[Samba] samba-3.0.0: bugs in PDC/BDC mode with LDAP
Joerg Pulz
Joerg.Pulz at frm2.tum.de
Mon Nov 3 17:52:01 GMT 2003
hi,
i've sent this mail to the samba-technical list last week, but there was
no reaction, so i try it here. sorry, if samba-technical was not the
right place for these things..
---
october the 25th. i updated our samba servers to 3.0.0 and i found some
bugs during the whole week, which i couldn't fix alone, cause i'm no good
programmer.
first my infrastructure:
3 hosts
all running FreeBSD-5.1 on ix86
all have OpenLDAP-2.1.22 and nss_ldap
1 host configured as PDC and LDAP master
2 hosts configured as BDC and LDAP replicator
[Profiles] are stored on the PDC.
the complete setup was working for a long time with samba-2.2.8a
i compiled samba-3.0.0 with '--with-ldap --with-ldapsam --with-quotas
--with-sys-quotas --with-ads --with-syslog --with-utmp --with-msdfs
--with-krb5=/usr --with-acl-support --with-libiconv'
configure and make was running without problems. converting the current
LDAP tree was also no problem. everything was fine and very fast.
the first problem i saw was an error when logging off from a
windows2000-SP4 domain member. the profile data wasn't written back.
the logfile shows a "PANIC" line like this:
-> PANIC: sys_[sg]et_vfs_quota: called with NULL pointer
sorry, don't know if it was "set" or "get".
i recompiled samba without --with-sys-quotas and everything was fine
again.
the next problem i saw was another error message in the logs similar to
#281 in bugzilla
the complete message is:
----
[2003/10/28 20:21:12, 1] smbd/service.c:make_connection_snum(698)
ts3 (172.25.1.96) connect to service Profiles initially as user tester
(uid=12345, gid=3456) (pid 25364)
[2003/10/28 20:21:12, 0] lib/smbldap.c:smbldap_open(799)
smbldap_open: cannot access LDAP when not root..
[2003/10/28 20:21:12, 1] lib/smbldap.c:smbldap_retry_open(888)
Connection to LDAP Server failed for the 1 try!
[2003/10/28 20:21:12, 0] passdb/pdb_ldap.c:ldapsam_search_one_group(1612)
ldapsam_search_one_group: Problem during the LDAP search: LDAP error:
(Insufficient access)smbldap_open: cannot access LDAP when not root..
[2003/10/28 20:21:12, 1] lib/smbldap.c:smbldap_retry_open(888)
Connection to LDAP Server failed for the 1 try!
[2003/10/28 20:21:12, 0] passdb/pdb_ldap.c:ldapsam_search_one_group(1612)
ldapsam_search_one_group: Problem during the LDAP search: LDAP error:
(Insufficient access)ts3 (172.25.1.96) connect to service netlogon
initially
as user tester (uid=12345, gid=3456) (pid 25364)
----
this error isn't shown at every login, it only occurs sometimes, but it
prevents the windows host from correctly loading and saving the profile,
which leads to errors at the next login to this host. the options 'profile
acls = yes' and 'nt acl support = yes' are set for the [profiles] share and
'profile acls = yes' is shown by 'testparm -v' but 'nt acl support = yes'
isn't shown, i don't know why.
the next problem is the same as already mentioned in #576 and #623 in
bugzilla.
my procedure to create a user/machine was: run a script manually to add a
user/machine entry with posix attributes to the LDAP directory and later
add samba attributes with 'pdbedit' or 'smbpasswd'. this procedure was
working fine in samba-2.2.8a.
this isn't working in 3.0.0 anymore. if the user/machine is already in the
LDAP directory the error is:
----
ldapsam_add_sam_account: Adding new user
init_ldap_from_sam: Setting entry for user: test$
ldapsam_modify_entry: Failed to add user
dn= uid=test$,ou=Computer,dc=domain,dc=de with: Already exists
ldapsam_add_sam_account: failed to modify/add user with uid = test$
(dn = uid=test$,ou=Computer,dc=domain,dc=de)
Unable to add machine! (does it already exist?)
----
if the user/machine account is in the directory with posix but without
samba attributes and i try to join the domain, the error is the same.
i think it's the same function that is used for both cases.
if the account is NOT in the LDAP directory the error is:
----
ldapsam_add_sam_account: Adding new user
init_ldap_from_sam: Setting entry for user: test$
ldapsam_modify_entry: Failed to add user
dn= uid=test$,ou=Computer,dc=domain,dc=de with: Object class violation
object class 'sambaSamAccount' requires attribute 'sambaSID'
ldapsam_add_sam_account: failed to modify/add user with uid = test$
(dn = uid=test$,ou=Computer,dc=domain,dc=de)
Unable to add machine! (does it already exist?)
----
so a possible solution for the first error could be to add an smb.conf
option similar to 'ldap delete dn = yes/no' maybe something like
'ldap add/create dn = yes/no'.
so, if 'ldap add/create dn' is set to 'yes', the complete entry will be
created, otherwise only samba attributes will be added to the existing
entry.
the second error looks to me like a 'two step used' where 'one step is
needed'.
clearly:
----
-> first step
dn: ....
add: objectClass
objectClass: sambaSamAccount
-
-> the error occurs here
-> second step
dn: ....
add: sambaSID
sambaSID: S-....
-
----
and it should be:
-> first step
dn: ....
add: objectClass
objectClass: sambaSamAccount
-
add: sambaSID
sambaSID: S-....
-
-> no error occurred
----
the next thing i found belongs to 'maybe unnecessary' changes to the LDAP
entries for machine accounts. my replog file shows such entries:
----
dn: uid=pc-210$,ou=Computer,dc=domain,dc=de
changetype: modify
add: sambaPwdCanChange
sambaPwdCanChange: 1067459841
-
delete: sambaPwdCanChange
sambaPwdCanChange: 1067458941
-
add: sambaPwdLastSet
sambaPwdLastSet: 1067459841
-
delete: sambaPwdLastSet
sambaPwdLastSet: 1067458941
-
replace: entryCSN
entryCSN: 2003102920:37:21Z#0x0001#0#0000
-
replace: modifiersName
modifiersName: cn=samba,dc=domain,dc=de
-
replace: modifyTimestamp
modifyTimestamp: 20031029203721Z
-
----
these entries come up every 15 mins. !!!! for every windows domain member!
but it seems, that the password hashes for these accounts haven't changed.
okay, i think that these timestamps are relevant, but isn't it cheaper to
use 'replace: ...' than 'add: ....' and one step later 'delete: ....'?
i mentioned, due to my own fault, that using samba-3.0.0 on a BDC/LDAP
replica with a write-enabled account is really a bad idea!
i think in this special case samba isn't acting right on LDAP referrals.
samba should go to the LDAP master to change things, but is changing some
attributes in the replicated directory, which leads to replica rejections
on the master with errors like: 'ERROR: value exists' or 'ERROR: no such
attribute', where i don't understand why 'no such attribute' is given as
error, but that's another thing.
after changing some ACLs for LDAP i saw, that the samba BDC still tries
to write some stuff to the LDAP master, but it fails because the changes
are already made by the samba PDC. isn't the BDC a read-only thing that
should never change things in the account database??
okay, that's enough for the moment and i want to thank everyone who
contributes to the samba project and makes it the thing it currently is.
feel free to ask for detailed logfiles if needed to track down all the
problematic points i found.
regards
Joerg
-> i tried the whole scenario without '--with-ldapsam' but that didn't
change anything.
--> i was currently not able to try 3.0.1-pre1 but the Changelog shows
nothing about the above problems, so i think they are still open.
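The two-step versus one-step modify, the 'Already exists' error, and the add/delete versus replace records discussed in the mail above, as an added example that is not part of the original post and not Samba's own code: a small in-memory model of LDAP modify semantics in Python. An LDAP modify is one atomic operation, so every change in it is applied and the entry is checked against the schema once, at the end; that is why adding the sambaSamAccount objectClass and sambaSID in two separate modifies fails at the first one while one modify carrying both changes succeeds. The Directory class, the schema fragment, the uid/gid numbers and the sambaSID value are constructed for the example; only the dn and the attribute names come from the post.

```python
# Constructed schema fragment: objectClass -> attributes it requires (MUST).
SCHEMA_MUST = {
    "posixAccount": {"uid", "uidNumber", "gidNumber", "homeDirectory"},
    "sambaSamAccount": {"uid", "sambaSID"},
}

MACHINE_DN = "uid=test$,ou=Computer,dc=domain,dc=de"  # dn from the post
SAMBA_SID = "S-1-5-21-1-2-3-1001"                      # constructed placeholder SID
POSIX_ONLY = {                                         # constructed posix-only entry
    "objectClass": ["top", "posixAccount"],
    "uid": ["test$"], "uidNumber": ["12345"], "gidNumber": ["3456"],
    "homeDirectory": ["/dev/null"],
}
WITH_SAMBA = {**POSIX_ONLY,
              "objectClass": POSIX_ONLY["objectClass"] + ["sambaSamAccount"],
              "sambaSID": [SAMBA_SID]}


class LdapError(Exception):
    """Carries the result text an LDAP server would return."""


class Directory:
    """Hypothetical minimal directory: dn -> {attribute: set of values}."""

    def __init__(self):
        self.entries = {}

    def add(self, dn, attrs):
        if dn in self.entries:
            raise LdapError("Already exists")
        entry = {k: set(v) for k, v in attrs.items()}
        self._check_schema(entry)
        self.entries[dn] = entry

    def modify(self, dn, changes):
        """Apply [(op, attr, values), ...] atomically; schema is checked once."""
        if dn not in self.entries:
            raise LdapError("No such object")
        work = {k: set(v) for k, v in self.entries[dn].items()}  # copy: rollback on error
        for op, attr, values in changes:
            values = set(values)
            current = work.setdefault(attr, set())
            if op == "add":
                if current & values:
                    raise LdapError("Type or value exists")
                current |= values
            elif op == "delete":
                if not values <= current:
                    raise LdapError("No such attribute")
                current -= values
            elif op == "replace":
                work[attr] = values
            if not work[attr]:
                del work[attr]
        self._check_schema(work)
        self.entries[dn] = work

    @staticmethod
    def _check_schema(entry):
        for oc in entry.get("objectClass", ()):
            missing = SCHEMA_MUST.get(oc, set()) - set(entry)
            if missing:
                raise LdapError("Object class violation: object class "
                                f"'{oc}' requires attribute '{sorted(missing)[0]}'")


def _posix_directory():
    d = Directory()
    d.add(MACHINE_DN, POSIX_ONLY)
    return d


def add_over_existing_entry():
    """Re-adding a dn that already holds the posix entry: the first error in the post."""
    d = _posix_directory()
    try:
        d.add(MACHINE_DN, WITH_SAMBA)
    except LdapError as e:
        return str(e)
    return "ok"


def two_step_modify():
    """objectClass first, sambaSID in a second modify: fails at step one."""
    d = _posix_directory()
    try:
        d.modify(MACHINE_DN, [("add", "objectClass", ["sambaSamAccount"])])
        d.modify(MACHINE_DN, [("add", "sambaSID", [SAMBA_SID])])
    except LdapError as e:
        return str(e)
    return "ok"


def one_step_modify():
    """Both changes in one modify: the entry satisfies the schema when checked."""
    d = _posix_directory()
    d.modify(MACHINE_DN, [("add", "objectClass", ["sambaSamAccount"]),
                          ("add", "sambaSID", [SAMBA_SID])])
    return sorted(d.entries[MACHINE_DN]["sambaSID"])


def update_timestamp(stored, old, new, use_replace):
    """The replog's add-new/delete-old pair versus a single replace.  Both give
    the same end state when stored == old; if the stored value differs (an
    out-of-sync copy), deleting old fails with 'No such attribute' while
    replace still succeeds."""
    d = Directory()
    d.add(MACHINE_DN, {**WITH_SAMBA, "sambaPwdLastSet": [stored]})
    if use_replace:
        changes = [("replace", "sambaPwdLastSet", [new])]
    else:
        changes = [("add", "sambaPwdLastSet", [new]),
                   ("delete", "sambaPwdLastSet", [old])]
    try:
        d.modify(MACHINE_DN, changes)
    except LdapError as e:
        return str(e)
    return sorted(d.entries[MACHINE_DN]["sambaPwdLastSet"])
```

Calling `two_step_modify()` returns the object class violation text and `one_step_modify()` returns the SID, which is the whole point of the "one step is needed" remark. `update_timestamp()` is a model of the replog record, not of Samba's code: the add/delete pair and the replace reach the same state on an in-sync copy, but only the add/delete pair depends on the old value being present, which is one way a stale replica can answer 'No such attribute'.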