samba 3.0.x to Samba-3.2.x PDC/LDAP migration problem
Ignacio Coupeau
icoupeau at unav.es
Thu Sep 25 17:20:04 GMT 2008
Volker Lendecke wrote:
> On Wed, Sep 24, 2008 at 12:38:37PM +0200, Ignacio Coupeau wrote:
>> base="sambaDomainName=UNAV-PDC-01,sambaDomainName=unav-pdc-01,ou=smb,o=accounts,dc=..."
>> and filter
>> filter="(&(objectClass=sambaTrustedDomainPassword)(sambaDomainName=unav-pdc-01))"
>
> Can you get us debug level 10 logs of those ops?
>
>> 1. The dn shows an additional "sambaDomainName=UNAV-PDC-01" in
>> uppercase, added by samba;
>
> This is the data model for trusted domain accounts. I wonder
> why it is trying those with non-trust related ops. Thus my
> question for debug level 10 logs.
Volker,
Thanks for the level 10 reminder: solved.
I found the problem: for historical reasons we have two uids for the
users (a migration process). Until now Samba didn't check whether more
than one uid is returned (we have had this in production for years); it
fetched the first and it ran. Now it checks if only one exists. I think
it is a good idea, but as uid may be multi-valued, this should be documented.
With debug level 1-9 the only error reported is:
"init_sam_from_ldap: No uid attribute found for this user!"
So, as the only ldap error I found was the trust error (err=32) I
thought that was the "same" error.
With debug level set to 10, the real error is displayed in two lines:
"attribute uid has 2 values, expected only one
init_sam_from_ldap: No uid attribute found for this user!"
Also, I don't know if the search for trusted domains may be tuned a bit,
or perhaps omitted, if "allow trusted domains = No"
THX,
Ignacio
PS: The log about the trusted stuff (with "allow trusted domains = No")
is this:
file /usr/local/etc2/samba_PDC10/lib/smb.conf ->
/usr/local/etc2/samba_PDC10/lib/smb.conf last mod_time: Wed Sep 24
19:56:51 2008
[2008/09/24 20:09:36, 5] auth/auth_util.c:make_user_info_map(206)
make_user_info_map: Mapping user [UNAV-PDC-01]\[root] from
workstation [10.1.0.10]
[2008/09/24 20:09:36, 3] smbd/sec_ctx.c:push_sec_ctx(224)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2008/09/24 20:09:36, 3] smbd/uid.c:push_conn_ctx(357)
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2008/09/24 20:09:36, 3] smbd/sec_ctx.c:set_sec_ctx(324)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2008/09/24 20:09:36, 5] auth/token_util.c:debug_nt_user_token(464)
NT user token: (NULL)
[2008/09/24 20:09:36, 5] auth/token_util.c:debug_unix_user_token(490)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
[2008/09/24 20:09:36, 5] auth/auth_util.c:is_trusted_domain(2055)
is_trusted_domain: Checking for domain trust with [UNAV-PDC-01]
[2008/09/24 20:09:36, 10] passdb/pdb_ldap.c:ldapsam_get_trusteddom_pw(5823)
ldapsam_get_trusteddom_pw called for domain UNAV-PDC-01
[2008/09/24 20:09:36, 5] lib/smbldap.c:smbldap_search_ext(1207)
smbldap_search_ext: base =>
[sambaDomainName=UNAV-PDC-01,sambaDomainName=unav-pdc-01,ou=smb,o=accounts,dc=unav,dc=es],
filter =>
[(&(objectClass=sambaTrustedDomainPassword)(sambaDomainName=UNAV-PDC-01))],
scope => [2]
[2008/09/24 20:09:36, 5] lib/smbldap.c:smbldap_close(1110)
The connection to the LDAP server was closed
[2008/09/24 20:09:36, 10] lib/smbldap.c:smb_ldap_setup_conn(616)
smb_ldap_setup_connection: ldap://10.1.0.15/
[2008/09/24 20:09:36, 3] lib/smbldap.c:smb_ldap_start_tls(600)
StartTLS issued: using a TLS connection
[2008/09/24 20:09:36, 2] lib/smbldap.c:smbldap_open_connection(796)
smbldap_open_connection: connection opened
[2008/09/24 20:09:36, 10] lib/smbldap.c:smbldap_connect_system(961)
ldap_connect_system: Binding to ldap server ldap://10.1.0.15/ as
"cn=smbAdmin,dc=unav,dc=es"
[2008/09/24 20:09:36, 3] lib/smbldap.c:smbldap_check_root_dse(1725)
smbldap_check_root_dse: Expected one rootDSE, got 0
[2008/09/24 20:09:36, 3] lib/smbldap.c:smbldap_connect_system(1007)
ldap_connect_system: successful connection to the LDAP server
ldap_connect_system: LDAP server does not support paged results
[2008/09/24 20:09:36, 10] lib/events.c:event_add_timed(128)
Added timed event "smbldap_idle_fn": 9d7e170
[2008/09/24 20:09:36, 4] lib/smbldap.c:smbldap_open(1090)
The LDAP server is successfully connected
[2008/09/24 20:09:36, 10] lib/smbldap.c:smbldap_search_ext(1271)
Failed search for base:
sambaDomainName=UNAV-PDC-01,sambaDomainName=unav-pdc-01,ou=smb,o=accounts,dc=unav,dc=es,
error: 32 (No such object) ()
[2008/09/24 20:09:36, 3] smbd/sec_ctx.c:pop_sec_ctx(432)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2008/09/24 20:09:36, 10] lib/gencache.c:gencache_get(194)
Cache entry with key = TDOM/UNAV-PDC-01 couldn't be found
[2008/09/24 20:09:36, 5] libsmb/trustdom_cache.c:trustdom_cache_fetch(183)
no entry for trusted domain UNAV-PDC-01 found.
[2008/09/24 20:09:36, 5] auth/auth_util.c:make_user_info(120)
attempting to make a user_info for root (root)
...
--
________________________________________________________
Dr. Ignacio Coupeau
Systems and Network Services Director
IT Services
University of Navarra http://www.unav.edu/
Pamplona, SPAIN http://www.unav.es/SI/
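
Added example, not part of the original post or of Samba: a pre-upgrade audit for the condition described above, listing sambaSamAccount entries in an LDIF export whose uid is not single-valued. The sample entries, the example.org DNs and the function names are constructed for illustration.

```python
import base64

# Constructed LDIF export (not from the original post): jdoe carries two uid
# values left by a migration, asmith has a folded DN and a base64 uid.
SAMPLE_LDIF = """\
dn: uid=jdoe,ou=people,o=accounts,dc=example,dc=org
objectClass: sambaSamAccount
uid: jdoe
uid: x0012345

dn: uid=asmith,ou=people,o=accounts,
 dc=example,dc=org
objectClass: sambaSamAccount
uid:: YXNtaXRo

dn: cn=staff,ou=groups,o=accounts,dc=example,dc=org
objectClass: posixGroup
cn: staff
"""

def parse_ldif(text):
    """Yield (dn, {attr_lower: [values]}) per entry; handles folding and base64."""
    # A line starting with one space continues the previous line.
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")
    for block in unfolded.split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            name, _, rest = line.partition(":")
            if rest.startswith(":"):  # "attr:: value" is base64-encoded
                value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
            else:
                value = rest.strip()
            attrs.setdefault(name.lower(), []).append(value)
        if "dn" in attrs:
            yield attrs.pop("dn")[0], attrs

def accounts_with_ambiguous_uid(text):
    """Return {dn: [uid values]} for sambaSamAccount entries without exactly one uid."""
    bad = {}
    for dn, attrs in parse_ldif(text):
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        uids = attrs.get("uid", [])
        if "sambasamaccount" in classes and len(uids) != 1:
            bad[dn] = uids
    return bad

if __name__ == "__main__":
    print(accounts_with_ambiguous_uid(SAMPLE_LDIF))
```
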