initgroups() system call in smbd child process doesn't get suppliementary group info from LDAP 10462145

Marco Zhang Marco.Zhang at Sun.COM
Fri Dec 19 12:53:52 GMT 2003


Hi Jerry,

I am looking for a workaround here. Instead of compiling Samba 2.2.8a with OpenLDAP, I tried to compile it with Netscape SDK. However, it fails at:

Compiling passdb/pdb_ldap.c
passdb/pdb_ldap.c: In function `rebindproc_with_state':
passdb/pdb_ldap.c:276: error: `ldap_state' undeclared (first use in this function)
passdb/pdb_ldap.c:276: error: (Each undeclared identifier is reported only once


Reading the pdb_ldap.c, I don't see anywhere defines ldap_state. 

   258  #else /* other Vendor or LDAP_API_VERSION  */
   259  # if LDAP_SET_REBIND_PROC_ARGS ==3
   260  static int rebindproc_with_state  (LDAP *ld, char **whop, char **credp,  
   261                                     int *methodp, int freeit, void *arg)
   262
   263  # else  /* LDAP_SET_REBIND_PROC_ARGS == 2 */
   264  static int rebindproc (LDAP *ldap_struct, char **whop, char **credp,
   265                         int *method, int freeit )
   266  # endif
   267  {
   268      register char   *to_clear = *credp;
   269
   270
   271          if (freeit) {
   272                  SAFE_FREE(*whop);
   273                  memset(*credp, '\0', strlen(*credp));
   274                  SAFE_FREE(*credp);
   275          } else {
   276                  *whop = strdup(ldap_state->bind_dn);    <-- ldap_state is used
   277                  if (!*whop) {
   278                          return LDAP_NO_MEMORY;
   279                  }


And I also don't see anywhere inside rebindproc_with_state(..) function using *ld. I tried to be "smart" and change "ldap_state" to "ld", it doesn't compile as well. Anything wrong here?


I commended out "*whop = strdup(ldap_state->bind_dn);", compilation went through. If I am not wrong, this part of code is used if directory server contains referrals. If my directory server doesn't use referral, can I safely ignore this part of code? If so, I can just compile it with Netscape SDK and initgroups() call works fine regardless which patch I use. My problem can be solved. :-)


Thanks,
Marco


On Thu, Dec 18, 2003 at 05:45:44PM +0800, Marco Zhang wrote:
> Hi Jerry,
> 
> Sorry to trouble you. Understand you are busying on 3.0.1 release.
> 
> Just to share with you my latest findings. The problem seems to be in the compatablity bewteen OpenLdap library and Solaris 9 LDAP library.
> 
> I did a truss aginst the smbd and user level function calls:
> 
> # truss -u '*' smbd -i
> 
> With 112960-03 patch, I get:
> ============================
> 
> read(4, " #   $ O p e n L D A P :".., 8192)     = 388
> ...
>     <- libldap:ldap_init() = 0x1d0180
>     -> libldap:ldap_set_option(0x1d0180, 0x11, 0xffbfda0c, 0x0)
>     <- libldap:ldap_set_option() = 0
>     -> libldap:ldap_set_option(0x1d0180, 0x2, 0xffbfda08, 0x0)
>     <- libldap:ldap_set_option() = 0
>     -> libldap:ldap_set_option(0x1d0180, 0x8, 0x0, 0x0)
>     <- libldap:ldap_set_option() = 0
>     -> libldap:ldap_set_option(0x1d0180, 0x4, 0xffbfda04, 0x0)
>     <- libldap:ldap_set_option() = 0
>     -> libldap:ldap_set_option(0x1d0180, 0x3, 0xffbfda04, 0x0)
>     <- libldap:ldap_set_option() = 0
>     -> libldap:ldap_set_option(0x1d0180, 0x4f01, 0xffbfd9fc, 0x0)
>     <- libldap:ldap_set_option() = -1
>     -> libldap:ldap_simple_bind(0x1d0180, 0x1d03c8, 0x1d2e18, 0x0)
> ...
> 
> This is correct. It makes ldap_init() call, set some optinos, then bind to ldap...
> 
> 
> However, with 112960-09 patch, I get:
> ====================================
> 
> read(4, " #   $ O p e n L D A P :".., 8192)     = 388
> ...
>     <- libldap:ldap_init() = 0x1d0180
>     -> libldap:ldap_set_option(0x1d0180, 0x3f01, 0xff03e0ec, 0x1d0180)
>     <- libldap:ldap_set_option() = -1
>     -> libc:___errno(0xffffffff, 0x3f01, 0xff03e0ec, 0x1d0180)
>     <- libc:___errno() = 0x1cee64
>     -> libc:strerror(0x2, 0x3f01, 0xff03e0ec, 0x1d0180)
> ...
> 
> As you can see, with patch 112960-09 initgroups() fails at ldap_set_option() without making further ldap_simple_bind() to directory server. Therefore, supplementary groups are not retrived from directory server.
> 
> 
> Do a "find" for libldap.* library files on the system:
> 
> /usr/lib/libldap.so
> /usr/lib/libldap.so.3
> /usr/lib/libldap.so.4
> /usr/lib/libldap.so.5
> /usr/lib/sparcv9/libldap.so
> /usr/lib/sparcv9/libldap.so.3
> /usr/lib/sparcv9/libldap.so.4
> /usr/lib/sparcv9/libldap.so.5
> /usr/lib/fn/sparcv9/libldap.so
> /usr/lib/fn/sparcv9/libldap.so.1
> /usr/lib/fn/libldap.so
> /usr/lib/fn/libldap.so.1
> /usr/local/openldap_22/lib/libldap.so
> /usr/local/openldap_22/lib/libldap.so.2.0.122
> /usr/local/openldap_22/lib/libldap.so.2
> /usr/local/openldap_22/lib/libldap.la
> /usr/local/openldap_22/lib/libldap.a
> 
> 
> Obviously, initgroups() in smbd makes use of /usr/local/openldap_22/lib/libldap.so rather than /usr/lib/libldap.so. So, I did this:
> 
> # cp /usr/lib/libldap.so.5 /usr/local/openldap_22/lib/libldap.so.2.0.122
> 
> It works for retreiving supplementray group from directory server now!!! But I am sure it will break other stuff such as tls as far as I know.
> 
> Does it ring a bell? 
> 
> Thanks,
> Marco
> 
> On Wed, Dec 17, 2003 at 10:58:09AM -0600, Gerald (Jerry) Carter wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> > 
> > Sorry Marco.  I got tied up in the 3.0.1 release and
> > the session key bug.  I'll jump back on this tomorrow.
> > 
> > 
> > 
> > 
> > jerry
> > 
> > Marco Zhang wrote:
> > 
> > >I modified smbd/server.c and changed the main() to the following:
> > >
> > >/*------------*/
> > > int main(int argc,char *argv[])
> > >{
> > >        gid_t *gids,  gid;
> > >        int ngroups;
> > >
> > >        gid = (gid_t) 513;
> > >        initgroups("marco", gid);
> > >        ngroups = getgroups(0, gids);
> > >        printf("%d groups!\n",ngroups);
> > >        return(0);
> > >}
> > >
> > >I have a user called "marco" stored in Directory Server with 
> > > primary group id 513 and suplmentary group 512.
> > >
> > >I compiled above and run "../sbin/smbd -i". The result are:
> > >
> > >- If with Solaris 9 patch 112960-03, getgroups() returns 2 groups 
> > >
> > >- If with Solaris 9 patch 112960-09, getgroups() returns only 1 group !?
> > >
> > >Well, the interesting thing is if I compile above simple code 
> > > without other Samba source code context (standalone), it
> > > returns 2 group regardless what patch I used.
> > 
> > 
> > 
> > - -- 
> >  ----------------------------------------------------------------------
> >  Hewlett-Packard            ------------------------- http://www.hp.com
> >  SAMBA Team                 ---------------------- http://www.samba.org
> >  GnuPG Key                  ---- http://www.plainjoe.org/gpg_public.asc
> >  "If we're adding to the noise, turn off this song" --Switchfoot (2003)
> > -----BEGIN PGP SIGNATURE-----
> > Version: GnuPG v1.2.1 (GNU/Linux)
> > Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
> > 
> > iD8DBQE/4IshIR7qMdg1EfYRAvgkAKCBmx5EA5wPr/H2w2EMRJNvYtZ9cQCg31YQ
> > 5k7hF9984rRdawNKEjsshhY=
> > =xACE
> > -----END PGP SIGNATURE-----
> > 


More information about the samba-technical mailing list