Odd ber_scanf() error with Samba 3.0.0 and LDAP
Aurélien Degrémont
adegremont at idealx.com
Tue Oct 28 17:42:30 GMT 2003
Hi,
When I set up a Samba PDC with Samba 3.0.0 and a LDAP backend, i've got
strange errors when i try to add a domain group with NT UserManager.
smbd: ../../../libraries/liblber/decode.c:500: ber_scanf: Assertion
`((ber)->ber_opts.lbo_valid==0x2)' failed.
After long researches inside Samba code, it seems that the call in
smb_ldap_get_dn() [lib/smbldap.c], particularly the ldap_get_dn() call
makes this error (not really sure).
To reproduce this problem, we just need to try to add a group, with
usrmgr. The group is added, then, usrmgr try to set the group
description, and then the bug appeared.
This problem was tested with the following configurations :
(log.smbd (10), smb.conf, slapd.conf, and smbldap_conf.pm are attached.)
--- Red Hat 9 with
openldap-devel-2.1.22-8
perl-perl-ldap-0.29-8
openldap-2.1.22-8
nss_ldap-202-5
openldap-servers-2.1.22-8
smbldap-tools-HEAD
openldap-clients-2.1.22-8
samba-3.0.0-1
nss_ldap-202-5
-- Red Hat 7.3 with
openldap-clients-2.0.27-2.7.3
nss_ldap-189-4
openldap-2.0.27-2.7.3
perl-perl-ldap-0.2701-7
openldap-servers-2.0.27-2.7.3
smbldap-tools-HEAD
samba-3.0.0-2
nss_ldap-189-4
TIA
Aurélien Degrémont
-------------- next part --------------
Requested \PIPE\samr
[2003/10/28 10:12:56, 4] rpc_server/srv_pipe.c:api_rpcTNP(1488)
api_rpcTNP: samr op 0x15 - api_rpcTNP: rpc command: SAMR_SET_GROUPINFO
[2003/10/28 10:12:56, 6] rpc_server/srv_pipe.c:api_rpcTNP(1513)
api_rpc_cmds[31].fn == 0x8115630
[2003/10/28 10:12:56, 5] lib/util.c:print_asc(1816)
d.e.s.c.1.Found policy hnd[0] [000] 00 00 00 00 13 00 00 00 00 00 00 00 18 33 9E 3F ........ .....3.?
[010] 89 16 00 00 ....
[2003/10/28 10:12:56, 5] rpc_server/srv_samr_nt.c:access_check_samr_function(105)
_samr_set_groupinfo: access check ((granted: 0000000000; required: 0x00000002)
[2003/10/28 10:12:56, 4] rpc_server/srv_samr_nt.c:access_check_samr_function(109)
_samr_set_groupinfo: ACCESS should be DENIED (granted: 0000000000; required: 0x00000002)
but overwritten by euid == 0
[2003/10/28 10:12:56, 10] groupdb/mapping.c:get_domain_group_from_sid(513)
get_domain_group_from_sid
[2003/10/28 10:12:56, 2] passdb/pdb_ldap.c:ldapsam_search_one_group(1597)
ldapsam_search_one_group: searching for:[(&(objectClass=sambaGroupMapping)(sambaSID=S-1-5-21-2735872836-1664859352-1216867930-3001))]
[2003/10/28 10:12:56, 2] passdb/pdb_ldap.c:init_group_from_ldap(1641)
init_group_from_ldap: Entry found for group: 1000
[2003/10/28 10:12:56, 10] lib/smbldap.c:smbldap_get_single_attribute(299)
smbldap_get_single_attribute: [description] = [<does not exist>]
[2003/10/28 10:12:56, 10] groupdb/mapping.c:get_domain_group_from_sid(519)
get_domain_group_from_sid: SID found in the TDB
[2003/10/28 10:12:56, 10] groupdb/mapping.c:get_domain_group_from_sid(526)
get_domain_group_from_sid: SID is a domain group
[2003/10/28 10:12:56, 10] groupdb/mapping.c:get_domain_group_from_sid(532)
get_domain_group_from_sid: SID is mapped to gid:1000
[2003/10/28 10:12:56, 10] groupdb/mapping.c:get_domain_group_from_sid(540)
get_domain_group_from_sid: gid exists in UNIX security
[2003/10/28 10:12:56, 2] passdb/pdb_ldap.c:ldapsam_search_one_group(1597)
ldapsam_search_one_group: searching for:[(&(objectClass=posixGroup)(gidNumber=1000))]
[2003/10/28 10:12:56, 10] lib/smbldap.c:smbldap_get_single_attribute(299)
smbldap_get_single_attribute: [description] = [<does not exist>]
smbd: ../../../libraries/liblber/decode.c:500: ber_scanf: Assertion `((ber)->ber_opts.lbo_valid==0x2)' failed.
[2003/10/28 10:12:56, 6] param/loadparm.c:lp_file_list_changed(2665)
lp_file_list_changed()
file /etc/samba/smb.conf -> /etc/samba/smb.conf last mod_time: Tue Oct 28 09:55:58 2003
[2003/10/28 10:12:56, 5] smbd/connection.c:claim_connection(170)
claiming 0
[2003/10/28 10:12:56, 5] smbd/reply.c:reply_special(141)
init msg_type=0x81 msg_flags=0x0
[2003/10/28 10:12:56, 6] lib/util_sock.c:write_socket(407)
write_socket(16,4)
[2003/10/28 10:12:56, 6] lib/util_sock.c:write_socket(410)
write_socket(16,4) wrote 4
[2003/10/28 10:12:56, 10] lib/util_sock.c:read_smb_length_return_keepalive(463)
got smb length of 133
[2003/10/28 10:12:56, 6] smbd/process.c:process_smb(889)
got message type 0x0 of len 0x85
[2003/10/28 10:12:56, 3] smbd/process.c:process_smb(890)
Transaction 1 of length 137
[2003/10/28 10:12:56, 5] lib/util.c:show_msg(456)
[2003/10/28 10:12:56, 5] lib/util.c:show_msg(459)
size=133
smb_com=0x72
smb_rcls=0
smb_reh=0
smb_err=0
smb_flg=24
smb_flg2=51283
smb_tid=0
smb_pid=65279
smb_uid=0
smb_mid=0
smt_wct=0
smb_bcc=98
-------------- next part --------------
# Global parameters
[global]
workgroup = JTO2
netbios name = JTO2
admin users = @"Domain Admins"
server string = Serveur samba %v
security = user
encrypt passwords = Yes
min passwd length = 3
obey pam restrictions = No
passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*
passwd program = /usr/local/sbin/smbldap-passwd.pl %u
ldap passwd sync = Yes
log level = 10 rpc_parse:0
syslog = 0
log file = /var/log/samba/log.%m
max log size = 100000
time server = Yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
mangling method = hash2
Dos charset = 850
Unix charset = ISO8859-1
logon script = logon.bat
logon home = \\%L\%u\.profile
logon drive = H:
logon home =
logon path =
domain logons = Yes
os level = 65
preferred master = Yes
domain master = Yes
wins support = No
passdb backend = ldapsam:ldap://127.0.0.1/
ldap admin dn = cn=Manager,dc=idealx,dc=com
ldap suffix = dc=idealx,dc=com
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
ldap ssl = no
add user script = /usr/local/sbin/smbldap-useradd.pl -m "%u"
delete user script = /usr/local/sbin/smbldap-userdel.pl "%u"
add machine script = /usr/local/sbin/smbldap-useradd.pl -w "%u"
add group script = /usr/local/sbin/smbldap-groupadd.pl -p "%g"
delete group script = /usr/local/sbin/smbldap-groupdel.pl "%g"
add user to group script = /usr/local/sbin/smbldap-groupmod.pl -m "%u" "%g"
delete user from group script = /usr/local/sbin/smbldap-groupmod.pl -x "%u" "%g"
#set primary group script = /usr/local/sbin/smbldap-usermod.pl -g '%g' '%u'
preserve case = yes
short preserve case = yes
case sensitive = no
[netlogon]
path = /home/netlogon/
# browseable = No
# locking = No
read only = yes
write list = instsoft
force user = instsoft
[profiles]
path = /home/profiles
read only = no
create mask = 0600
directory mask = 0700
browseable = No
guest ok = Yes
profile acls = yes
csc policy = disable
# next line is a great way to secure the profiles
force user = %U
# next line allows administrator to access all profiles
valid users = %U "Domain Admins"
-------------- next part --------------
# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.8.8.7 2001/09/27 20:00:31 kurt Exp $
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema
#include /etc/openldap/schema/redhat/rfc822-MailMember.schema
#include /etc/openldap/schema/redhat/autofs.schema
#include /etc/openldap/schema/redhat/kerberosobject.schema
schemacheck on
lastmod on
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
#pidfile //var/run/slapd.pid
#argsfile //var/run/slapd.args
# Create a replication log in /var/lib/ldap for use by slurpd.
#replogfile /var/lib/ldap/master-slapd.replog
# Load dynamic backend modules:
# modulepath /usr/sbin/openldap
# moduleload back_ldap.la
# moduleload back_ldbm.la
# moduleload back_passwd.la
# moduleload back_shell.la
#
# The next two lines allow use of TLS for connections using a dummy test
# certificate, but you should generate a proper certificate by changing to
# /usr/share/ssl/certs, running "make slapd.pem", and fixing permissions on
# slapd.pem so that the ldap user or group can read it.
# TLSCertificateFile /usr/share/ssl/certs/slapd.pem
# TLSCertificateKeyFile /usr/share/ssl/certs/slapd.pem
#
#######################################################################
# ldbm database definitions
#######################################################################
database ldbm
suffix dc=idealx,dc=com
# if no access controls are present, the default is:
# Allow read by all
# rootdn can always write!
rootdn "cn=Manager,dc=idealx,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw secret
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd/tools. Mode 700 recommended.
directory /var/lib/ldap
# Indices to maintain
#index rid eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index objectClass,uid,uidNumber,gidNumber,memberUid eq
index cn,mail,surname,givenname eq,subinitial
# Replicas to which we should propagate changes
#replica host=ldap-1.example.com:389 tls=yes
# bindmethod=sasl saslmech=GSSAPI
# authcId=host/ldap-master.example.com at EXAMPLE.COM
# Sample Access Control
# Allow read access of root DSE
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
#
#access to dn="" by * read
#access to *
# by self write
# by users read
# by anonymous auth
# Unix password
access to *
by * write
-------------- next part --------------
#!/usr/bin/perl
use strict;
package smbldap_conf;
# $Dource: $
# $Id: smbldap_conf.pm,v 1.21 2003/09/29 07:51:51 jtournier Exp $
#
# smbldap-tools.conf : Q & D configuration file for smbldap-tools
# This code was developped by IDEALX (http://IDEALX.org/) and
# contributors (their names can be found in the CONTRIBUTORS file).
#
# Copyright (C) 2001-2002 IDEALX
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
# USA.
# Purpose :
# . be the configuration file for all smbldap-tools scripts
use vars qw($VERSION @ISA @EXPORT @EXPORT_OK %EXPORT_TAGS
$UID_START $GID_START $smbpasswd $slaveLDAP $masterLDAP
$slavePort $masterPort $ldapSSL $slaveURI $masterURI $with_smbpasswd $mk_ntpasswd
$ldap_path $ldap_opts $ldapmodify $suffix $usersdn $computersdn
$groupsdn $scope $binddn $bindpasswd
$slaveDN $slavePw $masterDN $masterPw
$_userLoginShell $_userHomePrefix $_userGecos
$_defaultUserGid $_defaultComputerGid
$_skeletonDir $_userSmbHome
$_userProfile $_userHomeDrive
$_userScript $usersou $computersou $groupsou $SID $hash_encrypt $_defaultMaxPasswordAge
);
use Exporter;
$VERSION = 1.00;
@ISA = qw(Exporter);
@EXPORT = qw(
$UID_START $GID_START $smbpasswd $slaveLDAP $masterLDAP
$slavePort $masterPort $ldapSSL $slaveURI $masterURI $with_smbpasswd $mk_ntpasswd
$ldap_path $ldap_opts $ldapmodify $suffix $usersdn
$computersdn $groupsdn $scope $binddn $bindpasswd
$slaveDN $slavePw $masterDN $masterPw
$_userLoginShell $_userHomePrefix $_userGecos
$_defaultUserGid $_defaultComputerGid $_skeletonDir
$_userSmbHome $_userProfile $_userHomeDrive $_userScript
$usersou $computersou $groupsou $SID $hash_encrypt $_defaultMaxPasswordAge
);
##############################################################################
#
# General Configuration
#
##############################################################################
# UID and GID starting at...
$UID_START = 1000;
$GID_START = 1000;
# Put your own SID
# to obtain this number do: "net getlocalsid"
$SID='S-1-5-21-2735872836-1664859352-1216867930';
##############################################################################
#
# LDAP Configuration
#
##############################################################################
# Notes: to use to dual ldap servers backend for Samba, you must patch
# Samba with the dual-head patch from IDEALX. If not using this patch
# just use the same server for slaveLDAP and masterLDAP.
# Those two servers declarations can also be used when you have
# . one master LDAP server where all writing operations must be done
# . one slave LDAP server where all reading operations must be done
# (typically a replication directory)
# Ex: $slaveLDAP = "127.0.0.1";
$slaveLDAP = "127.0.0.1";
$slavePort = "389";
# Master LDAP : needed for write operations
# Ex: $masterLDAP = "127.0.0.1";
$masterLDAP = "127.0.0.1";
$masterPort = "389";
# Use SSL for LDAP
# If set to "1", this option will use start_tls for connection
# (you should also used the port 389)
$ldapSSL = "0";
# LDAP Suffix
# Ex: $suffix = "dc=IDEALX,dc=ORG";
$suffix = "dc=idealx,dc=com";
# Where are stored Users
# Ex: $usersdn = "ou=Users,$suffix"; for ou=Users,dc=IDEALX,dc=ORG
$usersou = q(Users);
$usersdn = "ou=$usersou,$suffix";
# Where are stored Computers
# Ex: $computersdn = "ou=Computers,$suffix"; for ou=Computers,dc=IDEALX,dc=ORG
$computersou = q(Computers);
$computersdn = "ou=$computersou,$suffix";
# Where are stored Groups
# Ex $groupsdn = "ou=Groups,$suffix"; for ou=Groups,dc=IDEALX,dc=ORG
$groupsou = q(Groups);
$groupsdn = "ou=$groupsou,$suffix";
# Default scope Used
$scope = "sub";
# Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA)
$hash_encrypt="SSHA";
############################
# Credential Configuration #
############################
# Bind DN used
# Ex: $binddn = "cn=Manager,$suffix"; for cn=Manager,dc=IDEALX,dc=org
$binddn = "cn=Manager,$suffix";
# Bind DN passwd used
# Ex: $bindpasswd = 'secret'; for 'secret'
$bindpasswd = "secret";
# Notes: if using dual ldap patch, you can specify to different configuration
# By default, we will use the same DN (so it will work for standard Samba
# release)
$slaveDN = $binddn;
$slavePw = $bindpasswd;
$masterDN = $binddn;
$masterPw = $bindpasswd;
##############################################################################
#
# Unix Accounts Configuration
#
##############################################################################
# Login defs
# Default Login Shell
# Ex: $_userLoginShell = q(/bin/bash);
$_userLoginShell = q(/bin/bash);
# Home directory prefix (without username)
# Ex: $_userHomePrefix = q(/home/);
$_userHomePrefix = q(/home);
# Gecos
$_userGecos = q(System User);
# Default User (POSIX and Samba) GID
$_defaultUserGid = 513;
# Default Computer (Samba) GID
$_defaultComputerGid = 553;
# Skel dir
$_skeletonDir = q(/etc/skel);
# Default password validation time (time in days) Comment the next line if
# you don't want password to be enable for $_defaultMaxPasswordAge days (be
# careful to the sambaPwdMustChange attribute's value)
$_defaultMaxPasswordAge = 45;
##############################################################################
#
# SAMBA Configuration
#
##############################################################################
# The UNC path to home drives location without the username last extension
# (will be dynamically prepended)
# Ex: q(\\\\My-PDC-netbios-name\\homes) for \\My-PDC-netbios-name\homes
# Just comment this if you want to use the smb.conf 'logon home' directive
# and/or desabling roaming profiles
$_userSmbHome = q(\\\\PDC-SRV\\homes);
# The UNC path to profiles locations without the username last extension
# (will be dynamically prepended)
# Ex: q(\\\\My-PDC-netbios-name\\profiles\\) for \\My-PDC-netbios-name\profiles
# Just comment this if you want to use the smb.conf 'logon path' directive
# and/or desabling roaming profiles
#$_userProfile = q(\\\\PDC-SRV\\profiles\\);
# The default Home Drive Letter mapping
# (will be automatically mapped at logon time if home directory exist)
# Ex: q(U:) for U:
$_userHomeDrive = q(H:);
# The default user netlogon script name
# if not used, will be automatically username.cmd
# $_userScript = q(startup.cmd); # make sure script file is edited under dos
##############################################################################
#
# SMBLDAP-TOOLS Configuration (default are ok for a RedHat)
#
##############################################################################
# Allows not to use smbpasswd (if $with_smbpasswd == 0 in smbldap_conf.pm) but
# prefer mkntpwd... most of the time, it's a wise choice :-)
$with_smbpasswd = 0;
$smbpasswd = "/usr/bin/smbpasswd";
$mk_ntpasswd = "/usr/local/sbin/mkntpwd";
# those next externals commands are kept fot the migration scripts and
# for the populate script: this will be updated as soon as possible
$slaveURI = "ldap://$slaveLDAP:$slavePort";
$masterURI = "ldap://$masterLDAP:$masterPort";
$ldap_path = "/usr/bin";
if ( $ldapSSL eq "0" ) {
$ldap_opts = "-x";
} elsif ( $ldapSSL eq "1" ) {
$ldap_opts = "-x -Z";
} else {
die "ldapSSL option must be either 0 or 1.\n";
}
#$ldapsearch = "$ldap_path/ldapsearch $ldap_opts -H $slaveURI -D '$slaveDN' -w '$slavePw'";
#$ldapsearchnobind = "$ldap_path/ldapsearch $ldap_opts -H $slaveURI";
$ldapmodify = "$ldap_path/ldapmodify $ldap_opts -H $masterURI -D '$masterDN' -w '$masterPw'";
#$ldappasswd = "$ldap_path/ldappasswd $ldap_opts -H $masterURI -D '$masterDN' -w '$masterPw'";
#$ldapadd = "$ldap_path/ldapadd $ldap_opts -H $masterURI -D '$masterDN' -w '$masterPw'";
#$ldapdelete = "$ldap_path/ldapdelete $ldap_opts -H $masterURI -D '$masterDN' -w '$masterPw'";
#$ldapmodrdn = "$ldap_path/ldapmodrdn $ldap_opts -H $masterURI -D '$masterDN' -w '$masterPw'";
1;
# - The End
More information about the samba-technical
mailing list