Problems adding users with 3.0.1rc3 and ldapsam -- ldapsam_update_sam_account error etc..

Hansjörg Maurer hansjoerg.maurer at itsd.de
Sun Nov 23 12:24:10 GMT 2003


Hi,

I am using 3.0.1rc3 with RH9.0 and openldap-2.1.22,
and I had some problems adding and deleting users with usrmgr.exe.
So I tried to debug some info...
I know these errors may be of a "cosmetic nature", because most points
are working fine, and I am not sure
if somebody on the Samba team is interested in these points.

But here is what I tried out...
I added a user with usrmgr.exe in 2 different ways:
1) with smbldap-useradd.pl -a (adding the Samba account with the
helper command)
2) with smbldap-useradd.pl (without -a, so adding just the posix account
with the helper command)

Adding a posix account and adding a samba user with pdbedit -a works fine.

1)
In the first case, the user is added in ldap correctly (by the
smbldap-script), but usrmgr.exe shows an error (permission denied...).
If I refresh the view of usrmgr.exe, the user appears correctly.
Here is a part of the logs:

[2003/11/23 12:23:41, 11] passdb/pdb_get_set.c:pdb_set_init_flags(505)
  element 19 -> now DEFAULT
[2003/11/23 12:23:41, 10] passdb/passdb.c:pdb_init_sam_new(323)
  pdb_init_sam_new: no RID specified.  Generating one via old algorithm
[2003/11/23 12:23:41, 10] passdb/pdb_get_set.c:pdb_set_user_sid(520)
  pdb_set_user_sid: setting user sid 
S-1-5-21-3723159834-3326906825-3408399178-2202
[2003/11/23 12:23:41, 10] passdb/pdb_get_set.c:pdb_set_init_flags(493)
  element 17 -> now SET
[2003/11/23 12:23:41, 10] passdb/pdb_compat.c:pdb_set_user_sid_from_rid(73)
  pdb_set_user_sid_from_rid:
      setting user sid S-1-5-21-3723159834-3326906825-3408399178-2202 
from rid 2202
[2003/11/23 12:23:41, 11] passdb/pdb_get_set.c:pdb_set_init_flags(482)
  element 19 -> now CHANGED
[2003/11/23 12:23:41, 2] lib/smbldap.c:smbldap_search_suffix(1067)
  smbldap_search_suffix: searching 
for:[(&(uid=aa)(objectclass=sambaSamAccount))]
[2003/11/23 12:23:41, 11] lib/smbldap.c:smbldap_open(821)
  smbldap_open: already connected to the LDAP server
[2003/11/23 12:23:41, 0] passdb/pdb_ldap.c:ldapsam_add_sam_account(1446)
  ldapsam_add_sam_account: User 'aa' already in the base, with samba 
attributes
[2003/11/23 12:23:41, 0] rpc_server/srv_samr_nt.c:_samr_create_user(2333)
  could not add user/computer aa to passdb.  Check permissions?
[2003/11/23 12:23:41, 5] rpc_parse/parse_prs.c:prs_debug(82)
  000000 samr_io_r_create_user
[2003/11/23 12:23:41, 6] rpc_parse/parse_prs.c:prs_debug(82)
      000000 smb_io_pol_hnd user_pol
[2003/11/23 12:23:41, 5] rpc_parse/parse_prs.c:prs_uint32(635)
          0000 data1: 00000000
[2003/11/23 12:23:41, 5] rpc_parse/parse_prs.c:prs_uint32(635)
          0004 data2: 00000000
[2003/11/23 12:23:41, 5] rpc_parse/parse_prs.c:prs_uint16(606)
          0008 data3: 0000
[2003/11/23 12:23:41, 5] rpc_parse/parse_prs.c:prs_uint16(606)
          000a data4: 0000
[2003/11/23 12:23:41, 5] rpc_parse/parse_prs.c:prs_uint8s(722)
          000c data5: 00 00 00 00 00 00 00 00
[2003/11/23 12:23:41, 5] rpc_parse/parse_prs.c:prs_uint32(635)
      0014 access_granted: 00000000
[2003/11/23 12:23:41, 5] rpc_parse/parse_prs.c:prs_uint32(635)
      0018 user_rid : 00000000
[2003/11/23 12:23:41, 5] rpc_parse/parse_prs.c:prs_ntstatus(665)
      001c status: NT_STATUS_ACCESS_DENIED

The result is ok, the error message is a bit disappointing :-)

2)
When using the helper script without the -a flag,
-the posix user is added from the helper script
-the passwd is set with the chat program (the chat program is not used
in case 1, why??)
-the user is added to the group Domain Users (which is not the case in
1) with the following command
[2003/11/23 12:32:57, 3] groupdb/mapping.c:smb_set_primary_group(830)
  smb_set_primary_group: Running the command 
`/usr/local/sbin/smbldap-usermod.pl -g "Domain Users" "aaaa"' gave 0
[2003/11/23 12:32:57, 4] passdb/pdb_ldap.c:ldapsam_update_sam_account(1358)
  ldapsam_update_sam_account: user aaaa to be modified has dn: 
uid=aaaa,ou=Users,dc=itsd,dc=de
[2003/11/23 12:32:57, 11] passdb/pdb_get_set.c:pdb_get_init_flags(18)

-the following operation fails and therefore the complete operation fails
[2003/11/23 12:32:57, 11] passdb/pdb_get_set.c:pdb_get_init_flags(194)
  element 32: CHANGED
[2003/11/23 12:32:57, 10] lib/smbldap.c:smbldap_get_single_attribute(300)
  smbldap_get_single_attribute: [sambaNTPassword] = [<does not exist>]
[2003/11/23 12:32:57, 11] passdb/pdb_get_set.c:pdb_get_init_flags(189)
  element 20: SET
[2003/11/23 12:32:57, 11] passdb/pdb_get_set.c:pdb_get_init_flags(194)
  element 20: CHANGED
[2003/11/23 12:32:57, 10] lib/smbldap.c:smbldap_get_single_attribute(300)
  smbldap_get_single_attribute: [sambaPwdLastSet] = [<does not exist>]
[2003/11/23 12:32:57, 11] passdb/pdb_get_set.c:pdb_get_init_flags(189)
  element 19: SET
[2003/11/23 12:32:57, 11] lib/smbldap.c:smbldap_open(821)
  smbldap_open: already connected to the LDAP server
[2003/11/23 12:32:57, 1] passdb/pdb_ldap.c:ldapsam_modify_entry(1191)
  ldapsam_modify_entry: Failed to modify user dn= 
uid=aaaa,ou=Users,dc=itsd,dc=de with: No such attribute
      modify/delete: sambaPrimaryGroupSID: no such value
[2003/11/23 12:32:57, 0] passdb/pdb_ldap.c:ldapsam_update_sam_account(1385)
  ldapsam_update_sam_account: failed to modify user with uid = aaaa, 
error: modify/delete: sambaPrimaryGroupSID: no such value (Success)
[2003/11/23 12:32:57, 5] rpc_parse/parse_prs.c:prs_debug(82)
  000000 samr_io_r_set_userinfo
[2003/11/23 12:32:57, 5] rpc_parse/parse_prs.c:prs_ntstatus(665)
      0000 status: NT_STATUS_ACCESS_DENIED

-the user is deleted completely with the helper script.
-Afterwards samba tries to delete sambaSamAccount entries
[2003/11/23 12:32:58, 3] rpc_server/srv_samr_nt.c:smb_delete_user(3797)
  smb_delete_user: Running the command 
`/usr/local/sbin/smbldap-userdel.pl "aaaa"' gave 0
[2003/11/23 12:32:58, 3] passdb/pdb_ldap.c:ldapsam_delete_sam_account(1279)
  ldapsam_delete_sam_account: Deleting user aaaa from LDAP.
[2003/11/23 12:32:58, 2] lib/smbldap.c:smbldap_search_suffix(1067)
  smbldap_search_suffix: searching 
for:[(&(uid=aaaa)(objectclass=sambaSamAccount))]
[2003/11/23 12:32:58, 11] lib/smbldap.c:smbldap_open(821)
  smbldap_open: already connected to the LDAP server
[2003/11/23 12:32:58, 0] passdb/pdb_ldap.c:ldapsam_delete_entry(269)
  ldapsam_delete_entry: Entry must exist exactly once!
[2003/11/23 12:32:58, 5] 
rpc_server/srv_samr_nt.c:_samr_delete_dom_user(3844)
  _samr_delete_dom_user:Failed to delete entry for user aaaa.


I have read a message from Stefan Metzmacher about "some ldap fixes".
Therefore I tried openldap-2.1.22 instead of 2.0 (in RH9) and I compiled
samba with these new ldap libs,
but both without success.


-Adding groups with usrmgr.exe works.
-Deleting users and groups works, but usrmgr.exe returns an error (this
may be the case because the posix settings are deleted
with the helper command and therefore the user doesn't exist anymore for
the ongoing operation).


If somebody has some ideas/fixes, I will try it out soon.

Thank you very much
Greetings from Munich

Hansjörg




passdb backend = ldapsam:ldap://zweigelt.itsd.de
ldap server = zweigelt.itsd.de
ldap suffix = dc=itsd,dc=de
ldap admin dn = cn=Manager,dc=itsd,dc=de
ldap port = 389
ldap ssl = off
#ldap delete dn = yes
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldap machine suffix = ou=Computers
#ldap filter = (&(uid=%u)(objectclass=sambaSamAccount))
ldap passwd sync = no

add user script = /usr/local/sbin/smbldap-useradd.pl   "%u"
#add user script = /usr/local/sbin/smbldap-useradd.pl -a  "%u"
add user to group script =  /usr/local/sbin/smbldap-groupmod.pl -m "%u" "%g"
delete user from group script =  /usr/local/sbin/smbldap-groupmod.pl -x  "%u" "%g"
set primary group script =  /usr/local/sbin/smbldap-usermod.pl -g "%g" "%u"
delete user script =  /usr/local/sbin/smbldap-userdel.pl "%u"
add group script =  /usr/local/sbin/smbldap-groupadd.pl  "%g"
delete group script =  /usr/local/sbin/smbldap-groupdel.pl "%g"
add machine script = /usr/local/sbin/smbldap-useradd.pl -w  "%m"
passwd program = /usr/local/sbin/smbldap-passwd.pl  "%u"
passwd chat debug = Yes
passwd chat = *ew*password* %n\n *ew*password* %n\n *OK*
unix password sync = Yes
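
In both cases above the client only sees NT_STATUS_ACCESS_DENIED, while the real cause sits in a level 0 or 1 passdb entry a few lines earlier. The following is an added example, not part of the original post and not Samba code: a small triage script that parses smbd debug entries in the format quoted in this message and pairs each failing status with the low-level entries that precede it. The names `parse_entries` and `explain_failures` are hypothetical.

```python
import re
STAMP = re.compile(r"^\[?(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*(\d+)\]\s*(.*)$")
LOC = re.compile(r"^(\S+?):(\w+)\((\d+)\)$")  # file:function(line)
STATUS = re.compile(r"status: (NT_STATUS_\w+)")

SAMPLE = """\
[2003/11/23 12:23:41, 0] passdb/pdb_ldap.c:ldapsam_add_sam_account(1446)
  ldapsam_add_sam_account: User 'aa' already in the base, with samba attributes
[2003/11/23 12:23:41, 0] rpc_server/srv_samr_nt.c:_samr_create_user(2333)
  could not add user/computer aa to passdb.  Check permissions?
[2003/11/23 12:23:41, 5] rpc_parse/parse_prs.c:prs_ntstatus(665)
      001c status: NT_STATUS_ACCESS_DENIED
[2003/11/23 12:32:57, 1] passdb/pdb_ldap.c:ldapsam_modify_entry(1191)
  ldapsam_modify_entry: Failed to modify user dn=
uid=aaaa,ou=Users,dc=itsd,dc=de with: No such attribute
      modify/delete: sambaPrimaryGroupSID: no such value
[2003/11/23 12:32:57, 5] rpc_parse/parse_prs.c:prs_ntstatus(665)
      0000 status: NT_STATUS_ACCESS_DENIED
"""  # trimmed, partly re-joined excerpt of the log lines quoted in the post

def parse_entries(text):
    """Group header + continuation lines into entries, tolerating mail wrapping."""
    entries = []
    for raw in text.splitlines():
        m = STAMP.match(raw)
        if m:
            entries.append(dict(time=m.group(1), level=int(m.group(2)), file="", func="", msg=""))
        if not entries:
            continue  # text before the first header
        e, rest = entries[-1], (m.group(3) if m else raw).strip()
        loc = LOC.match(rest) if not e["func"] else None
        if loc:  # location may sit on the header line or, if wrapped, the next
            e["file"], e["func"] = loc.group(1), loc.group(2)
        elif rest:
            e["msg"] = (e["msg"] + " " + rest).strip()
    return entries

def explain_failures(text, max_level=1):
    """Pair each non-OK NT status reply with the level<=max_level entries before it."""
    findings, causes = [], []
    for e in parse_entries(text):
        s = STATUS.search(e["msg"])
        if s:
            if s.group(1) != "NT_STATUS_OK":
                findings.append((s.group(1), causes))
            causes = []  # each RPC reply starts a fresh window
        elif e["level"] <= max_level:
            causes.append((e["func"], e["msg"]))
    return findings
```

`explain_failures(SAMPLE)` returns two findings: the first ACCESS_DENIED traces to `ldapsam_add_sam_account` (entry already present), the second to `ldapsam_modify_entry` (deleting a `sambaPrimaryGroupSID` value that does not exist).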



 

        




