Hi,

I just thought I'd post some notes here after a long bug search.

Keywords: failed to perform search; Unexpected EOF using Domain Admins to add machines

The problem was that I got this in the Samba log:

    _samr_create_user: Running the command `/usr/sbin/smbldap-useradd -w "machine$"' gave 127

Part of the problem was that this isn't a lot to go on, and the command worked if I ran it from the command line. To get around that, I wrote a wrapper script that logged the output from the command [1].

The script, combined with some extra debugging output placed in the smbldap-tools code, showed that smbldap-tools expected the user to be root, and if not, it would not read the file smbldap_bind.conf. Here's part of the code:

    if ($< == 0) {
        ( read the file )
    } else {
        $conf{slaveDN}=$conf{slavePw}=$conf{masterDN}=$conf{masterPw}="";
    }

Thus, no bind attributes are set. smbldap-tools does not see this as something that should be noted somehow. The reason in my case was that someone had added an administrator user to the local users on the box with uid 999.

I have included a patch [2] that should at least give some more warnings when this happens.

IMHO smbldap-tools should not need to run as root - but that is another issue.

I hope this post may help someone some time.

kind regards,
Tarjei

1. The wrapper script I used to get extra logging from smbldap-useradd:

    #!/usr/bin/perl -w
    use strict;

    my $log = "/tmp/smb.log";
    my $cmd = "/usr/sbin/smbldap-useradd";

    open(LOG, '>>', $log) or die("Cannot open $log: $!");
    # Send STDERR (ours and the child's) to the same log file.
    open(STDERR, '>>', $log) or die("Cannot redirect STDERR: $!");

    print LOG `date`;
    print LOG "Command: " . $cmd . " " . join(" ", @ARGV) . "\n";

    # List-form pipe open: arguments such as "machine$" reach the
    # command unchanged instead of being re-parsed by a shell.
    open(my $out, '-|', $cmd, @ARGV) or die("Cannot run $cmd: $!");
    my $ret = do { local $/; <$out> };
    close($out);
    # Save the exit code now; the whoami call below overwrites $?.
    my $status = $? >> 8;
    print LOG "Return: \n" . (defined $ret ? $ret : "") . "\n";

    my $who = `whoami`;
    print LOG "Whoami: $who\n";

    close(LOG);
    close(STDERR);
    exit($status);

2. This patch adds better warnings to smbldap-tools:

--- smbldap_tools.pm.orig 2007-01-27 15:50:05.000000000 +0100 +++ smbldap_tools.pm 2007-01-27 15:54:21.000000000 +0100
@@ -170,6 +170,7 @@ close (CONFIGFILE); } else { $conf{slaveDN}=$conf{slavePw}=$conf{masterDN}=$conf{masterPw}=""; + warn ("Could not open smbLdap_bind_conf file as user with uid $< is not root. Bind details not set\n"); } # automatically find SID if (not $conf{SID}) { @@ -278,6 +279,7 @@ sub connect_ldap_master { + my $mesg; # bind to a directory with dn and password my $ldap_master = Net::LDAP->new( "$config{masterLDAP}", @@ -288,16 +290,22 @@ ) or die "erreur LDAP: Can't contact master ldap server ($@)"; if ($config{ldapTLS} == 1) { - $ldap_master->start_tls( + $mesg = $ldap_master->start_tls( verify => "$config{verify}", clientcert => "$config{clientcert}", clientkey => "$config{clientkey}", cafile => "$config{cafile}" ); + if ($mesg->code) { + warn("Could not start_tls: " . $mesg->error); + } } - $ldap_master->bind ( "$config{masterDN}", + $mesg = $ldap_master->bind ( "$config{masterDN}", password => "$config{masterPw}" ); + if ($mesg->code) { + die ("Could not bind (login) to master ldapserver. Error: " . $mesg->error); + } $ldap=$ldap_master; return($ldap_master); }
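
Review bot: In the first hunk (@@ -170,6 +170,7 @@), the new warn in the else branch says "Could not open smbLdap_bind_conf file", but on this path the file is never opened: it is skipped because $< is not 0. The name in the message also does not match smbldap_bind.conf, so anyone searching for the file by that name will not find it. Suggest wording that states the actual condition, for example: warn("Skipping smbldap_bind.conf: real uid $< is not 0, bind DN and password left empty\n");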
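
Review bot: In the last hunk (@@ -288,16 +290,22 @@), a failed start_tls inside the if ($config{ldapTLS} == 1) block only produces a warn, and the code then goes on to call bind with masterDN and masterPw. When TLS was requested and could not be started, the bind password is sent over a connection that is not encrypted. Suggest treating the start_tls failure the same way as the bind failure below it: die("Could not start_tls: " . $mesg->error); so that the bind is never attempted without TLS when ldapTLS is set.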
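
A triage helper for the failure described in this post, as an added example that is not part of the original post or of smbldap-tools: it pulls failing script invocations out of a Samba log and reports whether a given local account would hit the empty-bind path of the quoted `$< == 0` check. The function names, the passwd-format input file and the second log line are assumptions constructed for illustration; the account name and uid 999 are the ones from the post.

```shell
#!/bin/sh
# Added example: function names and sample data are constructed.

# failed_script_runs LOGFILE
# Print "<exit code> <command>" for each Samba log line of the form
#   Running the command `<command>' gave <exit code>
# where the exit code is non-zero.
failed_script_runs() {
    sed -n "s/.*Running the command \`\(.*\)' gave \([0-9][0-9]*\).*/\2 \1/p" "$1" |
        awk '$1 != 0'
}

# local_uid PASSWD_FILE ACCOUNT
# Print the uid of ACCOUNT from a passwd-format file; status 1 if absent.
local_uid() {
    awk -F: -v n="$2" '$1 == n { print $3; found = 1; exit }
                       END { exit !found }' "$1"
}

# bind_conf_verdict PASSWD_FILE ACCOUNT
# The check quoted in the post ($< == 0) reads smbldap_bind.conf only for
# real uid 0; any other uid leaves the bind DN and password empty.
bind_conf_verdict() {
    uid=$(local_uid "$1" "$2") || { echo "unknown"; return 2; }
    if [ "$uid" -eq 0 ]; then
        echo "reads-bind-conf"
    else
        echo "empty-bind uid=$uid"
        return 1
    fi
}

# Constructed sample input: the log line from the post plus a successful run,
# and a passwd file with the local uid-999 administrator account.
tmp=$(mktemp -d)
cat > "$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
administrator:x:999:999::/home/administrator:/bin/sh
EOF
cat > "$tmp/log.smbd" <<'EOF'
_samr_create_user: Running the command `/usr/sbin/smbldap-useradd -w "machine$"' gave 127
_samr_create_user: Running the command `/usr/sbin/smbldap-useradd -w "machine$"' gave 0
EOF

failed_script_runs "$tmp/log.smbd"
bind_conf_verdict "$tmp/passwd" administrator || true
```

Feeding it the output of `getent passwd` instead of a copy of /etc/passwd also covers accounts that come from other NSS sources.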