RE pdb_ldap.c, ldapsam_add_sam_account, existing poxisaccount
spu at corman.be
spu at corman.be
Thu May 26 14:09:15 GMT 2005
Hi,
I know this problem and I don't have the solution.
The solution is add the machine two times, the first time your connect will
be failed, the second time, it work because samba see the entry and try to
modify the entry which made sucessfuly.
I resume
add machine to domain first time : failed
add machine to domain a second time (directly) : OK
-----------------------------------
Stéphane PURNELLE stephane.purnelle at corman.be
Service Informatique Corman S.A. Tel : 00 32 087/342467
samba-technical-bounces+stephane.purnelle=corman.be at lists.samba.org a écrit
sur 26/05/2005 15:54:36 :
> Hi,
>
> I'm assuming this is the correct mailing list for this. I've been
> tracing down a problem we're having here while trying to make a
> samba/ldap pdc and i think i've narrowed it down to a small block of
> code in the ldapsam_add_sam_account function in passdb/pdb_ldap.c.
>
> I'm hoping if i post the debug output i have, describe the problem i'm
> having and identify the section of code i believe is responsible someone
> can take a look at it and see if it's a bug.
>
> ##The problem##
>
> We've set up samba as a pdc (configuration available on request) and are
> attempting to add a machine to the domain. Sadly it craps out and so we
> can't join the domain
>
> We have:
>
> add machine script = /usr/local/sbin/smbldap-useradd -w '%u'
>
> in our smb.conf and smbldap-useradd is from the idealx scripts version
> 0.8.7. We are running FreeBSD 5.4 and are using samba 3.0.15pre2
>
> ##Debugging##
>
> with log level = 10 in smb.conf i find the following in the log for the
> machine attempting to connect (zyphevm):
>
> [2005/05/26 13:06:05, 2] passdb/pdb_ldap.c:init_ldap_from_sam(912)
> init_ldap_from_sam: Setting entry for user: zyphevm$
> [2005/05/26 13:06:05, 1] passdb/pdb_ldap.c:ldapsam_modify_entry(1496)
> ldapsam_modify_entry: Failed to add user dn=
> uid=zyphevm$,ou=people,dc=cp,dc=dias,dc=ie with: Already exists
>
> [2005/05/26 13:06:05, 0] passdb/pdb_ldap.c:ldapsam_add_sam_account(1938)
> ldapsam_add_sam_account: failed to modify/add user with uid = zyphevm$
> (dn = uid=zyphevm$,ou=people,dc=cp,dc=dias,dc=ie)
> [2005/05/26 13:06:05, 0] rpc_server/srv_samr_nt.c:_samr_create_user(2044)
> could not add user/computer zyphevm$ to passdb. Check permissions?
>
> Ethereal analysis of the traffic shows the following packet from the
> server to the joining machine:
>
> SamrCreateUser2InDomain, response, STATUS_ACCESS_DENIED
>
> ##What i think is going wrong##
>
> The problem as i see it is that the idealx script successfully creates
> the posix user 'zyphevm$' (i can check by doing id zyphevm$ and the
> entry is in our ldap database) and then samba attempts to create it
> itself afterwards and fails (hence the Already exists).
>
> Thing that gets me is that from what i can see of the code there is a
> section in it that should deal with this eventuality. The following is
> from passdb/pdb_ldap.c:
>
> /* does the entry already exist but without a samba attributes?
> we need to return the samba attributes here */
>
> escape_user = escape_ldap_string_alloc( username );
> pstrcpy( filter, lp_ldap_filter() );
> all_string_sub( filter, "%u", escape_user, sizeof(filter) );
> SAFE_FREE( escape_user );
>
> rc = smbldap_search_suffix(ldap_state->smbldap_state,
> filter, attr_list, &result);
> if ( rc != LDAP_SUCCESS ) {
> free_attr_list( attr_list );
> return NT_STATUS_UNSUCCESSFUL;
> }
>
> num_result =
> ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result);
>
> if (num_result > 1) {
> DEBUG (0, ("ldapsam_add_sam_account: More than one user
> with that uid exists: bailing out!\n"));
> free_attr_list( attr_list );
> ldap_msgfree(result);
> return NT_STATUS_UNSUCCESSFUL;
> }
>
> /* Check if we need to update an existing entry */
> if (num_result == 1) {
> char *tmp;
>
> DEBUG(3,("ldapsam_add_sam_account: User exists without
> samba attributes: adding them\n"));
> ldap_op = LDAP_MOD_REPLACE;
> entry = ldap_first_entry
> (ldap_state->smbldap_state->ldap_struct, result);
> tmp = smbldap_get_dn
> (ldap_state->smbldap_state->ldap_struct, entry);
> if (!tmp) {
> free_attr_list( attr_list );
> ldap_msgfree(result);
> return NT_STATUS_UNSUCCESSFUL;
> }
> slprintf (dn, sizeof (dn) - 1, "%s", tmp);
> SAFE_FREE(tmp);
>
> }
>
> Now, i might be wrong, but this looks like the block of code that should
> give the desired behaviour. We need ldap_op to be set to
> LDAP_MOD_REPLACE but at all points at which this is set we have the
> following debug output which does not appear in my logs:
>
> ldapsam_add_sam_account: User exists without samba attributes:
> adding them
>
> The "Failed to add user" line matches up with the following code in
> ldapsam_modify_entry
>
> if (rc!=LDAP_SUCCESS) {
> char *ld_error = NULL;
>
> ldap_get_option(ldap_state->smbldap_state->ldap_struct,
> LDAP_OPT_ERROR_STRING,
> &ld_error);
> DEBUG(1, ("ldapsam_modify_entry: Failed to %s
> user dn= %s with: %s\n\t%s\n",
> ldap_op == LDAP_MOD_ADD ? "add" :
"modify",
> dn, ldap_err2string(rc),
> ld_error?ld_error:"unknown"));
> SAFE_FREE(ld_error);
> return NT_STATUS_UNSUCCESSFUL;
> }
>
> So clearly it's attempting to add a user instead of modifying an
> existing user. Unfortunately i don't really understand the code that
> searches for the user but i'm suspecting that's where the problem lies.
> If anyone could help me with this it would be greatly appreciated. I'm
> not subscribed to the list so please cc me. If this is not the
> appropriate place for this mail please let me know and i will post it to
> the correct one.
>
> Thanks and sorry for the lengthly mail!
>
> John Allman
More information about the samba-technical
mailing list