PATCH: Re: ACLs Samba 4.0
Sergey Urushkin
urushkin at telros.ru
Sat Dec 15 11:29:15 MST 2012
Hi, I've just tried to run the patched upgradeprovision, but after it
samba resets all ldap connections. But the KDC seems to work. So, I restored
the backup.
Here is some info:
I've demoted the second dc (we have 2), and then:
# samba_upgradeprovision
lpcfg_load: refreshing parameters from /usr/local/samba/etc/smb.conf
Creating a reference provision
lpcfg_load: refreshing parameters from /usr/local/samba/private/referenceprovisionwctFRt/etc/smb.conf
lpcfg_load: refreshing parameters from /usr/local/samba/private/referenceprovisionwctFRt/etc/smb.conf
No IPv6 address will be assigned
key added: key=SOFTWARE,hive=NONE
key added: key=Microsoft,key=SOFTWARE,hive=NONE
key added: key=Windows NT,key=Microsoft,key=SOFTWARE,hive=NONE
key added: key=CurrentVersion,key=Windows NT,key=Microsoft,key=SOFTWARE,hive=NONE
key added: key=SYSTEM,hive=NONE
key added: key=CurrentControlSet,key=SYSTEM,hive=NONE
key added: key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE
key added: key=ProductOptions,key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE
key added: key=Print,key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE
key added: key=Terminal Server,key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE
key added: key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE
key added: key=Netlogon,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE
key added: key=Parameters,key=Netlogon,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE
key added: key=Alerter,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE
key added: key=Parameters,key=Alerter,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE
partition_metadata: Migrating partition metadata
DN: DC=telros,DC=ru is a NC
DN: CN=Configuration,DC=telros,DC=ru is a NC
DN: CN=Schema,CN=Configuration,DC=telros,DC=ru is a NC
DN: DC=DomainDnsZones,DC=telros,DC=ru is a NC
DN: DC=ForestDnsZones,DC=telros,DC=ru is a NC
lpcfg_load: refreshing parameters from /usr/local/samba/private/referenceprovisionwctFRt/etc/smb.conf
Copy privilege
Update base samdb by searching difference with reference one
Update of secrets.ldb
Update machine account
Fixing very old provision SD
schema_data_modify: updates are not allowed: reject request
On
CN=ACS-Aggregate-Token-Rate-Per-User,CN=Schema,CN=Configuration,DC=telros,DC=ru
bad stuff
O:SAG:DUD:AI(A;CIID;RPLCLORC;;;AU)(A;CIID;RPWPCRCCLCLORCWOWDSW;;;SA)(A;CIID;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)S:AI(AU;CIIDSA;WP;;;WD)
commit called but no ldb transactions are active!
cancel called but no ldb transactions are active!
tdb(/usr/local/samba/private/secrets.tdb): tdb_transaction_commit: transaction error pending
tdb(/usr/local/samba/private/secrets.tdb): tdb_transaction_cancel: no transaction
cancel called but no ldb transactions are active!
cancel called but no ldb transactions are active!
Upgrade finished!
Reopening samdb to trigger reindexing if needed after modification
Reindexing finished
# kinit user
user at TELROS.RU's Password:
# ldapsearch
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
# netstat -lptn |grep 389
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 18651/samba
tcp6 0 0 :::389 :::* LISTEN 18651/samba
# telnet 0 389
Trying 0.0.0.0...
Connected to 0.
Escape character is '^]'.
Connection closed by foreign host.
### debug level 2 messages:
[2012/12/15 21:47:23, 1] ../auth/gensec/gensec_start.c:664(gensec_start_mech)
Failed to start GENSEC server mech gssapi_krb5: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
### debug level 5 messages:
ldb: Added timed event "ltdb_callback": 0x16a8bb0
ldb: Added timed event "ltdb_timeout": 0x1ccbff0
ldb: Destroying timer event 0x1ccbff0 "ltdb_timeout"
ldb: Ending timer event 0x16a8bb0 "ltdb_callback"
ldb: Added timed event "ltdb_callback": 0x1ab4620
ldb: Added timed event "ltdb_timeout": 0x1bebc30
ldb: Destroying timer event 0x1bebc30 "ltdb_timeout"
ldb: Ending timer event 0x1ab4620 "ltdb_callback"
ldb_wrap open of secrets.ldb
ldb: Added timed event "ltdb_callback": 0xdba1b0
ldb: Added timed event "ltdb_timeout": 0x126fd40
ldb: Destroying timer event 0x126fd40 "ltdb_timeout"
ldb: Ending timer event 0xdba1b0 "ltdb_callback"
Terminating connection - 'Failed to obtain server credentials, perhaps a standalone server?: NT_STATUS_NOT_FOUND
'
imessaging: cleaning up /usr/local/samba/private/smbd.tmp/msg/msg.0.32
single_terminate: reason[Failed to obtain server credentials, perhaps a standalone server?: NT_STATUS_NOT_FOUND
Stefan (metze) Metzmacher wrote on 2012-12-15 14:18:
> Here's the samba_upgradeprovision fix for this,
>
> can someone test this and push to master?
>
> metze
>
> On 15.12.2012 11:03, Andrew Bartlett wrote:
>> On Fri, 2012-12-14 at 16:31 +1100, Brian May wrote:
>>> Hello,
>>>
>>> Andrew Bartlett recommended I post this issue to the mailing list.
>>>
>>> I can access uidNumber fine as administrator, however as non-administrator
>>> I can only read my uidNumber. And uidNumber for computers. The other
>>> attributes don't appear.
>>>
>>> I think other attributes might be affected, uidNumber was the most obvious.
>>> So I haven't investigated the others in detail yet.
>>>
>>> Is this expected?
>>
>> I should note, particularly for others, that the workaround is to
>> set:
>>
>> acl:search=false
>>
>> in the smb.conf
>>
>> This issue came up due to the enforcement of read ACLs that we added
>> just before the release.
>>
>> Andrew Bartlett
>>
--
Best regards,
Sergey Urushkin
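An added example, not code from the original post or from Samba: a small Python decoder for the SDDL descriptor that the upgrade log above flagged as "bad stuff", listing which trustees hold READ_PROP on that schema object (the read ACL this thread is about). The abbreviation tables are limited to the codes on this page and use their standard SDDL meanings; the descriptor itself is copied from the log.

```python
import re

# Added example, not Samba code: decode the SDDL descriptor reported above.
# Abbreviation tables cover only the codes that appear on this page.
ACE_TYPES = {"A": "ALLOW", "D": "DENY", "AU": "AUDIT"}
ACE_FLAGS = {"CI": "CONTAINER_INHERIT", "ID": "INHERITED", "SA": "SUCCESSFUL_ACCESS"}
RIGHTS = {"RP": "READ_PROP", "WP": "WRITE_PROP", "CR": "CONTROL_ACCESS", "CC": "CREATE_CHILD",
          "DC": "DELETE_CHILD", "LC": "LIST_CHILDREN", "LO": "LIST_OBJECT", "RC": "READ_CONTROL",
          "WO": "WRITE_OWNER", "WD": "WRITE_DAC", "SD": "DELETE", "DT": "DELETE_TREE", "SW": "SELF_WRITE"}
SIDS = {"SA": "Schema Admins", "DU": "Domain Users", "AU": "Authenticated Users",
        "SY": "Local System", "WD": "Everyone"}
# The descriptor samba_upgradeprovision printed as "bad stuff" (copied from the log above).
PAGE_SD = ("O:SAG:DUD:AI(A;CIID;RPLCLORC;;;AU)(A;CIID;RPWPCRCCLCLORCWOWDSW;;;SA)"
           "(A;CIID;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)S:AI(AU;CIIDSA;WP;;;WD)")

def codes(run, table):
    """Split a run of two-letter SDDL codes such as 'RPLCLORC' into names."""
    if len(run) % 2:
        raise ValueError("odd-length SDDL code run: %r" % run)
    return [table.get(run[i:i + 2], run[i:i + 2]) for i in range(0, len(run), 2)]

def parse_ace(text):
    """Parse one ACE body: type;flags;rights;object_guid;inherit_guid;sid."""
    fields = text.split(";")
    if len(fields) != 6:
        raise ValueError("malformed ACE: %r" % text)
    atype, flags, rights, obj, inh, sid = fields
    return {"type": ACE_TYPES.get(atype, atype), "flags": codes(flags, ACE_FLAGS),
            "rights": codes(rights, RIGHTS), "object": obj, "inherit_object": inh,
            "trustee": SIDS.get(sid, sid)}

def parse_sddl(sddl):
    """Return owner, group, dacl and sacl; each ACL keeps its control flags and ACEs."""
    out = {}
    for key, body in re.findall(r"([OGDS]):(.*?)(?=[OGDS]:|$)", sddl):
        if key in "OG":
            out["owner" if key == "O" else "group"] = SIDS.get(body, body)
        else:  # ACL: optional control flags (here AI) followed by (...) ACEs
            aces = [parse_ace(a) for a in re.findall(r"\(([^)]*)\)", body)]
            out["dacl" if key == "D" else "sacl"] = {"control": body.split("(")[0], "aces": aces}
    return out

def readers(sd):
    """Trustees the DACL allows READ_PROP on, i.e. who passes the read-ACL check."""
    return [a["trustee"] for a in sd["dacl"]["aces"]
            if a["type"] == "ALLOW" and "READ_PROP" in a["rights"]]

if __name__ == "__main__":
    sd = parse_sddl(PAGE_SD)
    print("owner:", sd["owner"], "| READ_PROP allowed for:", readers(sd))
```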