samba - Feb 2016 - Segmentation Fault when trying to set root samba password, IPA as a backend

Hi

This is samba-4.2.3-11.el7_2.x86_64 on CentOS...

I'm trying to setup a Samba NT4 domain, with FreeIPA as a backend...

Right now everything works.. except that I need a Domain Adminstrator...

smbpasswd -a root, segfaults... probably because the user doesn't exist in
FreeIPA

If I create the root user in FreeIPA, it instead gives:

[root at bart samba]# LANG=en smbpasswd -a root
No builtin backend found, trying to load plugin
Module 'ipasam' loaded
smbldap_open_connection: connection opened
ldap_connect_system: successful connection to the LDAP server
pdb_init_ipasam: support for pdb_enum_upn_suffixes enabled for domain bolls.lan
New SMB password:
Retype new SMB password:
init_sam_from_ldap: Entry found for user: root
ERROR: Got 0 entries for gid 0, expected at least one
ERROR: Got 0 entries for gid 0, expected at least one
Forcing Primary Group to 'Domain Users' for root
Failed to modify entry for user root.


I can't create a user with uid=0 or gid=0 in FreeIPA...

I have also tried changing the administrator user:

pdbedit -U S-1-5-21-3189138339-1730592290-4215248117-500 -u mj -r -d 7

but it also fails:

http://pastebin.com/8tpuD6Eg


Config:

[global]
        bind interfaces only = yes
        enable privileges = yes
        workgroup = BOLLS
        netbios name = BART
        realm = BOLLS.LAN
        kerberos method = dedicated keytab
        dedicated keytab file = FILE:/etc/samba/samba.keytab
        create krb5 conf = no
        security = user
        domain master = yes
        domain logons = yes
        log level = 3
        max log size = 100000
        log file = /var/log/samba/log.%m
        passdb backend = ipasam:ldaps://lisa.bolls.lan
        disable spoolss = yes
        ldapsam:trusted = yes
        ldap ssl = off
        ldap suffix = dc=bolls,dc=lan
        ldap user suffix = cn=users,cn=accounts
        ldap group suffix = cn=groups,cn=accounts
        ldap machine suffix = cn=computers,cn=accounts
        rpc_server:epmapper = external
        rpc_server:lsarpc = external
        rpc_server:lsass = external
        rpc_server:lsasd = external
        rpc_server:samr = external
        rpc_server:netlogon = external
        rpc_server:tcpip = yes
        rpc_daemon:epmd = fork
        rpc_daemon:lsasd = fork
        logon path = \\%L\Profiles\%U
        logon drive = H:
        logon home = \\%L\%U

[homes]
        comment = Home Directories
        valid users = %S
        read only = No
        browseable = No
[printers]
        comment = All Printers
        path = /var/spool/samba
        printer admin = root, mj
        create mask = 0600
        guest ok = Yes
        printable = Yes
        browseable = No
[print$]
        comment = Printer Drivers Share
        path = /var/lib/samba/drivers
        write list = mj, root
        printer admin = mj, root
[netlogon]
        comment = Network Logon Service
        path = /var/lib/samba/netlogon
        admin users = root, mj
        guest ok = Yes
        browseable = No
# For profiles to work, create a user directory under the path
# shown. i.e., mkdir -p /var/lib/samba/profiles/mj
        [Profiles]
        comment = Roaming Profile Share
        path = /var/lib/samba/profiles
        read only = No
        profile acls = Yes




----- Original meddelelse -----
Fra: "Rowland penny" <rpenny at samba.org>
Til: "samba" <samba at lists.samba.org>
Sendt: mandag, 29. februar 2016 10:14:09
Emne: Re: [Samba] Segmentation Fault when trying to set root samba password, IPA
as a backend

On 29/02/16 09:06, Martin Juhl wrote: 
> Hi guys 
> 
> 
> When trying to set root's password, I get a segmentation fault: 
> 
> [root at bart ~]# smbpasswd -a root 
> No builtin backend found, trying to load plugin 
> Module 'ipasam' loaded 
> smbldap_open_connection: connection opened 
> ldap_connect_system: successful connection to the LDAP server 
> pdb_init_ipasam: support for pdb_enum_upn_suffixes enabled for domain
bolls.lan
> New SMB password: 
> Retype new SMB password: 
> Segmentation fault 
> 
> What to do??? 
> 
> Regards 
> 
> Martin 
> 
Hi, what version of Samba is this ? 
Also, how have you set up Samba ? 

Rowland 


-- 
To unsubscribe from this list go to the following URL and read the 
instructions: https://lists.samba.org/mailman/options/samba

I think this will not work with samba 4  anymore.


EDV Daniel Müller

Leitung EDV
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen 
Tel.: 07071/206-463, Fax: 07071/206-499
eMail: mueller at tropenklinik.de
Internet: www.tropenklinik.de 




-----Ursprüngliche Nachricht-----
Von: Martin Juhl [mailto:mj at casalogic.dk] 
Gesendet: Montag, 29. Februar 2016 11:05
An: Rowland penny <rpenny at samba.org>
Cc: samba at lists.samba.org
Betreff: Re: [Samba] Segmentation Fault when trying to set root samba password,
IPA as a backend

Hi

This is samba-4.2.3-11.el7_2.x86_64 on CentOS...

I'm trying to setup a Samba NT4 domain, with FreeIPA as a backend...

Right now everything works.. except that I need a Domain Adminstrator...

smbpasswd -a root, segfaults... probably because the user doesn't exist in
FreeIPA

If I create the root user in FreeIPA, it instead gives:

[root at bart samba]# LANG=en smbpasswd -a root No builtin backend found, trying
to load plugin Module 'ipasam' loaded
smbldap_open_connection: connection opened
ldap_connect_system: successful connection to the LDAP server
pdb_init_ipasam: support for pdb_enum_upn_suffixes enabled for domain bolls.lan
New SMB password:
Retype new SMB password:
init_sam_from_ldap: Entry found for user: root
ERROR: Got 0 entries for gid 0, expected at least one
ERROR: Got 0 entries for gid 0, expected at least one Forcing Primary Group to
'Domain Users' for root Failed to modify entry for user root.


I can't create a user with uid=0 or gid=0 in FreeIPA...

I have also tried changing the administrator user:

pdbedit -U S-1-5-21-3189138339-1730592290-4215248117-500 -u mj -r -d 7

but it also fails:

http://pastebin.com/8tpuD6Eg


Config:

[global]
        bind interfaces only = yes
        enable privileges = yes
        workgroup = BOLLS
        netbios name = BART
        realm = BOLLS.LAN
        kerberos method = dedicated keytab
        dedicated keytab file = FILE:/etc/samba/samba.keytab
        create krb5 conf = no
        security = user
        domain master = yes
        domain logons = yes
        log level = 3
        max log size = 100000
        log file = /var/log/samba/log.%m
        passdb backend = ipasam:ldaps://lisa.bolls.lan
        disable spoolss = yes
        ldapsam:trusted = yes
        ldap ssl = off
        ldap suffix = dc=bolls,dc=lan
        ldap user suffix = cn=users,cn=accounts
        ldap group suffix = cn=groups,cn=accounts
        ldap machine suffix = cn=computers,cn=accounts
        rpc_server:epmapper = external
        rpc_server:lsarpc = external
        rpc_server:lsass = external
        rpc_server:lsasd = external
        rpc_server:samr = external
        rpc_server:netlogon = external
        rpc_server:tcpip = yes
        rpc_daemon:epmd = fork
        rpc_daemon:lsasd = fork
        logon path = \\%L\Profiles\%U
        logon drive = H:
        logon home = \\%L\%U

[homes]
        comment = Home Directories
        valid users = %S
        read only = No
        browseable = No
[printers]
        comment = All Printers
        path = /var/spool/samba
        printer admin = root, mj
        create mask = 0600
        guest ok = Yes
        printable = Yes
        browseable = No
[print$]
        comment = Printer Drivers Share
        path = /var/lib/samba/drivers
        write list = mj, root
        printer admin = mj, root
[netlogon]
        comment = Network Logon Service
        path = /var/lib/samba/netlogon
        admin users = root, mj
        guest ok = Yes
        browseable = No
# For profiles to work, create a user directory under the path # shown. i.e.,
mkdir -p /var/lib/samba/profiles/mj
        [Profiles]
        comment = Roaming Profile Share
        path = /var/lib/samba/profiles
        read only = No
        profile acls = Yes




----- Original meddelelse -----
Fra: "Rowland penny" <rpenny at samba.org>
Til: "samba" <samba at lists.samba.org>
Sendt: mandag, 29. februar 2016 10:14:09
Emne: Re: [Samba] Segmentation Fault when trying to set root samba password, IPA
as a backend

On 29/02/16 09:06, Martin Juhl wrote: 
> Hi guys
> 
> 
> When trying to set root's password, I get a segmentation fault: 
> 
> [root at bart ~]# smbpasswd -a root
> No builtin backend found, trying to load plugin Module 'ipasam'
loaded
> smbldap_open_connection: connection opened
> ldap_connect_system: successful connection to the LDAP server
> pdb_init_ipasam: support for pdb_enum_upn_suffixes enabled for domain 
> bolls.lan New SMB password:
> Retype new SMB password: 
> Segmentation fault
> 
> What to do??? 
> 
> Regards
> 
> Martin
> 
Hi, what version of Samba is this ? 
Also, how have you set up Samba ? 

Rowland 


-- 
To unsubscribe from this list go to the following URL and read the 
instructions: https://lists.samba.org/mailman/options/samba 


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

On 29/02/16 10:04, Martin Juhl wrote:
> Hi
>
> This is samba-4.2.3-11.el7_2.x86_64 on CentOS...
>
> I'm trying to setup a Samba NT4 domain, with FreeIPA as a backend...
>
> Right now everything works.. except that I need a Domain Adminstrator...
>
> smbpasswd -a root, segfaults... probably because the user doesn't exist
in FreeIPA
>
> If I create the root user in FreeIPA, it instead gives:
>
> [root at bart samba]# LANG=en smbpasswd -a root
> No builtin backend found, trying to load plugin
> Module 'ipasam' loaded
> smbldap_open_connection: connection opened
> ldap_connect_system: successful connection to the LDAP server
> pdb_init_ipasam: support for pdb_enum_upn_suffixes enabled for domain
bolls.lan
> New SMB password:
> Retype new SMB password:
> init_sam_from_ldap: Entry found for user: root
> ERROR: Got 0 entries for gid 0, expected at least one
> ERROR: Got 0 entries for gid 0, expected at least one
> Forcing Primary Group to 'Domain Users' for root
> Failed to modify entry for user root.
>
>
> I can't create a user with uid=0 or gid=0 in FreeIPA...
>
> I have also tried changing the administrator user:
>
> pdbedit -U S-1-5-21-3189138339-1730592290-4215248117-500 -u mj -r -d 7
>
> but it also fails:
>
> http://pastebin.com/8tpuD6Eg
>
>
> Config:
>
> [global]
>          bind interfaces only = yes
>          enable privileges = yes
>          workgroup = BOLLS
>          netbios name = BART
>          realm = BOLLS.LAN
>          kerberos method = dedicated keytab
>          dedicated keytab file = FILE:/etc/samba/samba.keytab
>          create krb5 conf = no
>          security = user
>          domain master = yes
>          domain logons = yes
>          log level = 3
>          max log size = 100000
>          log file = /var/log/samba/log.%m
>          passdb backend = ipasam:ldaps://lisa.bolls.lan
>          disable spoolss = yes
>          ldapsam:trusted = yes
>          ldap ssl = off
>          ldap suffix = dc=bolls,dc=lan
>          ldap user suffix = cn=users,cn=accounts
>          ldap group suffix = cn=groups,cn=accounts
>          ldap machine suffix = cn=computers,cn=accounts
>          rpc_server:epmapper = external
>          rpc_server:lsarpc = external
>          rpc_server:lsass = external
>          rpc_server:lsasd = external
>          rpc_server:samr = external
>          rpc_server:netlogon = external
>          rpc_server:tcpip = yes
>          rpc_daemon:epmd = fork
>          rpc_daemon:lsasd = fork
>          logon path = \\%L\Profiles\%U
>          logon drive = H:
>          logon home = \\%L\%U
>
> [homes]
>          comment = Home Directories
>          valid users = %S
>          read only = No
>          browseable = No
> [printers]
>          comment = All Printers
>          path = /var/spool/samba
>          printer admin = root, mj
>          create mask = 0600
>          guest ok = Yes
>          printable = Yes
>          browseable = No
> [print$]
>          comment = Printer Drivers Share
>          path = /var/lib/samba/drivers
>          write list = mj, root
>          printer admin = mj, root
> [netlogon]
>          comment = Network Logon Service
>          path = /var/lib/samba/netlogon
>          admin users = root, mj
>          guest ok = Yes
>          browseable = No
> # For profiles to work, create a user directory under the path
> # shown. i.e., mkdir -p /var/lib/samba/profiles/mj
>          [Profiles]
>          comment = Roaming Profile Share
>          path = /var/lib/samba/profiles
>          read only = No
>          profile acls = Yes
>
>
>
>
> ----- Original meddelelse -----
> Fra: "Rowland penny" <rpenny at samba.org>
> Til: "samba" <samba at lists.samba.org>
> Sendt: mandag, 29. februar 2016 10:14:09
> Emne: Re: [Samba] Segmentation Fault when trying to set root samba
password, IPA as a backend
>
> On 29/02/16 09:06, Martin Juhl wrote:
>> Hi guys
>>
>>
>> When trying to set root's password, I get a segmentation fault:
>>
>> [root at bart ~]# smbpasswd -a root
>> No builtin backend found, trying to load plugin
>> Module 'ipasam' loaded
>> smbldap_open_connection: connection opened
>> ldap_connect_system: successful connection to the LDAP server
>> pdb_init_ipasam: support for pdb_enum_upn_suffixes enabled for domain
bolls.lan
>> New SMB password:
>> Retype new SMB password:
>> Segmentation fault
>>
>> What to do???
>>
>> Regards
>>
>> Martin
>>
> Hi, what version of Samba is this ?
> Also, how have you set up Samba ?
>
> Rowland
>
>
First thing is, you shouldn't have a user called 'root' in your
domain,
use a usermap to map 'Administrator' to 'root'

Can you try and create a new user with smbpasswd ?

I think you may be hitting the same problem that I have, smbpasswd will 
create the user, but then segfaults when trying to add the password.

Rowland

Hi 

>> First thing is, you shouldn't have a user called 'root' in
your domain,
I know, was just saying that the error message changed when I added the user....
>> use a usermap to map 'Administrator' to 'root' 
I have now tried adding:

username map = /var/lib/samba/usermap.txt

to my [global]

and /var/lib/samba/usermap.txt:

mj = Adminstrator

>> Can you try and create a new user with smbpasswd ? 
[root at bart samba]# smbpasswd -a test
No builtin backend found, trying to load plugin
Module 'ipasam' loaded
smbldap_open_connection: connection opened
ldap_connect_system: successful connection to the LDAP server
pdb_init_ipasam: support for pdb_enum_upn_suffixes enabled for domain bolls.lan
New SMB password:
Retype new SMB password:
Could not find user test and no add script defined
Failed to add entry for user test.

>> I think you may be hitting the same problem that I have, smbpasswd will
>> create the user, but then segfaults when trying to add the password. 

/Martin

----- Original meddelelse -----
Fra: "Rowland penny" <rpenny at samba.org>
Til: "samba" <samba at lists.samba.org>
Sendt: mandag, 29. februar 2016 11:34:14
Emne: Re: [Samba] Segmentation Fault when trying to set root samba password, IPA
as a backend

On 29/02/16 10:04, Martin Juhl wrote: 
> Hi 
> 
> This is samba-4.2.3-11.el7_2.x86_64 on CentOS... 
> 
> I'm trying to setup a Samba NT4 domain, with FreeIPA as a backend... 
> 
> Right now everything works.. except that I need a Domain Adminstrator... 
> 
> smbpasswd -a root, segfaults... probably because the user doesn't exist
in FreeIPA
> 
> If I create the root user in FreeIPA, it instead gives: 
> 
> [root at bart samba]# LANG=en smbpasswd -a root 
> No builtin backend found, trying to load plugin 
> Module 'ipasam' loaded 
> smbldap_open_connection: connection opened 
> ldap_connect_system: successful connection to the LDAP server 
> pdb_init_ipasam: support for pdb_enum_upn_suffixes enabled for domain
bolls.lan
> New SMB password: 
> Retype new SMB password: 
> init_sam_from_ldap: Entry found for user: root 
> ERROR: Got 0 entries for gid 0, expected at least one 
> ERROR: Got 0 entries for gid 0, expected at least one 
> Forcing Primary Group to 'Domain Users' for root 
> Failed to modify entry for user root. 
> 
> 
> I can't create a user with uid=0 or gid=0 in FreeIPA... 
> 
> I have also tried changing the administrator user: 
> 
> pdbedit -U S-1-5-21-3189138339-1730592290-4215248117-500 -u mj -r -d 7 
> 
> but it also fails: 
> 
> http://pastebin.com/8tpuD6Eg 
> 
> 
> Config: 
> 
> [global] 
> bind interfaces only = yes 
> enable privileges = yes 
> workgroup = BOLLS 
> netbios name = BART 
> realm = BOLLS.LAN 
> kerberos method = dedicated keytab 
> dedicated keytab file = FILE:/etc/samba/samba.keytab 
> create krb5 conf = no 
> security = user 
> domain master = yes 
> domain logons = yes 
> log level = 3 
> max log size = 100000 
> log file = /var/log/samba/log.%m 
> passdb backend = ipasam:ldaps://lisa.bolls.lan 
> disable spoolss = yes 
> ldapsam:trusted = yes 
> ldap ssl = off 
> ldap suffix = dc=bolls,dc=lan 
> ldap user suffix = cn=users,cn=accounts 
> ldap group suffix = cn=groups,cn=accounts 
> ldap machine suffix = cn=computers,cn=accounts 
> rpc_server:epmapper = external 
> rpc_server:lsarpc = external 
> rpc_server:lsass = external 
> rpc_server:lsasd = external 
> rpc_server:samr = external 
> rpc_server:netlogon = external 
> rpc_server:tcpip = yes 
> rpc_daemon:epmd = fork 
> rpc_daemon:lsasd = fork 
> logon path = \\%L\Profiles\%U 
> logon drive = H: 
> logon home = \\%L\%U 
> 
> [homes] 
> comment = Home Directories 
> valid users = %S 
> read only = No 
> browseable = No 
> [printers] 
> comment = All Printers 
> path = /var/spool/samba 
> printer admin = root, mj 
> create mask = 0600 
> guest ok = Yes 
> printable = Yes 
> browseable = No 
> [print$] 
> comment = Printer Drivers Share 
> path = /var/lib/samba/drivers 
> write list = mj, root 
> printer admin = mj, root 
> [netlogon] 
> comment = Network Logon Service 
> path = /var/lib/samba/netlogon 
> admin users = root, mj 
> guest ok = Yes 
> browseable = No 
> # For profiles to work, create a user directory under the path 
> # shown. i.e., mkdir -p /var/lib/samba/profiles/mj 
> [Profiles] 
> comment = Roaming Profile Share 
> path = /var/lib/samba/profiles 
> read only = No 
> profile acls = Yes 
> 
> 
> 
> 
> ----- Original meddelelse ----- 
> Fra: "Rowland penny" <rpenny at samba.org> 
> Til: "samba" <samba at lists.samba.org> 
> Sendt: mandag, 29. februar 2016 10:14:09 
> Emne: Re: [Samba] Segmentation Fault when trying to set root samba
password, IPA as a backend
> 
> On 29/02/16 09:06, Martin Juhl wrote: 
>> Hi guys 
>> 
>> 
>> When trying to set root's password, I get a segmentation fault: 
>> 
>> [root at bart ~]# smbpasswd -a root 
>> No builtin backend found, trying to load plugin 
>> Module 'ipasam' loaded 
>> smbldap_open_connection: connection opened 
>> ldap_connect_system: successful connection to the LDAP server 
>> pdb_init_ipasam: support for pdb_enum_upn_suffixes enabled for domain
bolls.lan
>> New SMB password: 
>> Retype new SMB password: 
>> Segmentation fault 
>> 
>> What to do??? 
>> 
>> Regards 
>> 
>> Martin 
>> 
> Hi, what version of Samba is this ? 
> Also, how have you set up Samba ? 
> 
> Rowland 
> 
> 
First thing is, you shouldn't have a user called 'root' in your
domain,
use a usermap to map 'Administrator' to 'root' 

Can you try and create a new user with smbpasswd ? 

I think you may be hitting the same problem that I have, smbpasswd will 
create the user, but then segfaults when trying to add the password. 

Rowland 

-- 
To unsubscribe from this list go to the following URL and read the 
instructions: https://lists.samba.org/mailman/options/samba