Bug 13808 - Samba 4.9.4 fails to start with ldapsam pdb backend in readonly LDAP environment
Status: NEW
Product: Samba 4.1 and newer
Classification: Unclassified
Component: File services
Version: 4.9.4
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assigned To: Samba QA Contact
QA Contact: Samba QA Contact

Reported: 2019-02-27 13:43 UTC by Andrew Walker
Modified: 2019-02-27 15:18 UTC (History)
Attachments
patch for v4-9 (619 bytes, patch)
2019-02-27 13:43 UTC, Andrew Walker
Description Andrew Walker 2019-02-27 13:43:36 UTC
Created attachment 14873 [details]
patch for v4-9

This was observed when users upgraded from Samba 4.7 to 4.9. The LDAP bind account lacks write privileges, and an alias for S-1-5-32-546 does not exist. Since the account cannot be created, Samba fails to start.

[2019/02/25 12:25:47.767435,  2] ../source3/passdb/pdb_ldap_util.c:281(smbldap_search_domain_info)
  smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=<redacted>))]
[2019/02/25 12:25:47.817732,  3] ../source3/lib/smbldap.c:632(smbldap_start_tls)
  StartTLS issued: using a TLS connection
[2019/02/25 12:25:47.817788,  2] ../source3/lib/smbldap.c:847(smbldap_open_connection)
  smbldap_open_connection: connection opened
[2019/02/25 12:25:47.827892,  3] ../source3/lib/smbldap.c:1069(smbldap_connect_system)
  ldap_connect_system: successful connection to the LDAP server
[2019/02/25 12:25:47.979475,  3] ../source3/lib/util_procid.c:54(pid_to_procid)
  pid_to_procid: messaging_dgm_get_unique failed: No such file or directory
[2019/02/25 12:25:47.982172,  2] ../source3/passdb/pdb_ldap_util.c:281(smbldap_search_domain_info)
  smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=<redacted>))]
[2019/02/25 12:25:47.990562,  3] ../source3/lib/smbldap.c:632(smbldap_start_tls)
  StartTLS issued: using a TLS connection
[2019/02/25 12:25:47.990626,  2] ../source3/lib/smbldap.c:847(smbldap_open_connection)
  smbldap_open_connection: connection opened
[2019/02/25 12:25:47.996891,  2] ../source3/passdb/pdb_ldap_util.c:281(smbldap_search_domain_info)
  smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=<redacted>))]
[2019/02/25 12:25:48.005126,  3] ../source3/lib/smbldap.c:632(smbldap_start_tls)
  StartTLS issued: using a TLS connection
[2019/02/25 12:25:48.005218,  2] ../source3/lib/smbldap.c:847(smbldap_open_connection)
  smbldap_open_connection: connection opened
[2019/02/25 12:25:48.005653,  3] ../source3/lib/smbldap.c:1069(smbldap_connect_system)
  ldap_connect_system: successful connection to the LDAP server
[2019/02/25 12:25:48.021043,  3] ../source3/lib/smbldap.c:1069(smbldap_connect_system)
  ldap_connect_system: successful connection to the LDAP server
[2019/02/25 12:25:48.036973,  3] ../source3/lib/smbldap.c:632(smbldap_start_tls)
  StartTLS issued: using a TLS connection
[2019/02/25 12:25:48.037043,  2] ../source3/lib/smbldap.c:847(smbldap_open_connection)
  smbldap_open_connection: connection opened
[2019/02/25 12:25:48.051993,  3] ../source3/lib/smbldap.c:1069(smbldap_connect_system)
  ldap_connect_system: successful connection to the LDAP server
[2019/02/25 12:25:48.052787,  2] ../source3/passdb/pdb_ldap.c:2386(init_group_from_ldap)
  init_group_from_ldap: Entry found for group: 90000005
[2019/02/25 12:25:48.053792,  2] ../source3/passdb/pdb_ldap.c:2386(init_group_from_ldap)
  init_group_from_ldap: Entry found for group: 90000006
[2019/02/25 12:25:48.107401,  3] ../source3/passdb/pdb_ldap.c:5210(ldapsam_gid_to_sid)
  ERROR: Got 0 entries for gid 90000016, expected one
[2019/02/25 12:25:48.108434,  0] ../source3/groupdb/mapping.c:863(pdb_create_builtin_alias)
  pdb_create_builtin_alias: Could not add group mapping entry for alias 546 (NT_STATUS_ACCESS_DENIED)
[2019/02/25 12:25:48.108496,  2] ../source3/auth/token_util.c:774(finalize_local_nt_token)
  Failed to create BUILTIN\Guests group NT_STATUS_ACCESS_DENIED!  Can Winbind allocate gids?
[2019/02/25 12:25:48.108529,  3] ../source3/auth/token_util.c:412(create_local_nt_token_from_info3)
  Failed to finalize nt token
[2019/02/25 12:25:48.108557,  0] ../source3/auth/auth_util.c:1382(make_new_session_info_guest)
  create_local_token failed: NT_STATUS_ACCESS_DENIED
[2019/02/25 12:25:48.108590,  0] ../source3/smbd/server.c:2000(main)
  ERROR: failed to setup guest info.

I believe the behavior change was introduced here: https://github.com/samba-team/samba/commit/0b261dc4e3f2d04131e1ff76a017aaee6e38e7b1

A minimal patch to fix the behavior in my test environment is attached.
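
The failure chain in the log above can be checked for mechanically when triaging an smbd that will not start against a read-only directory. The following is an added example, not part of the original report or of Samba's code: it parses smbd's two-line log records and reports when a denied BUILTIN alias creation is followed by the fatal guest-setup error. The function names are this example's own, and the sample is an excerpt of the log lines quoted in this report.

```python
import re

# Record header: "[timestamp, level] source_file:line(function)"
HEADER = re.compile(
    r"^\[(?P<ts>[^,]+),\s*(?P<level>\d+)\]\s+\S+?:\d+\((?P<func>\w+)\)\s*$")
ALIAS_FAIL = re.compile(
    r"Could not add group mapping entry for alias (\d+) \((NT_STATUS_\w+)\)")

# Excerpt of the log lines quoted in this bug report.
SAMPLE = """\
[2019/02/25 12:25:48.107401,  3] ../source3/passdb/pdb_ldap.c:5210(ldapsam_gid_to_sid)
  ERROR: Got 0 entries for gid 90000016, expected one
[2019/02/25 12:25:48.108434,  0] ../source3/groupdb/mapping.c:863(pdb_create_builtin_alias)
  pdb_create_builtin_alias: Could not add group mapping entry for alias 546 (NT_STATUS_ACCESS_DENIED)
[2019/02/25 12:25:48.108590,  0] ../source3/smbd/server.c:2000(main)
  ERROR: failed to setup guest info.
"""

def parse_records(text):
    """Group each header line with its indented message line(s)."""
    records, current = [], None
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            current = {"ts": m["ts"], "level": int(m["level"]),
                       "func": m["func"], "msg": ""}
            records.append(current)
        elif current is not None and raw.startswith(" "):
            current["msg"] = (current["msg"] + " " + raw.strip()).strip()
    return records

def diagnose(text):
    """Return the failed BUILTIN alias and whether smbd then aborted startup."""
    alias = None
    for rec in parse_records(text):
        if rec["func"] == "pdb_create_builtin_alias":
            m = ALIAS_FAIL.search(rec["msg"])
            if m:
                # BUILTIN aliases live under the S-1-5-32 domain SID.
                alias = {"sid": "S-1-5-32-" + m[1], "status": m[2],
                         "ts": rec["ts"]}
        elif (alias and rec["func"] == "main"
              and "failed to setup guest info" in rec["msg"]):
            return dict(alias, fatal=True)
    return dict(alias, fatal=False) if alias else None

if __name__ == "__main__":
    print(diagnose(SAMPLE))
```

A result with `fatal=False` means the alias creation was denied but the log does not show smbd aborting afterwards.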
Comment 1 Louis 2019-02-27 15:18:09 UTC
Hi, yes, this looks like an older bug,
but we need some extra info first, like:

Did you upgrade to 4.8 before you upgraded to 4.9?

- OS?
- Old Samba version = 4.7.?
- New Samba version = 4.9.4
- OS packages of Samba, or compiled from source?

And last, can you show the smb.conf?
You can anonymize where needed.