[Samba] [PATCH] Re: Samba 4.1.17 classic update w/LDAP - parsing error

Mgr. Peter Tuharsky tuharsky at misbb.sk
Wed Oct 28 13:35:16 UTC 2015 

Hallo,

I have two news. The first one: the patch probably works. Second: there
is another bug.

When I encountered the bug again after patching, I have raised debug
level and figured out that the problem is with user "guest" - he was in
our old domain, however samba-tool probably creates him automatically
and then couldn't import him.

So, please fix the tool so that it ignores such user, or update the DOCS
so that forbidden users are known for admin before attempting the
classicupdate.

The import FINALLY works with patched 4.3.1. But when I tested again
with 4.1.17, it ends up with the bug. So the patch seems working for its
purpose, but there is the bug with guest user and that needs to get fixed.



Dňa 27.10.2015 o 16:38 Mgr. Peter Tuharsky napísal(a):
> I have tested the patch against 4.3.1 compiled from sources but it does
> not seem to work. Either I did something wrong while compiling, or the
> patch dosen't fix the problem.
>
> ERROR(<type 'exceptions.ValueError'>): uncaught exception - unable to
> parse dn string
>   File
> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
> line 175, in _run
>     return self.run(*args, **kwargs)
>   File
> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/domain.py",
> line 1460, in run
>     useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs)
>   File "/usr/local/samba/lib/python2.7/site-packages/samba/upgrade.py",
> line 771, in upgrade_from_samba3
>     add_group_from_mapping_entry(result.samdb, g, logger)
>   File "/usr/local/samba/lib/python2.7/site-packages/samba/upgrade.py",
> line 275, in add_group_from_mapping_entry
>     m.dn = ldb.Dn(samdb, "CN=%s,CN=Users,%s" % (groupmap.nt_name,
> samdb.get_default_basedn()))
>
> Dňa 08.10.2015 o 08:47 Mgr. Peter Tuharsky napísal(a):
>> Well, since I have no answer from Debian in order of patch, I'm trying
>> to do the import using group names with no special character at all.
>>
>> Strange thing - it dosen't work.
>> I have also removed all diacritics from displayname attributes for all
>> groups - dosen't help either.
>>
>> So i'm not sure, what the problem really is.
>>
>> Dňa 24.09.2015 o 13:52 Mgr. Peter Tuharsky napísal(a):
>>> As of 4, I have tested import of renamed domain and the classicupdate is
>>> still parsing badly. So the netbios name seems not to be an issue for now.
>>>
>>> Dňa 24.09.2015 o 10:45 Mgr. Peter Tuharsky napísal(a):
>>>> Hi all,
>>>>
>>>> thank You for Your answers and the help.
>>>>
>>>> 1, I have never applied a patch to Samba in Debian. Please, is there any
>>>> howto or documentation?
>>>> 2, If the patch worked for the import, would it be possible to revert to
>>>> a distributional (unpatched) Samba afterwards?
>>>> 3, We don't use any of the mentioned symbols in group names, just . and -
>>>> 4, Unfortunately, we have a . in the NT4 (netbios) domain name. We
>>>> already have issues with that, but only in Windows 8. Could this be the
>>>> reason of the import error? I doubt that though because other import
>>>> steps finished flawlessly, including netbios name registration during
>>>> import process.
>>>> 5, (Might be OT, depending on previous answer): If needed in order to
>>>> resolve the problem, is it possible to simply and without consequences
>>>> change the domain (netbios) name in LDAP, providing that SID would
>>>> remain untouched and change in smb.conf would reflect the new name? Or
>>>> the Windows clients use both the netbios name and SID in order to access
>>>> their domain and they would drop off domain?
>>>>
>>>> Peter
>>>>
>>>> Dňa 24.09.2015 o 09:57 Andrew Bartlett napísal(a):
>>>>> On Thu, 2015-09-24 at 09:12 +0200, Michael Wood wrote:
>>>>>> Hi
>>>>>> On 23 Sep 2015 9:47 PM, "Andrew Bartlett" <abartlet at samba.org> wrote:
>>>>>>> On Thu, 2015-09-24 at 06:59 +1200, Andrew Bartlett wrote:
>>>>>>>> That looks like a bug.  My guess is that, as Roland suggested,
>>>>>> the
>>>>>>>> group name isn't just normal characters.  We do support other
>>>>>> chars
>>>>>>>> in
>>>>>>>> group names, but the bug here was not to escape the values.  You
>>>>>>>> could
>>>>>>>> expect a particular problem with any of these in particular: =,()
>>>>>>> Can you confirm this patch (against master, but should apply back
>>>>>> to
>>>>>>> 4.1) works for you?
>>>>>>>
>>>>>>> If so, can I get a second team member to review/push?
>>>>>> Does that still result in them being in CN=Users? Or is that not
>>>>>> important?
>>>>> Indeed, that is what I get for writing patches at 7 in the morning :-)
>>>>>
>>>>> Try the attached.  We really, really need some good expected-value
>>>>> testing of the upgrade system.
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Andrew Bartlett
>>>>>
>

More information about the samba mailing list