Mgr. Peter Tuharsky
2015-Oct-27 15:38 UTC
[Samba] [PATCH] Re: Samba 4.1.17 classic update w/LDAP - parsing error
I have tested the patch against 4.3.1 compiled from sources but it does
not seem to work. Either I did something wrong while compiling, or the
patch doesn't fix the problem.

ERROR(<type 'exceptions.ValueError'>): uncaught exception - unable to parse dn string
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/domain.py", line 1460, in run
    useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/upgrade.py", line 771, in upgrade_from_samba3
    add_group_from_mapping_entry(result.samdb, g, logger)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/upgrade.py", line 275, in add_group_from_mapping_entry
    m.dn = ldb.Dn(samdb, "CN=%s,CN=Users,%s" % (groupmap.nt_name, samdb.get_default_basedn()))

On 08.10.2015 at 08:47, Mgr. Peter Tuharsky wrote:
> Well, since I have no answer from Debian in order of patch, I'm trying
> to do the import using group names with no special character at all.
>
> Strange thing - it doesn't work.
> I have also removed all diacritics from displayname attributes for all
> groups - doesn't help either.
>
> So I'm not sure, what the problem really is.
>
> On 24.09.2015 at 13:52, Mgr. Peter Tuharsky wrote:
>> As of 4, I have tested import of renamed domain and the classicupdate is
>> still parsing badly. So the netbios name seems not to be an issue for now.
>>
>> On 24.09.2015 at 10:45, Mgr. Peter Tuharsky wrote:
>>> Hi all,
>>>
>>> Thank you for your answers and the help.
>>>
>>> 1, I have never applied a patch to Samba in Debian. Please, is there any
>>> howto or documentation?
>>> 2, If the patch worked for the import, would it be possible to revert to
>>> a distributional (unpatched) Samba afterwards?
>>> 3, We don't use any of the mentioned symbols in group names, just . and -
>>> 4, Unfortunately, we have a . in the NT4 (netbios) domain name. We
>>> already have issues with that, but only in Windows 8. Could this be the
>>> reason of the import error? I doubt that though because other import
>>> steps finished flawlessly, including netbios name registration during
>>> import process.
>>> 5, (Might be OT, depending on previous answer): If needed in order to
>>> resolve the problem, is it possible to simply and without consequences
>>> change the domain (netbios) name in LDAP, providing that SID would
>>> remain untouched and change in smb.conf would reflect the new name? Or
>>> the Windows clients use both the netbios name and SID in order to access
>>> their domain and they would drop off domain?
>>>
>>> Peter
>>>
>>> On 24.09.2015 at 09:57, Andrew Bartlett wrote:
>>>> On Thu, 2015-09-24 at 09:12 +0200, Michael Wood wrote:
>>>>> Hi
>>>>> On 23 Sep 2015 9:47 PM, "Andrew Bartlett" <abartlet at samba.org> wrote:
>>>>>> On Thu, 2015-09-24 at 06:59 +1200, Andrew Bartlett wrote:
>>>>>>> That looks like a bug. My guess is that, as Roland suggested, the
>>>>>>> group name isn't just normal characters. We do support other chars
>>>>>>> in group names, but the bug here was not to escape the values. You
>>>>>>> could expect a particular problem with any of these in particular: =,()
>>>>>> Can you confirm this patch (against master, but should apply back to
>>>>>> 4.1) works for you?
>>>>>>
>>>>>> If so, can I get a second team member to review/push?
>>>>> Does that still result in them being in CN=Users? Or is that not
>>>>> important?
>>>> Indeed, that is what I get for writing patches at 7 in the morning :-)
>>>>
>>>> Try the attached. We really, really need some good expected-value
>>>> testing of the upgrade system.
>>>>
>>>> Thanks,
>>>>
>>>> Andrew Bartlett
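Added example, not part of the original messages and not Samba's code: the failing line in the traceback above formats the raw group name straight into a DN string, and the quoted diagnosis is that the value was not escaped. The Python sketch below escapes an RDN value per RFC 4514 and runs a small hypothetical splitter (`split_rdns`) over constructed names, showing the unescaped form either failing to parse or gaining an extra component; `BASE_DN`, the function names and the sample group names are assumptions.

```python
# Added example (not Samba code): why formatting a raw name into a DN fails,
# and how RFC 4514 escaping of the attribute value keeps the DN well-formed.
BASE_DN = "DC=example,DC=com"   # constructed sample base DN

def escape_rdn_value(value):
    """Escape a string for use as one attribute value inside a DN (RFC 4514)."""
    out = []
    for i, ch in enumerate(value):
        if ch in '"+,;<>\\=':                      # '=' is optional to escape, but valid
            out.append("\\" + ch)
        elif ch == "\0":
            out.append("\\00")
        elif (ch == "#" and i == 0) or (ch == " " and i in (0, len(value) - 1)):
            out.append("\\" + ch)                  # leading '#', leading/trailing space
        else:
            out.append(ch)
    return "".join(out)

def split_rdns(dn):
    """Split a DN on unescaped commas; reject a component with no unescaped '='."""
    parts, cur, has_eq, i = [], "", False, 0
    while i <= len(dn):
        ch = dn[i] if i < len(dn) else ","         # sentinel comma flushes the last RDN
        if ch == "\\" and i + 1 < len(dn):         # keep an escaped pair together
            cur += dn[i:i + 2]
            i += 2
            continue
        if ch == ",":
            if not has_eq:
                raise ValueError("unable to parse dn string: %r" % cur)
            parts.append(cur)
            cur, has_eq = "", False
        else:
            has_eq = has_eq or ch == "="
            cur += ch
        i += 1
    return parts

def group_dn_unescaped(nt_name, base_dn=BASE_DN):
    # The pattern from the traceback: the raw name is formatted straight in.
    return "CN=%s,CN=Users,%s" % (nt_name, base_dn)

def group_dn_escaped(nt_name, base_dn=BASE_DN):
    # Same layout, but the name is escaped before it becomes part of the DN.
    return "CN=%s,CN=Users,%s" % (escape_rdn_value(nt_name), base_dn)
```

A name such as `Sales, EMEA` makes the unescaped DN unparsable, while `Staff,OU=Lab` parses but silently yields five components instead of four; the escaped form gives four components in both cases.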
Mgr. Peter Tuharsky
2015-Oct-28 13:35 UTC
[Samba] [PATCH] Re: Samba 4.1.17 classic update w/LDAP - parsing error
Hello,

I have two pieces of news. The first one: the patch probably works. Second: there
is another bug.

When I encountered the bug again after patching, I have raised debug
level and figured out that the problem is with user "guest" - he was in
our old domain, however samba-tool probably creates him automatically
and then couldn't import him.

So, please fix the tool so that it ignores such user, or update the DOCS
so that forbidden users are known for admin before attempting the
classicupdate.

The import FINALLY works with patched 4.3.1. But when I tested again
with 4.1.17, it ends up with the bug. So the patch seems to be working for its
purpose, but there is the bug with guest user and that needs to get
fixed.

On 27.10.2015 at 16:38, Mgr. Peter Tuharsky wrote:
> I have tested the patch against 4.3.1 compiled from sources but it does
> not seem to work. Either I did something wrong while compiling, or the
> patch doesn't fix the problem.
>
> ERROR(<type 'exceptions.ValueError'>): uncaught exception - unable to parse dn string
>   File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/domain.py", line 1460, in run
>     useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs)
>   File "/usr/local/samba/lib/python2.7/site-packages/samba/upgrade.py", line 771, in upgrade_from_samba3
>     add_group_from_mapping_entry(result.samdb, g, logger)
>   File "/usr/local/samba/lib/python2.7/site-packages/samba/upgrade.py", line 275, in add_group_from_mapping_entry
>     m.dn = ldb.Dn(samdb, "CN=%s,CN=Users,%s" % (groupmap.nt_name, samdb.get_default_basedn()))
>
> On 08.10.2015 at 08:47, Mgr. Peter Tuharsky wrote:
>> Well, since I have no answer from Debian in order of patch, I'm trying
>> to do the import using group names with no special character at all.
>>
>> Strange thing - it doesn't work.
>> I have also removed all diacritics from displayname attributes for all
>> groups - doesn't help either.
>>
>> So I'm not sure, what the problem really is.
>>
>> On 24.09.2015 at 13:52, Mgr. Peter Tuharsky wrote:
>>> As of 4, I have tested import of renamed domain and the classicupdate is
>>> still parsing badly. So the netbios name seems not to be an issue for now.
>>>
>>> On 24.09.2015 at 10:45, Mgr. Peter Tuharsky wrote:
>>>> Hi all,
>>>>
>>>> Thank you for your answers and the help.
>>>>
>>>> 1, I have never applied a patch to Samba in Debian. Please, is there any
>>>> howto or documentation?
>>>> 2, If the patch worked for the import, would it be possible to revert to
>>>> a distributional (unpatched) Samba afterwards?
>>>> 3, We don't use any of the mentioned symbols in group names, just . and -
>>>> 4, Unfortunately, we have a . in the NT4 (netbios) domain name. We
>>>> already have issues with that, but only in Windows 8. Could this be the
>>>> reason of the import error? I doubt that though because other import
>>>> steps finished flawlessly, including netbios name registration during
>>>> import process.
>>>> 5, (Might be OT, depending on previous answer): If needed in order to
>>>> resolve the problem, is it possible to simply and without consequences
>>>> change the domain (netbios) name in LDAP, providing that SID would
>>>> remain untouched and change in smb.conf would reflect the new name? Or
>>>> the Windows clients use both the netbios name and SID in order to access
>>>> their domain and they would drop off domain?
>>>>
>>>> Peter
>>>>
>>>> On 24.09.2015 at 09:57, Andrew Bartlett wrote:
>>>>> On Thu, 2015-09-24 at 09:12 +0200, Michael Wood wrote:
>>>>>> Hi
>>>>>> On 23 Sep 2015 9:47 PM, "Andrew Bartlett" <abartlet at samba.org> wrote:
>>>>>>> On Thu, 2015-09-24 at 06:59 +1200, Andrew Bartlett wrote:
>>>>>>>> That looks like a bug. My guess is that, as Roland suggested, the
>>>>>>>> group name isn't just normal characters. We do support other chars
>>>>>>>> in group names, but the bug here was not to escape the values. You
>>>>>>>> could expect a particular problem with any of these in particular: =,()
>>>>>>> Can you confirm this patch (against master, but should apply back to
>>>>>>> 4.1) works for you?
>>>>>>>
>>>>>>> If so, can I get a second team member to review/push?
>>>>>> Does that still result in them being in CN=Users? Or is that not
>>>>>> important?
>>>>> Indeed, that is what I get for writing patches at 7 in the morning :-)
>>>>>
>>>>> Try the attached. We really, really need some good expected-value
>>>>> testing of the upgrade system.
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Andrew Bartlett
Andrew Bartlett
2015-Oct-31 08:51 UTC
[Samba] [PATCH] Re: Samba 4.1.17 classic update w/LDAP - parsing error
On Wed, 2015-10-28 at 14:35 +0100, Mgr. Peter Tuharsky wrote:
> Hello,
>
> I have two pieces of news. The first one: the patch probably works. Second: there
> is another bug.
>
> When I encountered the bug again after patching, I have raised debug
> level and figured out that the problem is with user "guest" - he was in
> our old domain, however samba-tool probably creates him automatically
> and then couldn't import him.
>
> So, please fix the tool so that it ignores such user, or update the DOCS
> so that forbidden users are known for admin before attempting the
> classicupdate.
>
> The import FINALLY works with patched 4.3.1. But when I tested again
> with 4.1.17, it ends up with the bug. So the patch seems to be working for its
> purpose, but there is the bug with guest user and that needs to get
> fixed.

You are welcome to apply for an account to change the wiki page:

https://wiki.samba.org/index.php/Samba4/samba-tool/domain/classicupgrade/HOWTO#Preparations

Thanks!

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba