Rowland penny
2016-Mar-06 17:40 UTC
[Samba] Segmentation Fault when trying to set root samba password, IPA as a backend
On 06/03/16 17:28, Harry Jede wrote:
> On 18:11:20 wrote Rowland penny:
>> On 06/03/16 16:22, Harry Jede wrote:
>>> On 17:13:33 wrote Martin Juhl:
>>>> Hi guys
>>>>
>>>>
>>>> When trying to set root's password, I get a segmentation fault:
>>>>
>>>> [root at bart ~]# smbpasswd -a root
>>>> No builtin backend found, trying to load plugin
>>>> Module 'ipasam' loaded
>>>> smbldap_open_connection: connection opened
>>>> ldap_connect_system: successful connection to the LDAP server
>>>> pdb_init_ipasam: support for pdb_enum_upn_suffixes enabled for
>>>> domain bolls.lan New SMB password:
>>>> Retype new SMB password:
>>>> Segmentation fault
>>>>
>>>> What to do???
>>> Have you ever seen that this is working? Could you give us a link
>>> to some docs which recommend this call with freeipa.
>> The problem was with smbpasswd, this has been fixed in master,
>> unfortunately, whilst the user now gets created in ldap with a
>> password, the command still ends with a segfault.
> I have just started an old vm with samba 3.6.6 as pdc and openldap as
> backend. smbpasswd -a someuser does not work, if someuser does not
> exist.

Are you using smbldap-tools or ldapsam:editposix ?

>
> if I create a posix user with useradd in /etc/passwd and then try to add
> this user with smbpasswd -a to openldap i get the same error.
>
> so my 2 cents on this thread:
> passwd -a someuser
> has never worked with a ldap backend.

Well, it is working for me, just because it never worked for you, doesn't mean it shouldn't.

>
> And as Volker said:
> "and I am out of the openldap config business long enough that I don't
> get this set up quickly."

That doesn't mean he is saying it shouldn't work.

> I believe he has just forgotten how smbpasswd works. So currently Volker
> is trying to fix something which does not need any fix. In fact he adds
> new functionality to smbpasswd.
> But does this make really any sense?

Let's put it this way, Volker probably knows more about Samba than you and me combined and if he thought he was wasting his time, I am sure he would have said something.

Rowland

>
>
>> Rowland
>>
>>>> Regards
>>>>
>>>> Martin
>
Harry Jede
2016-Mar-06 19:07 UTC
[Samba] Segmentation Fault when trying to set root samba password, IPA as a backend
On 19:47:03 wrote Rowland penny:
> > I have just started an old vm with samba 3.6.6 as pdc and openldap
> > as backend. smbpasswd -a someuser does not work, if someuser does
> > not exist.
>
> Are you using smbldap-tools or ldapsam:editposix ?

In this vm ldapsam:editposix.

OK. I have just created a posix-only user in openldap. And then tried
smbpasswd -a test01. Surprisingly, it works.

Here the relevant information, openldap logs with loglevel filter (256):

*before adding the samba user* :
# ldapsearch -xLLL -D cn=admin,dc=europa,dc=xx -W -b dc=europa,dc=xx -s sub "(&(objectClass=sambaDomain) (sambaDomainName=europa))" sambaDomainName sambaNextRid sambaNextUserRid sambaNextGroupRid sambaSID sambaAlgorithmicRidBase objectClass
dn: sambaDomainName=EUROPA,dc=europa,dc=xx
objectClass: top
objectClass: sambaDomain
objectClass: sambaUnixIdPool
sambaDomainName: EUROPA
sambaSID: S-1-5-21-3958726613-3318811842-4132420312
sambaAlgorithmicRidBase: 1000
sambaNextUserRid: 2000
sambaNextGroupRid: 100000
sambaNextRid: 100018

*after adding the samba user* :
# ldapsearch -xLLL -D cn=admin,dc=europa,dc=xx -W -b dc=europa,dc=xx -s sub "(&(objectClass=sambaDomain) (sambaDomainName=europa))" sambaDomainName sambaNextRid sambaNextUserRid sambaNextGroupRid sambaSID sambaAlgorithmicRidBase objectClass
dn: sambaDomainName=EUROPA,dc=europa,dc=xx
objectClass: top
objectClass: sambaDomain
objectClass: sambaUnixIdPool
sambaDomainName: EUROPA
sambaSID: S-1-5-21-3958726613-3318811842-4132420312
sambaAlgorithmicRidBase: 1000
sambaNextUserRid: 2000
sambaNextGroupRid: 100000
sambaNextRid: 100019

*sambaNextRid has changed* .

Here the resulting object:
# ldapsearch -xLLL -D cn=admin,dc=europa,dc=xx -w keins -b dc=europa,dc=xx -s sub uid=test01
dn: uid=test01,ou=people,ou=accounts,dc=europa,dc=xx
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: systemQuotas
objectClass: sambaSamAccount
sn: test01
cn: test01
uidNumber: 33333
gidNumber: 1001
homeDirectory: /home/teachers/test01
uid: test01
sambaSID: S-1-5-21-3958726613-3318811842-4132420312-100019
userPassword:: e1NTSEF9aUdWOHdpaTRnUTB1ZEQyNVhBVBR6bzUvcnp3L3dpMTk
sambaNTPassword: 186CB09181E2C2ECAAC768C47C726604
sambaPasswordHistory: 00000000000000000000000000000000000000000000000000000000
 00000000
sambaPwdLastSet: 1457289571
sambaAcctFlags: [U ]

ldap(posix) password and samba password is set. sambaLMPassword is not set.

smb.conf:
[global]
workgroup = EUROPA
netbios aliases = INSTALL
server string = Schulserver %h
interfaces = 127.0.0.1/127.255.255.255, 10.100.0.1/255.255.0.0, 10.100.1.1/255.255.255.0, 10.100.2.1/255.255.255.0, 10.100.3.1/255.255.255.0, 192.168.231.231/255.255.255.0
bind interfaces only = Yes
map to guest = Bad User
obey pam restrictions = Yes
passdb backend = ldapsam:ldapi:///
pam password change = Yes
passwd program = /usr/sbin/smbldap-passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully*
log file = /var/log/samba/log.%m
max protocol = SMB2
time server = Yes
printcap name = cups
add machine script = /usr/sbin/smbldap-useradd -a -W "%u"
logon script = %a.bat
logon path = \\%L\profile\%G\%U\%a
logon drive = U:
domain logons = Yes
os level = 255
preferred master = Yes
domain master = Yes
dns proxy = No
wins proxy = Yes
wins support = Yes
ldap admin dn = cn=admin,dc=europa,dc=xx
ldap delete dn = Yes
ldap group suffix = ou=groups
ldap machine suffix = ou=machines,ou=accounts
ldap passwd sync = yes
ldap suffix = dc=europa,dc=xx
ldap ssl = no
ldap user suffix = ou=people,ou=accounts
ldapsam:editposix = yes
ldapsam:trusted = yes
idmap config * : backend = tdb
admin users = adm, root
ea support = Yes
case sensitive = No
veto files = /*.eml/*.nws/riched20.dll/autorun.inf/
map archive = No
map readonly = no
mangled names = No
store dos attributes = Yes

--
Regards
Harry Jede
Rowland penny
2016-Mar-06 19:24 UTC
[Samba] Segmentation Fault when trying to set root samba password, IPA as a backend
On 06/03/16 19:07, Harry Jede wrote:
> On 19:47:03 wrote Rowland penny:
>>> I have just started an old vm with samba 3.6.6 as pdc and openldap
>>> as backend. smbpasswd -a someuser does not work, if someuser does
>>> not exist.
>> Are you using smbldap-tools or ldapsam:editposix ?
> In this vm ldapsam:editposix.
>
> OK. I have just created a posix-only user in openldap. And then tried
> smbpasswd -a test01. Surprisingly, it works.
>
> Here the relevant information, openldap logs with loglevel filter (256):
>
> *before adding the samba user* :
> # ldapsearch -xLLL -D cn=admin,dc=europa,dc=xx -W -b dc=europa,dc=xx -s sub "(&(objectClass=sambaDomain)
> (sambaDomainName=europa))" sambaDomainName sambaNextRid sambaNextUserRid sambaNextGroupRid sambaSID sambaAlgorithmicRidBase
> objectClass
> dn: sambaDomainName=EUROPA,dc=europa,dc=xx
> objectClass: top
> objectClass: sambaDomain
> objectClass: sambaUnixIdPool
> sambaDomainName: EUROPA
> sambaSID: S-1-5-21-3958726613-3318811842-4132420312
> sambaAlgorithmicRidBase: 1000
> sambaNextUserRid: 2000
> sambaNextGroupRid: 100000
> sambaNextRid: 100018
>
> *after adding the samba user* :
> # ldapsearch -xLLL -D cn=admin,dc=europa,dc=xx -W -b dc=europa,dc=xx -s sub "(&(objectClass=sambaDomain)
> (sambaDomainName=europa))" sambaDomainName sambaNextRid sambaNextUserRid sambaNextGroupRid sambaSID sambaAlgorithmicRidBase
> objectClass
> dn: sambaDomainName=EUROPA,dc=europa,dc=xx
> objectClass: top
> objectClass: sambaDomain
> objectClass: sambaUnixIdPool
> sambaDomainName: EUROPA
> sambaSID: S-1-5-21-3958726613-3318811842-4132420312
> sambaAlgorithmicRidBase: 1000
> sambaNextUserRid: 2000
> sambaNextGroupRid: 100000
> sambaNextRid: 100019
>
> *sambaNextRid has changed* .
>
> Here the resulting object:
> # ldapsearch -xLLL -D cn=admin,dc=europa,dc=xx -w keins -b dc=europa,dc=xx -s sub uid=test01
> dn: uid=test01,ou=people,ou=accounts,dc=europa,dc=xx
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetOrgPerson
> objectClass: posixAccount
> objectClass: shadowAccount
> objectClass: systemQuotas
> objectClass: sambaSamAccount
> sn: test01
> cn: test01
> uidNumber: 33333
> gidNumber: 1001
> homeDirectory: /home/teachers/test01
> uid: test01
> sambaSID: S-1-5-21-3958726613-3318811842-4132420312-100019
> userPassword:: e1NTSEF9aUdWOHdpaTRnUTB1ZEQyNVhBVBR6bzUvcnp3L3dpMTk
> sambaNTPassword: 186CB09181E2C2ECAAC768C47C726604
> sambaPasswordHistory: 00000000000000000000000000000000000000000000000000000000
> 00000000
> sambaPwdLastSet: 1457289571
> sambaAcctFlags: [U ]
>
> ldap(posix) password and samba password is set. sambaLMPassword is not set.
>
> smb.conf:
> [global]
> workgroup = EUROPA
> netbios aliases = INSTALL
> server string = Schulserver %h
> interfaces = 127.0.0.1/127.255.255.255, 10.100.0.1/255.255.0.0, 10.100.1.1/255.255.255.0, 10.100.2.1/255.255.255.0,
> 10.100.3.1/255.255.255.0, 192.168.231.231/255.255.255.0
> bind interfaces only = Yes
> map to guest = Bad User
> obey pam restrictions = Yes
> passdb backend = ldapsam:ldapi:///
> pam password change = Yes
> passwd program = /usr/sbin/smbldap-passwd %u
> passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully*
> log file = /var/log/samba/log.%m
> max protocol = SMB2
> time server = Yes
> printcap name = cups
> add machine script = /usr/sbin/smbldap-useradd -a -W "%u"
> logon script = %a.bat
> logon path = \\%L\profile\%G\%U\%a
> logon drive = U:
> domain logons = Yes
> os level = 255
> preferred master = Yes
> domain master = Yes
> dns proxy = No
> wins proxy = Yes
> wins support = Yes
> ldap admin dn = cn=admin,dc=europa,dc=xx
> ldap delete dn = Yes
> ldap group suffix = ou=groups
> ldap machine suffix = ou=machines,ou=accounts
> ldap passwd sync = yes
> ldap suffix = dc=europa,dc=xx
> ldap ssl = no
> ldap user suffix = ou=people,ou=accounts
> ldapsam:editposix = yes
> ldapsam:trusted = yes
> idmap config * : backend = tdb
> admin users = adm, root
> ea support = Yes
> case sensitive = No
> veto files = /*.eml/*.nws/riched20.dll/autorun.inf/
> map archive = No
> map readonly = no
> mangled names = No
> store dos attributes = Yes
>
>
>

You seem to be using smbldap-tools and ldapsam:editposix is meant to be a replacement for this, if you read the smb.conf manpage, you will find this:

ldapsam:editposix (G)

    Editposix is an option that leverages ldapsam:trusted to make it
    simpler to manage a domain controller eliminating the need to set up
    custom scripts to add and manage the posix users and groups. This
    option will instead directly manipulate the ldap tree to create,
    remove and modify user and group entries. This option also requires
    a running winbindd as it is used to allocate new uids/gids on
    user/group creation. The allocation range must be therefore
    configured.

This means that the samba tools will do what smbldap-tools does.

Rowland
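An added example, not part of the original thread and not Samba's own code: a small Python check of an smb.conf [global] section against the ldapsam:editposix prerequisites quoted from the manpage above (ldapsam:trusted, a configured idmap allocation range, no remaining smbldap-tools scripts). The sample configuration is constructed from the one posted in the thread; the function names and the assumption that the range is written as "idmap config <domain> : range" are the example's own.

```python
import re

# Constructed sample modelled on the [global] section posted in the thread.
SAMPLE = """\
[global]
passdb backend = ldapsam:ldapi:///
passwd program = /usr/sbin/smbldap-passwd %u
add machine script = /usr/sbin/smbldap-useradd -a -W "%u"
ldapsam:editposix = yes
ldapsam:trusted = yes
idmap config * : backend = tdb
"""

def parse_global(text):
    """Map normalised name -> (name as written, value) for [global].
    Samba ignores case and whitespace in parameter names."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "global" and "=" in line:
            name, value = (part.strip() for part in line.split("=", 1))
            params[re.sub(r"\s+", "", name).lower()] = (name, value)
    return params

def check_editposix(params):
    """Return findings for the editposix prerequisites quoted from the manpage."""
    def enabled(key):
        return params.get(key, ("", "no"))[1].lower() in ("yes", "true", "1")
    findings = []
    if not enabled("ldapsam:editposix"):
        return findings
    if not enabled("ldapsam:trusted"):
        findings.append("ldapsam:editposix is set without ldapsam:trusted")
    # Assumption: a range is given as "idmap config <domain> : range = low-high".
    if not any(re.fullmatch(r"idmapconfig.+:range", k) for k in params):
        findings.append("no idmap allocation range configured for winbindd")
    for name, value in params.values():
        if "smbldap-" in value:
            findings.append(f"{name} still calls smbldap-tools: {value}")
    return findings

if __name__ == "__main__":
    for finding in check_editposix(parse_global(SAMPLE)):
        print("WARN:", finding)
```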