Bug 15560 - Smbpasswd fails to change local UNIX user passwd when samba role is DC.
Status: RESOLVED INVALID
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.15.0
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
Reported: 2024-01-25 08:30 UTC by HY Wu
Modified: 2024-01-25 13:19 UTC

Attachments
Smbpasswd fails to change local UNIX user password (ZTEST) when samba role is DC (76.09 KB, image/png)
2024-01-25 08:30 UTC, HY Wu

Description HY Wu 2024-01-25 08:30:34 UTC
Created attachment 18237
Smbpasswd fails to change local UNIX user password (ZTEST) when samba role is DC

My case:
Local UNIX user: ZTEST
Domain user: UUQ\ztest
smb.conf for standalone Samba: /home/hywu/smb.conf

[/home/hywu] # cat /home/hywu/smb.conf
[global]
passdb backend = smbpasswd
workgroup = WORKGROUP
security=user

Smbpasswd fails to change the local UNIX user password (ZTEST) when the Samba role is DC, as shown in the attached picture.

I checked the Samba code and found that the problem is the order of the getpwnam calls in Get_Pwnam_internals().
The lowercase-first order gets the domain user (UUQ/ztest) instead of the local account (ZTEST).
local_password_change()
 pdb_getsampwnam()
  smbpasswd_getsampwnam()
   build_sam_account()
    Get_Pwnam_alloc()
     Get_Pwnam_internals()
      getpwnam_alloc_cached()
       getpwnam()
        (nss_winbind)
          winbindd_getpwnam_send()
           parse_domain_user()
            assume_domain() 

When the Samba role is DC, "winbind use default domain" does not work in assume_domain(). Then getpwnam() gets the domain user.


I have checked the following list and commit:
https://lists.samba.org/archive/samba-technical/2008-March/058508.html
https://git.samba.org/?p=samba.git;a=commitdiff;h=ea4a0d509ef70e91baedc5eebf4f4bcff10dac96

Why did the order of the getpwnam calls in Get_Pwnam_internals() change from original name first to lowercase first?
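
The lookup-order effect described in the report above, as an added example that is not part of the bug report or Samba's code: a simplified Python model in which a case-sensitive local source and a winbind source are queried with lowercase-first and original-first candidate orders. The local passwd line for ZTEST and the names `nss_lookup`, `resolve` and `shadowed_local_accounts` are assumptions made for the illustration.

```python
# Added illustration: a simplified model of the lookup order, not Samba source.
from typing import Callable, Dict, List, Optional, Tuple

Lookup = Callable[[str], Optional[str]]

# Constructed sample data. The winbind line is the one quoted in comment 1;
# the local /etc/passwd line for ZTEST is made up for this example.
LOCAL_FILES: Dict[str, str] = {"ZTEST": "ZTEST:x:1001:100::/home/ZTEST:/bin/sh"}
WINBIND: Dict[str, str] = {"ztest": r"UUQ\ztest:*:3000013:100::/home/UUQ/ztest:/bin/false"}

def nss_lookup(name: str) -> Optional[str]:
    """Model of getpwnam() with 'passwd: files winbind'.

    Assumption: 'files' matches case-sensitively, and winbind answers an
    unqualified name with the domain user, as the report describes.
    """
    if name in LOCAL_FILES:
        return LOCAL_FILES[name]
    return WINBIND.get(name.lower())

LOWER_FIRST = ["lower", "original", "upper"]     # order described in the report
ORIGINAL_FIRST = ["original", "lower", "upper"]  # earlier order the reporter asks about

def resolve(user: str, order: List[str],
            lookup: Lookup = nss_lookup) -> Tuple[Optional[str], Optional[str]]:
    """Try case variants of `user` in `order`; return (matched_name, entry)."""
    variants = {"lower": user.lower(), "original": user, "upper": user.upper()}
    tried = set()
    for key in order:
        candidate = variants[key]
        if candidate in tried:      # skip variants identical to one already tried
            continue
        tried.add(candidate)
        entry = lookup(candidate)
        if entry is not None:       # first hit wins, later variants are never tried
            return candidate, entry
    return None, None

def shadowed_local_accounts(lookup: Lookup = nss_lookup) -> List[str]:
    """Local accounts whose lowercase-first lookup returns a different entry."""
    return [name for name, entry in LOCAL_FILES.items()
            if resolve(name, LOWER_FIRST, lookup)[1] != entry]

if __name__ == "__main__":
    for label, order in (("lowercase first", LOWER_FIRST), ("original first", ORIGINAL_FIRST)):
        print(f"{label:16} ZTEST ->", resolve("ZTEST", order)[1])
    print("shadowed local accounts:", shadowed_local_accounts())
```
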
Comment 1 Rowland Penny 2024-01-25 10:21:56 UTC
(In reply to HY Wu from comment #0)

You appear to have a severely borked Samba AD DC; from your image (please do not post images of a terminal, cut & paste the data into a file instead) there is this:

UUQ\ztest:*:3000013:100::/home/UUQ/ztest:/bin/false

You only get IDs in the '3000000' range on a Samba AD DC and the users should not be in /etc/passwd.

On a DC, local Unix users are just that, local and as such, are unknown to Samba.

I think you need to come and discuss this on the samba mailing list.
If you are not registered for the list, then go here:

https://lists.samba.org/mailman/listinfo/samba

Register and then ask for advice there.
Comment 2 Rowland Penny 2024-01-25 13:19:43 UTC
Closing this; after a discussion on the Samba mailing list, it appears the bug reporter has a misconfigured AD DC.