[Samba] Order of getpwnam call in Get_Pwnam_internals.
hhyy ww
hywusmb at gmail.com
Thu Jan 25 12:54:07 UTC 2024
Rowland Penny via samba <samba at lists.samba.org> wrote on Thu, Jan 25, 2024 at 6:42 PM:
> On Thu, 25 Jan 2024 18:27:48 +0800
> hhyy ww via samba <samba at lists.samba.org> wrote:
>
> > Hi list,
> >
> > My case :
> > Local UNIX user : ZTEST
> > domain : uuq.ork
> > domain user : UUQ\ztest
> > smb.conf for standalone samba : /home/hywu/smb.conf
> >
> > [/home/hywu] # cat /home/hywu/smb.conf
> > [global]
> > passdb backend = smbpasswd
> > workgroup = WORKGROUP
> > security=user
>
> Why is the smb.conf file in /home/hywu instead of somewhere like
> /etc/samba ?
>
> >
> > Smbpasswd fail to change local UNIX user password (ZTEST) when samba
> > role is DC. I want to change password of local UNIX user "ZTEST" but
> > get domain user "UUQ\ztest" from
>
> You shouldn't have local and domain users with the same name.
>
> >
> >
> > root at uuu:/# getent passwd | tail
> > hywu:x:1000:1000 hywu,,,:/home/hywu:/bin/bash
> > sshd:X:128:65534::/run/sshd:/usr/sbin/nologin
> > jone:x:1001:1001:,,,:/home/jone:/bin/bash
> > ZTEST:X:1002:1002:,,,:/home/ZTEST: /bin/bash
> > UUQ\administrator:*:0:100::/home/UUQ/administrator:/bin/false
> > UUQ\guest:*:3000008:100::/home/UUQ/guest :/bin/false
> > UUQ\krbtgt:*:3000012:100::/home/UUQ/krbtgt:/bin/false
> > UUQ\ztest:*:3000013:100::/home/UUQ/ztest:/bin/false
>
> Go on, I give in, how did you get a domain user into /etc/passwd (where
> it doesn't belong).
>
After the samba role became DC, I added winbind to the passwd and group sections in
/etc/nsswitch.conf
>
> root at uuu:/#
> > root at uuu:/#smbpasswd -c /home/hywu/smb.conf -U ZTEST -D 2
> > rlimit max:increasing (1024) to minimum Windows limit (16384)
> > New SMB password:
> > Retype new SMB password:
> > Cannot update entry for user UUQ\ztest, as they don't exist in the
> > smbpasswd file!
> > smbpasswd_update_sam_account: mod_smbfilepud_entry failed!
> > Failed to modify entry for user ZTEST.
> > root at uuu:/# uname -a
> > Linux uuu 6.5.0-14-generic #14~22.04.1-Ubuntu SMP...
> >
> >
> > I checked samba code then I found the problem is order of getpwnam
> > call in Get_Pwnam_internals(). Lowercase first order will get domain
> > user (UUQ/ztest) but local account(ZTEST).
> >
> > local_password_change()
> > pdb_getsampwnam()
> > smbpasswd_getsampwnam()
> > build_sam_account()
> > Get_Pwnam_alloc()
> > Get_Pwnam_internals() <-- turn "ZTEST" to "ztest"
> > getpwnam_alloc_cached()
> > getpwnam()
> > (nss_winbinadd)
> > winbindd_getpwnam_send()
> > parse_domain_user() <-- add "UUQ" to domain and namespace.
> > assume_domain()
> >
> > When samba role is DC , "winbind use default domain" does not work in
> > assume_domain(). Then getpwnam() get domain user.
> >
> > I have checked the following list and commit
> >
> > https://lists.samba.org/archive/samba-technical/2008-March/058508.html
> > https://git.samba.org/?p=samba.git;a=commitdiff;h=ea4a0d509ef70e91baedc5eebf4f4bcff10dac96
> >
> > Why the order of getpwnam call in Get_Pwnam_internals() change from
> > original name first to lowercase first?
> >
> > HY Wu.
>
> I think you need to give us more details:
> What OS ?
>
ubuntu 22.04
> What version of Samba ?
>
samba-4.15
> Is there another smb.conf file somewhere ?
>
Before the samba role became DC, samba used this smb.conf:
[/home/hywu] # cat /home/hywu/smb.conf
[global]
passdb backend = smbpasswd
workgroup = WORKGROUP
security=user
After the samba role became DC, samba uses the smb.conf generated by samba-tool
domain provision.
> If there is, what is in it ?
> How did you provision the domain, what was the actual command ?
>
samba-tool domain provision --use-rfc2307 --realm=uuq.ork --domain=UUQ
--server-role=DC --adminpass=xxxxxx
I installed samba following these links
https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller#Introduction
https://wiki.samba.org/index.php/Distribution-specific_Package_Installation#Debian/Ubuntu
> Rowland
>
I need to sync the account password in /etc/passwd and smbpasswd, so when I
change a local user's password I run the smbpasswd command to set the same password.
Before samba became DC, "smbpasswd -c /home/hywu/smb.conf -U ZTEST" worked
well.
After samba became DC, this command fails to change the password.
I checked the debug log and samba code, and I found that the order of getpwnam calls in
Get_Pwnam_internals causes this problem.
HY Wu.
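
The lookup order discussed in this thread, as an added example that is not part of the original message and is not Samba's source code: a small Python model that resolves "ZTEST" lowercase-first and as-given-first, and lists local names that collide with domain names. It assumes the "files" NSS source matches case-sensitively and that winbind matches case-insensitively and prepends the domain to unqualified names, as the call trace above describes; the function names are hypothetical and the entries are copied from the getent output in the message.

```python
# Constructed model of the lookup described in the thread; not Samba code.
# Assumptions: "passwd: files winbind" in nsswitch.conf, the files source is
# case-sensitive, winbind is case-insensitive and assumes the domain for
# unqualified names (as in the poster's call trace on a DC).

DOMAIN = "UUQ"

# name -> uid, copied from the getent passwd output quoted in the message
LOCAL = {"hywu": 1000, "jone": 1001, "ZTEST": 1002}
WINBIND = {"UUQ\\administrator": 0, "UUQ\\guest": 3000008,
           "UUQ\\krbtgt": 3000012, "UUQ\\ztest": 3000013}


def nss_getpwnam(name):
    """Model of getpwnam(): local files first, then winbind."""
    if name in LOCAL:                        # files: exact, case-sensitive
        return name, LOCAL[name]
    qualified = name if "\\" in name else f"{DOMAIN}\\{name}"
    for entry, uid in WINBIND.items():       # winbind: case-insensitive
        if entry.lower() == qualified.lower():
            return entry, uid
    return None


def lookup(user, order):
    """Try the case variants of `user` in `order`; the first hit wins."""
    variants = {"lower": user.lower(), "given": user, "upper": user.upper()}
    for key in order:
        hit = nss_getpwnam(variants[key])
        if hit:
            return hit
    return None


def colliding_names():
    """Local names that a case-insensitive domain lookup would also match."""
    domain_names = {entry.split("\\", 1)[1].lower() for entry in WINBIND}
    return sorted(n for n in LOCAL if n.lower() in domain_names)


if __name__ == "__main__":
    print("lowercase first:", lookup("ZTEST", ["lower", "given", "upper"]))
    print("as given first: ", lookup("ZTEST", ["given", "lower", "upper"]))
    print("collisions:     ", colliding_names())
```

Any name reported by `colliding_names()` is one where the account that gets resolved depends on the case variant tried first, which is the situation Rowland's advice about not sharing names between local and domain users avoids.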