samba 3.0.x to Samba-3.2.x PDC/LDAP migration problem

Ignacio Coupeau icoupeau at unav.es
Thu Sep 25 17:20:04 GMT 2008


Volker Lendecke wrote:
> On Wed, Sep 24, 2008 at 12:38:37PM +0200, Ignacio Coupeau wrote:
>> base="sambaDomainName=UNAV-PDC-01,sambaDomainName=unav-pdc-01,ou=smb,o=accounts,dc=..."
>> and filter
>> filter="(&(objectClass=sambaTrustedDomainPassword)(sambaDomainName=unav-pdc-01))"
> 
> Can you get us debug level 10 logs of those ops?
> 
>> 1. The dn shows an additional "sambaDomainName=UNAV-PDC-01" in 
>> uppercase, added by samba;
> 
> This is the data model for trusted domain accounts. I wonder
> why it is trying those with non-trust related ops. Thus my
> question for debug level 10 logs.

Volker,
Thanks for the level 10 reminder: solved.

I found the problem: for historical reasons we have two uids for the 
users (a migration process). Until now Samba didn't check if more than 
one uid was returned (we have had this in production for years); it fetched the 
first and it ran. Now it checks that only one exists. I think it is a good 
idea, but as uid may be multi-valued, this should be documented.

With debug level 1-9 the only error reported is:
"init_sam_from_ldap: No uid attribute found for this user!"
So, as the only LDAP error I found was the trust error (err=32), I 
thought that was the "same" error.

With debug level set to 10, the real error is displayed in two lines:
"attribute uid has 2 values, expected only one
init_sam_from_ldap: No uid attribute found for this user!"

Also, I don't know if the search for trusted domains could be tuned a bit 
or perhaps omitted if "allow trusted domains = No".

THX,
Ignacio

PS: The log about the trusted stuff (with "allow trusted domains = No") 
is this:

   file /usr/local/etc2/samba_PDC10/lib/smb.conf -> 
/usr/local/etc2/samba_PDC10/lib/smb.conf  last mod_time: Wed Sep 24 
19:56:51 2008

[2008/09/24 20:09:36,  5] auth/auth_util.c:make_user_info_map(206)
   make_user_info_map: Mapping user [UNAV-PDC-01]\[root] from 
workstation [10.1.0.10]
[2008/09/24 20:09:36,  3] smbd/sec_ctx.c:push_sec_ctx(224)
   push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2008/09/24 20:09:36,  3] smbd/uid.c:push_conn_ctx(357)
   push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2008/09/24 20:09:36,  3] smbd/sec_ctx.c:set_sec_ctx(324)
   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2008/09/24 20:09:36,  5] auth/token_util.c:debug_nt_user_token(464)
   NT user token: (NULL)
[2008/09/24 20:09:36,  5] auth/token_util.c:debug_unix_user_token(490)
   UNIX token of user 0
   Primary group is 0 and contains 0 supplementary groups
[2008/09/24 20:09:36,  5] auth/auth_util.c:is_trusted_domain(2055)
   is_trusted_domain: Checking for domain trust with [UNAV-PDC-01]
[2008/09/24 20:09:36, 10] passdb/pdb_ldap.c:ldapsam_get_trusteddom_pw(5823)
   ldapsam_get_trusteddom_pw called for domain UNAV-PDC-01
[2008/09/24 20:09:36,  5] lib/smbldap.c:smbldap_search_ext(1207)
   smbldap_search_ext: base => 
[sambaDomainName=UNAV-PDC-01,sambaDomainName=unav-pdc-01,ou=smb,o=accounts,dc=unav,dc=es], 
filter => 
[(&(objectClass=sambaTrustedDomainPassword)(sambaDomainName=UNAV-PDC-01))], 
scope => [2]
[2008/09/24 20:09:36,  5] lib/smbldap.c:smbldap_close(1110)
   The connection to the LDAP server was closed
[2008/09/24 20:09:36, 10] lib/smbldap.c:smb_ldap_setup_conn(616)
   smb_ldap_setup_connection: ldap://10.1.0.15/
[2008/09/24 20:09:36,  3] lib/smbldap.c:smb_ldap_start_tls(600)
   StartTLS issued: using a TLS connection
[2008/09/24 20:09:36,  2] lib/smbldap.c:smbldap_open_connection(796)
   smbldap_open_connection: connection opened
[2008/09/24 20:09:36, 10] lib/smbldap.c:smbldap_connect_system(961)
   ldap_connect_system: Binding to ldap server ldap://10.1.0.15/ as 
"cn=smbAdmin,dc=unav,dc=es"
[2008/09/24 20:09:36,  3] lib/smbldap.c:smbldap_check_root_dse(1725)
   smbldap_check_root_dse: Expected one rootDSE, got 0
[2008/09/24 20:09:36,  3] lib/smbldap.c:smbldap_connect_system(1007)
   ldap_connect_system: successful connection to the LDAP server
   ldap_connect_system: LDAP server does not support paged results
[2008/09/24 20:09:36, 10] lib/events.c:event_add_timed(128)
   Added timed event "smbldap_idle_fn": 9d7e170
[2008/09/24 20:09:36,  4] lib/smbldap.c:smbldap_open(1090)
   The LDAP server is successfully connected
[2008/09/24 20:09:36, 10] lib/smbldap.c:smbldap_search_ext(1271)
   Failed search for base: 
sambaDomainName=UNAV-PDC-01,sambaDomainName=unav-pdc-01,ou=smb,o=accounts,dc=unav,dc=es, 
error: 32 (No such object) ()
[2008/09/24 20:09:36,  3] smbd/sec_ctx.c:pop_sec_ctx(432)
   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2008/09/24 20:09:36, 10] lib/gencache.c:gencache_get(194)
   Cache entry with key = TDOM/UNAV-PDC-01 couldn't be found
[2008/09/24 20:09:36,  5] libsmb/trustdom_cache.c:trustdom_cache_fetch(183)
   no entry for trusted domain UNAV-PDC-01 found.
[2008/09/24 20:09:36,  5] auth/auth_util.c:make_user_info(120)
   attempting to make a user_info for root (root)
...

-- 
________________________________________________________
Dr. Ignacio Coupeau
Systems and Network Services Director
IT Services
University of Navarra           http://www.unav.edu/
Pamplona, SPAIN                 http://www.unav.es/SI/
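The check Samba 3.2 now applies (exactly one uid value per sambaSamAccount) can be run against the directory before migrating. The script below is an added example, not code from the post or from Samba: it parses an LDIF export (for instance `ldapsearch -LLL` output; the sample entries and DNs are constructed) and lists every sambaSamAccount whose uid count is not one, i.e. the accounts init_sam_from_ldap would reject.

```python
# Added example (not from the post or Samba itself): an offline pre-migration check
# applying Samba 3.2's one-uid-per-sambaSamAccount rule to an LDIF export (ldapsearch -LLL).

# Constructed sample: a clean user, a user with a legacy second uid, a non-Samba entry.
SAMPLE_LDIF = """\
dn: uid=jdoe,ou=people,o=accounts,dc=example,dc=org
objectClass: sambaSamAccount
uid: jdoe

dn: uid=asmith,ou=people,o=accounts,dc=example,dc=org
objectClass: sambaSamAccount
uid: asmith
uid: asmith-old

dn: cn=svc1,ou=people,o=accounts,dc=example,dc=org
objectClass: posixAccount
uid: svc1
uid: svc1-alias
"""

def parse_ldif(text):
    """Return [(dn, {attr_lower: [values]})]; folds leading-space continuation lines."""
    entries, attrs, dn, prev = [], {}, None, None
    for raw in text.splitlines() + [""]:                 # trailing "" flushes the last entry
        if raw.startswith(" ") and prev is not None:     # folded continuation line
            if prev == "dn":
                dn += raw[1:]
            else:
                attrs[prev][-1] += raw[1:]
        elif not raw:                                    # blank line ends an entry
            if dn is not None:
                entries.append((dn, attrs))
            attrs, dn, prev = {}, None, None
        else:
            name, _, value = raw.partition(":")          # base64 (::) values stay raw
            prev, value = name.strip().lower(), value.strip()
            if prev == "dn":
                dn = value
            else:
                attrs.setdefault(prev, []).append(value)
    return entries

def find_bad_uids(text):
    """Map DN -> uid count for sambaSamAccounts with 0 or >1 uid values."""
    bad = {}
    for dn, attrs in parse_ldif(text):
        n = len(attrs.get("uid", []))
        if "sambasamaccount" in map(str.lower, attrs.get("objectclass", [])) and n != 1:
            bad[dn] = n
    return bad
```

Entries without the sambaSamAccount class are ignored even if they carry several uid values, since Samba never maps them to SAM accounts.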
