initgroups() system call in smbd child process doesn't get
supplementary group info from LDAP 10462145
Marco Zhang
Marco.Zhang at Sun.COM
Fri Dec 19 12:53:52 GMT 2003
Hi Jerry,
I am looking for a workaround here. Instead of compiling Samba 2.2.8a with OpenLDAP, I tried to compile it with Netscape SDK. However, it fails at:
Compiling passdb/pdb_ldap.c
passdb/pdb_ldap.c: In function `rebindproc_with_state':
passdb/pdb_ldap.c:276: error: `ldap_state' undeclared (first use in this function)
passdb/pdb_ldap.c:276: error: (Each undeclared identifier is reported only once
Reading pdb_ldap.c, I don't see ldap_state defined anywhere.
258 #else /* other Vendor or LDAP_API_VERSION */
259 # if LDAP_SET_REBIND_PROC_ARGS ==3
260 static int rebindproc_with_state (LDAP *ld, char **whop, char **credp,
261 int *methodp, int freeit, void *arg)
262
263 # else /* LDAP_SET_REBIND_PROC_ARGS == 2 */
264 static int rebindproc (LDAP *ldap_struct, char **whop, char **credp,
265 int *method, int freeit )
266 # endif
267 {
268 register char *to_clear = *credp;
269
270
271 if (freeit) {
272 SAFE_FREE(*whop);
273 memset(*credp, '\0', strlen(*credp));
274 SAFE_FREE(*credp);
275 } else {
276 *whop = strdup(ldap_state->bind_dn); <-- ldap_state is used
277 if (!*whop) {
278 return LDAP_NO_MEMORY;
279 }
And I also don't see anywhere inside the rebindproc_with_state(..) function that uses *ld. I tried to be "smart" and changed "ldap_state" to "ld", but it doesn't compile either. Anything wrong here?
I commented out "*whop = strdup(ldap_state->bind_dn);" and compilation went through. If I am not wrong, this part of the code is used if the directory server contains referrals. If my directory server doesn't use referrals, can I safely ignore this part of the code? If so, I can just compile it with the Netscape SDK, and the initgroups() call works fine regardless of which patch I use. My problem can be solved. :-)
Thanks,
Marco
On Thu, Dec 18, 2003 at 05:45:44PM +0800, Marco Zhang wrote:
> Hi Jerry,
>
> Sorry to trouble you. I understand you are busy with the 3.0.1 release.
>
> Just to share with you my latest findings. The problem seems to be in the compatibility between the OpenLDAP library and the Solaris 9 LDAP library.
>
> I did a truss against smbd and the user-level function calls:
>
> # truss -u '*' smbd -i
>
> With 112960-03 patch, I get:
> ============================
>
> read(4, " # $ O p e n L D A P :".., 8192) = 388
> ...
> <- libldap:ldap_init() = 0x1d0180
> -> libldap:ldap_set_option(0x1d0180, 0x11, 0xffbfda0c, 0x0)
> <- libldap:ldap_set_option() = 0
> -> libldap:ldap_set_option(0x1d0180, 0x2, 0xffbfda08, 0x0)
> <- libldap:ldap_set_option() = 0
> -> libldap:ldap_set_option(0x1d0180, 0x8, 0x0, 0x0)
> <- libldap:ldap_set_option() = 0
> -> libldap:ldap_set_option(0x1d0180, 0x4, 0xffbfda04, 0x0)
> <- libldap:ldap_set_option() = 0
> -> libldap:ldap_set_option(0x1d0180, 0x3, 0xffbfda04, 0x0)
> <- libldap:ldap_set_option() = 0
> -> libldap:ldap_set_option(0x1d0180, 0x4f01, 0xffbfd9fc, 0x0)
> <- libldap:ldap_set_option() = -1
> -> libldap:ldap_simple_bind(0x1d0180, 0x1d03c8, 0x1d2e18, 0x0)
> ...
>
> This is correct. It makes the ldap_init() call, sets some options, then binds to LDAP...
>
>
> However, with 112960-09 patch, I get:
> ====================================
>
> read(4, " # $ O p e n L D A P :".., 8192) = 388
> ...
> <- libldap:ldap_init() = 0x1d0180
> -> libldap:ldap_set_option(0x1d0180, 0x3f01, 0xff03e0ec, 0x1d0180)
> <- libldap:ldap_set_option() = -1
> -> libc:___errno(0xffffffff, 0x3f01, 0xff03e0ec, 0x1d0180)
> <- libc:___errno() = 0x1cee64
> -> libc:strerror(0x2, 0x3f01, 0xff03e0ec, 0x1d0180)
> ...
>
> As you can see, with patch 112960-09 initgroups() fails at ldap_set_option() without making a further ldap_simple_bind() to the directory server. Therefore, supplementary groups are not retrieved from the directory server.
>
>
> Do a "find" for libldap.* library files on the system:
>
> /usr/lib/libldap.so
> /usr/lib/libldap.so.3
> /usr/lib/libldap.so.4
> /usr/lib/libldap.so.5
> /usr/lib/sparcv9/libldap.so
> /usr/lib/sparcv9/libldap.so.3
> /usr/lib/sparcv9/libldap.so.4
> /usr/lib/sparcv9/libldap.so.5
> /usr/lib/fn/sparcv9/libldap.so
> /usr/lib/fn/sparcv9/libldap.so.1
> /usr/lib/fn/libldap.so
> /usr/lib/fn/libldap.so.1
> /usr/local/openldap_22/lib/libldap.so
> /usr/local/openldap_22/lib/libldap.so.2.0.122
> /usr/local/openldap_22/lib/libldap.so.2
> /usr/local/openldap_22/lib/libldap.la
> /usr/local/openldap_22/lib/libldap.a
>
>
> Obviously, initgroups() in smbd makes use of /usr/local/openldap_22/lib/libldap.so rather than /usr/lib/libldap.so. So, I did this:
>
> # cp /usr/lib/libldap.so.5 /usr/local/openldap_22/lib/libldap.so.2.0.122
>
> It works for retrieving supplementary groups from the directory server now!!! But I am sure it will break other stuff such as TLS, as far as I know.
>
> Does it ring a bell?
>
> Thanks,
> Marco
>
> On Wed, Dec 17, 2003 at 10:58:09AM -0600, Gerald (Jerry) Carter wrote:
> >
> > Sorry Marco. I got tied up in the 3.0.1 release and
> > the session key bug. I'll jump back on this tomorrow.
> >
> >
> >
> >
> > jerry
> >
> > Marco Zhang wrote:
> >
> > >I modified smbd/server.c and changed the main() to the following:
> > >
> > >/*------------*/
> > > int main(int argc,char *argv[])
> > >{
> > > gid_t *gids, gid;
> > > int ngroups;
> > >
> > > gid = (gid_t) 513;
> > > initgroups("marco", gid);
> > > ngroups = getgroups(0, gids);
> > > printf("%d groups!\n",ngroups);
> > > return(0);
> > >}
> > >
> > >I have a user called "marco" stored in Directory Server with
> > > primary group id 513 and supplementary group 512.
> > >
> > >I compiled the above and ran "../sbin/smbd -i". The results are:
> > >
> > >- If with Solaris 9 patch 112960-03, getgroups() returns 2 groups
> > >
> > >- If with Solaris 9 patch 112960-09, getgroups() returns only 1 group !?
> > >
> > >Well, the interesting thing is if I compile the above simple code
> > > without other Samba source code context (standalone), it
> > > returns 2 groups regardless of what patch I used.
> >
> >
> >
> > - --
> > ----------------------------------------------------------------------
> > Hewlett-Packard ------------------------- http://www.hp.com
> > SAMBA Team ---------------------- http://www.samba.org
> > GnuPG Key ---- http://www.plainjoe.org/gpg_public.asc
> > "If we're adding to the noise, turn off this song" --Switchfoot (2003)
> >