I'm using samba 2.2.3a with OpenLDAP server. My smbd(8) is working fine, that is, it can find the user when the user is opening some share on w2k boxes (ldap log - local4):

  Feb 21 17:21:17 click.crol.net slapd[20169]: conn=30 op=1 BIND dn="SMBSERVER=CLICK,OU=SAMBA,OU=SERVERS,DC=CROL,DC=NET"
                                                                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

And this entity has the ability to read/write samba and posixAccount attributes for users, so this is OK.

But when I try to change a password or add a sambaAccount with smbpasswd(8) or pdbedit(8) I get this:

  Feb 21 17:29:05 click.crol.net slapd[20149]: daemon: conn=36 fd=25 connection from IP=192.168.0.17:44459 (IP=0.0.0.0:34049) accepted.
  Feb 21 17:29:05 click.crol.net slapd[20970]: conn=36 op=0 BIND dn="" method=128
                                                              ^^^^^^^^^^^^^
  Feb 21 17:29:05 click.crol.net slapd[20970]: conn=36 op=0 RESULT tag=97 err=0 text=
  Feb 21 17:29:05 click.crol.net slapd[20151]: conn=36 op=1 MOD dn="uid=novi,ou=People,ou=Accounts,dc=crol,dc=net"
  Feb 21 17:29:05 click.crol.net slapd[20151]: conn=36 op=1 RESULT tag=103 err=50 text=
                                                                            ^^^^^^^^^^^

strace -e open shows me that smbpasswd IS opening secrets.tdb:

  open("/etc/samba/secrets.tdb", O_RDWR|O_CREAT|O_LARGEFILE, 0600) = 3

But anyway smbpasswd(8) is binding to the LDAP server as anonymous and of course gets access denied for the write operation. In debug mode (-D 10) smbpasswd(8) writes this to stdout/stderr:

  ldap_connect_system: Binding to ldap server as "smbserver=click,ou=Samba,ou=Servers,dc=crol,dc=net"

But this is not what it is actually doing (when I look in the ldap log for the bindDN). I'm doing this as root of course.

--
This signature intentionally left blank
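The slapd lines in the post are enough to spot the problem mechanically: a connection whose last BIND was anonymous (dn="") followed by a write that fails with err=50 (insufficientAccessRights). The following script is an added example (not from the post, not Samba code) that parses slapd stats-log lines (loglevel 256), tracks each connection's effective identity across its BIND results, and reports every write attempted while that identity was anonymous. The sample log is constructed from the lines in the post; the conn=30 MOD/RESULT lines and the method=128 on the conn=30 BIND are added for contrast and were not in the original log.

```python
import re
from collections import defaultdict

# Constructed sample input: the slapd stats-log lines quoted in the post, plus a
# constructed healthy session for conn=30 so the two cases can be compared.
SAMPLE_LOG = """\
Feb 21 17:21:17 click.crol.net slapd[20169]: conn=30 op=1 BIND dn="SMBSERVER=CLICK,OU=SAMBA,OU=SERVERS,DC=CROL,DC=NET" method=128
Feb 21 17:21:17 click.crol.net slapd[20169]: conn=30 op=1 RESULT tag=97 err=0 text=
Feb 21 17:21:17 click.crol.net slapd[20169]: conn=30 op=2 MOD dn="uid=novi,ou=People,ou=Accounts,dc=crol,dc=net"
Feb 21 17:21:17 click.crol.net slapd[20169]: conn=30 op=2 RESULT tag=103 err=0 text=
Feb 21 17:29:05 click.crol.net slapd[20149]: daemon: conn=36 fd=25 connection from IP=192.168.0.17:44459 (IP=0.0.0.0:34049) accepted.
Feb 21 17:29:05 click.crol.net slapd[20970]: conn=36 op=0 BIND dn="" method=128
Feb 21 17:29:05 click.crol.net slapd[20970]: conn=36 op=0 RESULT tag=97 err=0 text=
Feb 21 17:29:05 click.crol.net slapd[20151]: conn=36 op=1 MOD dn="uid=novi,ou=People,ou=Accounts,dc=crol,dc=net"
Feb 21 17:29:05 click.crol.net slapd[20151]: conn=36 op=1 RESULT tag=103 err=50 text=
"""

OP_RE = re.compile(r"conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<rest>.*)$")
BIND_RE = re.compile(r'^BIND dn="(?P<dn>[^"]*)"')
WRITE_RE = re.compile(r'^(?P<kind>ADD|MOD|MODRDN|DEL) dn="(?P<dn>[^"]*)"')
RESULT_RE = re.compile(r"^RESULT tag=(?P<tag>\d+) err=(?P<err>\d+)")

LDAP_INSUFFICIENT_ACCESS = 50   # the err=50 seen in the post


def parse_operations(log_text):
    """Group BIND and write requests by connection id, attaching each one's RESULT."""
    by_conn = defaultdict(list)
    pending = {}                      # (conn, op) -> request still awaiting its RESULT
    for line in log_text.splitlines():
        m = OP_RE.search(line)
        if not m:                     # e.g. the "daemon: ... accepted." line has no op=
            continue
        conn, op, rest = int(m["conn"]), int(m["op"]), m["rest"]
        r = RESULT_RE.match(rest)
        if r:
            if (conn, op) in pending:
                pending.pop((conn, op))["err"] = int(r["err"])
            continue
        b = BIND_RE.match(rest)
        w = WRITE_RE.match(rest)
        if b:
            req = {"op": op, "kind": "BIND", "dn": b["dn"], "err": None}
        elif w:
            req = {"op": op, "kind": w["kind"], "dn": w["dn"], "err": None}
        else:
            continue                  # SRCH, UNBIND, etc. are not needed here
        pending[(conn, op)] = req
        by_conn[conn].append(req)
    return dict(by_conn)


def find_anonymous_writes(log_text):
    """Return (conn, kind, target_dn, err) for every write attempted while the
    connection's effective identity was anonymous.  A connection starts anonymous;
    a successful BIND sets its identity, a failed BIND resets it to anonymous."""
    findings = []
    for conn, requests in sorted(parse_operations(log_text).items()):
        identity = ""                 # "" is how slapd logs an anonymous bind
        for req in requests:
            if req["kind"] == "BIND":
                identity = req["dn"] if req["err"] == 0 else ""
            elif identity == "":
                findings.append((conn, req["kind"], req["dn"], req["err"]))
    return findings


if __name__ == "__main__":
    for conn, kind, dn, err in find_anonymous_writes(SAMPLE_LOG):
        note = " (insufficientAccessRights)" if err == LDAP_INSUFFICIENT_ACCESS else ""
        print(f"conn={conn}: anonymous {kind} on {dn} -> err={err}{note}")
```

Run against the sample it flags only conn=36, the connection smbpasswd opened to the master. The healthy conn=30 session, bound as the SMBSERVER entry, is not reported even though it modifies the same user entry.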
Miroslav Zubcic
2002-Feb-21 11:45 UTC
[Samba] Re: Bug in LDAP code for smbpasswd and pdbedit?
[ replying to myself ... ]

Miroslav Zubcic <mvz@crol.net> writes:

> But when I try to change a password or add a sambaAccount with
> smbpasswd(8) or pdbedit(8) I get this:
>
> Feb 21 17:29:05 click.crol.net slapd[20149]:
> daemon: conn=36 fd=25 connection from IP=192.168.0.17:44459 (IP=0.0.0.0:34049) accepted.
>
> Feb 21 17:29:05 click.crol.net slapd[20970]:
> conn=36 op=0 BIND dn="" method=128
>              ^^^^^^^^^^^^^

Bug located more closely: My configuration was this:

  ldap server = crol4.crol.net click.crol.net

crol4 is the slave LDAP server, and click is the master. So the slave was first in the configuration line. smbpasswd(8) then gets an updateref from the slave to contact the master server for changes; it did that, but in the meantime "forgot" its bindDN and bound to the master as anonymous.

BTW, two servers are in the "ldap server" line because things will work if the first one is down: the second will be contacted, like ldap_open(3) says. If I remove the slave server from smb.conf(5) everything is OK. But this is still a bug - probably in source/passdb/pdb_ldap.c ?

--
This signature intentionally left blank
Marshall, Joshua
2002-Feb-21 17:17 UTC
[Samba] Re: Bug in LDAP code for smbpasswd and pdbedit?
Hi Miroslav,

I too came across this bug when getting my system up and running with 2.2.3-prerelease. I fixed it by writing a patch, which I have sent to the developers, but they didn't merge it in for 2.2.3.

By default, all referrals are done unauthenticated. It is up to the client software to decide whether to authenticate when rebinding to another ldap server. In the case of master/slave ldap servers, I believe it should authenticate when rebinding.

Anyway, apply the attached patch to pdb_ldap.c and recompile :)

Regards,
Joshua Marshall

Miroslav Zubcic <mvz@crol.net>
Sent by: samba-admin@lists.samba.org
22/02/2002 05:37 AM

To: samba@lists.samba.org
cc:
Subject: [Samba] Re: Bug in LDAP code for smbpasswd and pdbedit?

> [ replying to myself ... ]
>
> Miroslav Zubcic <mvz@crol.net> writes:
>
> > But when I try to change a password or add a sambaAccount with
> > smbpasswd(8) or pdbedit(8) I get this:
> >
> > Feb 21 17:29:05 click.crol.net slapd[20149]:
> > daemon: conn=36 fd=25 connection from IP=192.168.0.17:44459 (IP=0.0.0.0:34049) accepted.
> >
> > Feb 21 17:29:05 click.crol.net slapd[20970]:
> > conn=36 op=0 BIND dn="" method=128
> >              ^^^^^^^^^^^^^
>
> Bug located more closely: My configuration was this:
>
>   ldap server = crol4.crol.net click.crol.net
>
> crol4 is the slave LDAP server, and click is the master. So the slave was first in the configuration line. smbpasswd(8) then gets an updateref from the slave to contact the master server for changes; it did that, but in the meantime "forgot" its bindDN and bound to the master as anonymous.
>
> BTW, two servers are in the "ldap server" line because things will work if the first one is down: the second will be contacted, like ldap_open(3) says. If I remove the slave server from smb.conf(5) everything is OK. But this is still a bug - probably in source/passdb/pdb_ldap.c ?
> --
> This signature intentionally left blank

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pdb_ldap.patch
Type: application/octet-stream
Size: 1647 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba/attachments/20020221/c497bf94/pdb_ldap.obj
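The attached patch was scrubbed by the archive, so here is an added example (my own toy model, not Samba's pdb_ldap.c and not Joshua's patch) of the client-side behaviour the two messages above describe: a write sent to the slave comes back as a referral to the master, and whether the new connection to the master is authenticated depends entirely on the client. In OpenLDAP's C API the hook for this is ldap_set_rebind_proc(3); the model below stands in for that callback so the exchange can be run offline. It also goes one step beyond the thread: the rebind callback only hands out credentials for hosts that were listed in the configuration, so a referral pointing somewhere unexpected cannot harvest the LDAP admin password. The hostnames and DNs are the ones from the thread; the password, the "ldap.attacker.example" host and the simplified server behaviour are assumptions made for the demonstration.

```python
from dataclasses import dataclass, field
from urllib.parse import urlparse

# LDAP result codes used by the model (values are the standard ones).
LDAP_SUCCESS = 0
LDAP_REFERRAL = 10
LDAP_INVALID_CREDENTIALS = 49
LDAP_INSUFFICIENT_ACCESS = 50

SMB_DN = "smbserver=click,ou=Samba,ou=Servers,dc=crol,dc=net"
TARGET_DN = "uid=novi,ou=People,ou=Accounts,dc=crol,dc=net"
PASSWORD = "constructed-secret"          # assumption: not a real credential


@dataclass
class Server:
    """Minimal slapd stand-in: a slave refers every write to its master."""
    host: str
    credentials: dict = field(default_factory=dict)   # DN -> password
    writers: set = field(default_factory=set)         # DNs allowed to modify
    master: "Server | None" = None                    # set on a slave (its updateref)
    log: list = field(default_factory=list)           # what slapd would log

    def authenticate(self, dn, password):
        if dn == "" and password == "":
            return True                               # anonymous bind always succeeds
        return self.credentials.get(dn) == password


class Connection:
    """One client connection; starts anonymous, like a fresh ldap_open()."""

    def __init__(self, server):
        self.server = server
        self.bound_dn = ""

    def bind(self, dn, password):
        self.server.log.append(f'BIND dn="{dn}"')
        ok = self.server.authenticate(dn, password)
        self.bound_dn = dn if ok else ""              # a failed bind leaves it anonymous
        return LDAP_SUCCESS if ok else LDAP_INVALID_CREDENTIALS

    def modify(self, target_dn):
        self.server.log.append(f'MOD dn="{target_dn}"')
        if self.server.master is not None:            # slave: hand back the updateref
            return LDAP_REFERRAL, f"ldap://{self.server.master.host}/{target_dn}"
        if self.bound_dn in self.server.writers:
            return LDAP_SUCCESS, None
        return LDAP_INSUFFICIENT_ACCESS, None         # the err=50 from the thread


def make_rebind_proc(bind_dn, password, allowed_hosts):
    """Rebind callback: supply credentials only for hosts the admin configured."""
    def rebind(host):
        if host not in allowed_hosts:
            return None                               # never leak the password to a surprise target
        return bind_dn, password
    return rebind


def modify_with_referrals(servers, first_host, bind_dn, password, target_dn,
                          rebind_proc=None, max_hops=3):
    """Bind once, then chase referrals; rebind_proc decides how each hop authenticates."""
    conn = Connection(servers[first_host])
    conn.bind(bind_dn, password)
    for _ in range(max_hops):
        rc, url = conn.modify(target_dn)
        if rc != LDAP_REFERRAL:
            return rc
        conn = Connection(servers[urlparse(url).hostname])
        creds = rebind_proc(conn.server.host) if rebind_proc else None
        if creds is None:
            conn.bind("", "")                         # library default: anonymous rebind
        else:
            conn.bind(*creds)
    return LDAP_REFERRAL                              # referral loop: give up


def build_lab(master_host="click.crol.net", slave_host="crol4.crol.net"):
    master = Server(master_host, credentials={SMB_DN: PASSWORD}, writers={SMB_DN})
    slave = Server(slave_host, credentials={SMB_DN: PASSWORD}, master=master)
    return {s.host: s for s in (master, slave)}


def run(rebind_proc, referral_target="click.crol.net"):
    """One password change started against the slave; returns (rc, referral target's log)."""
    servers = build_lab(master_host=referral_target)
    rc = modify_with_referrals(servers, "crol4.crol.net", SMB_DN, PASSWORD, TARGET_DN, rebind_proc)
    return rc, servers[referral_target].log


if __name__ == "__main__":
    configured = {"crol4.crol.net", "click.crol.net"}   # the smb.conf "ldap server" line
    print("no rebind proc:      ", run(None))
    print("authenticated rebind:", run(make_rebind_proc(SMB_DN, PASSWORD, configured)))
    print("unexpected referral: ", run(make_rebind_proc(SMB_DN, PASSWORD, configured),
                                       referral_target="ldap.attacker.example"))
```

The first run reproduces the master's log from the thread (BIND dn="" followed by a MOD that fails with 50); the second shows the bind DN carried across the referral and the modify succeeding; the third shows the callback refusing to authenticate to a host that was not in the configured list, so the write fails but the password never leaves the client.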