13808 – Samba 4.9.4 fails to start with ldapsam pdb backend in readonly LDAP environment

Bug 13808 - Samba 4.9.4 fails to start with ldapsam pdb backend in readonly LDAP environment

Summary: Samba 4.9.4 fails to start with ldapsam pdb backend in readonly LDAP environment

Status:	NEW

Alias:	None

Product:	Samba 4.1 and newer
Classification:	Unclassified
Component:	File services (show other bugs)
Version:	4.9.4
Hardware:	All All

Importance:	P5 normal (vote)
Target Milestone:	---
Assignee:	Samba QA Contact
QA Contact:	Samba QA Contact

URL:
Keywords:

Depends on:
Blocks:

Reported:	2019-02-27 13:43 UTC by Andrew Walker
Modified:	2019-02-27 15:18 UTC (History)
CC List:	0 users

See Also:

Attachments
patch for v4-9 (619 bytes, patch) 2019-02-27 13:43 UTC, Andrew Walker	no flags	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Andrew Walker 2019-02-27 13:43:36 UTC

Created attachment 14873 [details]
patch for v4-9

This was observed when users upgraded from Samba 4.7 to 4.9. LDAP bind account lacks write privileges, and an alias for S-1-5-32-546 does not exist. Since the account cannot be created, samba fails to start.

[2019/02/25 12:25:47.767435,  2] ../source3/passdb/pdb_ldap_util.c:281(smbldap_search_domain_info)
  smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=<redacted>))]
[2019/02/25 12:25:47.817732,  3] ../source3/lib/smbldap.c:632(smbldap_start_tls)
  StartTLS issued: using a TLS connection
[2019/02/25 12:25:47.817788,  2] ../source3/lib/smbldap.c:847(smbldap_open_connection)
  smbldap_open_connection: connection opened
[2019/02/25 12:25:47.827892,  3] ../source3/lib/smbldap.c:1069(smbldap_connect_system)
  ldap_connect_system: successful connection to the LDAP server
[2019/02/25 12:25:47.979475,  3] ../source3/lib/util_procid.c:54(pid_to_procid)
  pid_to_procid: messaging_dgm_get_unique failed: No such file or directory
[2019/02/25 12:25:47.982172,  2] ../source3/passdb/pdb_ldap_util.c:281(smbldap_search_domain_info)
  smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=<redacted>))]
[2019/02/25 12:25:47.990562,  3] ../source3/lib/smbldap.c:632(smbldap_start_tls)
  StartTLS issued: using a TLS connection
[2019/02/25 12:25:47.990626,  2] ../source3/lib/smbldap.c:847(smbldap_open_connection)
  smbldap_open_connection: connection opened
[2019/02/25 12:25:47.996891,  2] ../source3/passdb/pdb_ldap_util.c:281(smbldap_search_domain_info)
  smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=<redacted>))]
[2019/02/25 12:25:48.005126,  3] ../source3/lib/smbldap.c:632(smbldap_start_tls)
  StartTLS issued: using a TLS connection
[2019/02/25 12:25:48.005218,  2] ../source3/lib/smbldap.c:847(smbldap_open_connection)
  smbldap_open_connection: connection opened
[2019/02/25 12:25:48.005653,  3] ../source3/lib/smbldap.c:1069(smbldap_connect_system)
  ldap_connect_system: successful connection to the LDAP server
[2019/02/25 12:25:48.021043,  3] ../source3/lib/smbldap.c:1069(smbldap_connect_system)
  ldap_connect_system: successful connection to the LDAP server
[2019/02/25 12:25:48.036973,  3] ../source3/lib/smbldap.c:632(smbldap_start_tls)
  StartTLS issued: using a TLS connection
[2019/02/25 12:25:48.037043,  2] ../source3/lib/smbldap.c:847(smbldap_open_connection)
  smbldap_open_connection: connection opened
[2019/02/25 12:25:48.051993,  3] ../source3/lib/smbldap.c:1069(smbldap_connect_system)
  ldap_connect_system: successful connection to the LDAP server
[2019/02/25 12:25:48.052787,  2] ../source3/passdb/pdb_ldap.c:2386(init_group_from_ldap)
  init_group_from_ldap: Entry found for group: 90000005
[2019/02/25 12:25:48.053792,  2] ../source3/passdb/pdb_ldap.c:2386(init_group_from_ldap)
  init_group_from_ldap: Entry found for group: 90000006
[2019/02/25 12:25:48.107401,  3] ../source3/passdb/pdb_ldap.c:5210(ldapsam_gid_to_sid)
  ERROR: Got 0 entries for gid 90000016, expected one
[2019/02/25 12:25:48.108434,  0] ../source3/groupdb/mapping.c:863(pdb_create_builtin_alias)
  pdb_create_builtin_alias: Could not add group mapping entry for alias 546 (NT_STATUS_ACCESS_DENIED)
[2019/02/25 12:25:48.108496,  2] ../source3/auth/token_util.c:774(finalize_local_nt_token)
  Failed to create BUILTIN\Guests group NT_STATUS_ACCESS_DENIED!  Can Winbind allocate gids?
[2019/02/25 12:25:48.108529,  3] ../source3/auth/token_util.c:412(create_local_nt_token_from_info3)
  Failed to finalize nt token
[2019/02/25 12:25:48.108557,  0] ../source3/auth/auth_util.c:1382(make_new_session_info_guest)
  create_local_token failed: NT_STATUS_ACCESS_DENIED
[2019/02/25 12:25:48.108590,  0] ../source3/smbd/server.c:2000(main)
  ERROR: failed to setup guest info.

I believe behavior change was introduced here: https://github.com/samba-team/samba/commit/0b261dc4e3f2d04131e1ff76a017aaee6e38e7b1

Minimal patch to fix behavior in my test environment is attached.

Comment 1 Louis 2019-02-27 15:18:09 UTC

Hai, yes, this looks like an older bug. 
but we need some extra info first, like: 

Did you upgrade to 4.8 before you upgraded to 4.9? 

- OS ? 
- Old samba version = 4.7.? 
- New Samba Version = 4.9.4 
OS packages of samba or from sources compiled? 

And last, can you show the smb.conf. 
You can anonimize where needed.