Bug 2291 - bug in 3.0.11rc1 was not in 3.0.11pre2
Product: Samba 3.0
Classification: Unclassified
Component: Domain Control
Version: 3.0.10
Hardware: All Linux
Importance: P3 major
Target Milestone: none
Assignee: Gerald (Jerry) Carter
QA Contact: Samba QA Contact
Reported: 2005-01-31 04:26 UTC by Levente Farkas
Modified: 2005-02-07 07:36 UTC

Attachments:
- here is the debug (6.90 KB, patch) - 2005-01-31 09:39 UTC, Levente Farkas
- the conf file (3.54 KB, text/plain) - 2005-01-31 09:41 UTC, Levente Farkas
- a much better logrotate file (311 bytes, text/plain) - 2005-01-31 09:41 UTC, Levente Farkas
- base ldap entries (242 bytes, text/plain) - 2005-02-02 03:07 UTC, Levente Farkas
- these are not really necessary for you (1.05 KB, text/plain) - 2005-02-02 03:08 UTC, Levente Farkas
- my smbldap-tools config file used in the script (6.40 KB, text/plain) - 2005-02-02 03:08 UTC, Levente Farkas
- net rpc join PDC -U Administrator --debuglevel=10 on 11pre2 (43.93 KB, text/plain) - 2005-02-02 03:57 UTC, Levente Farkas
- net rpc join PDC -U Administrator --debuglevel=10 on 11rc1 (43.94 KB, text/plain) - 2005-02-02 03:57 UTC, Levente Farkas
- check for ACB_SVRTRUST mask as well (516 bytes, patch) - 2005-02-02 10:50 UTC, Guenther Deschner
- add additional checks for creating server and domain trust accounts (3.82 KB, patch) - 2005-02-03 08:34 UTC, Gerald (Jerry) Carter
- (draft #2) add additional checks for creating server and domain trust accounts (6.18 KB, patch) - 2005-02-03 09:31 UTC, Gerald (Jerry) Carter

Description Levente Farkas 2005-01-31 04:26:57 UTC
it seems there is a bug in 3.0.11rc1 which was not present in 3.0.11pre2. in rc1
only the second net join command is successful ie:
# net rpc join PDC -U Administrator; net rpc join PDC -U Administrator
Create of workstation account failed
User specified does not have administrator privileges
Unable to join domain KONYVKLUB.
Joined domain KONYVKLUB.
which is strange since nothing happened between the two commands!
what's more, this was good in 3.0.11pre2 (if i downgrade to 3.0.11pre2 the first
command is successful).
Comment 1 Gerald (Jerry) Carter 2005-01-31 08:45:50 UTC
please attach (not posted inline) your smb.conf and the output from 
'net rpc join PDC -U Administrator --debuglevel=10' for the failed join.
Comment 2 Levente Farkas 2005-01-31 09:39:12 UTC
here i attached, if you like i can send the same with pre2 too.
Comment 3 Levente Farkas 2005-01-31 09:39:57 UTC
Created attachment 929 [details]
here is the debug
Comment 4 Levente Farkas 2005-01-31 09:41:00 UTC
Created attachment 930 [details]
the conf file
Comment 5 Levente Farkas 2005-01-31 09:41:23 UTC
Created attachment 931 [details]
a much better logrotate file
Comment 6 Levente Farkas 2005-01-31 09:43:16 UTC
i just posted my logrotate file here too, since your current default (the one in
the rpm) fails and does not rotate all log files.
Comment 7 Gerald (Jerry) Carter 2005-01-31 09:45:58 UTC
i'm assuming that you are trying to join winbindd 
(running on the PDC) to the Samba domain, yes ?
Comment 8 Levente Farkas 2005-01-31 12:48:33 UTC
i don't use winbind. this is a fresh clean new samba server acting as a PDC and (as
described in your howtos) after
- setup ldap (using smbldap-tools's smbldap-populate)
- smbldap-passwd Administrator
- net rpc join PDC -U Administrator
  ie try to join the PDC itself to the domain (samba)
this works in pre2 but not in rc1. if you like i can send you the same debug
output from pre2 (i've got a small script to regenerate the whole ldap, samba,
smb-tools, gosa setup). or if you like i can send the whole ldap.ldif too.
anyway it took me many hours to find out that rc1 has a bug over pre2 since i
tried to find the problem in my own setup:-(
Comment 9 Gerald (Jerry) Carter 2005-02-01 18:45:34 UTC
after looking at your log, i'm confused.  The error message 
should follow some samr calls but there are none.  I've
tried to reproduce the error with no success.  Everything
works correctly.

Please note that unless you are running winbindd on the 
Samba PDC, there is no need to run 'net rpc join'.  Also,
the syntax you give in the initial report is incorrect.
it should be 'net rpc join -S server -U user'. 

have you tried just pointing at the master LDAP server
and rerunning your test ?  just curious.
Comment 10 Levente Farkas 2005-02-02 03:04:08 UTC
hmm, i did my homework!:-0 and first read your docs:
see step 12!
this is exactly what i do (or the syntax is bad here!):
root#  net rpc join -U Administrator%not24get
Joined domain MEGANET2.
i currently use only one ldap server (which is the master), so that can't be the
problem either.
there are two simple reasons why there is a bug:
imho if the first net join failed, then the second should also fail.
there are no circumstances where between two successive runs there can be any difference. is
it true? what's more, it's working with all versions prior to 11rc1.
to be able to test it, here is my script which i use to set up a fresh new pdc.
this script works with all versions prior to 11rc1:
# LDAP_PASS, SAMBA_PASS, DOMAIN, ADMIN, GUEST and PASSWORD are taken from the
# environment (their values are not part of this report).
LDAP_OPT="-x -ZZ -h ldap.int.mkk.hu -D cn=Manager,dc=mkk,dc=hu -w"
# wipe the LDAP database and restart the server
/etc/init.d/ldap stop
sleep 1
/usr/sbin/logrotate -f /etc/logrotate.d/ldap
rm -rf /var/lib/ldap/mkk.hu/*
/etc/init.d/ldap start
sleep 1
ldapadd $LDAP_OPT "$LDAP_PASS" -f base.ldif
ldapadd $LDAP_OPT "$LDAP_PASS" -f dsa.ldif
# wipe samba's tdb state and restart it
/etc/init.d/smb stop
/usr/sbin/logrotate -f /etc/logrotate.d/samba
for i in /var/cache/samba /var/lib/samba ; do
        find $i -type f -exec rm -f {} \;
done
/etc/init.d/smb start
# store the LDAP admin password in secrets.tdb and fetch the new domain SID
smbpasswd -w "$SAMBA_PASS"
smbclient -L localhost -U%
SID="`net getlocalsid $DOMAIN|cut -d' ' -f6`"
cp /etc/smbldap-tools/smbldap.conf.ori /etc/smbldap-tools/smbldap.conf
sed -i "s/^SID=.*/SID=\"$SID\"/" /etc/smbldap-tools/smbldap.conf
# populate the directory, skipping the header lines of the generated ldif
smbldap-populate -u 5000 -g 5000 -a $ADMIN -b $GUEST -e populate.ldif
tail -n +7 populate.ldif|ldapadd $LDAP_OPT "$LDAP_PASS"
pdbedit -c '[DN]' $GUEST
# the password is written twice because smbldap-passwd prompts for it and for a confirmation
echo "$PASSWORD"  >pw.txt
echo "$PASSWORD" >>pw.txt
smbldap-passwd $ADMIN <pw.txt
rm pw.txt
net rpc join PDC -U "$ADMIN%$PASSWORD"
i just attached the used ldif files. as you can see the last command is the net
join. just set up an ldap server with "access to * by * write" for testing only
and cn=Manager,dc=mkk,dc=hu and run the script with 11pre2 and 11rc1.
Comment 11 Levente Farkas 2005-02-02 03:07:42 UTC
Created attachment 932 [details]
base ldap entries
Comment 12 Levente Farkas 2005-02-02 03:08:13 UTC
Created attachment 933 [details]
these are not really necessary for you
Comment 13 Levente Farkas 2005-02-02 03:08:33 UTC
Created attachment 934 [details]
my smbldap-tools config file used in the script
Comment 14 Levente Farkas 2005-02-02 03:57:07 UTC
Created attachment 935 [details]
net rpc join PDC -U Administrator --debuglevel=10 on 11pre2
Comment 15 Levente Farkas 2005-02-02 03:57:23 UTC
Created attachment 936 [details]
net rpc join PDC -U Administrator --debuglevel=10 on 11rc1
Comment 16 Levente Farkas 2005-02-02 05:05:12 UTC
I now ran exactly the same on pre2 and rc1 and attached the debuglevel 10 output
(after running the
sed -i "s/^\[2005.*\]//g" out.*
command which removes the time from the log and makes it easier to compare them. imho the
bug is somewhere in the new privilege model. i recommend gtkdiff (or meld if you
like it better). the only differences i recognize are:
smb_vwv[ 7]=48128 (0xBC00)  <-->  smb_vwv[ 7]= 8192 (0x2000)
smb_vwv[12]= 8052 (0x1F74)  <-->  smb_vwv[12]= 5827 (0x16C3)
smb_vwv[13]= 5488 (0x1570)  <-->  smb_vwv[13]= 5463 (0x1557)
got smb length of 106       <-->  got smb length of 104
smb_bcc=65                  <-->  smb_bcc=63
and the final
Joined domain KONYVKLUB. 
      0008 frag_len  : 002c
Create of workstation account failed
User specified does not have administrator privileges
Comment 17 Levente Farkas 2005-02-02 05:33:46 UTC
i assume I found the bug!!!
after rerunning my script i dumped the ldap server, and while pre2 put the computer
account under
dn: uid=kek$,ou=Computers,dc=mkk,dc=hu
at the same time rc1 put it under people:
dn: uid=kek$,ou=People,dc=mkk,dc=hu
so it seems rc1 assumes it's a user! what's more, it put kek$ also into
dn: cn=Domain Users,ou=Groups,dc=mkk,dc=hu
memberUid: kek$
pre2 doesn't do that!
the strange thing is smb.conf contains:
add machine script = /usr/sbin/smbldap-useradd -w '%u'
and /etc/smbldap-tools/smbldap.conf contains
which is right. and if i run /usr/sbin/smbldap-useradd -w xxx it creates a good
ldap entry for the computer (even under rc1). so for me it seems samba first creates
a user account instead of a computer!
Comment 18 Gerald (Jerry) Carter 2005-02-02 08:00:54 UTC
This change was outlined in the release notes...

LDAP Changes

If "ldap user suffix" or "ldap machine suffix" are defined in
smb.conf, all user-accounts must reside below the user suffix,
and all machine and inter-domain trust-accounts must be located
below the machine suffix.  Previous Samba releases would fall
back to searching the 'ldap suffix' in some cases.


So the behavior is by design.  If you have a bug with the smbldap-tool,
please contact the IDEALX developers.
Comment 19 Levente Farkas 2005-02-02 08:15:31 UTC
as you can see in the attachment, in my smb.conf:
ldap suffix = dc=mkk,dc=hu
ldap machine suffix = ou=Computers
ldap user suffix = ou=People
add machine script = /usr/sbin/smbldap-useradd -w '%u'
which seems to conform to the release notes! what's more, if i call
/usr/sbin/smbldap-useradd -w kek
then it puts it under
dn: uid=kek$,ou=Computers,dc=mkk,dc=hu
which also conforms. isn't it?
but it seems when i try to join, samba calls the "add user script" param of the
smb.conf rather than the "add machine script", which imho does NOT conform to the
release notes. or did i read it wrong???
what's more, please see the versions! the "LDAP Changes" you refer to were changed
in pre2 (according to your release notes) while pre2 works right, but rc1 does not!
Comment 20 Gerald (Jerry) Carter 2005-02-02 08:32:16 UTC
Guenther, please take a look at this and see what you come up with?
Much appreciated.
Comment 21 Guenther Deschner 2005-02-02 10:50:20 UTC
If this is "net rpc join" called on a PDC then I think I found the problem: 

The Samba Server-Code does not check for an ACB_SVRTRUST-mask (which got set in
net_rpc_join.c by the default secchannel-type for that server_role) and thus
defaults to the add user script (instead of an add machine script). Levente,
could you please try the attached patch, rebuild and restart smbd and try again?
Comment 22 Guenther Deschner 2005-02-02 10:50:55 UTC
Created attachment 938 [details]
check for ACB_SVRTRUST mask as well

Jerry, does this require any further privs-checks?
Comment 23 Levente Farkas 2005-02-02 12:56:10 UTC
yes, the join is on the pdc itself and tries to add the pdc machine to the domain.
but did this change between 11pre2 and 11rc1? otherwise how can this have happened?
anyway thank you for reading my bugreport carefully:-)
it takes a long time to download the src.rpm, very slow:-((( then modify your patch
to the correct path (add source). wouldn't it be possible to upload the
Binary_Packages not just to us2, but to all samba mirrors too? Jerry?
anyway the patch is working:-) at least the net rpc join PDC is working and puts
it under computers:-)
Jerry, would you replace your packaging/RedHat/samba.log with my previously
attached logrotate file? and also packaging/Fedora/samba.log too, or should i
create another bugzilla entry (it also rotates log.smbd and log.nmbd and works if
samba is not running).
Comment 24 Guenther Deschner 2005-02-02 13:17:39 UTC
Levente, thanks for your bugreport. 

It's fixed in subversion now (in a slightly different way: all kinds of trust
accounts need to be created with the "add machine script"). You will get this
change along with Samba 3.0.11.

Yes, could you please create a new bugreport for the logrotate-issues you have?

Jerry, are there further privs-checks required now?
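An added illustration of the mechanism this thread converges on (not code from this bug, from Samba or from smbldap-tools): the SAM account-control bits decide which add script smbd runs, and the entry that script creates either satisfies or violates the "ldap user suffix" / "ldap machine suffix" rule quoted from the release notes in comment 18. The ACB_* values are the standard SAM account-control flag values; the suffix values are copied from the reporter's smb.conf in comment 19; the rule that plain smbldap-useradd creates under the user suffix and smbldap-useradd -w under the machine suffix, the sample LDIF, and the audit_ldif check are my own constructions modelled on the entries quoted in comment 17.

```python
import re

# Standard SAM account-control bits (values as used by Samba and MS-SAMR).
ACB_NORMAL = 0x0010    # ordinary user account
ACB_DOMTRUST = 0x0040  # inter-domain trust account
ACB_WSTRUST = 0x0080   # workstation trust account
ACB_SVRTRUST = 0x0100  # server (PDC/BDC) trust account, set when a PDC joins itself
ACB_ANY_TRUST = ACB_DOMTRUST | ACB_WSTRUST | ACB_SVRTRUST

# Assumed smb.conf values, copied from the reporter's configuration in comment 19.
LDAP_SUFFIX = "dc=mkk,dc=hu"
MACHINE_SUFFIX = "ou=Computers"
USER_SUFFIX = "ou=People"


def choose_add_script_rc1(acb):
    """Emulates the 3.0.11rc1 behaviour described in comment 21: only
    ACB_WSTRUST selects the machine script, so an ACB_SVRTRUST account
    falls through to "add user script"."""
    return "add machine script" if acb & ACB_WSTRUST else "add user script"


def choose_add_script_fixed(acb):
    """Emulates the fix described in comment 24: every kind of trust
    account is created through "add machine script"."""
    return "add machine script" if acb & ACB_ANY_TRUST else "add user script"


def expected_dn(script, account):
    """Where the entry ends up (assumption modelled on comment 17): the user
    script creates under the user suffix, the machine script under the
    machine suffix."""
    container = MACHINE_SUFFIX if script == "add machine script" else USER_SUFFIX
    return f"uid={account},{container},{LDAP_SUFFIX}"


def is_trust_account(uid):
    # Samba names machine and trust accounts with a trailing "$".
    return uid.endswith("$")


def audit_ldif(ldif_text):
    """Check an LDIF dump against the release-note rule from comment 18:
    trust accounts must sit directly below the machine suffix and should
    not appear as ordinary group members. Returns a list of findings."""
    findings = []
    dn = None
    for line in ldif_text.splitlines():
        line = line.strip()
        if line.startswith("dn: "):
            dn = line[4:]
            m = re.match(r"uid=([^,]+),(.*)", dn)
            if m and is_trust_account(m.group(1)):
                if m.group(2) != f"{MACHINE_SUFFIX},{LDAP_SUFFIX}":
                    findings.append(
                        f"trust account {m.group(1)} outside machine suffix: {dn}")
        elif line.startswith("memberUid: ") and dn is not None:
            member = line[len("memberUid: "):]
            if is_trust_account(member):
                findings.append(f"trust account {member} listed as member of {dn}")
    return findings


# Constructed sample dump, modelled on the rc1 entries quoted in comment 17.
SAMPLE_LDIF = """\
dn: uid=kek$,ou=People,dc=mkk,dc=hu
objectClass: sambaSamAccount
uid: kek$

dn: cn=Domain Users,ou=Groups,dc=mkk,dc=hu
objectClass: posixGroup
memberUid: levente
memberUid: kek$
"""

if __name__ == "__main__":
    for name, acb in (("workstation", ACB_WSTRUST), ("pdc joining itself", ACB_SVRTRUST)):
        print(f"{name}: rc1 -> {choose_add_script_rc1(acb)}, "
              f"fixed -> {choose_add_script_fixed(acb)}")
    for finding in audit_ldif(SAMPLE_LDIF):
        print("FINDING:", finding)
```

Running the script shows the ACB_SVRTRUST case being routed to the user script under the rc1 emulation and to the machine script under the fixed one; audit_ldif applied to an ldapsearch dump of a real directory is the quick check for whether a join has left a `$` account in the people tree or in Domain Users, which is exactly the symptom the reporter found by diffing dumps.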
Comment 25 Gerald (Jerry) Carter 2005-02-02 21:24:37 UTC
Thanks for the help on this one Guenther.  Nice fix.
Comment 26 Gerald (Jerry) Carter 2005-02-03 08:34:01 UTC
Created attachment 942 [details]
add additional checks for creating server and domain trust accounts

please test this patch against 3.0.11rc1 and make sure I 
didn't introduce any regressions by tightening the access 
checks.  Thanks.
Comment 27 Gerald (Jerry) Carter 2005-02-03 09:31:52 UTC
Created attachment 943 [details]
(draft #2) add additional checks for creating server and domain trust accounts 

My previous patch was wrong.  here's the correct one (according to my tests).
Comment 28 Levente Farkas 2005-02-03 09:41:16 UTC
my rebuild script is working with this patch too, so for me currently it's also
Comment 29 Levente Farkas 2005-02-03 09:59:17 UTC
the second patch also seems to be good.
Comment 30 Gerald (Jerry) Carter 2005-02-03 10:04:07 UTC
excellent!  Thanks again for all your help in testing.
Comment 31 Gerald (Jerry) Carter 2005-02-07 07:36:49 UTC
originally reported against 3.0.11pre1.  Moving the version back to 3.0.10
to remove preX and rcX versions.