PATCH: Re: ACLs Samba 4.0

Sergey Urushkin urushkin at telros.ru
Sat Dec 15 11:29:15 MST 2012


Hi, I've just tried to run the patched upgradeprovision, but after it 
samba resets all LDAP connections. The KDC seems to work, though. So, I restored 
the backup.
Here is some info:

I've demoted second dc (we have 2), and then:

# samba_upgradeprovision
lpcfg_load: refreshing parameters from /usr/local/samba/etc/smb.conf
Creating a reference provision
lpcfg_load: refreshing parameters from /usr/local/samba/private/referenceprovisionwctFRt/etc/smb.conf
lpcfg_load: refreshing parameters from /usr/local/samba/private/referenceprovisionwctFRt/etc/smb.conf
No IPv6 address will be assigned
key added: key=SOFTWARE,hive=NONE
key added: key=Microsoft,key=SOFTWARE,hive=NONE
key added: key=Windows NT,key=Microsoft,key=SOFTWARE,hive=NONE
key added: key=CurrentVersion,key=Windows NT,key=Microsoft,key=SOFTWARE,hive=NONE
key added: key=SYSTEM,hive=NONE
key added: key=CurrentControlSet,key=SYSTEM,hive=NONE
key added: key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE
key added: key=ProductOptions,key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE
key added: key=Print,key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE
key added: key=Terminal Server,key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE
key added: key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE
key added: key=Netlogon,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE
key added: key=Parameters,key=Netlogon,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE
key added: key=Alerter,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE
key added: key=Parameters,key=Alerter,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE
partition_metadata: Migrating partition metadata
DN: DC=telros,DC=ru is a NC
DN: CN=Configuration,DC=telros,DC=ru is a NC
DN: CN=Schema,CN=Configuration,DC=telros,DC=ru is a NC
DN: DC=DomainDnsZones,DC=telros,DC=ru is a NC
DN: DC=ForestDnsZones,DC=telros,DC=ru is a NC
lpcfg_load: refreshing parameters from /usr/local/samba/private/referenceprovisionwctFRt/etc/smb.conf
Copy privilege
Update base samdb by searching difference with reference one
Update of secrets.ldb
Update machine account
Fixing very old provision SD
schema_data_modify: updates are not allowed: reject request

On CN=ACS-Aggregate-Token-Rate-Per-User,CN=Schema,CN=Configuration,DC=telros,DC=ru bad stuff O:SAG:DUD:AI(A;CIID;RPLCLORC;;;AU)(A;CIID;RPWPCRCCLCLORCWOWDSW;;;SA)(A;CIID;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)S:AI(AU;CIIDSA;WP;;;WD)
commit called but no ldb transactions are active!
cancel called but no ldb transactions are active!
tdb(/usr/local/samba/private/secrets.tdb): tdb_transaction_commit: transaction error pending
tdb(/usr/local/samba/private/secrets.tdb): tdb_transaction_cancel: no transaction
cancel called but no ldb transactions are active!
cancel called but no ldb transactions are active!
Upgrade finished!
Reopening samdb to trigger reindexing if needed after modification
Reindexing finished


# kinit user
user at TELROS.RU's Password:

# ldapsearch
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)

# netstat -lptn |grep 389
tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN      18651/samba
tcp6       0      0 :::389                  :::*                    LISTEN      18651/samba

# telnet 0 389
Trying 0.0.0.0...
Connected to 0.
Escape character is '^]'.
Connection closed by foreign host.

### debug level 2 messages:
[2012/12/15 21:47:23,  1] ../auth/gensec/gensec_start.c:664(gensec_start_mech)
   Failed to start GENSEC server mech gssapi_krb5: NT_STATUS_CANT_ACCESS_DOMAIN_INFO


### debug level 5 messages:
ldb: Added timed event "ltdb_callback": 0x16a8bb0

ldb: Added timed event "ltdb_timeout": 0x1ccbff0

ldb: Destroying timer event 0x1ccbff0 "ltdb_timeout"

ldb: Ending timer event 0x16a8bb0 "ltdb_callback"

ldb: Added timed event "ltdb_callback": 0x1ab4620

ldb: Added timed event "ltdb_timeout": 0x1bebc30

ldb: Destroying timer event 0x1bebc30 "ltdb_timeout"

ldb: Ending timer event 0x1ab4620 "ltdb_callback"

ldb_wrap open of secrets.ldb
ldb: Added timed event "ltdb_callback": 0xdba1b0

ldb: Added timed event "ltdb_timeout": 0x126fd40

ldb: Destroying timer event 0x126fd40 "ltdb_timeout"

ldb: Ending timer event 0xdba1b0 "ltdb_callback"

Terminating connection - 'Failed to obtain server credentials, perhaps a standalone server?: NT_STATUS_NOT_FOUND'
imessaging: cleaning up /usr/local/samba/private/smbd.tmp/msg/msg.0.32
single_terminate: reason[Failed to obtain server credentials, perhaps a standalone server?: NT_STATUS_NOT_FOUND


Stefan (metze) Metzmacher wrote on 2012-12-15 14:18:
> Here's the samba_upgradeprovision fix for this,
>
> can someone test this and push to master?
>
> metze
>
> On 15.12.2012 11:03, Andrew Bartlett wrote:
>> On Fri, 2012-12-14 at 16:31 +1100, Brian May wrote:
>>> Hello,
>>>
>>> Andrew Bartlett recommended I post this issue to the mailing list.
>>>
>>> I can access uidNumber fine as administrator, however as
>>> non-administrator I can only read my uidNumber. And uidNumber for
>>> computers. The other attributes don't appear.
>>>
>>> I think other attributes might be affected, uidNumber was the most
>>> obvious. So I haven't investigated the others in detail yet.
>>>
>>> Is this expected?
>>
>> I should note, particularly for others, that the workaround is to 
>> set:
>>
>> acl:search=false
>>
>> in the smb.conf
>>
>> This issue came up due to the enforcement of read ACLs that we added
>> just before the release.
>>
>> Andrew Bartlett
>>

-- 
Best regards,
Sergey Urushkin
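To read the descriptor that upgradeprovision printed after "bad stuff" above, here is an added example of my own (not Samba's code, and not part of metze's patch) that parses that SDDL string into owner, group, DACL and SACL and expands the standard SDDL abbreviations. Assumed for illustration: the alias table covers only the well-known SIDs that occur in this descriptor plus a few common ones, and allows() is a deliberately simplified first-match check that resolves neither group membership nor the GUID scoping of object-specific ACEs.

```python
# Added example (my own code, not Samba's): decode the SDDL string that
# samba_upgradeprovision printed as "bad stuff", using the standard SDDL
# abbreviations for well-known SID aliases, ACE flags and AD access rights.
import json
import re

# Copied from the "bad stuff" line in the log above.
FLAGGED_SD = ("O:SAG:DUD:AI(A;CIID;RPLCLORC;;;AU)"
              "(A;CIID;RPWPCRCCLCLORCWOWDSW;;;SA)"
              "(A;CIID;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)"
              "S:AI(AU;CIIDSA;WP;;;WD)")

# Only the aliases used here plus a few common ones (assumed table); a
# literal S-1-5-... SID or an alias not listed is passed through unchanged.
SID_ALIASES = {"SA": "Schema Admins", "DU": "Domain Users",
               "AU": "Authenticated Users", "SY": "Local System",
               "WD": "Everyone", "DA": "Domain Admins",
               "BA": "Builtin Administrators"}
ACE_TYPES = {"A": "ACCESS_ALLOWED", "D": "ACCESS_DENIED", "AU": "SYSTEM_AUDIT",
             "OA": "ACCESS_ALLOWED_OBJECT", "OD": "ACCESS_DENIED_OBJECT",
             "OU": "SYSTEM_AUDIT_OBJECT"}
ACE_FLAGS = {"CI": "CONTAINER_INHERIT", "OI": "OBJECT_INHERIT",
             "NP": "NO_PROPAGATE_INHERIT", "IO": "INHERIT_ONLY",
             "ID": "INHERITED", "SA": "SUCCESSFUL_ACCESS", "FA": "FAILED_ACCESS"}
RIGHTS = {"RP": "READ_PROP", "WP": "WRITE_PROP", "CR": "CONTROL_ACCESS",
          "CC": "CREATE_CHILD", "DC": "DELETE_CHILD", "LC": "LIST_CHILDREN",
          "LO": "LIST_OBJECT", "DT": "DELETE_TREE", "SW": "SELF_WRITE",
          "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
          "SD": "DELETE", "GA": "GENERIC_ALL", "GR": "GENERIC_READ",
          "GW": "GENERIC_WRITE", "GX": "GENERIC_EXECUTE"}
ACL_FLAGS = {"AR": "AUTO_INHERIT_REQ", "AI": "AUTO_INHERITED"}


def _pairs(run):
    """Split a run of two-letter tokens: 'CIID' -> ['CI', 'ID']."""
    if len(run) % 2:
        raise ValueError("odd-length SDDL token run: %r" % run)
    return [run[i:i + 2] for i in range(0, len(run), 2)]


def _rights(run):
    # SDDL also allows a hex access mask; keep it verbatim instead of decoding bits.
    return [run] if run.startswith("0x") else [RIGHTS[r] for r in _pairs(run)]


def parse_ace(text):
    """'A;CIID;RPLCLORC;;;AU' -> dict (type, flags, rights, GUIDs, trustee)."""
    fields = text.split(";")
    if len(fields) != 6:
        raise ValueError("ACE needs 6 ';'-separated fields: %r" % text)
    ace_type, flags, rights, obj, inh_obj, sid = fields
    return {"type": ACE_TYPES[ace_type],
            "flags": [ACE_FLAGS[f] for f in _pairs(flags)],
            "rights": _rights(rights),
            "object_type": obj or None,
            "inherited_object_type": inh_obj or None,
            "trustee": SID_ALIASES.get(sid, sid)}


def parse_acl(text):
    """'AI(ace)(ace)...' -> {'flags': [...], 'aces': [...]}."""
    head, _, rest = text.partition("(")
    flags = []
    if head.startswith("P"):   # 'P' (protected) is the one single-letter flag
        flags.append("PROTECTED")
        head = head[1:]
    flags += [ACL_FLAGS[f] for f in _pairs(head)]
    aces = [parse_ace(a) for a in re.findall(r"\(([^)]*)\)", "(" + rest)] if rest else []
    return {"flags": flags, "aces": aces}


def parse_sddl(sddl):
    """Split 'O:..G:..D:..S:..' at the component markers (the only colons an
    SDDL string contains) and decode each part; an absent component stays None."""
    sd = {"owner": None, "group": None, "dacl": None, "sacl": None}
    for part in re.split(r"(?=[OGDS]:)", sddl):
        if not part:
            continue
        key, body = part[0], part[2:]
        if key in "OG":
            sd["owner" if key == "O" else "group"] = SID_ALIASES.get(body, body)
        else:
            sd["dacl" if key == "D" else "sacl"] = parse_acl(body)
    return sd


def allows(sd, trustee, right):
    """First-match check over explicit ACEs only: group membership and the
    GUID scoping of object ACEs are not resolved, so this says what the
    descriptor literally states, not what the server would decide."""
    if sd["dacl"] is None:   # no D: component at all = NULL DACL = allow
        return True
    for ace in sd["dacl"]["aces"]:
        if ace["trustee"] != trustee or right not in ace["rights"]:
            continue
        if ace["type"].startswith("ACCESS_DENIED"):
            return False
        if ace["type"].startswith("ACCESS_ALLOWED"):
            return True
    return False


if __name__ == "__main__":
    print(json.dumps(parse_sddl(FLAGGED_SD), indent=2))
```

Running it shows that every ACE carries ID (inherited) and both ACLs are marked AI (auto-inherited): Authenticated Users get read-only rights (RP, LC, LO, RC), Schema Admins get write rights on the schema object, SYSTEM gets full control including DELETE and DELETE_TREE, and the SACL audits successful WRITE_PROP by Everyone. The read-ACL enforcement the thread discusses (what acl:search=false switches off) filters attributes on the basis of exactly these RP grants, which is why a non-administrator sees only what the ACEs for their own SIDs allow.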

