[Samba] debugging smbldap-useradd failures
tarjei
tarjei at nu.no
Sat Jan 27 15:11:33 GMT 2007
Hi, I just thought I'd post here some notes after a long bug search.
Keywords:
failed to perform search; Unexpected EOF
using Domain Admins to add machines
The problem was that I got this in the sambalog:
_samr_create_user: Running the command `/usr/sbin/smbldap-useradd -w
"machine$"' gave 127
Part of the problem was that this isn't a lot to go on, and the command
worked if I ran it from the commandline.
To get around that, I wrote a wrapper script that logged the output from
the command [1]. The script, combined with some extra debugging output
placed in the smbldap-tools code, showed that smbldap-tools expected the
user to be root and if not it would not read the file smbldap_bind.conf.
Here's part of the code:
if ($< == 0) {
    ( read the file )
} else {
    $conf{slaveDN}=$conf{slavePw}=$conf{masterDN}=$conf{masterPw}="";
}
Thus, no bind attributes are set. smbldap-tools does not see this as
something that should be noted somehow. The reason in my case was that
someone had added an administrator user to the local users on the box
with uid 999.
I have included a patch [2] that should at least give some more warnings
when this happens. IMHO smbldap-tools should not need to run as root,
but that is another issue.
I hope this post may help someone some time.
kind regards,
Tarjei
1. The wrapper script I used to get extra logging from smbldap-useradd:
#!/usr/bin/perl -w
use strict;

my $log = "/tmp/smb.log";
my $cmd = "/usr/sbin/smbldap-useradd";

open(my $LOG, '>>', $log) or die("cannot open $log: $!");
# Samba only records the exit status, so send the real command's stderr to the log too
open(STDERR, '>>', $log) or die("cannot redirect STDERR to $log: $!");

print $LOG scalar(localtime), "\n";
print $LOG "Command: $cmd " . join(" ", @ARGV) . "\n";
# Log both real and effective uid: smbldap-tools tests $< (the real uid)
print $LOG "Whoami: " . (getpwuid($<))[0] . " (uid $<, euid $>)\n";

# Quote each argument so the shell does not mangle names like "machine$"
my @quoted = map { (my $q = $_) =~ s/'/'\\''/g; "'$q'" } @ARGV;
my $out = `$cmd @quoted`;
my $status = $?;   # save it now: any later backtick or system() overwrites $?
print $LOG "Output:\n$out\n";
print $LOG "Exit status: " . ($status >> 8) . "\n";
close($LOG);

# exit() takes the 0-255 code, not the raw wait status, so shift it down
exit($status >> 8);
2. This patch adds better warnings to smbldap-tools:
--- smbldap_tools.pm.orig 2007-01-27 15:50:05.000000000 +0100
+++ smbldap_tools.pm 2007-01-27 15:54:21.000000000 +0100
@@ -170,6 +170,7 @@
close (CONFIGFILE);
} else {
$conf{slaveDN}=$conf{slavePw}=$conf{masterDN}=$conf{masterPw}="";
+ warn ("Could not open smbLdap_bind_conf file as user with uid
$< is not root. Bind details not set\n");
}
# automatically find SID
if (not $conf{SID}) {
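Review bot: the new warning says the bind file "could not be opened", but according to the `if ($< == 0)` check quoted earlier in the post this else branch is taken because the real uid is not 0, so the file was never opened at all; say that, print the effective uid `$>` next to `$<` (a setuid or su'd run can differ in the two), and keep the string on one line, since as written the literal spans a line break and the warning carries an embedded newline. Note also that warn() goes to stderr while the Samba log quoted above records only the exit status of smbldap-useradd, so this message may never reach the administrator; since the bind below is then attempted with empty masterDN/masterPw, it would be safer to die() here, or at least to log via syslog as well.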
@@ -278,6 +279,7 @@
sub connect_ldap_master
{
+ my $mesg;
# bind to a directory with dn and password
my $ldap_master = Net::LDAP->new(
"$config{masterLDAP}",
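Review bot: a single `my $mesg;` at the top of the sub is reused for both the start_tls and the bind results; declaring it at each assignment (`my $mesg = $ldap_master->start_tls(...)` and again for bind) keeps each scope tight and avoids checking a stale result if a later edit removes one of the two checks.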
@@ -288,16 +290,22 @@
)
or die "erreur LDAP: Can't contact master ldap server ($@)";
if ($config{ldapTLS} == 1) {
- $ldap_master->start_tls(
+ $mesg = $ldap_master->start_tls(
verify =>
"$config{verify}",
clientcert =>
"$config{clientcert}",
clientkey =>
"$config{clientkey}",
cafile =>
"$config{cafile}"
);
+ if ($mesg->code) {
+ warn("Could not start_tls: " . $mesg->error);
+ }
}
- $ldap_master->bind ( "$config{masterDN}",
+ $mesg = $ldap_master->bind ( "$config{masterDN}",
password =>
"$config{masterPw}"
);
+ if ($mesg->code) {
+ die ("Could not bind (login) to master ldapserver.
Error: " . $mesg->error);
+ }
$ldap=$ldap_master;
return($ldap_master);
}
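Review bot: a start_tls failure only warn()s and then falls through to the bind with masterDN and masterPw, so when ldapTLS is 1 the credentials are sent in clear text over the very connection the administrator asked to have encrypted; make that a die() matching the bind check below, which is correct as written. In both messages it is also worth including `$mesg->code` beside `$mesg->error`, and the bind message literal is split across a line break ("... master ldapserver." / "Error: "), so the die() output carries an embedded newline; join it onto one line.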
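The post's root cause is that smbldap_tools.pm silently leaves masterDN and masterPw empty when the real uid is not 0, and the failure only surfaces later as an opaque LDAP error. The following preflight check is an added example, not code from the post or from smbldap-tools: it reproduces that behaviour in readable form and reports the empty credentials before any bind is attempted. The config path, the key="value" line format of smbldap_bind.conf and the function names are assumptions.

```python
"""Preflight check for the smbldap-tools bind configuration.

Added example, not part of the original post or of smbldap-tools. It
mirrors the condition described there: the bind file is read only when
the real uid is 0, otherwise the credentials are silently set to "".
The path and the key="value" line format are assumptions.
"""
import os
import re

BIND_CONF = "/etc/smbldap-tools/smbldap_bind.conf"   # assumed location
REQUIRED_KEYS = ("masterDN", "masterPw")

# key = "value"  (quotes optional); keys are plain identifiers
_LINE = re.compile(r'^\s*(\w+)\s*=\s*"?(.*?)"?\s*$')


def parse_bind_conf(text):
    """Parse key="value" lines; blank lines and # comments are ignored."""
    conf = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _LINE.match(line)
        if m:
            conf[m.group(1)] = m.group(2)
    return conf


def load_bind_conf(text, real_uid):
    """Mimic smbldap_tools.pm: only a real uid of 0 gets the credentials."""
    if real_uid == 0:
        return parse_bind_conf(text)
    return {k: "" for k in ("slaveDN", "slavePw", "masterDN", "masterPw")}


def preflight(text, real_uid, euid):
    """Return a list of human-readable problems; an empty list means OK."""
    problems = []
    if real_uid != 0:
        problems.append(
            f"real uid is {real_uid} (euid {euid}); smbldap-tools reads the "
            f"bind file only when the real uid is 0")
    conf = load_bind_conf(text, real_uid)
    for key in REQUIRED_KEYS:
        if not conf.get(key):
            problems.append(
                f"{key} is empty: the LDAP bind would be anonymous at best "
                f"and the account add will fail")
    return problems


if __name__ == "__main__":
    # Run this as the same user Samba uses to call smbldap-useradd.
    with open(BIND_CONF) as fh:
        for p in preflight(fh.read(), os.getuid(), os.geteuid()):
            print("WARNING:", p)
```

Running it as the account that Samba actually uses to spawn smbldap-useradd (rather than from a root shell, where the post notes the command "worked") reproduces the silent empty-credential case directly instead of inferring it from an exit code.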