Bug 110 - query_usergroups fails due without root permissions
Status: CLOSED FIXED
Product: Samba 3.0
Classification: Unclassified
Component: User/Group Accounts
Version: 3.0.0preX
Hardware: Other other
Importance: P2 normal
Target Milestone: none
Assigned To: Gerald (Jerry) Carter
Reported: 2003-05-22 14:01 UTC by Gerald (Jerry) Carter
Modified: 2005-08-24 10:16 UTC

Description Gerald (Jerry) Carter 2003-05-22 14:01:48 UTC
Here's the log snippet:

get_domain_user_groups: searching domain groups [jerry] is a member of
ldapsam_open: cannot access LDAP when not root..
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Connection to LDAP Server failed for the 1 try!
LDAP search failed: Insufficient access
Query was: dc=plainjoe,dc=org, (objectclass=sambaGroupMapping)
Unable to open passdb
000000 samr_io_r_query_usergroups
    0000 ptr_0       : 00000000
    0004 status: NT_STATUS_NO_SUCH_GROUP

To reproduce, just try setting the wallpaper for the 
desktop on an XP client by browsing a samba file share.
Use the display control applet on the XP client to 
set the wallpaper.
Comment 1 Gerald (Jerry) Carter 2003-05-22 14:11:33 UTC
may or may not be related (level 0 entries):

  ldapsam_open: cannot access LDAP when not root..
  LDAP search failed: Insufficient access
  Unable to open passdb
  failed to decode PDU
  process_request_pdu: failed to do schannel processing.
Comment 2 Ignacio Coupeau 2003-05-27 10:17:40 UTC
Also the logs report a ldapsam_retry_open() failure:
...
[2003/05/27 15:57:14, 0] passdb/pdb_ldap.c:ldapsam_open(697)
  ldapsam_open: cannot access LDAP when not root..
[2003/05/27 15:57:14, 1] passdb/pdb_ldap.c:ldapsam_retry_open(782)
  Connection to LDAP Server failed for the 1 try!
[2003/05/27 15:57:14, 0] passdb/pdb_ldap.c:ldapsam_setsamgrent(3516)
  LDAP search failed: Insufficient access
...
a bad pointer in the ldap passwd?
Comment 3 Ignacio Coupeau 2003-05-27 11:37:10 UTC
I think the ldapsam_setsamgrent() is called as the uidNumber of the user. In
this example the geteuid() in ldapsam_open() returns "20034", the
uidNumber for the user "555555-5" (I modified the DEBUG line).

[2003/05/27 20:28:37, 2] passdb/pdb_ldap.c:init_sam_from_ldap(1949)
  Entry found for user: 555555-5
...
  ldapsam_open: cannot access LDAP when not root... 20034
Comment 4 Tim Potter 2003-06-04 18:29:58 UTC
From a brief scan through the code, it looks like the ldapsam_setsamgrent() is
called only by the pdb_enum_group_mapping() function.  There are several
occurrences of this throughout the RPC server code, only one of which is enclosed
by a become_root()/unbecome_root() pair.
Comment 5 Gerald (Jerry) Carter 2003-06-23 10:04:50 UTC
fixed by enclosing group enumerating in become/unbecome root.
Although I think this needs to be reworked so that the 
become/unbecome root is handled by the backend for certain 
operations.  This way we don't have to become root for a 
tdbsam that is world readable.  
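
The fix and the rework proposed in Comment 5, modelled as an added example (not Samba's code and not part of the original thread). The effective uid is simulated, and struct pdb_backend, needs_root, root_opens, backend_open() and the enum_groups* functions are hypothetical names; become_root()/unbecome_root() here are simplified stand-ins.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simulated effective uid (constructed value); no real credential switch happens. */
static unsigned sim_euid = 20034;
static unsigned saved_euid;
static int depth = 0;

/* Simplified stand-ins for the bracket named in the thread; nesting is counted. */
static void become_root(void)   { if (depth++ == 0) saved_euid = sim_euid; sim_euid = 0; }
static void unbecome_root(void) { if (depth > 0 && --depth == 0) sim_euid = saved_euid; }

/* Hypothetical descriptor: each passdb backend declares whether it needs root. */
struct pdb_backend {
    const char *name;
    bool needs_root;   /* ldapsam: true; world-readable tdbsam: false */
    int root_opens;    /* how many enumerations had to escalate */
};

/* Backend-side check, modelled on the "cannot access LDAP when not root" log line. */
static bool backend_open(const struct pdb_backend *b)
{
    return !(b->needs_root && sim_euid != 0);
}

/* Pre-fix call path: enumeration runs with the connected user's uid. */
static bool enum_groups_unbracketed(struct pdb_backend *b)
{
    return backend_open(b);
}

/* Backend-aware bracket: escalate only when the backend asks, and always restore. */
static bool enum_groups(struct pdb_backend *b)
{
    bool ok;
    if (b->needs_root) { become_root(); b->root_opens++; }
    ok = backend_open(b);          /* single exit path below, so the uid is never left at 0 */
    if (b->needs_root) unbecome_root();
    return ok;
}

int main(void)
{
    struct pdb_backend ldap = { "ldapsam", true, 0 }, tdb = { "tdbsam", false, 0 };
    printf("%s unbracketed: %d\n", ldap.name, enum_groups_unbracketed(&ldap));
    printf("%s bracketed:   %d (euid after: %u)\n", ldap.name, enum_groups(&ldap), sim_euid);
    printf("%s bracketed:   %d (root opens: %d)\n", tdb.name, enum_groups(&tdb), tdb.root_opens);
    return 0;
}
```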
Comment 6 Gerald (Jerry) Carter 2005-02-07 07:57:11 UTC
originally reported against 3.0alpha24.  Bugzilla spring cleaning.  
Removing old alpha versions.
Comment 7 Gerald (Jerry) Carter 2005-08-24 10:16:50 UTC
sorry for the same, cleaning up the database to prevent unnecessary reopens of bugs.