Bug 1576 - joining domain as normal user fails with ldap backend
Summary: joining domain as normal user fails with ldap backend
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: Domain Control (show other bugs)
Version: 3.0.5
Hardware: All Linux
: P3 normal
Target Milestone: none
Assignee: Samba Bugzilla Account
QA Contact: Samba QA Contact
Depends on:
Reported: 2004-07-31 06:28 UTC by Marton Illes
Modified: 2005-08-24 10:17 UTC (History)
0 users

See Also:


Note You need to log in before you can comment on or make changes to this bug.
Description Marton Illes 2004-07-31 06:28:40 UTC
I have a user member of the Administrator group and the Domain Admin group in 
the ldap. I use this user to join the domain from a win2k or samba client, but 
my attempt fails.

I found it in my logs:

[2004/07/30 20:15:24, 5] lib/smbldap.c:smbldap_search(932)
  smbldap_search: base => [o=Lauder,c=hu], filter => [(&(sambaSID=XXXXXX-103242)
(objectclass=sambaSamAccount))], scope => [2]
[2004/07/30 20:15:24, 0] lib/smbldap.c:smbldap_open(820)
  smbldap_open: cannot access LDAP when not root..
[2004/07/30 20:15:24, 1] lib/smbldap.c:smbldap_retry_open(909)
  Connection to LDAP Server failed for the 1 try!
[2004/07/30 20:15:24, 0] lib/smbldap.c:smbldap_search_suffix(1126)
  smbldap_search_suffix: Problem during the LDAP search:  (Insufficient access)
[2004/07/30 20:15:24, 5] rpc_parse/parse_prs.c:prs_debug(82)
  000000 samr_io_r_set_userinfo 
[2004/07/30 20:15:24, 5] rpc_parse/parse_prs.c:prs_ntstatus(665)
      0000 status: NT_STATUS_ACCESS_DENIED

I think it is caused by the following code:
static int smbldap_open(struct smbldap_state *ldap_state)
        int rc;
        if (geteuid() != 0) {
                DEBUG(0, ("smbldap_open: cannot access LDAP when not root..\n"))
                return  LDAP_INSUFFICIENT_ACCESS;

This is what changed since 2.2. We defenetly need some check here, but not sure 
about the right way of doing it.

On the other hand I can also see that at some point in the file 
rpc_server/srv_samr_nt.c some of the pdb_* calls are between a become_root()
/unbecome_root() calls.

I follwoed the code path and patched samba to be able to join my domain with 
normal user(non-root) so added some (un)become_root() calls in 
set_user_info_pw() function:
static BOOL set_user_info_pw(char *pass, DOM_SID *sid)
        SAM_ACCOUNT *pwd = NULL;
        uint32 len;
        pstring plaintext_buf;
        uint16 acct_ctrl;
        BOOL ret;

        ret = pdb_getsampwsid(pwd, sid);

and at the end of the function:
        /* update the SAMBA password */

        ret = pdb_update_sam_account(pwd);


        return ret;

Now it works, but I am not sure that the pdb_update_sam_account call should be 
done with this trick. I think a more general solution would be required on the 
smbldap_open call to check if the user is the member of the DomainAdmin group.

I can find the sambe LDAP insufficient access problem in the _samr_set_userinfo2 
code path as well. So adding become_root/unbecome_root to all of the pdb_* calls 
does not seam to be a nice solution for me.

I am not sure if can relay on the fact that samba runs as root or not. I think 
especialy for large installations using root as the only domainadmin does not 
make sense.
I hope my understandings are correct.
Comment 1 Gerald (Jerry) Carter (dead mail address) 2005-02-03 07:11:04 UTC
Fixed in 3.0.11 with the implementation privileges.
see http://samba.org/~jerry/Samba-Rights-HOWTO
Comment 2 Gerald (Jerry) Carter (dead mail address) 2005-08-24 10:17:23 UTC
sorry for the same, cleaning up the database to prevent unecessary reopens of bugs.