PATCH: Re: ACLs Samba 4.0

Sergey Urushkin urushkin at
Sat Dec 15 11:29:15 MST 2012

Hi, I've just tried to run patched upgradeprovision, but after it 
samba resets all ldap connections. But KDC seems to work. So, I restored 
Here is some info:

I've demoted second dc (we have 2), and then:

# samba_upgradeprovision
lpcfg_load: refreshing parameters from /usr/local/samba/etc/smb.conf
Creating a reference provision
lpcfg_load: refreshing parameters from 
lpcfg_load: refreshing parameters from 
No IPv6 address will be assigned
key added: key=SOFTWARE,hive=NONE
key added: key=Microsoft,key=SOFTWARE,hive=NONE
key added: key=Windows NT,key=Microsoft,key=SOFTWARE,hive=NONE
key added: key=CurrentVersion,key=Windows 
key added: key=SYSTEM,hive=NONE
key added: key=CurrentControlSet,key=SYSTEM,hive=NONE
key added: key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE
key added: 
key added: 
key added: key=Terminal 
key added: key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE
key added: 
key added: 
key added: 
key added: 
partition_metadata: Migrating partition metadata
DN: DC=telros,DC=ru is a NC
DN: CN=Configuration,DC=telros,DC=ru is a NC
DN: CN=Schema,CN=Configuration,DC=telros,DC=ru is a NC
DN: DC=DomainDnsZones,DC=telros,DC=ru is a NC
DN: DC=ForestDnsZones,DC=telros,DC=ru is a NC
lpcfg_load: refreshing parameters from 
Copy privilege
Update base samdb by searching difference with reference one
Update of secrets.ldb
Update machine account
Fixing very old provision SD
schema_data_modify: updates are not allowed: reject request

bad stuff 
commit called but no ldb transactions are active!
cancel called but no ldb transactions are active!
tdb(/usr/local/samba/private/secrets.tdb): tdb_transaction_commit: 
transaction error pending
tdb(/usr/local/samba/private/secrets.tdb): tdb_transaction_cancel: no 
cancel called but no ldb transactions are active!
cancel called but no ldb transactions are active!
Upgrade finished!
Reopening samdb to trigger reindexing if needed after modification
Reindexing finished

# kinit user
user at TELROS.RU's Password:

# ldapsearch
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)

# netstat -lptn |grep 389
tcp        0      0   *               
LISTEN      18651/samba
tcp6       0      0 :::389                  :::*                    
LISTEN      18651/samba

# telnet 0 389
Connected to 0.
Escape character is '^]'.
Connection closed by foreign host.

### debug level 2 messages:
[2012/12/15 21:47:23,  1] 
   Failed to start GENSEC server mech gssapi_krb5: 

### debug level 5 messages:
ldb: Added timed event "ltdb_callback": 0x16a8bb0

ldb: Added timed event "ltdb_timeout": 0x1ccbff0

ldb: Destroying timer event 0x1ccbff0 "ltdb_timeout"

ldb: Ending timer event 0x16a8bb0 "ltdb_callback"

ldb: Added timed event "ltdb_callback": 0x1ab4620

ldb: Added timed event "ltdb_timeout": 0x1bebc30

ldb: Destroying timer event 0x1bebc30 "ltdb_timeout"

ldb: Ending timer event 0x1ab4620 "ltdb_callback"

ldb_wrap open of secrets.ldb
ldb: Added timed event "ltdb_callback": 0xdba1b0

ldb: Added timed event "ltdb_timeout": 0x126fd40

ldb: Destroying timer event 0x126fd40 "ltdb_timeout"

ldb: Ending timer event 0xdba1b0 "ltdb_callback"

Terminating connection - 'Failed to obtain server credentials, perhaps 
a standalone server?: NT_STATUS_NOT_FOUND
imessaging: cleaning up /usr/local/samba/private/smbd.tmp/msg/msg.0.32
single_terminate: reason[Failed to obtain server credentials, perhaps a 
standalone server?: NT_STATUS_NOT_FOUND

Stefan (metze) Metzmacher wrote on 2012-12-15 14:18:
> Here's the samba_upgradeprovision fix for this,
> can someone test this and push to master?
> metze
> On 15.12.2012 11:03, Andrew Bartlett wrote:
>> On Fri, 2012-12-14 at 16:31 +1100, Brian May wrote:
>>> Hello,
>>> Andrew Bartlett recommended I post this issue to the mailing list.
>>> I can access uidNumber fine as administrator, however as non-administrator
>>> I can only read my uidNumber. And uidNumber for computers. The other
>>> attributes don't appear.
>>> I think other attributes might be affected, uidNumber was the most obvious.
>>> So I haven't investigated the others in detail yet.
>>> Is this expected?
>> I should note, particularly for others, that the workaround is to set:
>> acl:search=false
>> in the smb.conf
>> This issue came up due to the enforcement of read ACLs that we added
>> just before the release.
>> Andrew Bartlett

Best regards,
Sergey Urushkin
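The `acl:search=false` workaround quoted above turns off the read-ACL enforcement on LDAP searches, so a defender wants to know when a DC is still running with it. The following is an added example, not code from this thread or from Samba: it parses an smb.conf the way Samba reads it (case- and whitespace-insensitive parameter names, `#`/`;` comments, only `=` as separator so `acl:search` keeps its colon) and reports whether read-ACL enforcement is in effect. The sample configuration is constructed for the example.

```python
import configparser
import io

# Constructed sample smb.conf with the workaround from the thread applied
# (example input, not the poster's real configuration).
SAMPLE_SMB_CONF = """\
[global]
    workgroup = TELROS
    realm = TELROS.RU
    server role = active directory domain controller
    # Workaround from the thread: disables read-ACL enforcement on searches
    acl:search = false
"""

def parse_smb_conf(text):
    """Parse smb.conf text into {section: {param: value}} using Samba's
    conventions: parameter names are case- and whitespace-insensitive,
    '#' and ';' start comment lines, and only '=' separates a parameter
    from its value (configparser's default would also split on ':')."""
    parser = configparser.RawConfigParser(delimiters=("=",),
                                          comment_prefixes=("#", ";"),
                                          strict=False)
    parser.optionxform = lambda name: "".join(name.split()).lower()
    parser.read_file(io.StringIO(text))
    return {s: dict(parser.items(s)) for s in parser.sections()}

def acl_search_enforced(conf):
    """True when Samba enforces read ACLs on LDAP searches.
    With the parameter absent the default is enforcement on; Samba accepts
    yes/true/1/on and no/false/0/off as boolean spellings."""
    value = conf.get("global", {}).get("acl:search")
    if value is None:
        return True
    return value.strip().lower() in ("yes", "true", "1", "on")

def audit(text):
    """One-line finding for the given smb.conf text."""
    conf = parse_smb_conf(text)
    if acl_search_enforced(conf):
        return "acl:search enforced: LDAP searches honour read ACLs"
    return ("acl:search disabled: non-administrators can read attributes "
            "their ACLs would otherwise hide (workaround in effect)")

if __name__ == "__main__":
    print(audit(SAMPLE_SMB_CONF))
```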
