pdb_ldap.c, ldapsam_add_sam_account, existing poxisaccount

John Allman samba.20.kaldorg at spamgourmet.com
Thu May 26 13:54:36 GMT 2005 

Hi,

I'm assuming this is the correct mailing list for this. I've been
tracing down a problem we're having here while trying to make a
samba/ldap pdc and i think i've narrowed it down to a small block of
code in the ldapsam_add_sam_account function in passdb/pdb_ldap.c.

I'm hoping if i post the debug output i have, describe the problem i'm
having and identify the section of code i believe is responsible someone
can take a look at it and see if it's a bug.

##The problem##

We've set up samba as a pdc (configuration available on request) and are
attempting to add a machine to the domain. Sadly it craps out and so we
can't join the domain

We have:

     add machine script = /usr/local/sbin/smbldap-useradd -w '%u'

in our smb.conf and smbldap-useradd is from the idealx scripts version
0.8.7. We are running FreeBSD 5.4 and are using samba 3.0.15pre2

##Debugging##

with log level = 10 in smb.conf i find the following in the log for the
machine attempting to connect (zyphevm):

[2005/05/26 13:06:05, 2] passdb/pdb_ldap.c:init_ldap_from_sam(912)
  init_ldap_from_sam: Setting entry for user: zyphevm$
[2005/05/26 13:06:05, 1] passdb/pdb_ldap.c:ldapsam_modify_entry(1496)
  ldapsam_modify_entry: Failed to add user dn=
uid=zyphevm$,ou=people,dc=cp,dc=dias,dc=ie with: Already exists

[2005/05/26 13:06:05, 0] passdb/pdb_ldap.c:ldapsam_add_sam_account(1938)
  ldapsam_add_sam_account: failed to modify/add user with uid = zyphevm$
(dn = uid=zyphevm$,ou=people,dc=cp,dc=dias,dc=ie)
[2005/05/26 13:06:05, 0] rpc_server/srv_samr_nt.c:_samr_create_user(2044)
  could not add user/computer zyphevm$ to passdb.  Check permissions?

Ethereal analysis of the traffic shows the following packet from the
server to the joining machine:

SamrCreateUser2InDomain, response, STATUS_ACCESS_DENIED

##What i think is going wrong##

The problem as i see it is that the idealx script successfully creates
the posix user 'zyphevm$' (i can check by doing id zyphevm$ and the
entry is in our ldap database) and then samba attempts to create it
itself afterwards and fails (hence the Already exists).

Thing that gets me is that from what i can see of the code there is a
section in it that should deal with this eventuality. The following is
from passdb/pdb_ldap.c:

        /* does the entry already exist but without a samba attributes?
           we need to return the samba attributes here */

        escape_user = escape_ldap_string_alloc( username );
        pstrcpy( filter, lp_ldap_filter() );
        all_string_sub( filter, "%u", escape_user, sizeof(filter) );
        SAFE_FREE( escape_user );

        rc = smbldap_search_suffix(ldap_state->smbldap_state,
                                   filter, attr_list, &result);
        if ( rc != LDAP_SUCCESS ) {
                free_attr_list( attr_list );
                return NT_STATUS_UNSUCCESSFUL;
        }

        num_result =
ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result);

        if (num_result > 1) {
                DEBUG (0, ("ldapsam_add_sam_account: More than one user
with that uid exists: bailing out!\n"));
                free_attr_list( attr_list );
                ldap_msgfree(result);
                return NT_STATUS_UNSUCCESSFUL;
        }

        /* Check if we need to update an existing entry */
        if (num_result == 1) {
                char *tmp;

                DEBUG(3,("ldapsam_add_sam_account: User exists without
samba attributes: adding them\n"));
                ldap_op = LDAP_MOD_REPLACE;
                entry = ldap_first_entry
(ldap_state->smbldap_state->ldap_struct, result);
                tmp = smbldap_get_dn
(ldap_state->smbldap_state->ldap_struct, entry);
                if (!tmp) {
                        free_attr_list( attr_list );
                        ldap_msgfree(result);
                        return NT_STATUS_UNSUCCESSFUL;
                }
                slprintf (dn, sizeof (dn) - 1, "%s", tmp);
                SAFE_FREE(tmp);

        }

Now, i might be wrong, but this looks like the block of code that should
 give the desired behaviour. We need ldap_op to be set to
LDAP_MOD_REPLACE but at all points at which this is set we have the
following debug output which does not appear in my logs:

     ldapsam_add_sam_account: User exists without samba attributes:
adding them

The "Failed to add user" line matches up with the following code in
ldapsam_modify_entry

                if (rc!=LDAP_SUCCESS) {
                        char *ld_error = NULL;

ldap_get_option(ldap_state->smbldap_state->ldap_struct,
LDAP_OPT_ERROR_STRING,
                                        &ld_error);
                        DEBUG(1, ("ldapsam_modify_entry: Failed to %s
user dn= %s with: %s\n\t%s\n",
                               ldap_op == LDAP_MOD_ADD ? "add" : "modify",
                               dn, ldap_err2string(rc),
                               ld_error?ld_error:"unknown"));
                        SAFE_FREE(ld_error);
                        return NT_STATUS_UNSUCCESSFUL;
                }

So clearly it's attempting to add a user instead of modifying an
existing user. Unfortunately i don't really understand the code that
searches for the user but i'm suspecting that's where the problem lies.
If anyone could help me with this it would be greatly appreciated. I'm
not subscribed to the list so please cc me. If this is not the
appropriate place for this mail please let me know and i will post it to
the correct one.

Thanks and sorry for the lengthly mail!

John Allman

More information about the samba-technical mailing list