Rowland Penny
2024-Jan-25 13:16 UTC
[Samba] Order of getpwnam call in Get_Pwnam_internals.
On Thu, 25 Jan 2024 20:54:07 +0800
hhyy ww via samba <samba at lists.samba.org> wrote:

> Rowland Penny via samba <samba at lists.samba.org> wrote on Thu, 25 Jan
> 2024 at 18:42:
>
> > On Thu, 25 Jan 2024 18:27:48 +0800
> > hhyy ww via samba <samba at lists.samba.org> wrote:
> >
> > > Hi list,
> > >
> > > My case :
> > > Local UNIX user : ZTEST
> > > domain : uuq.ork
> > > domain user : UUQ\ztest
> > > smb.conf for standalone samba : /home/hywu/smb.conf
> > >
> > > [/home/hywu] # cat /home/hywu/smb.conf
> > > [global]
> > > passdb backend = smbpasswd
> > > workgroup = WORKGROUP
> > > security=user
> >
> > Why is the smb.conf file in /home/hywu instead of somewhere like
> > /etc/samba ?
> >
> > > Smbpasswd fails to change the local UNIX user password (ZTEST) when
> > > the samba role is DC. I want to change the password of local UNIX
> > > user "ZTEST" but get domain user "UUQ\ztest" from
> >
> > You shouldn't have local and domain users with the same name.
> >
> > > root@uuu:/# getent passwd | tail
> > > hywu:x:1000:1000 hywu,,,:/home/hywu:/bin/bash
> > > sshd:X:128:65534::/run/sshd:/usr/sbin/nologin
> > > jone:x:1001:1001:,,,:/home/jone:/bin/bash
> > > ZTEST:X:1002:1002:,,,:/home/ZTEST: /bin/bash
> > > UUQ\administrator:*:0:100::/home/UUQ/administrator:/bin/false
> > > UUQ\guest:*:3000008:100::/home/UUQ/guest :/bin/false
> > > UUQ\krbtgt:*:3000012:100::/home/UUQ/krbtgt:/bin/false
> > > UUQ\ztest:*:3000013:100::/home/UUQ/ztest:/bin/false
> >
> > Go on, I give in, how did you get a domain user into /etc/passwd
> > (where it doesn't belong).
>
> After the samba role became DC, I added winbind to the passwd and group
> sections in /etc/nsswitch.conf

That would not put anything into /etc/passwd, but thinking about it, do
you have 'winbind enum users = yes' in your correct smb.conf ?

> > > root@uuu:/#
> > > root@uuu:/# smbpasswd -c /home/hywu/smb.conf -U ZTEST -D 2
> > > rlimit max:increasing (1024) to minimum Windows limit (16384)
> > > New SMB password:
> > > Retype new SMB password:
> > > Cannot update entry for user UUQ\ztest, as they don't exist in the
> > > smbpasswd file!
> > > smbpasswd_update_sam_account: mod_smbfilepud_entry failed!
> > > Failed to modify entry for user ZTEST.
> > > root@uuu:/# uname -a
> > > Linux uuu 6.5.0-14-generic #14~22.04.1-Ubuntu SMP...
> > >
> > > I checked the samba code and found the problem is the order of the
> > > getpwnam calls in Get_Pwnam_internals(). The lowercase-first order
> > > gets the domain user (UUQ\ztest) instead of the local account
> > > (ZTEST).
> > >
> > > local_password_change()
> > >   pdb_getsampwnam()
> > >     smbpasswd_getsampwnam()
> > >       build_sam_account()
> > >         Get_Pwnam_alloc()
> > >           Get_Pwnam_internals()        <-- turns "ZTEST" into "ztest"
> > >             getpwnam_alloc_cached()
> > >               getpwnam()
> > >                 (nss_winbind)
> > >                   winbindd_getpwnam_send()
> > >                     parse_domain_user()  <-- adds "UUQ" to domain and
> > >                                              namespace
> > >                       assume_domain()
> > >
> > > When the samba role is DC, "winbind use default domain" does not
> > > work in assume_domain(). Then getpwnam() gets the domain user.
> > >
> > > I have checked the following list post and commit
> > >
> > > https://lists.samba.org/archive/samba-technical/2008-March/058508.html
> > > https://git.samba.org/?p=samba.git;a=commitdiff;h=ea4a0d509ef70e91baedc5eebf4f4bcff10dac96
> > >
> > > Why did the order of the getpwnam calls in Get_Pwnam_internals()
> > > change from original name first to lowercase first?
> > >
> > > HY Wu.
> >
> > I think you need to give us more details:
> > What OS ?
>
> ubuntu 22.04
>
> > What version of Samba ?
>
> samba-4.15
>
> > Is there another smb.conf file somewhere ?
>
> Before the samba role became DC, samba used this smb.conf.
> [/home/hywu] # cat /home/hywu/smb.conf
> [global]
> passdb backend = smbpasswd
> workgroup = WORKGROUP
> security=user
>
> After the samba role became DC, samba uses the smb.conf generated by
> samba-tool domain provision.
>
> > If there is, what is in it ?
> > How did you provision the domain, what was the actual command ?
>
> samba-tool domain provision --use-rfc2307 --realm=uuq.ork
> --domain=UUQ --server-role=DC --adminpass=xxxxxx
> I installed samba following these links
> https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller#Introduction
> https://wiki.samba.org/index.php/Distribution-specific_Package_Installation#Debian/Ubuntu
>
> > Rowland
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions: https://lists.samba.org/mailman/options/samba
>
> I need to sync the account password in /etc/passwd and smbpasswd, so
> when I change a local user password I run the smbpasswd command to set
> the same password. Before samba became DC, "smbpasswd -c
> /home/hywu/smb.conf -U ZTEST" worked well.
> After samba became DC, this command fails to change the password.
> I checked the debug log and samba code, and I find the order of the
> getpwnam calls in Get_Pwnam_internals causes this problem.
>
> HY Wu.

You only need local Unix users (the ones that are in /etc/passwd) on a
Samba AD DC for local administration and, as I said earlier, any local
Unix users are unknown to AD.

If I run getent on one of my DCs, I get things like this:

adminuser@rpidc1:~ $ getent passwd rowland
SAMDOM\rowland:*:3000020:100:Rowland Penny:/home/SAMDOM/rowland:/bin/bash

To all intents and purposes, 'rowland' is a local Unix user and can log
into the DC, but 'rowland' isn't in /etc/passwd:

adminuser@rpidc1:~ $ cat /etc/passwd | grep 'rowland'
adminuser@rpidc1:~ $
adminuser@rpidc1:~ $

To change an AD user's password, you can use samba-tool, see:

samba-tool user password --help

Or:

samba-tool user setpassword --help

I would remove any users from /etc/passwd that are also created in your
AD DC.

I will now go and close your bug report, it is invalid.

Rowland
My system is not only for CIFS/SMB/domain features; sometimes I need to
disable the DC, so I have to keep local users in /etc/passwd.

I have downloaded the samba source code and built it. I modified the
order of the getpwnam calls in source3/lib/username.c and that solved the
problem.

I have checked the following list post:
https://lists.samba.org/archive/samba-technical/2008-March/058508.html
I think this is the same problem. Looking at this commit, I don't know
why it changed the order of the getpwnam calls.
https://git.samba.org/?p=samba.git;a=commitdiff;h=ea4a0d509ef70e91baedc5eebf4f4bcff10dac96
Before this commit, the order was original -> lowercase -> uppercase.
My point is: why did samba change the order to lowercase -> original ->
uppercase?

HY Wu.

Rowland Penny via samba <samba at lists.samba.org> wrote on Thu, 25 Jan
2024 at 21:17:

> On Thu, 25 Jan 2024 20:54:07 +0800
> hhyy ww via samba <samba at lists.samba.org> wrote:
>
> > Rowland Penny via samba <samba at lists.samba.org> wrote on Thu, 25 Jan
> > 2024 at 18:42:
> >
> > > On Thu, 25 Jan 2024 18:27:48 +0800
> > > hhyy ww via samba <samba at lists.samba.org> wrote:
> > >
> > > > Hi list,
> > > >
> > > > My case :
> > > > Local UNIX user : ZTEST
> > > > domain : uuq.ork
> > > > domain user : UUQ\ztest
> > > > smb.conf for standalone samba : /home/hywu/smb.conf
> > > >
> > > > [/home/hywu] # cat /home/hywu/smb.conf
> > > > [global]
> > > > passdb backend = smbpasswd
> > > > workgroup = WORKGROUP
> > > > security=user
> > >
> > > Why is the smb.conf file in /home/hywu instead of somewhere like
> > > /etc/samba ?
> > >
> > > > Smbpasswd fails to change the local UNIX user password (ZTEST) when
> > > > the samba role is DC. I want to change the password of local UNIX
> > > > user "ZTEST" but get domain user "UUQ\ztest" from
> > >
> > > You shouldn't have local and domain users with the same name.
> > >
> > > > root@uuu:/# getent passwd | tail
> > > > hywu:x:1000:1000 hywu,,,:/home/hywu:/bin/bash
> > > > sshd:X:128:65534::/run/sshd:/usr/sbin/nologin
> > > > jone:x:1001:1001:,,,:/home/jone:/bin/bash
> > > > ZTEST:X:1002:1002:,,,:/home/ZTEST: /bin/bash
> > > > UUQ\administrator:*:0:100::/home/UUQ/administrator:/bin/false
> > > > UUQ\guest:*:3000008:100::/home/UUQ/guest :/bin/false
> > > > UUQ\krbtgt:*:3000012:100::/home/UUQ/krbtgt:/bin/false
> > > > UUQ\ztest:*:3000013:100::/home/UUQ/ztest:/bin/false
> > >
> > > Go on, I give in, how did you get a domain user into /etc/passwd
> > > (where it doesn't belong).
> >
> > After the samba role became DC, I added winbind to the passwd and group
> > sections in /etc/nsswitch.conf
>
> That would not put anything into /etc/passwd, but thinking about it, do
> you have 'winbind enum users = yes' in your correct smb.conf ?
>
> > > > root@uuu:/#
> > > > root@uuu:/# smbpasswd -c /home/hywu/smb.conf -U ZTEST -D 2
> > > > rlimit max:increasing (1024) to minimum Windows limit (16384)
> > > > New SMB password:
> > > > Retype new SMB password:
> > > > Cannot update entry for user UUQ\ztest, as they don't exist in the
> > > > smbpasswd file!
> > > > smbpasswd_update_sam_account: mod_smbfilepud_entry failed!
> > > > Failed to modify entry for user ZTEST.
> > > > root@uuu:/# uname -a
> > > > Linux uuu 6.5.0-14-generic #14~22.04.1-Ubuntu SMP...
> > > >
> > > > I checked the samba code and found the problem is the order of the
> > > > getpwnam calls in Get_Pwnam_internals(). The lowercase-first order
> > > > gets the domain user (UUQ\ztest) instead of the local account
> > > > (ZTEST).
> > > >
> > > > local_password_change()
> > > >   pdb_getsampwnam()
> > > >     smbpasswd_getsampwnam()
> > > >       build_sam_account()
> > > >         Get_Pwnam_alloc()
> > > >           Get_Pwnam_internals()        <-- turns "ZTEST" into "ztest"
> > > >             getpwnam_alloc_cached()
> > > >               getpwnam()
> > > >                 (nss_winbind)
> > > >                   winbindd_getpwnam_send()
> > > >                     parse_domain_user()  <-- adds "UUQ" to domain and
> > > >                                              namespace
> > > >                       assume_domain()
> > > >
> > > > When the samba role is DC, "winbind use default domain" does not
> > > > work in assume_domain(). Then getpwnam() gets the domain user.
> > > >
> > > > I have checked the following list post and commit
> > > >
> > > > https://lists.samba.org/archive/samba-technical/2008-March/058508.html
> > > > https://git.samba.org/?p=samba.git;a=commitdiff;h=ea4a0d509ef70e91baedc5eebf4f4bcff10dac96
> > > >
> > > > Why did the order of the getpwnam calls in Get_Pwnam_internals()
> > > > change from original name first to lowercase first?
> > > >
> > > > HY Wu.
> > >
> > > I think you need to give us more details:
> > > What OS ?
> >
> > ubuntu 22.04
> >
> > > What version of Samba ?
> >
> > samba-4.15
> >
> > > Is there another smb.conf file somewhere ?
> >
> > Before the samba role became DC, samba used this smb.conf.
> > [/home/hywu] # cat /home/hywu/smb.conf
> > [global]
> > passdb backend = smbpasswd
> > workgroup = WORKGROUP
> > security=user
> >
> > After the samba role became DC, samba uses the smb.conf generated by
> > samba-tool domain provision.
> >
> > > If there is, what is in it ?
> > > How did you provision the domain, what was the actual command ?
> >
> > samba-tool domain provision --use-rfc2307 --realm=uuq.ork
> > --domain=UUQ --server-role=DC --adminpass=xxxxxx
> > I installed samba following these links
> > https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller#Introduction
> > https://wiki.samba.org/index.php/Distribution-specific_Package_Installation#Debian/Ubuntu
> >
> > > Rowland
> >
> > I need to sync the account password in /etc/passwd and smbpasswd, so
> > when I change a local user password I run the smbpasswd command to set
> > the same password. Before samba became DC, "smbpasswd -c
> > /home/hywu/smb.conf -U ZTEST" worked well.
> > After samba became DC, this command fails to change the password.
> > I checked the debug log and samba code, and I find the order of the
> > getpwnam calls in Get_Pwnam_internals causes this problem.
> >
> > HY Wu.
>
> You only need local Unix users (the ones that are in /etc/passwd) on a
> Samba AD DC for local administration and, as I said earlier, any local
> Unix users are unknown to AD.
>
> If I run getent on one of my DCs, I get things like this:
>
> adminuser@rpidc1:~ $ getent passwd rowland
> SAMDOM\rowland:*:3000020:100:Rowland Penny:/home/SAMDOM/rowland:/bin/bash
>
> To all intents and purposes, 'rowland' is a local Unix user and can log
> into the DC, but 'rowland' isn't in /etc/passwd:
>
> adminuser@rpidc1:~ $ cat /etc/passwd | grep 'rowland'
> adminuser@rpidc1:~ $
> adminuser@rpidc1:~ $
>
> To change an AD user's password, you can use samba-tool, see:
>
> samba-tool user password --help
>
> Or:
>
> samba-tool user setpassword --help
>
> I would remove any users from /etc/passwd that are also created in your
> AD DC.
>
> I will now go and close your bug report, it is invalid.
>
> Rowland
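The two lookup orders argued about in this thread (lowercase -> original -> uppercase in current Samba, original -> lowercase -> uppercase before the cited commit) can be modelled without a real NSS stack. The program below is an added example, not Samba's own code and not the change HY Wu made to source3/lib/username.c: it simulates getpwnam() over two constructed backends, a "files" backend that matches /etc/passwd names exactly and a "winbind" backend that matches AD names case-insensitively and returns them as DOMAIN\user, which is what the thread shows a DC doing. The account names (ZTEST, UUQ\ztest, hywu) are the thread's; the function names, the backend tables and the nsswitch order "files winbind" are assumptions made for the example.

```c
/* Added example (not Samba code): model of how the order of getpwnam()
 * attempts in Get_Pwnam_internals() decides which account a mixed-case
 * name resolves to when /etc/passwd and winbind both know a similar name.
 * Backends and nsswitch order are constructed stand-ins. */
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strcasecmp (POSIX) */
#include <ctype.h>
#include <stddef.h>

#define NAME_BUF 64

/* Constructed /etc/passwd names; NSS "files" matches them case-sensitively. */
static const char *const local_users[] = { "hywu", "jone", "ZTEST" };

/* Constructed AD accounts served by winbind; matched case-insensitively
 * and reported with the domain prefix, as the thread's getent output shows. */
static const char *const domain_name = "UUQ";
static const char *const domain_users[] = { "administrator", "ztest" };

static const char *nss_files_getpwnam(const char *name)
{
    size_t n = sizeof local_users / sizeof local_users[0];
    for (size_t i = 0; i < n; i++)
        if (strcmp(local_users[i], name) == 0)
            return local_users[i];
    return NULL;
}

/* Writes "DOMAIN\user" into out and returns it, or NULL if AD has no match. */
static const char *nss_winbind_getpwnam(const char *name, char *out, size_t outlen)
{
    size_t n = sizeof domain_users / sizeof domain_users[0];
    for (size_t i = 0; i < n; i++)
        if (strcasecmp(domain_users[i], name) == 0) {
            snprintf(out, outlen, "%s\\%s", domain_name, domain_users[i]);
            return out;
        }
    return NULL;
}

/* Stand-in for libc getpwnam() with "passwd: files winbind" in
 * nsswitch.conf: the first backend that answers wins. Returns the
 * resolved pw_name in out, or NULL when neither backend knows the name. */
static const char *sim_getpwnam(const char *name, char *out, size_t outlen)
{
    const char *hit = nss_files_getpwnam(name);
    if (hit != NULL) {
        snprintf(out, outlen, "%s", hit);
        return out;
    }
    return nss_winbind_getpwnam(name, out, outlen);
}

/* Copy src into dst applying tolower/toupper to every byte. */
static void recase(const char *src, char *dst, size_t dstlen, int (*conv)(int))
{
    size_t i;
    for (i = 0; i + 1 < dstlen && src[i] != '\0'; i++)
        dst[i] = (char)conv((unsigned char)src[i]);
    dst[i] = '\0';
}

/* Order the thread reports for current Samba: lowercase, as given, uppercase. */
const char *get_pwnam_lowercase_first(const char *name, char *out, size_t outlen)
{
    char tmp[NAME_BUF];
    recase(name, tmp, sizeof tmp, tolower);
    if (sim_getpwnam(tmp, out, outlen) != NULL) return out;
    if (sim_getpwnam(name, out, outlen) != NULL) return out;
    recase(name, tmp, sizeof tmp, toupper);
    return sim_getpwnam(tmp, out, outlen);
}

/* Order the thread reports for before the cited commit: as given, lowercase, uppercase. */
const char *get_pwnam_original_first(const char *name, char *out, size_t outlen)
{
    char tmp[NAME_BUF];
    if (sim_getpwnam(name, out, outlen) != NULL) return out;
    recase(name, tmp, sizeof tmp, tolower);
    if (sim_getpwnam(tmp, out, outlen) != NULL) return out;
    recase(name, tmp, sizeof tmp, toupper);
    return sim_getpwnam(tmp, out, outlen);
}

int main(void)
{
    char buf[NAME_BUF];
    const char *r;
    r = get_pwnam_lowercase_first("ZTEST", buf, sizeof buf);
    printf("lowercase first: ZTEST -> %s\n", r ? r : "(not found)");
    r = get_pwnam_original_first("ZTEST", buf, sizeof buf);
    printf("original first:  ZTEST -> %s\n", r ? r : "(not found)");
    return 0;
}
```

Running it prints `UUQ\ztest` for the lowercase-first order and `ZTEST` for the original-first order: the same input name selects two different principals depending purely on which spelling is tried first, which is why smbpasswd in the thread ends up trying to update UUQ\ztest when ZTEST was asked for. From a defender's point of view the lesson is Rowland's: once a local account and a domain account share a name, identity resolution becomes order-dependent, and a password operation meant for one can be routed to the other. Before relying on smbpasswd or PAM on a DC, compare `getent passwd ZTEST` and `getent passwd ztest`; if they return different entries, the collision needs to be removed rather than worked around in the lookup order.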