LDAP-SAM and Samba 2.2

Erik Persson erik at roxen.com
Fri Nov 30 15:16:01 GMT 2001


Hi!

I am experimenting with the PDC features of Samba 2.2 with the LDAP SAM
backend. This is going fairly well, except any attempt to join the domain
fails due to some confusion within smbd concerning what the RID for the
workstation account should be.

To add a user I use the "add user script" parameter to call a homecooked Pike
script that creates an entry for the account in the LDAP server.
The script sets all relevant parameters, including lmPassword, ntPassword,
rid and primaryGroupID. The latter two attributes are calculated from
uidNumber and gidNumber as in the smbpasswd code:

// RID scheme taken from the smbpasswd code: even RIDs are users, odd RIDs are groups
#define RID_MULTIPLIER 2
#define USER_RID_TYPE 0
#define GROUP_RID_TYPE 1

// uidNumber/gidNumber arrive as strings from the command line, so cast to int first;
// the results are written back to LDAP as plain decimal strings
string rid = sprintf("%d",
   (((int)args["uidNumber"])*RID_MULTIPLIER + 1000) | USER_RID_TYPE );
string primaryGroupID = sprintf("%d",
   (((int)args["gidNumber"])*RID_MULTIPLIER + 1000) | GROUP_RID_TYPE );


What seems to happen is that smbd interprets the integer values in
"rid" and "primaryGroupID" as hexadecimal values and then converts them to
decimal.

As you can see from the excerpts from the log file below, the adduser
script completes successfully, whereafter an LDAP search for "roadrunner$"
returns the correct rid and primaryGroupID values (15000 and 15001,
calculated from uidNumber/gidNumber 7000/7000).

Now the LDAP records are modified from init_ldap_from_sam() and
pdb_update_sam_account() and the values printed in the debug log are
86016/86017.

Being happy with this (I don't really care if smbd feels that my
calculated values were unsatisfactory as long as it works), the process
goes on to query the LDAP server for a rid of "548886":


[2001/11/30 23:45:24, 3] smbd/reply.c:smb_create_user(538)
  smb_create_user: Running the command
`/home/erik/src/pike/ldaptools/adduser.pike \
	-t W -L ldaps://127.0.0.1 -D "cn=root,dc=roxen,dc=com" \
	-b "dc=roxen, dc=com" -uo "ou=People" -go "ou=Group" -l 7000 -h 8000 \
	-c "NT Domain account for roadrunner" -s /bin/false -d /dev/null \
	-g ntws -p roadrunner roadrunner$' gave 0
[2001/11/30 23:45:24, 2] passdb/pdb_ldap.c:ldap_open_connection(130)
  ldap_open_connection: connection opened
[2001/11/30 23:45:24, 2] passdb/pdb_ldap.c:ldap_connect_system(160)
  ldap_connect_system: succesful connection to the LDAP server
[2001/11/30 23:45:24, 2] passdb/pdb_ldap.c:ldap_search_one_user(172)
  ldap_search_one_user: searching
for:[(&(uid=roadrunner$)(objectclass=sambaAccount))]
[2001/11/30 23:45:24, 2] passdb/pdb_ldap.c:get_single_attribute(256)
  get_single_attribute: [uid] = [roadrunner$]
[2001/11/30 23:45:24, 2] passdb/pdb_ldap.c:init_sam_from_ldap(374)
  Entry found for user: roadrunner$
[2001/11/30 23:45:24, 2] passdb/pdb_ldap.c:get_single_attribute(256)
  get_single_attribute: [rid] = [15000]
[2001/11/30 23:45:24, 2] passdb/pdb_ldap.c:get_single_attribute(256)
  get_single_attribute: [primaryGroupID] = [15001]

[2001/11/30 23:45:24, 2] passdb/pdb_ldap.c:init_ldap_from_sam(543)
  Setting entry for user: roadrunner$
[2001/11/30 23:45:25, 2] passdb/pdb_ldap.c:pdb_update_sam_account(931)
  successfully modified uid = roadrunner$ in the LDAP database

[2001/11/30 23:45:25, 2] passdb/pdb_ldap.c:ldap_search_one_user(172)
  ldap_search_one_user: searching
for:[(&(uid=roadrunner$)(objectclass=sambaAccount))]
[2001/11/30 23:45:25, 2] passdb/pdb_ldap.c:get_single_attribute(256)
  get_single_attribute: [uid] = [roadrunner$]
[2001/11/30 23:45:25, 2] passdb/pdb_ldap.c:init_sam_from_ldap(374)
  Entry found for user: roadrunner$
  get_single_attribute: [rid] = [86016]
[2001/11/30 23:45:25, 2] passdb/pdb_ldap.c:get_single_attribute(256)
  get_single_attribute: [primaryGroupID] = [86017]

  ldap_search_one_user: searching for:[rid=548886]
[2001/11/30 23:45:25, 0] passdb/pdb_ldap.c:pdb_getsampwrid(755)
  We don't find this rid [548886] count=0


Right... 0x15000 -> 86016, 0x86016 -> 548886. Pretty obvious I'd say. Is
this a known problem for which there might be a patch available?

Thanks,
/Erik

-- 
Erik Persson, System Manager            <erik at roxen.com>
Roxen Internet Software                 Voice:  +46 13 376817
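The following is an added example, not code from the original post, from Roxen's adduser script or from Samba. It reimplements the RID arithmetic the post quotes from smbpasswd, and adds the check a practitioner would want before blaming the adduser script: given an LDAP entry's uidNumber/gidNumber and the rid/primaryGroupID strings actually stored, it reports whether the stored values are intact or have been inflated by one or more of the base-16 read / base-10 write passes the log excerpts show (15000 -> 86016 -> 548886). The model of a "pass" (parse as hex, write back as decimal) is an assumption drawn from the posted log values, not from the Samba source; the entry dictionary and the audit_entry/hex_drift_passes helpers are constructed for this example.

```python
# Added example (not from the original post or from Samba): the RID
# arithmetic the message quotes from smbpasswd, plus a check that detects
# the hex-for-decimal drift visible in the posted log excerpts.

RID_MULTIPLIER = 2
USER_RID_TYPE = 0
GROUP_RID_TYPE = 1
RID_BASE = 1000          # the "+ 1000" offset in the posted Pike snippet


def user_rid(uid_number: int) -> int:
    """RID for a user/workstation account from its uidNumber (always even)."""
    return (uid_number * RID_MULTIPLIER + RID_BASE) | USER_RID_TYPE


def group_rid(gid_number: int) -> int:
    """primaryGroupID for a group from its gidNumber (always odd)."""
    return (gid_number * RID_MULTIPLIER + RID_BASE) | GROUP_RID_TYPE


def uid_from_rid(rid: int) -> int:
    """Inverse of user_rid(); rejects group-type (odd) RIDs."""
    if rid & 1 != USER_RID_TYPE:
        raise ValueError(f"{rid} is a group RID, not a user RID")
    return (rid - RID_BASE) // RID_MULTIPLIER


def smbd_pass(stored: str) -> str:
    """One read-modify-write pass through smbd as modelled on the log:
    the attribute string is parsed as base 16 and written back in base 10.
    This is an assumption drawn from the posted log values (15000 -> 86016),
    not taken from the Samba source."""
    return str(int(stored, 16))


def hex_drift_passes(stored: str, expected: int, max_passes: int = 4):
    """How many smbd passes turn `expected` into `stored`.
    0 means the attribute is intact; None means the stored value cannot be
    explained as hex drift of the expected one within max_passes."""
    value = str(expected)
    for n in range(max_passes + 1):
        if value == stored:
            return n
        value = smbd_pass(value)
    return None


def audit_entry(entry: dict) -> dict:
    """Audit one LDAP entry (attribute name -> string value) written the way
    the poster's adduser script writes it: recompute the expected rid and
    primaryGroupID from uidNumber/gidNumber and report drift per attribute."""
    uid = int(entry["uidNumber"])
    gid = int(entry["gidNumber"])
    report = {}
    for attr, expected in (("rid", user_rid(uid)),
                           ("primaryGroupID", group_rid(gid))):
        report[attr] = {
            "expected": expected,
            "stored": entry[attr],
            "drift_passes": hex_drift_passes(entry[attr], expected),
        }
    return report


if __name__ == "__main__":
    # Constructed entry matching the post: uidNumber/gidNumber 7000/7000,
    # attribute values as they appear after smbd's first rewrite (86016/86017).
    entry = {"uid": "roadrunner$", "uidNumber": "7000", "gidNumber": "7000",
             "rid": "86016", "primaryGroupID": "86017"}
    for attr, r in audit_entry(entry).items():
        print(f"{attr}: stored={r['stored']} expected={r['expected']} "
              f"drift_passes={r['drift_passes']}")
```

Running the block against the constructed entry reports one drift pass for both attributes, matching the 15000/15001 -> 86016/86017 transition in the log; a value of 548886 for rid would report two passes, which is the value smbd then fails to find.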





More information about the samba-ntdom mailing list