[Samba] Segmentation Fault when trying to set root samba password, IPA as a backend

Rowland penny rpenny at samba.org
Sun Mar 6 19:24:56 UTC 2016


On 06/03/16 19:07, Harry Jede wrote:
> On 19:47:03 wrote Rowland penny:
>>> I have just started an old vm with samba 3.6.6 as pdc and openldap
>>> as backend. smbpasswd -a someuser does not work, if someuser does
>>> not exist.
>> Are you using smbldap-tools or ldapsam:editposix ?
> In this vm ldapsam:editposix.
>
> OK. I have just created a posix-only user in openldap. And then tried
> smbpasswd -a test01. Surprisingly, it works.
>
> Here the relevant information, openldap logs with loglevel filter (256):
>
> *before adding the samba user* :
> # ldapsearch -xLLL -D cn=admin,dc=europa,dc=xx -W -b dc=europa,dc=xx -s sub "(&(objectClass=sambaDomain)
> (sambaDomainName=europa))" sambaDomainName sambaNextRid sambaNextUserRid sambaNextGroupRid sambaSID sambaAlgorithmicRidBase
> objectClass
> dn: sambaDomainName=EUROPA,dc=europa,dc=xx
> objectClass: top
> objectClass: sambaDomain
> objectClass: sambaUnixIdPool
> sambaDomainName: EUROPA
> sambaSID: S-1-5-21-3958726613-3318811842-4132420312
> sambaAlgorithmicRidBase: 1000
> sambaNextUserRid: 2000
> sambaNextGroupRid: 100000
> sambaNextRid: 100018
>
> *after adding the samba user* :
> # ldapsearch -xLLL -D cn=admin,dc=europa,dc=xx -W -b dc=europa,dc=xx -s sub "(&(objectClass=sambaDomain)
> (sambaDomainName=europa))" sambaDomainName sambaNextRid sambaNextUserRid sambaNextGroupRid sambaSID sambaAlgorithmicRidBase
> objectClass
> dn: sambaDomainName=EUROPA,dc=europa,dc=xx
> objectClass: top
> objectClass: sambaDomain
> objectClass: sambaUnixIdPool
> sambaDomainName: EUROPA
> sambaSID: S-1-5-21-3958726613-3318811842-4132420312
> sambaAlgorithmicRidBase: 1000
> sambaNextUserRid: 2000
> sambaNextGroupRid: 100000
> sambaNextRid: 100019
>
> *sambaNextRid has changed* .
>
> Here the resulting object:
> # ldapsearch -xLLL -D cn=admin,dc=europa,dc=xx -w keins -b dc=europa,dc=xx -s sub uid=test01
> dn: uid=test01,ou=people,ou=accounts,dc=europa,dc=xx
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetOrgPerson
> objectClass: posixAccount
> objectClass: shadowAccount
> objectClass: systemQuotas
> objectClass: sambaSamAccount
> sn: test01
> cn: test01
> uidNumber: 33333
> gidNumber: 1001
> homeDirectory: /home/teachers/test01
> uid: test01
> sambaSID: S-1-5-21-3958726613-3318811842-4132420312-100019
> userPassword:: e1NTSEF9aUdWOHdpaTRnUTB1ZEQyNVhBVBR6bzUvcnp3L3dpMTk=
> sambaNTPassword: 186CB09181E2C2ECAAC768C47C726604
> sambaPasswordHistory: 00000000000000000000000000000000000000000000000000000000
>   00000000
> sambaPwdLastSet: 1457289571
> sambaAcctFlags: [U          ]
>
> ldap(posix) password and samba password is set. sambaLMPassword is not set.
>
> smb.conf:
> [global]
>          workgroup = EUROPA
>          netbios aliases = INSTALL
>          server string = Schulserver %h
>          interfaces = 127.0.0.1/127.255.255.255, 10.100.0.1/255.255.0.0, 10.100.1.1/255.255.255.0, 10.100.2.1/255.255.255.0,
> 10.100.3.1/255.255.255.0, 192.168.231.231/255.255.255.0
>          bind interfaces only = Yes
>          map to guest = Bad User
>          obey pam restrictions = Yes
>          passdb backend = ldapsam:ldapi:///
>          pam password change = Yes
>          passwd program = /usr/sbin/smbldap-passwd %u
>          passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully*
>          log file = /var/log/samba/log.%m
>          max protocol = SMB2
>          time server = Yes
>          printcap name = cups
>          add machine script = /usr/sbin/smbldap-useradd -a -W "%u"
>          logon script = %a.bat
>          logon path = \\%L\profile\%G\%U\%a
>          logon drive = U:
>          domain logons = Yes
>          os level = 255
>          preferred master = Yes
>          domain master = Yes
>          dns proxy = No
>          wins proxy = Yes
>          wins support = Yes
>          ldap admin dn = cn=admin,dc=europa,dc=xx
>          ldap delete dn = Yes
>          ldap group suffix = ou=groups
>          ldap machine suffix = ou=machines,ou=accounts
>          ldap passwd sync = yes
>          ldap suffix = dc=europa,dc=xx
>          ldap ssl = no
>          ldap user suffix = ou=people,ou=accounts
>          ldapsam:editposix = yes
>          ldapsam:trusted = yes
>          idmap config * : backend = tdb
>          admin users = adm, root
>          ea support = Yes
>          case sensitive = No
>          veto files = /*.eml/*.nws/riched20.dll/autorun.inf/
>          map archive = No
>          map readonly = no
>          mangled names = No
>          store dos attributes = Yes
>
>
>

You seem to be using smbldap-tools and ldapsam:editposix is meant to be 
a replacement for this, if you read the smb.conf manpage, you will find 
this:

        ldapsam:editposix (G)

            Editposix is an option that leverages ldapsam:trusted to make it
            simpler to manage a domain controller eliminating the need to set
            up custom scripts to add and manage the posix users and groups.
            This option will instead directly manipulate the ldap tree to
            create, remove and modify user and group entries. This option also
            requires a running winbindd as it is used to allocate new uids/gids
            on user/group creation. The allocation range must be therefore
            configured.

This means that the samba tools will do what smbldap-tools does.

Rowland
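
The overlap described above can be checked mechanically. This is an added example, not part of the original post and not Samba code: a small lint that reads the `[global]` section and reports settings that conflict with the quoted editposix description. The function names are hypothetical, and treating `idmap config * : range`, `idmap uid` or `idmap gid` as the place where the allocation range is set is an assumption of this example.

```python
import re

# Abridged from the smb.conf quoted in the thread (only the lines the checks read).
POSTED_CONF = """\
[global]
    passdb backend = ldapsam:ldapi:///
    passwd program = /usr/sbin/smbldap-passwd %u
    add machine script = /usr/sbin/smbldap-useradd -a -W "%u"
    ldapsam:editposix = yes
    ldapsam:trusted = yes
    idmap config * : backend = tdb
"""

def parse_global(text):
    """Return {normalised key: value} for the [global] section."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "global" and "=" in line:
            key, value = line.split("=", 1)
            # Collapse whitespace so "idmap config * : range" matches "idmap config *:range".
            key = re.sub(r"\s*:\s*", ":", " ".join(key.lower().split()))
            params[key] = value.strip()
    return params

def is_on(params, key):
    return params.get(key, "no").lower() in ("yes", "true", "1")

def check_editposix(text):
    """Hypothetical lint: list conflicts with the quoted editposix description."""
    p, findings = parse_global(text), []
    if not is_on(p, "ldapsam:editposix"):
        return findings
    if not is_on(p, "ldapsam:trusted"):
        findings.append("ldapsam:trusted is not enabled")
    for key, value in sorted(p.items()):
        if "smbldap-" in value:
            findings.append(f"{key} still calls smbldap-tools: {value}")
    # Assumption: the allocation range lives in one of these parameters.
    if not any(k in p for k in ("idmap config *:range", "idmap uid", "idmap gid")):
        findings.append("no idmap allocation range configured")
    return findings

if __name__ == "__main__":
    for finding in check_editposix(POSTED_CONF):
        print("WARN:", finding)
```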



