samba with openldap provisioning

Nadezhda Ivanova nivanova at samba.org
Thu Aug 29 08:42:47 MDT 2013


Hi Andrew,
I have re-introduced some of the removed provision options, and committed
them in my repo: git://git.samba.org/nivanova/samba.git
The branch is openldap_provision.

The environment:
I am running Ubuntu 13.04 and installed Cyrus SASL and the latest version
of Berkeley DB (6.0.20) from here:
http://www.oracle.com/technetwork/products/berkeleydb/downloads/index.html

I installed the latest OpenLDAP from the repo: git://git.openldap.org/openldap.git

This is my OpenLDAP configure command:
LD_LIBRARY_PATH="/usr/lib:/usr/local/lib:/usr/local/BerkeleyDB.6.0/lib:/usr/local/ssl/lib" \
LDFLAGS="-L/usr/local/lib -L/usr/local/BerkeleyDB.4.2/lib -L/usr/local/ssl/lib" \
CPPFLAGS="-I/usr/local/include -I/usr/local/BerkeleyDB.6.0/include -I/usr/local/ssl/include" \
./configure --enable-modules --enable-overlays=mod --with-cyrus-sasl

And installed the samba4 overlays as described here:

http://web.archive.org/web/20110210123448/http://wiki.samba.org/index.php/Samba4/LDAP_Backend/OpenLDAP

Turning NTLM off did solve that particular problem, but there is an error
later - it appears to be a new part of the script which attempts to use ldb
with tdb instead of the OpenLDAP backend:

Attempting to register passdb backend smbpasswd
Successfully added passdb backend 'smbpasswd'
Attempting to register passdb backend tdbsam
Successfully added passdb backend 'tdbsam'
Attempting to register passdb backend wbc_sam
Successfully added passdb backend 'wbc_sam'
Attempting to register passdb backend samba_dsdb
Successfully added passdb backend 'samba_dsdb'
Attempting to register passdb backend samba4
Successfully added passdb backend 'samba4'
Attempting to register passdb backend ldapsam
Successfully added passdb backend 'ldapsam'
Attempting to register passdb backend NDS_ldapsam
Successfully added passdb backend 'NDS_ldapsam'
Attempting to register passdb backend IPA_ldapsam
Successfully added passdb backend 'IPA_ldapsam'
Attempting to find a passdb backend to match
samba_dsdb:/usr/local/samba/private/sam.ldb (samba_dsdb)
Found pdb backend samba_dsdb
ldb: ldb error (ldb_wait: Operations error (1)) occurred searching for
modules, bailing out
ldb: Unable to load modules for /usr/local/samba/private/secrets.ldb:
ldb_wait: Operations error (1)
Could not find machine account in secrets database: Failed to fetch machine
account password from secrets.ldb: Could not open secrets.ldb and failed to
fetch SECRETS/MACHINE_PASSWORD.PREV/TESTDOMAIN from
/usr/local/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
Searching for dsServiceName in rootDSE failed: operations error at
../source4/dsdb/samdb/ldb_modules/rootdse.c:501
Failed to find our own NTDS Settings DN in the ldb!
ldb: schema_load_init: no schema head present: (skip schema loading)

ldb: module schema_load initialization failed : No such object
ldb: module rootdse initialization failed : No such object
ldb: module samba_dsdb initialization failed : No such object
ldb: Unable to load modules for /usr/local/samba/private/sam.ldb: (null)
samdb_connect failed
pdb backend samba_dsdb:/usr/local/samba/private/sam.ldb did not correctly
init (error was NT_STATUS_INTERNAL_ERROR)
ERROR(<class 'passdb.error'>): uncaught exception - Cannot re-open passdb
backend samba_dsdb:/usr/local/samba/private/sam.ldb
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/domain.py", line 400, in run
    use_rfc2307=use_rfc2307, skip_sysvolacl=False)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 2155, in provision
    skip_sysvolacl=skip_sysvolacl)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1768, in provision_fill
    names.domaindn, lp, use_ntvfs)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1536, in setsysvolacl
    passdb.reload_static_pdb()

I'll keep digging.

Thanks so much for your help!



On Wed, Aug 28, 2013 at 9:12 AM, Andrew Bartlett <abartlet at samba.org> wrote:

> On Sun, 2013-08-25 at 20:59 +0300, Nadezhda Ivanova wrote:
> > Hi Andrew,
> > I need some more advice - it appears that provisioning fails because we
> > cannot do a SASL bind, here is what appears in the log:
> > .
> > .
> > .
> >
> >
> > Successfully loaded vfs module [acl_xattr] with the new modules system
> > Initialising custom vfs hooks from [dfs_samba4]
> > Successfully loaded vfs module [dfs_samba4] with the new modules system
> > connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
> and
> > 'force unknown acl user = true' for service Unknown Service (snum == -1)
> > config file testing succeeded
> > lpcfg_servicenumber: couldn't find ldb
> > Failed to inquire of target's available sasl mechs in rootdse search:
> > NT_STATUS_UNEXPECTED_NETWORK_ERROR
> > Failed to bind - LDAP client internal error:
> > NT_STATUS_UNEXPECTED_NETWORK_ERROR
> > Failed to connect to
> > 'ldapi://%2Fusr%2Flocal%2Fsamba%2Fprivate%2Fldap%2Fldapi' with backend
> > 'ldapi': (null)
> > lpcfg_servicenumber: couldn't find ldb
> > Failed to inquire of target's available sasl mechs in rootdse search:
> > NT_STATUS_UNEXPECTED_NETWORK_ERROR
> > Failed to bind - LDAP client internal error:
> > NT_STATUS_UNEXPECTED_NETWORK_ERROR
> > Failed to connect to
> > 'ldapi://%2Fusr%2Flocal%2Fsamba%2Fprivate%2Fldap%2Fldapi' with backend
> > 'ldapi': (null)
> > lpcfg_servicenumber: couldn't find ldb
> > GENSEC backend 'gssapi_spnego' registered
> > GENSEC backend 'gssapi_krb5' registered
> > GENSEC backend 'gssapi_krb5_sasl' registered
> > GENSEC backend 'sasl-DIGEST-MD5' registered
> > GENSEC backend 'schannel' registered
> > GENSEC backend 'spnego' registered
> > GENSEC backend 'ntlmssp' registered
> > GENSEC backend 'krb5' registered
> > GENSEC backend 'fake_gssapi_krb5' registered
> > Starting GENSEC mechanism ntlmssp
> > Got challenge flags:
> > Got NTLMSSP neg_flags=0x00028205
> >   NTLMSSP_NEGOTIATE_UNICODE
> >   NTLMSSP_REQUEST_TARGET
> >   NTLMSSP_NEGOTIATE_NTLM
> >   NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>
> > Server did not provide 'target information', required for NTLMv2
>
> > Failed to bind - LDAP client internal error: NT_STATUS_INVALID_PARAMETER
> > Failed to connect to
> > 'ldapi://%2Fusr%2Flocal%2Fsamba%2Fprivate%2Fldap%2Fldapi' with backend
> > 'ldapi': (null)
>
> So, I think we have found the root cause of your issues here.  It seems
> at some point (by your later digging, between alpha13 and alpha14) our
> NTLMv2 code got much stricter, and so won't talk to the Cyrus SASL NTLM
> mech being used by OpenLDAP any more.
>
> There are other approaches that might work here.  We do build with
> cyrus-sasl, so as to have digest-md5 support.  If (and that's a big if)
> that was to work, we wouldn't need to use NTLM, which sucks generally...
>
> So, where to go from here:
>
>   You could turn off NTLMv2 - 'client ntlmv2 auth = no' should do it.
>
> This is almost certainly the change that happened between the two
> versions that last worked and didn't.  It's also clear that I need to
> give you a much more hands-on hand to get started.  Can you prepare a
> scratch git branch with whatever changes you have so far, and
> instructions so I can reproduce your environment?  Perhaps I can get you
> a bit more of a jump-start?
>
> I'm sorry this is so infuriating.
>
> Andrew Bartlett
>
> --
> Andrew Bartlett
> http://samba.org/~abartlet/
> Authentication Developer, Samba Team           http://samba.org
> Samba Developer, Catalyst IT                   http://catalyst.net.nz
>
>
>


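The negotiation failure quoted above comes down to one bit in the NTLMSSP CHALLENGE_MESSAGE: Samba's client, when it insists on NTLMv2, needs the server's TargetInfo (the AV_PAIR list that gets bound into the NTLMv2 response), and the Cyrus SASL NTLM mech sends a challenge without it. The following Python is an added example written for this page; it is not code from the thread, from Samba or from Cyrus SASL. It decodes the pasted neg_flags value 0x00028205 (the decode also shows bit 0x00020000, NTLMSSP_TARGET_TYPE_SERVER, which the Samba debug line does not list), builds two constructed CHALLENGE messages per MS-NLMP 2.2.1.2, one with and one without TargetInfo, parses them back, and applies the client-side decision with and without the 'client ntlmv2 auth = no' fallback. The flag and AV_PAIR constants are from MS-NLMP; the message bytes, the server name "SRV" and the domain name "TESTDOMAIN" are constructed sample input.

```python
"""Decode NTLMSSP CHALLENGE flags and show why a strict NTLMv2 client bails
when the server sends no TargetInfo. Added example, not Samba code."""
import struct

# NegotiateFlags bits (MS-NLMP 2.2.2.5)
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001
NTLMSSP_REQUEST_TARGET = 0x00000004
NTLMSSP_NEGOTIATE_NTLM = 0x00000200
NTLMSSP_NEGOTIATE_ALWAYS_SIGN = 0x00008000
NTLMSSP_TARGET_TYPE_SERVER = 0x00020000
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY = 0x00080000
NTLMSSP_NEGOTIATE_TARGET_INFO = 0x00800000

FLAG_NAMES = {
    NTLMSSP_NEGOTIATE_UNICODE: "NTLMSSP_NEGOTIATE_UNICODE",
    NTLMSSP_REQUEST_TARGET: "NTLMSSP_REQUEST_TARGET",
    NTLMSSP_NEGOTIATE_NTLM: "NTLMSSP_NEGOTIATE_NTLM",
    NTLMSSP_NEGOTIATE_ALWAYS_SIGN: "NTLMSSP_NEGOTIATE_ALWAYS_SIGN",
    NTLMSSP_TARGET_TYPE_SERVER: "NTLMSSP_TARGET_TYPE_SERVER",
    NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY: "NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY",
    NTLMSSP_NEGOTIATE_TARGET_INFO: "NTLMSSP_NEGOTIATE_TARGET_INFO",
}

# AV_PAIR ids (MS-NLMP 2.2.2.1)
MSV_AV_EOL = 0
MSV_AV_NB_COMPUTER_NAME = 1
MSV_AV_NB_DOMAIN_NAME = 2

SIGNATURE = b"NTLMSSP\x00"
CHALLENGE_TYPE = 2
HEADER_LEN = 48  # fixed part of CHALLENGE_MESSAGE, no optional Version field


def decode_flags(flags):
    """Names of the known bits set in NegotiateFlags, lowest bit first."""
    return [name for bit, name in sorted(FLAG_NAMES.items()) if flags & bit]


def encode_av_pairs(pairs):
    """Serialize [(av_id, value), ...] as AV_PAIRs terminated by MsvAvEOL."""
    body = b"".join(struct.pack("<HH", av_id, len(val)) + val for av_id, val in pairs)
    return body + struct.pack("<HH", MSV_AV_EOL, 0)


def decode_av_pairs(blob):
    """Walk AV_PAIRs until MsvAvEOL; reject a list that is not terminated."""
    pairs, pos = [], 0
    while pos + 4 <= len(blob):
        av_id, av_len = struct.unpack_from("<HH", blob, pos)
        pos += 4
        if av_id == MSV_AV_EOL:
            return pairs
        pairs.append((av_id, blob[pos:pos + av_len]))
        pos += av_len
    raise ValueError("TargetInfo not terminated by MsvAvEOL")


def build_challenge(flags, server_challenge, target_name=b"", av_pairs=None):
    """Construct a CHALLENGE_MESSAGE; av_pairs=None models a server (like the
    Cyrus SASL NTLM mech in the thread) that sends no TargetInfo at all."""
    if len(server_challenge) != 8:
        raise ValueError("ServerChallenge must be 8 bytes")
    target_info = b""
    if av_pairs is not None:
        target_info = encode_av_pairs(av_pairs)
        flags |= NTLMSSP_NEGOTIATE_TARGET_INFO
    name_off = HEADER_LEN
    info_off = name_off + len(target_name)
    return (SIGNATURE
            + struct.pack("<I", CHALLENGE_TYPE)
            + struct.pack("<HHI", len(target_name), len(target_name), name_off)
            + struct.pack("<I", flags)
            + server_challenge
            + b"\x00" * 8                      # Reserved
            + struct.pack("<HHI", len(target_info), len(target_info), info_off)
            + target_name + target_info)


def parse_challenge(blob):
    """Parse the fixed header and the two payload fields of a CHALLENGE_MESSAGE."""
    if blob[:8] != SIGNATURE or struct.unpack_from("<I", blob, 8)[0] != CHALLENGE_TYPE:
        raise ValueError("not an NTLMSSP CHALLENGE_MESSAGE")
    name_len, _, name_off = struct.unpack_from("<HHI", blob, 12)
    flags = struct.unpack_from("<I", blob, 20)[0]
    info_len, _, info_off = struct.unpack_from("<HHI", blob, 40)
    target_info = blob[info_off:info_off + info_len]
    return {
        "flags": flags,
        "server_challenge": blob[24:32],
        "target_name": blob[name_off:name_off + name_len],
        "av_pairs": decode_av_pairs(target_info) if target_info else [],
    }


def client_can_proceed(challenge, require_ntlmv2=True):
    """Client-side decision: NTLMv2 binds the server's TargetInfo into the
    response, so a client that requires NTLMv2 must refuse a challenge
    without it; 'client ntlmv2 auth = no' lets it fall back to NTLMv1."""
    flags = challenge["flags"]
    if flags & NTLMSSP_NEGOTIATE_TARGET_INFO and challenge["av_pairs"]:
        return True, "NTLMv2"
    if require_ntlmv2:
        return False, "Server did not provide 'target information', required for NTLMv2"
    return True, "NTLMv1 (client ntlmv2 auth = no)"


if __name__ == "__main__":
    print(decode_flags(0x00028205))
    bare = parse_challenge(build_challenge(0x00028205, b"\x01" * 8, "SRV".encode("utf-16-le")))
    print(client_can_proceed(bare), client_can_proceed(bare, require_ntlmv2=False))
    full = parse_challenge(build_challenge(0x00028205, b"\x02" * 8, b"", [
        (MSV_AV_NB_COMPUTER_NAME, "SRV".encode("utf-16-le")),
        (MSV_AV_NB_DOMAIN_NAME, "TESTDOMAIN".encode("utf-16-le"))]))
    print(client_can_proceed(full))
```

The parser trusts the offsets in the message only as far as Python slicing allows; a production decoder must also check that name_off/info_off plus their lengths lie inside the blob, since those fields are attacker-controlled on the wire. The security trade-off in Andrew's workaround is visible in client_can_proceed: with require_ntlmv2=False the bind succeeds, but with an NTLMv1 response that is not bound to the server's identity.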