nova api call errors, timeouts, and retries
. Example:

1103s novaclient.exceptions.ClientException: Unexpected API Error. Please report this at http://bugs.launchpad.net/nova/ and attach the Nova API log if possible.

1. https://autopkgtest.ubuntu.com/results/autopkgtest-noble/noble/riscv64/s/samba/20250710_002118_3f958@/log.gz

The riscv64 autopkgtest infrastructure is currently failing[1]

  [2025-07-10] riscv64 testbeds are currently not spawning. This issue is being actively worked on,
  and testbeds should be online in the next few days.

That post is edited live, so it may not have the same content as above once the issue is resolved.

Given this situation, and the fact that the test plan (the autopkgtest) was verified for all other architectures, I'm marking the noble verification as succeeded.

1. https://discourse.ubuntu.com/t/autopkgtest-service/34490

This bug was fixed in the package samba - 2:4.19.5+dfsg-4ubuntu9.2

---------------
samba (2:4.19.5+dfsg-4ubuntu9.2) noble; urgency=medium

  * DEP8 test updates:
    - d/t/samba-ad-dc-provisioning-internal-dns: add MOTD GPO test
    - d/t/samba-ad-dc-provisioning-internal-dns: force samba-tool to use
      kerberos when interrogating the DNS server, otherwise it will prompt for
      a password
  * d/p/fix-motd-gpo-list-empty.patch: fix crash when listing an empty MOTD
    GPO (LP: #2107395)
  * d/p/fix-update-motd-gpo.patch: replace patch with upstream's version, which
    includes another fix for the case of updating an existing MOTD GPO
    (LP: #2107395)

samba (2:4.19.5+dfsg-4ubuntu9.1) noble; urgency=medium

  * d/p/gpo-segfault-fix.patch: fix segfault in samba-gpupdate (LP: #2078854)
  * d/p/deprecated-readfp-configparser.patch: fix crash in samba-tool due to
    using removed method (LP: #2088094)
  * d/p/fix-update-motd-gpo.patch: fix crash when updating an already existing
    MOTD GPO (LP: #2092308)

 -- Andreas Hasenack <email address hidden> Tue, 03 Jun 2025 15:25:34 -0300

The verification of the Stable Release Update for samba has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.