[Samba] Segmentation Fault when trying to set root samba password, IPA as a backend

Rowland Penny rpenny at samba.org
Mon Feb 29 14:16:13 UTC 2016


On 29/02/16 13:44, Martin Juhl wrote:
> Hi
>
>
>>> First thing is, you shouldn't have a user called 'root' in your domain,
> I know, was just saying that the error message changed when I added the user....
>
>>> use a usermap to map 'Administrator' to 'root'
> I have now tried adding:
>
> username map = /var/lib/samba/usermap.txt
>
> to my [global]
>
> and /var/lib/samba/usermap.txt:
>
> mj = Adminstrator
>
>
>>> Can you try and create a new user with smbpasswd ?
> [root@bart samba]# smbpasswd -a test
> No builtin backend found, trying to load plugin
> Module 'ipasam' loaded
> smbldap_open_connection: connection opened
> ldap_connect_system: successful connection to the LDAP server
> pdb_init_ipasam: support for pdb_enum_upn_suffixes enabled for domain bolls.lan
> New SMB password:
> Retype new SMB password:
> Could not find user test and no add script defined
> Failed to add entry for user test.
>
>
>>> I think you may be hitting the same problem that I have, smbpasswd will
>>> create the user, but then segfaults when trying to add the password.
>
> /Martin
>
> ----- Original Message -----
> From: "Rowland Penny" <rpenny at samba.org>
> To: "samba" <samba at lists.samba.org>
> Sent: Monday, 29 February 2016 11:34:14
> Subject: Re: [Samba] Segmentation Fault when trying to set root samba password, IPA as a backend
>
> On 29/02/16 10:04, Martin Juhl wrote:
>> Hi
>>
>> This is samba-4.2.3-11.el7_2.x86_64 on CentOS...
>>
>> I'm trying to setup a Samba NT4 domain, with FreeIPA as a backend...
>>
>> Right now everything works.. except that I need a Domain Administrator...
>>
>> smbpasswd -a root, segfaults... probably because the user doesn't exist in FreeIPA
>>
>> If I create the root user in FreeIPA, it instead gives:
>>
>> [root@bart samba]# LANG=en smbpasswd -a root
>> No builtin backend found, trying to load plugin
>> Module 'ipasam' loaded
>> smbldap_open_connection: connection opened
>> ldap_connect_system: successful connection to the LDAP server
>> pdb_init_ipasam: support for pdb_enum_upn_suffixes enabled for domain bolls.lan
>> New SMB password:
>> Retype new SMB password:
>> init_sam_from_ldap: Entry found for user: root
>> ERROR: Got 0 entries for gid 0, expected at least one
>> ERROR: Got 0 entries for gid 0, expected at least one
>> Forcing Primary Group to 'Domain Users' for root
>> Failed to modify entry for user root.
>>
>>
>> I can't create a user with uid=0 or gid=0 in FreeIPA...
>>
>> I have also tried changing the administrator user:
>>
>> pdbedit -U S-1-5-21-3189138339-1730592290-4215248117-500 -u mj -r -d 7
>>
>> but it also fails:
>>
>> http://pastebin.com/8tpuD6Eg
>>
>>
>> Config:
>>
>> [global]
>> bind interfaces only = yes
>> enable privileges = yes
>> workgroup = BOLLS
>> netbios name = BART
>> realm = BOLLS.LAN
>> kerberos method = dedicated keytab
>> dedicated keytab file = FILE:/etc/samba/samba.keytab
>> create krb5 conf = no
>> security = user
>> domain master = yes
>> domain logons = yes
>> log level = 3
>> max log size = 100000
>> log file = /var/log/samba/log.%m
>> passdb backend = ipasam:ldaps://lisa.bolls.lan
>> disable spoolss = yes
>> ldapsam:trusted = yes
>> ldap ssl = off
>> ldap suffix = dc=bolls,dc=lan
>> ldap user suffix = cn=users,cn=accounts
>> ldap group suffix = cn=groups,cn=accounts
>> ldap machine suffix = cn=computers,cn=accounts
>> rpc_server:epmapper = external
>> rpc_server:lsarpc = external
>> rpc_server:lsass = external
>> rpc_server:lsasd = external
>> rpc_server:samr = external
>> rpc_server:netlogon = external
>> rpc_server:tcpip = yes
>> rpc_daemon:epmd = fork
>> rpc_daemon:lsasd = fork
>> logon path = \\%L\Profiles\%U
>> logon drive = H:
>> logon home = \\%L\%U
>>
>> [homes]
>> comment = Home Directories
>> valid users = %S
>> read only = No
>> browseable = No
>> [printers]
>> comment = All Printers
>> path = /var/spool/samba
>> printer admin = root, mj
>> create mask = 0600
>> guest ok = Yes
>> printable = Yes
>> browseable = No
>> [print$]
>> comment = Printer Drivers Share
>> path = /var/lib/samba/drivers
>> write list = mj, root
>> printer admin = mj, root
>> [netlogon]
>> comment = Network Logon Service
>> path = /var/lib/samba/netlogon
>> admin users = root, mj
>> guest ok = Yes
>> browseable = No
>> # For profiles to work, create a user directory under the path
>> # shown. i.e., mkdir -p /var/lib/samba/profiles/mj
>> [Profiles]
>> comment = Roaming Profile Share
>> path = /var/lib/samba/profiles
>> read only = No
>> profile acls = Yes
>>
>>


OK, you are running Samba as an NT4-style PDC, so you probably don't need 
these lines:

realm = BOLLS.LAN
kerberos method = dedicated keytab
dedicated keytab file = FILE:/etc/samba/samba.keytab
create krb5 conf = no

You also don't have any of the smbldap-tools lines, but you do have 
'ldapsam:trusted = yes'; on a PDC you are expected to also have 
'ldapsam:editposix=yes' (or so I believe), see here: 
https://wiki.samba.org/index.php/Ldapsam_Editposix

You either have to use smbldap-tools (which now appears to finally be dead) 
or ldapsam:editposix. The only problem with this is that smbpasswd doesn't 
seem to work: it creates the user in ldap and then segfaults when trying 
to add the password.

I have spent all weekend trying to make ldapsam:editposix work, but keep 
coming up against the password problem.

Rowland
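
Added example, not part of the original message or of Samba: a small Python check that applies the two configuration observations from the reply above (Kerberos settings on an NT4-style PDC, and `ldapsam:trusted` without `ldapsam:editposix`) to an smb.conf `[global]` section. The sample text is constructed from the quoted config, and the function names and the PDC heuristic (`security = user` plus `domain logons = yes`) are assumptions of this example.

```python
import re

# Constructed sample: the [global] lines from the quoted smb.conf that the reply comments on.
SAMPLE_CONF = r"""
[global]
realm = BOLLS.LAN
kerberos method = dedicated keytab
dedicated keytab file = FILE:/etc/samba/samba.keytab
create krb5 conf = no
security = user
domain logons = yes
ldapsam:trusted = yes
[homes]
valid users = %S
"""

# The four settings the reply lists as probably unneeded on an NT4-style PDC.
KERBEROS_KEYS = ("realm", "kerberos method", "dedicated keytab file", "create krb5 conf")

def parse_global(text):
    """Return [global] parameters as a dict; names lower-cased, inner whitespace collapsed."""
    section, params = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params

def review(params):
    """Apply the reply's two observations; the NT4-PDC test is this example's heuristic."""
    findings = []
    is_yes = lambda key: params.get(key, "").lower() in ("yes", "true", "1")
    nt4_pdc = params.get("security", "").lower() == "user" and is_yes("domain logons")
    present = [k for k in KERBEROS_KEYS if k in params] if nt4_pdc else []
    if present:
        findings.append("NT4-style PDC: probably unneeded: " + ", ".join(present))
    if is_yes("ldapsam:trusted") and not is_yes("ldapsam:editposix"):
        findings.append("ldapsam:trusted = yes without ldapsam:editposix = yes")
    return findings

if __name__ == "__main__":
    for finding in review(parse_global(SAMPLE_CONF)):
        print(finding)
```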


