samba - Mar 2019 - samba 4.9.5 - joining Samba DC to existing Samba AD failed (ldbsearch has not -U and -V)

On Fri, 29 Mar 2019 09:28:37 +0100
Franta Hanzlík <franta at hanzlici.cz> wrote:
> On Wed, 27 Mar 2019 13:11:08 +0000
> Rowland Penny via samba <samba at lists.samba.org> wrote:
> 
> > On Wed, 27 Mar 2019 13:00:42 +0100
> > Franta Hanzlík <franta at hanzlici.cz> wrote:
> >   
> > > Yes, is no difference between '-UAdministrator' and
'-U
> > > Administrator'. But it seems, as ldbsearch in 4.9.5 is
different
> > > than 4.9.4-. (I was furious with that, because I found lot
> > > articles on net, where -U _username_ was stated.
> > > 
> > > My ldbsearch is from pure Samba-4.9.5, self compiled on Fedora 29
> > > x86_64. And now I see it even has not '-V' switch:
> > > 
> > > [root at dc1 bind-dns]# ldbsearch --usage
> > > Usage: [-?viraS] [-?|--help] [--usage] [-H|--url=URL]
> > > [-b|--basedn=DN] [-e|--editor=PROGRAM] [-s|--scope=SCOPE]
> > > [-v|--verbose] [--trace] [-i|--interactive] [-r|--recursive]
> > > [--modules-path=PATH] [--num-searches=INT] [--num-records=INT]
> > > [-a|--all] [--nosync] [-S|--sorted] [-o=OPTION]
> > > [--controls=STRING] [--show-binary] [--paged] [--show-deleted]
> > > [--show-recycled] [--show-deactivated-link] [--reveal] [--relax]
> > > [--cross-ncs] [--extended-dn] [root at dc1 bind-dns]# ldbsearch
-V
> > > Invalid option -V: unknown option Usage: ldbsearch
<options>
> > > <expression> <attrs...> Usage: [OPTION...] -H,
> > > --url=URL                   database URL -b,
> > > --basedn=DN                 base DN -e, --editor=PROGRAM external
> > > editor -s, --scope=SCOPE               search scope -v,
> > > --verbose                   increase verbosity
> > > --trace                     enable tracing -i,
> > > --interactive               input from stdin -r,
> > > --recursive                 recursive delete
> > > --modules-path=PATH         modules path --num-searches=INT
> > > number of test searches --num-records=INT           number of
> > > test records -a, --all (|(objectClass=*)(distinguishedName=*))
> > > --nosync non-synchronous transactions -S,
> > > --sorted                    sort attributes
> > > -o=OPTION                       ldb_connect option
> > > --controls=STRING           controls --show-binary
> > > display binary LDIF --paged                     use a paged
search
> > >       --show-deleted              show deleted objects
> > >       --show-recycled             show recycled objects
> > >       --show-deactivated-link     show deactivated links
> > >       --reveal                    reveal ldb internals
> > >       --relax                     pass relax control
> > >       --cross-ncs                 search across NC boundaries
> > >       --extended-dn               show extended DNs
> > > 
> > > Help options:
> > >   -?, --help                      Show this help message
> > >       --usage                     Display brief usage message    
> > 
> > How did you compile Samba ?
> > 
> > You seem to have lost a lot of the options :-)
> > 
> > on Debian 4.9.5, you get this:
> > 
> > ldbsearch --usage
> > Usage: [-?viraSNPeV] [-?|--help] [--usage] [-H|--url=URL]
> > [-b|--basedn=DN] [-e|--editor=PROGRAM] [-s|--scope=SCOPE]
> > [-v|--verbose] [--trace] [-i|--interactive] [-r|--recursive]
> > [--modules-path=PATH] [--num-searches=INT] [--num-records=INT]
> > [-a|--all] [--nosync] [-S|--sorted] [-o=OPTION] [--controls=STRING]
> > [--show-binary] [--paged] [--show-deleted] [--show-recycled]
> >         [--show-deactivated-link] [--reveal] [--relax] [--cross-ncs]
> >         [--extended-dn] [-d|--debuglevel=DEBUGLEVEL]
> > [--debug-stderr] [-s|--configfile=CONFIGFILE] [--option=name=value]
> >         [-l|--log-basename=LOGFILEBASE] [--leak-report]
> > [--leak-report-full] [-U|--user=[DOMAIN/]USERNAME[%PASSWORD]]
> > [-N|--no-pass] [--password=STRING] [-A|--authentication-file=FILE]
> >         [-P|--machine-pass] [--simple-bind-dn=STRING]
> > [-k|--kerberos=STRING] [--krb5-ccache=STRING] [-S|--sign]
> > [-e|--encrypt] [-R|--name-resolve=NAME-RESOLVE-ORDER]
> >         [-O|--socket-options=SOCKETOPTIONS]
> > [-n|--netbiosname=NETBIOSNAME] [-S|--signing=on|off|required]
> > [-W|--workgroup=WORKGROUP] [--realm=REALM] [-i|--scope=SCOPE]
> > [-m|--maxprotocol=MAXPROTOCOL] [-V|--version]
> > 
> > It looks like you have lost these:
> > 
> > Usage: [-NPeV]         
> >         [--reveal] [--relax] [--cross-ncs]
> >         [--extended-dn] [-d|--debuglevel=DEBUGLEVEL]
> > [--debug-stderr] [-s|--configfile=CONFIGFILE] [--option=name=value]
> >         [-l|--log-basename=LOGFILEBASE] [--leak-report]
> > [--leak-report-full] [-U|--user=[DOMAIN/]USERNAME[%PASSWORD]]
> > [-N|--no-pass] [--password=STRING] [-A|--authentication-file=FILE]
> >         [-P|--machine-pass] [--simple-bind-dn=STRING]
> > [-k|--kerberos=STRING] [--krb5-ccache=STRING] [-S|--sign]
> > [-e|--encrypt] [-R|--name-resolve=NAME-RESOLVE-ORDER]
> >         [-O|--socket-options=SOCKETOPTIONS]
> > [-n|--netbiosname=NETBIOSNAME] [-S|--signing=on|off|required]
> > [-W|--workgroup=WORKGROUP] [--realm=REALM] [-i|--scope=SCOPE]
> > [-m|--maxprotocol=MAXPROTOCOL] [-V|--version]
> > 
> > Rowland  
> 
> Hi Rowland,
> I was looking into Samba-4.9.5 sources (as they are on URL
> https://download.samba.org/pub/samba/stable/samba-4.9.5.tar.gz
> ) and (but I'm not programmer) it seems to me, as my ldbsearch (and
> other ldb-utils) behaves according them. So it may be that version in
> Debian is somehow modified, extended by remote LDB file access, etc.
This is possible, but it is more likely that they are throttled on
red-hat distro's because they are not expected to be provisioned as a
DC.

I did some checking and I have a couple of extra libs linked to
ldbsearch:

libtdb.so.1 => /lib64/libtdb.so.1 (0x00007f9a7905e000)
libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00007f9a79022000)

Can you post the configure options used to compile your Samba packages.

Rowland

On Fri, 29 Mar 2019 09:00:08 +0000
Rowland Penny via samba <samba at lists.samba.org> wrote:
> On Fri, 29 Mar 2019 09:28:37 +0100
> Franta Hanzlík <franta at hanzlici.cz> wrote:
> 
> > On Wed, 27 Mar 2019 13:11:08 +0000
> > Rowland Penny via samba <samba at lists.samba.org> wrote:
> >   
> > > On Wed, 27 Mar 2019 13:00:42 +0100
> > > Franta Hanzlík <franta at hanzlici.cz> wrote:
> > >     
>  [...]  
> > > 
> > > How did you compile Samba ?
> > > 
> > > You seem to have lost a lot of the options :-)
> > > 
> > > on Debian 4.9.5, you get this:
> > > 
> > > ldbsearch --usage
> > > Usage: [-?viraSNPeV] [-?|--help] [--usage] [-H|--url=URL]
> > > [-b|--basedn=DN] [-e|--editor=PROGRAM] [-s|--scope=SCOPE]
> > > [-v|--verbose] [--trace] [-i|--interactive] [-r|--recursive]
> > > [--modules-path=PATH] [--num-searches=INT] [--num-records=INT]
> > > [-a|--all] [--nosync] [-S|--sorted] [-o=OPTION]
[--controls=STRING]
> > > [--show-binary] [--paged] [--show-deleted] [--show-recycled]
> > >         [--show-deactivated-link] [--reveal] [--relax]
[--cross-ncs]
> > >         [--extended-dn] [-d|--debuglevel=DEBUGLEVEL]
> > > [--debug-stderr] [-s|--configfile=CONFIGFILE]
[--option=name=value]
> > >         [-l|--log-basename=LOGFILEBASE] [--leak-report]
> > > [--leak-report-full] [-U|--user=[DOMAIN/]USERNAME[%PASSWORD]]
> > > [-N|--no-pass] [--password=STRING]
[-A|--authentication-file=FILE]
> > >         [-P|--machine-pass] [--simple-bind-dn=STRING]
> > > [-k|--kerberos=STRING] [--krb5-ccache=STRING] [-S|--sign]
> > > [-e|--encrypt] [-R|--name-resolve=NAME-RESOLVE-ORDER]
> > >         [-O|--socket-options=SOCKETOPTIONS]
> > > [-n|--netbiosname=NETBIOSNAME] [-S|--signing=on|off|required]
> > > [-W|--workgroup=WORKGROUP] [--realm=REALM] [-i|--scope=SCOPE]
> > > [-m|--maxprotocol=MAXPROTOCOL] [-V|--version]
> > > 
> > > It looks like you have lost these:
> > > 
> > > Usage: [-NPeV]         
> > >         [--reveal] [--relax] [--cross-ncs]
> > >         [--extended-dn] [-d|--debuglevel=DEBUGLEVEL]
> > > [--debug-stderr] [-s|--configfile=CONFIGFILE]
[--option=name=value]
> > >         [-l|--log-basename=LOGFILEBASE] [--leak-report]
> > > [--leak-report-full] [-U|--user=[DOMAIN/]USERNAME[%PASSWORD]]
> > > [-N|--no-pass] [--password=STRING]
[-A|--authentication-file=FILE]
> > >         [-P|--machine-pass] [--simple-bind-dn=STRING]
> > > [-k|--kerberos=STRING] [--krb5-ccache=STRING] [-S|--sign]
> > > [-e|--encrypt] [-R|--name-resolve=NAME-RESOLVE-ORDER]
> > >         [-O|--socket-options=SOCKETOPTIONS]
> > > [-n|--netbiosname=NETBIOSNAME] [-S|--signing=on|off|required]
> > > [-W|--workgroup=WORKGROUP] [--realm=REALM] [-i|--scope=SCOPE]
> > > [-m|--maxprotocol=MAXPROTOCOL] [-V|--version]
> > > 
> > > Rowland    
> > 
> > Hi Rowland,
> > I was looking into Samba-4.9.5 sources (as they are on URL
> > https://download.samba.org/pub/samba/stable/samba-4.9.5.tar.gz
> > ) and (but I'm not programmer) it seems to me, as my ldbsearch
(and
> > other ldb-utils) behaves according them. So it may be that version in
> > Debian is somehow modified, extended by remote LDB file access, etc.  
> 
> This is possible, but it is more likely that they are throttled on
> red-hat distro's because they are not expected to be provisioned as a
> DC.
"they" is who? I build Samba-4.9.5 from official stable release,
 downloaded from URL above. 
 
> I did some checking and I have a couple of extra libs linked to
> ldbsearch:
> 
> libtdb.so.1 => /lib64/libtdb.so.1 (0x00007f9a7905e000)
> libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00007f9a79022000)
Those two libs I have too. For your ldbsearch program, I would expect
that there would be additional libraries as libldap, libsasl2, libgssapi,
libkrb5 etc. - those, which are needed for network access.

But - are not ldb* tools rather like as tdb tools, i.e. tool for work
with some file types - thus they have not need for network access?
> Can you post the configure options used to compile your Samba packages.
Sorry, I forgot to include them. It is:

./configure
 --build=x86_64-redhat-linux-gnu
 --host=x86_64-redhat-linux-gnu
 --program-prefix --disable-dependency-tracking
 --prefix=/usr
 --exec-prefix=/usr
 --bindir=/usr/bin
 --sbindir=/usr/sbin
 --sysconfdir=/etc
 --datadir=/usr/share
 --includedir=/usr/include
 --libdir=/usr/lib64
 --libexecdir=/usr/libexec
 --localstatedir=/var
 --sharedstatedir=/var/lib
 --mandir=/usr/share/man
 --infodir=/usr/share/info
 --enable-fhs
 --with-piddir=/run
 --with-sockets-dir=/run/samba
 --with-modulesdir=/usr/lib64/samba
 --with-pammodulesdir=/usr/lib64/security
 --with-lockdir=/var/lib/samba/lock
 --with-statedir=/var/lib/samba
 --with-cachedir=/var/lib/samba
 --disable-rpath-install
 --with-shared-modules=idmap_ad,idmap_rid,idmap_ldap,idmap_hash,idmap_tdb2,pdb_tdbsam,pdb_ldap,pdb_smbpasswd,pdb_wbc_sam,pdb_samba4,auth_wbc,auth_unix,auth_server,auth_script,auth_samba4,vfs_dfs_samba4
 '--bundled-libraries=!zlib,!popt,!talloc,!pytalloc,!pytalloc-util,!tevent,!pytevent,!tdb,!pytdb,!ldb,!pyldb,!pyldb-util'
 --with-pam
 --with-pie
 --with-relro
 --without-fam
 --with-cluster-support
 --with-profiling-data
 --accel-aes=intelaesni
 --with-systemd
 --systemd-install-services
 --with-systemddir=/usr/lib/systemd/system
 --systemd-smb-extra=Environment=KRB5CCNAME=FILE:/run/samba/krb5cc_samba
 --systemd-nmb-extra=Environment=KRB5CCNAME=FILE:/run/samba/krb5cc_samba
 --systemd-winbind-extra=Environment=KRB5CCNAME=FILE:/run/samba/krb5cc_samba
 --systemd-samba-extra=Environment=KRB5CCNAME=FILE:/run/samba/krb5cc_samba
 --extra-python=/usr/bin/python3

But now (Errghrreahh), looking at [non]--bundled-libraries, I again look
from where my ldbsearch really is - and in Fedora it is separate package,
ldb-tools-1.4.6 (source https://www.samba.org/ftp/pub/ldb/ldb-1.4.6.tar.gz).

I tried rebuild it, but result was same as from original Fedora package
- I had only subset of your switches. Not sure, if it is right, but as
operations on LDB files seems be OK, I'm perhaps not going to solve it.
> Rowland
> 
-- 
Franta Hanzlík

On Sat, 30 Mar 2019 22:55:20 +0100
Franta Hanzlík <franta at hanzlici.cz> wrote:
> On Fri, 29 Mar 2019 09:00:08 +0000
> Rowland Penny via samba <samba at lists.samba.org> wrote:
> > 
> > This is possible, but it is more likely that they are throttled on
> > red-hat distro's because they are not expected to be provisioned
as
> > a DC.  
> 
> "they" is who? I build Samba-4.9.5 from official stable release,
>  downloaded from URL above. 
'they' are the ldb-tools (ldbsearch, ldbmodify etc)
>  
> > I did some checking and I have a couple of extra libs linked to
> > ldbsearch:
> > 
> > libtdb.so.1 => /lib64/libtdb.so.1 (0x00007f9a7905e000)
> > libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00007f9a79022000)  
> 
> Those two libs I have too. For your ldbsearch program, I would expect
> that there would be additional libraries as libldap, libsasl2,
> libgssapi, libkrb5 etc. - those, which are needed for network access.
You may have them, but are they linked to ldbsearch, they are on Debian
> 
> But - are not ldb* tools rather like as tdb tools, i.e. tool for work
> with some file types - thus they have not need for network access?
The ldb* tools work pretty much like ldap* tools, they work on a DC
directly to sam.ldb or over the wire via ldap://<DC_NAME>
> 
> > Can you post the configure options used to compile your Samba
> > packages.  
> 
> Sorry, I forgot to include them. It is:
> 
> ./configure
>  --build=x86_64-redhat-linux-gnu
>  --host=x86_64-redhat-linux-gnu
>  --program-prefix>  --disable-dependency-tracking
>  --prefix=/usr
>  --exec-prefix=/usr
>  --bindir=/usr/bin
>  --sbindir=/usr/sbin
>  --sysconfdir=/etc
>  --datadir=/usr/share
>  --includedir=/usr/include
>  --libdir=/usr/lib64
>  --libexecdir=/usr/libexec
>  --localstatedir=/var
>  --sharedstatedir=/var/lib
>  --mandir=/usr/share/man
>  --infodir=/usr/share/info
>  --enable-fhs
>  --with-piddir=/run
>  --with-sockets-dir=/run/samba
>  --with-modulesdir=/usr/lib64/samba
>  --with-pammodulesdir=/usr/lib64/security
>  --with-lockdir=/var/lib/samba/lock
>  --with-statedir=/var/lib/samba
>  --with-cachedir=/var/lib/samba
>  --disable-rpath-install
> 
--with-shared-modules=idmap_ad,idmap_rid,idmap_ldap,idmap_hash,idmap_tdb2,pdb_tdbsam,pdb_ldap,pdb_smbpasswd,pdb_wbc_sam,pdb_samba4,auth_wbc,auth_unix,auth_server,auth_script,auth_samba4,vfs_dfs_samba4
> 
'--bundled-libraries=!zlib,!popt,!talloc,!pytalloc,!pytalloc-util,!tevent,!pytevent,!tdb,!pytdb,!ldb,!pyldb,!pyldb-util'
>  --with-pam
>  --with-pie
>  --with-relro
>  --without-fam
>  --with-cluster-support
>  --with-profiling-data
>  --accel-aes=intelaesni
>  --with-systemd
>  --systemd-install-services
>  --with-systemddir=/usr/lib/systemd/system
>  --systemd-smb-extra=Environment=KRB5CCNAME=FILE:/run/samba/krb5cc_samba
>  --systemd-nmb-extra=Environment=KRB5CCNAME=FILE:/run/samba/krb5cc_samba
> 
--systemd-winbind-extra=Environment=KRB5CCNAME=FILE:/run/samba/krb5cc_samba
>  --systemd-samba-extra=Environment=KRB5CCNAME=FILE:/run/samba/krb5cc_samba
>  --extra-python=/usr/bin/python3
> 
> But now (Errghrreahh), looking at [non]--bundled-libraries, I again
> look from where my ldbsearch really is - and in Fedora it is separate
> package, ldb-tools-1.4.6 (source
> https://www.samba.org/ftp/pub/ldb/ldb-1.4.6.tar.gz).
Yes, it is the same on Debian.
> 
> I tried rebuild it, but result was same as from original Fedora
> package
> - I had only subset of your switches. 
If Fedora has done something to the package because it doesn't expect
to ever have to deal with sam.ldb, then, just rebuilding it will get
the same package.
 
>Not sure, if it is right, but
> as operations on LDB files seems be OK, I'm perhaps not going to solve
> it.
If it works for you, then OK, but I feel you are going to have problems
down the line.

Rowland