Tony Fugere
2004-Sep-24 05:35 UTC
[Samba] Re: Samba 3.0.3 on FC2: windows machine cannot join domain
After further review, I don't believe this is the proper approach to the problem. It seems to me that the %u is being used ambiguously. The logic of how the published API of the variables and the call to the smbldap-useradd program makes it important for the documenters to understand what the tools are doing... not what is happening in samba. We can see what is happening with the tools by looking at lines 84 to 92 of smbldap-useradd: # Read only first @ARGV my $userName = $ARGV[0]; # For computers account, add a trailing dollar if missing if (defined($Options{'w'})) { if ($userName =~ /[^\$]$/s) { $userName .= "\$"; } } My understanding is that if I am logged into an XP machine named "INFERIOROS" and want to join the Domain "SAMBADOMAIN", When the request is placed by INFERIOROS, the machine running samba for SAMBADOMAIN tries to look up INFERIOROS. It sees that there is no machine in the (LDAP in this case) database. So, it turns to the smb.conf file to see what it should do to add the machine and sees: add machine script = /usr/local/sbin/smbldap-useradd -w "%m" After processing through the lines mentioned above of smbldap-useradd you would end up with $userName == INFERIOROS$ In line 218 where the subroutine add_posix_machine from smbldap_tools.pm is called the $userName gets passed into line 373 of that perl module which reads: my $add = $ldap->add ( "uid=$user,$config{computersdn}..... Don't we want the $user passed in to be the machine name in this case since it is a machine we are adding and not a user? This userName gets passed into subsequent functions and I eventually end up with a well-formed machine in LDAP called INFERIOROS$ with the four objectClasses: top, inetOrgPerson, posixAccount, and sambaSAMAccount all filled with their respective attributes. On the other hand, when I have the smb.conf using: add machine script = /usr/local/sbin/smbldap-useradd -w "%u" I end up with an incomplete machine record uid=INFERIOROS$ in LDAP that only holds the objectClasses: top, inetOrgPerson, and posixAccount (I assume this is from the module handling automatic account creation that you mentioned) BUT ALSO, I end up with an incomplete machine record uid=root$ (my admin user to join the domain) with the same three objectClasses and their attributes. (This is coming from the smbldap-useradd tool) The sambaSAMAccount objectClass is never created for the INFERIOROS$ record and I get the error "Cannot join domain, the user name could not be found" (approximately). Obviously, this is not the desired result. Without investigation into the rpc_src and sam modules and having the log level configured to report their errors, it is obvious that something is wrong here. I understand that you, as well as many others, have not had trouble with %u, but the fact remains that the %u is ambiguous. The %m makes much more sense for machine name; especially since it is used elsewhere in the smb.conf. Should the ambiguity of %u be plucked through in the samba code so that %m is used for machines instead of this substitution? I will still investigate it tomorrow to deliver the results of debugging the modules in contest to compare and contrast the differences in our systems. The default shell for the tools in the smbldap.conf is /bin/bash, luckily we've changed ours to /bin/false because none of our users (except a few) need shell access. Is it also a possible security problem to have this root$ machine that has no password? I will investigate that as well to see the implications of a machine with no password and /bin/bash shell access. Tony Fugere ------------------- Tony Fugere wrote: I'm pretty sure that we have our problems solved by using %m, but I will triple check and post results in a few hours. I don't really want to mislead anyone into having a six month struggle as I have had with this. Tony ------------------- John H Terpstra wrote: Tony, I do not have any proof to contradict your information, however, the source code suggests that this advice is perhaps suspect. The particular module that handles automatic account creation is in ~samba/source/rpc_server/srv_samr_nt.c and specifically at line 2253. Here is the very line that does the parameter substitution: all_string_sub(add_script, "%u", account, sizeof(add_script)); As you can see, it is the "%u" parameter that is being substituted. Maybe I am reading this incorrectly? However, I have performed many hundreds of installations and have always used the "%u" parameter - and it has worked. Given this background I respectfully suggest that we should understand precisely what is happening in your situation by examining the samba logs for the use of this function give both the "%u" and again with the "%m" parameters. You can turn up the debug level on just this module by setting in smb.conf [globals]: log level = 0 rpc_srv:5 sam:5 log file = /var/log/samba/%m.log max log size = 0 Please would test this and report the findings. If our documentation is in error I want to fix it immediately. Thanks so much for your input. Cheers, John T.
John H Terpstra
2004-Sep-24 05:41 UTC
[Samba] Re: Samba 3.0.3 on FC2: windows machine cannot join domain
Tony, I look forward to your findings in detail. Thanks. - John T. On Thursday 23 September 2004 23:35, Tony Fugere wrote:> After further review, I don't believe this is the proper approach to the > problem. It seems to me that the %u is being used ambiguously. The logic > of how the published API of the variables and the call to the > smbldap-useradd program makes it important for the documenters to > understand what the tools are doing... not what is happening in samba. > We can see what is happening with the tools by looking at lines 84 to 92 > of smbldap-useradd: > > # Read only first @ARGV > my $userName = $ARGV[0]; > > # For computers account, add a trailing dollar if missing > if (defined($Options{'w'})) { > if ($userName =~ /[^\$]$/s) { > $userName .= "\$"; > } > } > > My understanding is that if I am logged into an XP machine named > "INFERIOROS" and want to join the Domain "SAMBADOMAIN", When the request > is placed by INFERIOROS, the machine running samba for SAMBADOMAIN tries > to look up INFERIOROS. It sees that there is no machine in the (LDAP in > this case) database. So, it turns to the smb.conf file to see what it > should do to add the machine and sees: > > add machine script = /usr/local/sbin/smbldap-useradd -w "%m" > > After processing through the lines mentioned above of smbldap-useradd > you would end up with $userName == INFERIOROS$ > > In line 218 where the subroutine add_posix_machine from smbldap_tools.pm > is called the $userName gets passed into line 373 of that perl module > which reads: > > my $add = $ldap->add ( "uid=$user,$config{computersdn}..... > > Don't we want the $user passed in to be the machine name in this case > since it is a machine we are adding and not a user? > > This userName gets passed into subsequent functions and I eventually end > up with a well-formed machine in LDAP called INFERIOROS$ with the four > objectClasses: top, inetOrgPerson, posixAccount, and sambaSAMAccount all > filled with their respective attributes. On the other hand, when I have > the smb.conf using: > > add machine script = /usr/local/sbin/smbldap-useradd -w "%u" > > I end up with an incomplete machine record uid=INFERIOROS$ in LDAP that > only holds the objectClasses: top, inetOrgPerson, and posixAccount (I > assume this is from the module handling automatic account creation that > you mentioned) > > BUT ALSO, > > I end up with an incomplete machine record uid=root$ (my admin user to > join the domain) with the same three objectClasses and their attributes. > (This is coming from the smbldap-useradd tool) > > The sambaSAMAccount objectClass is never created for the INFERIOROS$ > record and I get the error "Cannot join domain, the user name could not > be found" (approximately). > > Obviously, this is not the desired result. > > Without investigation into the rpc_src and sam modules and having the > log level configured to report their errors, it is obvious that > something is wrong here. I understand that you, as well as many others, > have not had trouble with %u, but the fact remains that the %u is > ambiguous. The %m makes much more sense for machine name; especially > since it is used elsewhere in the smb.conf. Should the ambiguity of %u > be plucked through in the samba code so that %m is used for machines > instead of this substitution? I will still investigate it tomorrow to > deliver the results of debugging the modules in contest to compare and > contrast the differences in our systems. > > The default shell for the tools in the smbldap.conf is /bin/bash, > luckily we've changed ours to /bin/false because none of our users > (except a few) need shell access. Is it also a possible security problem > to have this root$ machine that has no password? I will investigate that > as well to see the implications of a machine with no password and > /bin/bash shell access. > > Tony Fugere > > ------------------- > > Tony Fugere wrote: > > I'm pretty sure that we have our problems solved by using %m, but I will > triple check and post results in a few hours. I don't really want to > mislead anyone into having a six month struggle as I have had with this. > > Tony > > ------------------- > > John H Terpstra wrote: > > Tony, > > I do not have any proof to contradict your information, however, the source > code suggests that this advice is perhaps suspect. > > The particular module that handles automatic account creation is in > ~samba/source/rpc_server/srv_samr_nt.c and specifically at line 2253. > Here is the very line that does the parameter substitution: > > all_string_sub(add_script, "%u", account, sizeof(add_script)); > > As you can see, it is the "%u" parameter that is being substituted. Maybe I > am reading this incorrectly? However, I have performed many hundreds of > installations and have always used the "%u" parameter - and it has worked. > > Given this background I respectfully suggest that we should understand > precisely what is happening in your situation by examining the samba logs > for the use of this function give both the "%u" and again with the "%m" > parameters. You can turn up the debug level on just this module by setting > in smb.conf [globals]: > log level = 0 rpc_srv:5 sam:5 > log file = /var/log/samba/%m.log > max log size = 0 > > Please would test this and report the findings. If our documentation is in > error I want to fix it immediately. > > Thanks so much for your input. > > Cheers, > John T.-- John H Terpstra Samba-Team Member Phone: +1 (650) 580-8668 Author: The Official Samba-3 HOWTO & Reference Guide, ISBN: 0131453556 Samba-3 by Example, ISBN: 0131472216 Hardening Linux, ISBN: 0072254971 OpenLDAP by Example, ISBN: 0131488732 Other books in production.