samba with openldap provisioning
Nadezhda Ivanova
nivanova at samba.org
Thu Aug 29 08:42:47 MDT 2013
Hi Andrew,
I have re-introduced some of the removed provision options, and committed
them in my repo: git://git.samba.org/nivanova/samba.git
The branch is openldap_provision.
The environment:
I am running ubuntu 13.04 and installed cyrus sasl and the latest version
of berkeley db (6.0.20) from here:
http://www.oracle.com/technetwork/products/berkeleydb/downloads/index.html
I installed the latest OpenLdap from the repo: git://git.openldap.org/openldap.git
This is my openldap configure command:
LD_LIBRARY_PATH="/usr/lib:/usr/local/lib:/usr/local/BerkeleyDB.6.0/lib:/usr/local/ssl/lib"
LDFLAGS="-L/usr/local/lib -L/usr/local/BerkeleyDB.4.2/lib
-L/usr/local/ssl/lib" CPPFLAGS="-I/usr/local/include
-I/usr/local/BerkeleyDB.6.0/include -I/usr/local/ssl/include" ./configure
--enable-modules --enable-overlays=mod --with-cyrus-sasl
And installed the samba4 overlays as described here:
http://web.archive.org/web/20110210123448/http://wiki.samba.org/index.php/Samba4/LDAP_Backend/OpenLDAP
Turning ntlm off did solve that particular problem, but there is an error
later - it appears to be a new part of the script which attempts to use ldb
with tdb instead of the openldap backend:
Attempting to register passdb backend smbpasswd
Successfully added passdb backend 'smbpasswd'
Attempting to register passdb backend tdbsam
Successfully added passdb backend 'tdbsam'
Attempting to register passdb backend wbc_sam
Successfully added passdb backend 'wbc_sam'
Attempting to register passdb backend samba_dsdb
Successfully added passdb backend 'samba_dsdb'
Attempting to register passdb backend samba4
Successfully added passdb backend 'samba4'
Attempting to register passdb backend ldapsam
Successfully added passdb backend 'ldapsam'
Attempting to register passdb backend NDS_ldapsam
Successfully added passdb backend 'NDS_ldapsam'
Attempting to register passdb backend IPA_ldapsam
Successfully added passdb backend 'IPA_ldapsam'
Attempting to find a passdb backend to match
samba_dsdb:/usr/local/samba/private/sam.ldb (samba_dsdb)
Found pdb backend samba_dsdb
ldb: ldb error (ldb_wait: Operations error (1)) occurred searching for
modules, bailing out
ldb: Unable to load modules for /usr/local/samba/private/secrets.ldb:
ldb_wait: Operations error (1)
Could not find machine account in secrets database: Failed to fetch machine
account password from secrets.ldb: Could not open secrets.ldb and failed to
fetch SECRETS/MACHINE_PASSWORD.PREV/TESTDOMAIN from
/usr/local/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
Searching for dsServiceName in rootDSE failed: operations error at
../source4/dsdb/samdb/ldb_modules/rootdse.c:501
Failed to find our own NTDS Settings DN in the ldb!
ldb: schema_load_init: no schema head present: (skip schema loading)
ldb: module schema_load initialization failed : No such object
ldb: module rootdse initialization failed : No such object
ldb: module samba_dsdb initialization failed : No such object
ldb: Unable to load modules for /usr/local/samba/private/sam.ldb: (null)
samdb_connect failed
pdb backend samba_dsdb:/usr/local/samba/private/sam.ldb did not correctly
init (error was NT_STATUS_INTERNAL_ERROR)
ERROR(<class 'passdb.error'>): uncaught exception - Cannot re-open passdb
backend samba_dsdb:/usr/local/samba/private/sam.ldb
File
"/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
line 175, in _run
return self.run(*args, **kwargs)
File
"/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/domain.py", line
400, in run
use_rfc2307=use_rfc2307, skip_sysvolacl=False)
File
"/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py",
line 2155, in provision
skip_sysvolacl=skip_sysvolacl)
File
"/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py",
line 1768, in provision_fill
names.domaindn, lp, use_ntvfs)
File
"/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py",
line 1536, in setsysvolacl
passdb.reload_static_pdb()
I'll keep digging.
Thanks so much for your help!
On Wed, Aug 28, 2013 at 9:12 AM, Andrew Bartlett <abartlet at samba.org> wrote:
> On Sun, 2013-08-25 at 20:59 +0300, Nadezhda Ivanova wrote:
> > Hi Andrew,
> > I need some more advice - it appears that provisioning fails because we
> > cannot do a sasl bind, here is what appears in the log:
> > .
> > .
> > .
> >
> >
> > Successfully loaded vfs module [acl_xattr] with the new modules system
> > Initialising custom vfs hooks from [dfs_samba4]
> > Successfully loaded vfs module [dfs_samba4] with the new modules system
> > connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and
> > 'force unknown acl user = true' for service Unknown Service (snum == -1)
> > config file testing succeeded
> > lpcfg_servicenumber: couldn't find ldb
> > Failed to inquire of target's available sasl mechs in rootdse search:
> > NT_STATUS_UNEXPECTED_NETWORK_ERROR
> > Failed to bind - LDAP client internal error:
> > NT_STATUS_UNEXPECTED_NETWORK_ERROR
> > Failed to connect to
> > 'ldapi://%2Fusr%2Flocal%2Fsamba%2Fprivate%2Fldap%2Fldapi' with backend
> > 'ldapi': (null)
> > lpcfg_servicenumber: couldn't find ldb
> > Failed to inquire of target's available sasl mechs in rootdse search:
> > NT_STATUS_UNEXPECTED_NETWORK_ERROR
> > Failed to bind - LDAP client internal error:
> > NT_STATUS_UNEXPECTED_NETWORK_ERROR
> > Failed to connect to
> > 'ldapi://%2Fusr%2Flocal%2Fsamba%2Fprivate%2Fldap%2Fldapi' with backend
> > 'ldapi': (null)
> > lpcfg_servicenumber: couldn't find ldb
> > GENSEC backend 'gssapi_spnego' registered
> > GENSEC backend 'gssapi_krb5' registered
> > GENSEC backend 'gssapi_krb5_sasl' registered
> > GENSEC backend 'sasl-DIGEST-MD5' registered
> > GENSEC backend 'schannel' registered
> > GENSEC backend 'spnego' registered
> > GENSEC backend 'ntlmssp' registered
> > GENSEC backend 'krb5' registered
> > GENSEC backend 'fake_gssapi_krb5' registered
> > Starting GENSEC mechanism ntlmssp
> > Got challenge flags:
> > Got NTLMSSP neg_flags=0x00028205
> > NTLMSSP_NEGOTIATE_UNICODE
> > NTLMSSP_REQUEST_TARGET
> > NTLMSSP_NEGOTIATE_NTLM
> > NTLMSSP_NEGOTIATE_ALWAYS_SIGN
> > Server did not provide 'target information', required for NTLMv2
> > Failed to bind - LDAP client internal error: NT_STATUS_INVALID_PARAMETER
> > Failed to connect to
> > 'ldapi://%2Fusr%2Flocal%2Fsamba%2Fprivate%2Fldap%2Fldapi' with backend
> > 'ldapi': (null)
>
> So, I think we have found the root cause of your issues here. It seems
> at some point (by your later digging, between alpha13 and alpha14) our
> NTLMv2 code got much stricter, and so won't talk to the Cyrus SASL NTLM
> mech being used by OpenLDAP any more.
>
> There are other approaches that might work here. We do build with
> cyrus-sasl, so as to have digest-md5 support. If (and that's a big if)
> that was to work, we wouldn't need to use NTLM, which sucks generally...
>
> So, where to go from here:
>
> You could turn off NTLMv2 - 'client ntlmv2 auth = no' should do it.
>
> This is almost certainly the change that happened between the two
> versions that last worked and didn't. It's also clear that I need to
> give you a much more hands-on hand to get started. Can you prepare a
> scratch git branch with whatever changes you have so far, and
> instructions so I can reproduce your environment? Perhaps I can get you
> a bit more of a jump-start?
>
> I'm sorry this is so infuriating.
>
> Andrew Bartlett
>
> --
> Andrew Bartlett
> http://samba.org/~abartlet/
> Authentication Developer, Samba Team http://samba.org
> Samba Developer, Catalyst IT http://catalyst.net.nz
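The refusal in the quoted log ("Server did not provide 'target information', required for NTLMv2") is the strict client rejecting a CHALLENGE_MESSAGE without an AV_PAIR list. The following is an added example, not code from this thread or from Samba: it builds two constructed NTLMSSP Type 2 messages (one with the flag word 0x00028205 from the log and no target information, one with NTLMSSP_NEGOTIATE_TARGET_INFO and a domain AV_PAIR), parses them, and applies the check that decides whether NTLMv2 can proceed; the challenge bytes and message layout follow MS-NLMP, and the sample values are constructed.

```python
import struct

# NTLMSSP NegotiateFlags (MS-NLMP 2.2.2.5); the subset relevant here.
FLAGS = {
    "NTLMSSP_NEGOTIATE_UNICODE":     0x00000001,
    "NTLMSSP_REQUEST_TARGET":        0x00000004,
    "NTLMSSP_NEGOTIATE_NTLM":        0x00000200,
    "NTLMSSP_NEGOTIATE_ALWAYS_SIGN": 0x00008000,
    "NTLMSSP_TARGET_TYPE_SERVER":    0x00020000,
    "NTLMSSP_NEGOTIATE_TARGET_INFO": 0x00800000,
}

def flag_names(flags):
    """Names of the known bits set in a NegotiateFlags word."""
    return [n for n, v in FLAGS.items() if flags & v]

def build_challenge(flags, server_challenge, target_info=b""):
    """Constructed CHALLENGE_MESSAGE (Type 2) with an empty TargetName.
    Fixed header: Signature(8) Type(4) TargetNameFields(8) Flags(4)
    ServerChallenge(8) Reserved(8) TargetInfoFields(8) = 48 bytes."""
    msg = b"NTLMSSP\x00" + struct.pack("<I", 2)
    msg += struct.pack("<HHI", 0, 0, 48)              # TargetName: empty
    msg += struct.pack("<I", flags) + server_challenge + bytes(8)
    msg += struct.pack("<HHI", len(target_info), len(target_info), 48)
    return msg + target_info

def parse_challenge(msg):
    """Extract the fields a client needs to decide whether NTLMv2 is possible."""
    if len(msg) < 48 or msg[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP message")
    if struct.unpack_from("<I", msg, 8)[0] != 2:
        raise ValueError("not a CHALLENGE_MESSAGE")
    flags = struct.unpack_from("<I", msg, 20)[0]
    info_len, _, info_off = struct.unpack_from("<HHI", msg, 40)
    if info_off + info_len > len(msg):
        raise ValueError("TargetInfo fields point outside the message")
    return {"flags": flags, "challenge": msg[24:32],
            "target_info": msg[info_off:info_off + info_len]}

def ntlmv2_usable(parsed):
    """Strict client rule: NTLMv2 binds the response to the server's target
    information (AV_PAIR list), so it must be both advertised and present."""
    return bool(parsed["flags"] & FLAGS["NTLMSSP_NEGOTIATE_TARGET_INFO"]) \
        and len(parsed["target_info"]) > 0

# Constructed samples: the first reuses the flag word from the log above and
# carries no target information; the second adds an AV_PAIR list holding
# MsvAvNbDomainName (AvId 2, UTF-16LE) followed by the MsvAvEOL terminator.
CHALLENGE = b"\x01\x23\x45\x67\x89\xab\xcd\xef"      # constructed, not real
SASL_STYLE = build_challenge(0x00028205, CHALLENGE)
AV_PAIRS = struct.pack("<HH", 2, 20) + "TESTDOMAIN".encode("utf-16-le") + struct.pack("<HH", 0, 0)
AD_STYLE = build_challenge(0x00028205 | FLAGS["NTLMSSP_NEGOTIATE_TARGET_INFO"], CHALLENGE, AV_PAIRS)
```

Running `ntlmv2_usable` on the two samples shows why the strict client fails against the first and succeeds against the second; setting 'client ntlmv2 auth = no' makes the client fall back to NTLMv1, which does not need the target information but also loses the server binding.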