[Samba] Segmentation Fault when trying to set root samba password, IPA as a backend

Martin Juhl mj at casalogic.dk
Mon Feb 29 14:57:52 UTC 2016


Hi

Please notice that I'm not using ldapsam, but ipasam... from freeipa server... So I think I need those things in my configuration file....

I'm having trouble finding documentation on the ipasam extension....

Seems as though our problems are similar


----- Original message -----
From: "Rowland penny" <rpenny at samba.org>
To: "samba" <samba at lists.samba.org>
Sent: Monday, 29 February 2016 15:16:13
Subject: Re: [Samba] Segmentation Fault when trying to set root samba password, IPA as a backend

On 29/02/16 13:44, Martin Juhl wrote: 
> Hi 
> 
> 
>>> First thing is, you shouldn't have a user called 'root' in your domain, 
> I know, was just saying that the error message changed when I added the user.... 
> 
>>> use a usermap to map 'Administrator' to 'root' 
> I have now tried adding: 
> 
> username map = /var/lib/samba/usermap.txt 
> 
> to my [global] 
> 
> and /var/lib/samba/usermap.txt: 
> 
> mj = Adminstrator 
> 
> 
>>> Can you try and create a new user with smbpasswd ? 
> [root at bart samba]# smbpasswd -a test 
> No builtin backend found, trying to load plugin 
> Module 'ipasam' loaded 
> smbldap_open_connection: connection opened 
> ldap_connect_system: successful connection to the LDAP server 
> pdb_init_ipasam: support for pdb_enum_upn_suffixes enabled for domain bolls.lan 
> New SMB password: 
> Retype new SMB password: 
> Could not find user test and no add script defined 
> Failed to add entry for user test. 
> 
> 
>>> I think you may be hitting the same problem that I have, smbpasswd will 
>>> create the user, but then segfaults when trying to add the password. 
> 
> /Martin 
> 
> ----- Original message ----- 
> From: "Rowland penny" <rpenny at samba.org> 
> To: "samba" <samba at lists.samba.org> 
> Sent: Monday, 29 February 2016 11:34:14 
> Subject: Re: [Samba] Segmentation Fault when trying to set root samba password, IPA as a backend 
> 
> On 29/02/16 10:04, Martin Juhl wrote: 
>> Hi 
>> 
>> This is samba-4.2.3-11.el7_2.x86_64 on CentOS... 
>> 
>> I'm trying to set up a Samba NT4 domain, with FreeIPA as a backend... 
>> 
>> Right now everything works.. except that I need a Domain Administrator... 
>> 
>> smbpasswd -a root, segfaults... probably because the user doesn't exist in FreeIPA 
>> 
>> If I create the root user in FreeIPA, it instead gives: 
>> 
>> [root at bart samba]# LANG=en smbpasswd -a root 
>> No builtin backend found, trying to load plugin 
>> Module 'ipasam' loaded 
>> smbldap_open_connection: connection opened 
>> ldap_connect_system: successful connection to the LDAP server 
>> pdb_init_ipasam: support for pdb_enum_upn_suffixes enabled for domain bolls.lan 
>> New SMB password: 
>> Retype new SMB password: 
>> init_sam_from_ldap: Entry found for user: root 
>> ERROR: Got 0 entries for gid 0, expected at least one 
>> ERROR: Got 0 entries for gid 0, expected at least one 
>> Forcing Primary Group to 'Domain Users' for root 
>> Failed to modify entry for user root. 
>> 
>> 
>> I can't create a user with uid=0 or gid=0 in FreeIPA... 
>> 
>> I have also tried changing the administrator user: 
>> 
>> pdbedit -U S-1-5-21-3189138339-1730592290-4215248117-500 -u mj -r -d 7 
>> 
>> but it also fails: 
>> 
>> http://pastebin.com/8tpuD6Eg 
>> 
>> 
>> Config: 
>> 
>> [global] 
>> bind interfaces only = yes 
>> enable privileges = yes 
>> workgroup = BOLLS 
>> netbios name = BART 
>> realm = BOLLS.LAN 
>> kerberos method = dedicated keytab 
>> dedicated keytab file = FILE:/etc/samba/samba.keytab 
>> create krb5 conf = no 
>> security = user 
>> domain master = yes 
>> domain logons = yes 
>> log level = 3 
>> max log size = 100000 
>> log file = /var/log/samba/log.%m 
>> passdb backend = ipasam:ldaps://lisa.bolls.lan 
>> disable spoolss = yes 
>> ldapsam:trusted = yes 
>> ldap ssl = off 
>> ldap suffix = dc=bolls,dc=lan 
>> ldap user suffix = cn=users,cn=accounts 
>> ldap group suffix = cn=groups,cn=accounts 
>> ldap machine suffix = cn=computers,cn=accounts 
>> rpc_server:epmapper = external 
>> rpc_server:lsarpc = external 
>> rpc_server:lsass = external 
>> rpc_server:lsasd = external 
>> rpc_server:samr = external 
>> rpc_server:netlogon = external 
>> rpc_server:tcpip = yes 
>> rpc_daemon:epmd = fork 
>> rpc_daemon:lsasd = fork 
>> logon path = \\%L\Profiles\%U 
>> logon drive = H: 
>> logon home = \\%L\%U 
>> 
>> [homes] 
>> comment = Home Directories 
>> valid users = %S 
>> read only = No 
>> browseable = No 
>> [printers] 
>> comment = All Printers 
>> path = /var/spool/samba 
>> printer admin = root, mj 
>> create mask = 0600 
>> guest ok = Yes 
>> printable = Yes 
>> browseable = No 
>> [print$] 
>> comment = Printer Drivers Share 
>> path = /var/lib/samba/drivers 
>> write list = mj, root 
>> printer admin = mj, root 
>> [netlogon] 
>> comment = Network Logon Service 
>> path = /var/lib/samba/netlogon 
>> admin users = root, mj 
>> guest ok = Yes 
>> browseable = No 
>> # For profiles to work, create a user directory under the path 
>> # shown. i.e., mkdir -p /var/lib/samba/profiles/mj 
>> [Profiles] 
>> comment = Roaming Profile Share 
>> path = /var/lib/samba/profiles 
>> read only = No 
>> profile acls = Yes 
>> 
>> 


OK, you are running Samba as an NT4-style PDC, so you probably don't need 
these lines: 

realm = BOLLS.LAN 
kerberos method = dedicated keytab 
dedicated keytab file = FILE:/etc/samba/samba.keytab 
create krb5 conf = no 

You also don't have any of the smbldap-tools lines, but you do have 
'ldapsam:trusted = yes ', on a PDC you are expected to also have 
'ldapsam:editposix=yes' (or so I believe), see here: 
https://wiki.samba.org/index.php/Ldapsam_Editposix 

You either have to use smbldap-tools (which now appears to finally be dead) 
or ldapsam:editposix, only problem with this is that smbpasswd doesn't 
seem to work, it creates the user in ldap and then segfaults when trying 
to add the password. 

I have spent all weekend trying to make ldapsam:editposix work, but keep 
coming up against the password problem. 

Rowland 
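
The two configuration points debated in this thread (parametric `ldapsam:` options set while the passdb backend is `ipasam`, and `ldapsam:trusted` without `ldapsam:editposix`) can be checked mechanically. The following is an added example, not code from either poster or from the Samba project; `load_global` and `review_passdb` are hypothetical names, the sample is constructed from the smb.conf lines quoted above, and the second rule encodes the expectation stated in the reply, which the thread does not confirm for ipasam.

```python
import configparser

# Constructed sample: selected [global] lines from the smb.conf quoted in the thread.
SAMPLE_SMB_CONF = r"""
[global]
workgroup = BOLLS
security = user
domain logons = yes
passdb backend = ipasam:ldaps://lisa.bolls.lan
ldapsam:trusted = yes
ldap ssl = off
logon path = \\%L\Profiles\%U
"""

TRUE_VALUES = {"yes", "true", "1", "on"}


def load_global(text):
    """Parse smb.conf text and return the [global] section as a dict."""
    # '=' is the only delimiter so parametric keys such as 'ldapsam:trusted'
    # stay intact; interpolation is off because values contain %L, %U, %m.
    parser = configparser.ConfigParser(
        delimiters=("=",), comment_prefixes=("#", ";"),
        interpolation=None, strict=False)
    parser.read_string(text)
    return dict(parser["global"]) if parser.has_section("global") else {}


def review_passdb(text):
    """Return (backend_module, findings) for the two points raised in the thread."""
    g = load_global(text)
    # Samba's default passdb backend is tdbsam when none is configured.
    backend = g.get("passdb backend", "tdbsam").split(":", 1)[0].strip()
    findings = []
    parametric = sorted(k for k in g if k.startswith("ldapsam:"))
    if parametric and backend != "ldapsam":
        findings.append(f"backend is '{backend}' but ldapsam options are set: "
                        + ", ".join(parametric))
    # Assumption taken from the reply: trusted is expected alongside editposix.
    trusted = g.get("ldapsam:trusted", "no").strip().lower() in TRUE_VALUES
    editposix = g.get("ldapsam:editposix", "no").strip().lower() in TRUE_VALUES
    if trusted and not editposix:
        findings.append("ldapsam:trusted = yes without ldapsam:editposix = yes")
    return backend, findings


if __name__ == "__main__":
    module, notes = review_passdb(SAMPLE_SMB_CONF)
    print("passdb backend module:", module)
    for note in notes:
        print(" -", note)
```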
