[Samba] Re: Samba 3.0.3 on FC2: windows machine cannot join domain

John H Terpstra jht at samba.org
Fri Sep 24 05:41:42 GMT 2004


Tony,

I look forward to your findings in detail.

Thanks.

- John T.

On Thursday 23 September 2004 23:35, Tony Fugere wrote:
> After further review, I don't believe this is the proper approach to the
> problem. It seems to me that the %u is being used ambiguously. The logic
> of how the published API of the variables and the call to the
> smbldap-useradd program makes it important for the documenters to
> understand what the tools are doing... not what is happening in samba.
> We can see what is happening with the tools by looking at lines 84 to 92
> of smbldap-useradd:
>
> # Read only first @ARGV
> my $userName = $ARGV[0];
>
> # For computers account, add a trailing dollar if missing
> if (defined($Options{'w'})) {
>  if ($userName =~ /[^\$]$/s) {
>    $userName .= "\$";
>  }
> }
>
> My understanding is that if I am logged into an XP machine named
> "INFERIOROS" and want to join the Domain "SAMBADOMAIN", when the request
> is placed by INFERIOROS, the machine running samba for SAMBADOMAIN tries
> to look up INFERIOROS. It sees that there is no machine in the (LDAP in
> this case) database. So, it turns to the smb.conf file to see what it
> should do to add the machine and sees:
>
> add machine script = /usr/local/sbin/smbldap-useradd -w "%m"
>
> After processing through the lines mentioned above of smbldap-useradd
> you would end up with $userName == INFERIOROS$
>
> In line 218 where the subroutine add_posix_machine from smbldap_tools.pm
> is called the $userName gets passed into line 373 of that perl module
> which reads:
>
> my $add = $ldap->add ( "uid=$user,$config{computersdn}.....
>
> Don't we want the $user passed in to be the machine name in this case
> since it is a machine we are adding and not a user?
>
> This userName gets passed into subsequent functions and I eventually end
> up with a well-formed machine in LDAP called INFERIOROS$ with the four
> objectClasses: top, inetOrgPerson, posixAccount, and sambaSAMAccount all
> filled with their respective attributes. On the other hand, when I have
> the smb.conf using:
>
> add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
>
> I end up with an incomplete machine record uid=INFERIOROS$ in LDAP that
> only holds the objectClasses: top, inetOrgPerson, and posixAccount (I
> assume this is from the module handling automatic account creation that
> you mentioned)
>
> BUT ALSO,
>
> I end up with an incomplete machine record uid=root$ (my admin user to
> join the domain) with the same three objectClasses and their attributes.
> (This is coming from the smbldap-useradd tool)
>
> The sambaSAMAccount objectClass is never created for the INFERIOROS$
> record and I get the error "Cannot join domain, the user name could not
> be found" (approximately).
>
> Obviously, this is not the desired result.
>
> Without investigation into the rpc_src and sam modules and having the
> log level configured to report their errors, it is obvious that
> something is wrong here. I understand that you, as well as many others,
> have not had trouble with %u, but the fact remains that the %u is
> ambiguous. The %m makes much more sense for machine name; especially
> since it is used elsewhere in the smb.conf. Should the ambiguity of %u
> be plucked through in the samba code so that %m is used for machines
> instead of this substitution? I will still investigate it tomorrow to
> deliver the results of debugging the modules in contest to compare and
> contrast the differences in our systems.
>
> The default shell for the tools in the smbldap.conf is /bin/bash,
> luckily we've changed ours to /bin/false because none of our users
> (except a few) need shell access. Is it also a possible security problem
> to have this root$ machine that has no password? I will investigate that
> as well to see the implications of a machine with no password and
> /bin/bash shell access.
>
> Tony Fugere
>
> -------------------
>
> Tony Fugere wrote:
>
> I'm pretty sure that we have our problems solved by using %m, but I will
> triple check and post results in a few hours. I don't really want to
> mislead anyone into having a six month struggle as I have had with this.
>
> Tony
>
> -------------------
>
> John H Terpstra wrote:
>
> Tony,
>
> I do not have any proof to contradict your information, however, the source
> code suggests that this advice is perhaps suspect.
>
> The particular module that handles automatic account creation is in
> ~samba/source/rpc_server/srv_samr_nt.c and specifically at line 2253.
> Here is the very line that does the parameter substitution:
>
>  all_string_sub(add_script, "%u", account, sizeof(add_script));
>
> As you can see, it is the "%u" parameter that is being substituted. Maybe I
> am reading this incorrectly? However, I have performed many hundreds of
> installations and have always used the "%u" parameter - and it has worked.
>
> Given this background I respectfully suggest that we should understand
> precisely what is happening in your situation by examining the samba logs
> for the use of this function give both the "%u" and again with the "%m"
> parameters. You can turn up the debug level on just this module by setting
> in smb.conf [globals]:
> 	log level = 0 rpc_srv:5 sam:5
> 	log file = /var/log/samba/%m.log
> 	max log size = 0
>
> Please would you test this and report the findings. If our documentation is in
> error I want to fix it immediately.
>
> Thanks so much for your input.
>
> Cheers,
> John T.

-- 
John H Terpstra
Samba-Team Member
Phone: +1 (650) 580-8668

Author:
The Official Samba-3 HOWTO & Reference Guide, ISBN: 0131453556
Samba-3 by Example, ISBN: 0131472216
Hardening Linux, ISBN: 0072254971
OpenLDAP by Example, ISBN: 0131488732
Other books in production.
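The symptoms Tony describes (a machine record with only top, inetOrgPerson and posixAccount, a stray root$ record named after the admin who performed the join, and a machine account that inherits the tools' default login shell) are easy to spot in an LDAP directory once you know what to look for. The following is an added example written for this archive page; it is not code from the thread, from Samba or from smbldap-tools. It ports the trailing-dollar rule quoted from smbldap-useradd to Python and runs a small audit over a constructed LDIF sample (the DNs under ou=Computers,dc=example,dc=com and the entries themselves are made up for the example; uid, objectClass and loginShell are the standard attribute names). The audit flags machine accounts missing sambaSAMAccount, machine accounts whose name is an admin user plus $, and machine accounts whose shell is anything other than /bin/false.

```python
"""Audit of Samba machine accounts in LDAP (added example, not project code).

The LDIF below is constructed sample data, not output from a real server.
"""
import re
from typing import Dict, List, Tuple

SAMPLE_LDIF = """\
dn: uid=INFERIOROS$,ou=Computers,dc=example,dc=com
uid: INFERIOROS$
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
loginShell: /bin/false

dn: uid=root$,ou=Computers,dc=example,dc=com
uid: root$
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
loginShell: /bin/bash

dn: uid=GOODPC$,ou=Computers,dc=example,dc=com
uid: GOODPC$
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: sambaSAMAccount
loginShell: /bin/false
"""


def normalise_machine_name(name: str) -> str:
    """Port of the smbldap-useradd -w rule: append '$' if it is missing.

    This is what turns whatever the add machine script hands over into
    the account name that ends up in LDAP, so "root" becomes "root$".
    """
    return name if name.endswith("$") else name + "$"


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: entries separated by blank lines, attr: value."""
    entries: List[Dict[str, List[str]]] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry: Dict[str, List[str]] = {}
        for line in block.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            key, _, value = line.partition(":")
            entry.setdefault(key.strip(), []).append(value.strip())
        entries.append(entry)
    return entries


def audit_machine_accounts(entries: List[Dict[str, List[str]]],
                           admin_users: Tuple[str, ...] = ("root",)
                           ) -> List[Tuple[str, str]]:
    """Return (uid, finding) pairs for machine accounts that look wrong."""
    findings: List[Tuple[str, str]] = []
    admin_machine_names = {normalise_machine_name(u) for u in admin_users}
    for entry in entries:
        uid = entry.get("uid", [""])[0]
        if not uid.endswith("$"):
            continue  # machine accounts are the ones with a trailing '$'
        classes = set(entry.get("objectClass", []))
        # A join only succeeds once sambaSAMAccount has been added.
        if "sambaSAMAccount" not in classes:
            findings.append((uid, "missing sambaSAMAccount objectClass"))
        # A machine record named after the joining admin means the script
        # received the user name instead of the machine name.
        if uid in admin_machine_names:
            findings.append((uid, "machine account named after an admin user"))
        # Machine accounts should never carry an interactive shell.
        shell = entry.get("loginShell", [""])[0]
        if shell and shell != "/bin/false":
            findings.append((uid, f"login shell is {shell}, expected /bin/false"))
    return findings


def run_sample() -> List[Tuple[str, str]]:
    return audit_machine_accounts(parse_ldif(SAMPLE_LDIF))


if __name__ == "__main__":
    for uid, problem in run_sample():
        print(f"{uid}: {problem}")
```

Against a live directory the same `audit_machine_accounts` function can be fed the output of an `ldapsearch` over the computers container instead of the embedded sample; the parser only understands the simple attr: value form, so base64-encoded (`::`) attributes would need a fuller LDIF reader.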
