It seems there is a bug in 3.0.11rc1 which was not present in 3.0.11pre2. In rc1 only the second net join command is successful, i.e.:
------------------------------
# net rpc join PDC -U Administrator; net rpc join PDC -U Administrator
Password:
Create of workstation account failed
User specified does not have administrator privileges
Unable to join domain KONYVKLUB.
Password:
Joined domain KONYVKLUB.
------------------------------
which is strange since nothing happened between the two commands! What's more, this was good in 3.0.11pre2 (if I downgrade to 3.0.11pre2 the first command is successful).
Please attach (not posted inline) your smb.conf and the output from 'net rpc join PDC -U Administrator --debuglevel=10' for the failed join.
Here I attached it; if you like I can send the same with pre2 too.
Created attachment 929: here is the debug
Created attachment 930: the conf file
Created attachment 931: a much better logrotate file
I just post my logrotate file here too, since your current default (the one in the rpm) failed and does not rotate all log files.
I'm assuming that you are trying to join winbindd (running on the PDC) to the Samba domain, yes?
I don't use winbind. This is a fresh, clean, new Samba server acting as a PDC and (as described in your howtos) after:
- setup ldap (using smbldap-tools's smbldap-populate)
- smbldap-passwd Administrator
- net rpc join PDC -U Administrator
i.e. I try to join the PDC itself to the domain (samba). This works in pre2 but not in rc1. If you like I can send you the same debug output from pre2 (I've got a small script to regenerate the whole ldap, samba, smb-tools, gosa setup), or if you like I can send the whole ldap.ldif too. Anyway, it took me many hours to find out that rc1 has a bug over pre2, since I was trying to find the problem in my own setup :-(
After looking at your log, I'm confused. The error message should follow some samr calls, but there are none. I've tried to reproduce the error with no success. Everything works correctly. Please note that unless you are running winbindd on the Samba PDC, there is no need to run 'net rpc join'. Also, the syntax you give in the initial report is incorrect. It should be 'net rpc join -S server -U user'. Have you tried just pointing at the master LDAP server and rerunning your test? Just curious.
Hmm, I do my homework! :-0 And first read your docs: http://us2.samba.org/samba/docs/man/Samba-Guide/happy.html#id2557053 See step 12! This is exactly what I do (or the syntax is bad here!):
-------------------------------
root# net rpc join -U Administrator%not24get
Joined domain MEGANET2.
-------------------------------
I currently use only one ldap server (which is the master), so that can't be the problem either. There are two simple reasons why there is a bug: imho if the first net join failed, then the second also should have to fail. There are no circumstances where between two successive runs there can be any difference. Is it true? What's more, it's working with all versions prior to 11rc1. To be able to test it, here is my script which I use to set up a fresh new PDC. This script works with all versions prior to 11rc1:
-------------------------------
#!/bin/sh
# Rebuild a fresh Samba PDC on top of OpenLDAP using smbldap-tools.
LDAP_PASS="password1"
SAMBA_PASS="password2"
LDAP_OPT="-x -ZZ -h ldap.int.mkk.hu -D cn=Manager,dc=mkk,dc=hu -w"
DOMAIN="KONYVKLUB"
ADMIN="Administrator"
GUEST="Guest"
PASSWORD="password3"

# Wipe the LDAP database and load the base entries again.
/etc/init.d/ldap stop
sleep 1
/usr/sbin/logrotate -f /etc/logrotate.d/ldap
rm -rf /var/lib/ldap/mkk.hu/*
/etc/init.d/ldap start
sleep 1
ldapadd $LDAP_OPT "$LDAP_PASS" -f base.ldif
ldapadd $LDAP_OPT "$LDAP_PASS" -f dsa.ldif

# Wipe Samba's tdb state and restart it.
/etc/init.d/smb stop
/usr/sbin/logrotate -f /etc/logrotate.d/samba
for i in /var/cache/samba /var/lib/samba ; do
    find $i -type f -exec rm -f {} \;
done
/etc/init.d/smb start
smbpasswd -w "$SAMBA_PASS"
smbclient -L localhost -U%

# Seed smbldap-tools with the new domain SID and populate the directory.
SID="`net getlocalsid $DOMAIN|cut -d' ' -f6`"
cp /etc/smbldap-tools/smbldap.conf.ori /etc/smbldap-tools/smbldap.conf
sed -i "s/^SID=.*/SID=\"$SID\"/" /etc/smbldap-tools/smbldap.conf
smbldap-populate -u 5000 -g 5000 -a $ADMIN -b $GUEST -e populate.ldif
# Skip the first 6 lines of the generated ldif ("tail +7" in the older syntax).
tail -n +7 populate.ldif|ldapadd $LDAP_OPT "$LDAP_PASS"
pdbedit -c '[DN]' $GUEST

# Set the Administrator password (smbldap-passwd asks for it twice).
echo "$PASSWORD" >pw.txt
echo "$PASSWORD" >>pw.txt
smbldap-passwd $ADMIN <pw.txt
rm pw.txt

# Join the PDC itself to the domain: this is the step that fails on rc1.
net rpc join PDC -U "$ADMIN%$PASSWORD"
-------------------------------
I just attach the used ldif files. As you can see, the last command is the net join. Just set up an ldap server with "access to * by * write" (for testing only) and cn=Manager,dc=mkk,dc=hu, and run the script with 11pre2 and 11rc1.
Created attachment 932: base ldap entries
Created attachment 933: these are not really necessary for you
Created attachment 934: my smbldap-tools config file used in the script
Created attachment 935: net rpc join PDC -U Administrator --debuglevel=10 on 11pre2
Created attachment 936: net rpc join PDC -U Administrator --debuglevel=10 on 11rc1
I now ran exactly the same on pre2 and rc1 and attached the debuglevel 10 output (after running the sed -i "s/^\[2005.*\]//g" out.* command, which removes the time from the log and makes them easier to compare). Imho the bug is somewhere in the new privilege model. I recommend gtkdiff (or meld if you like it better). The only differences I recognize are:
------------------------------
smb_vwv[ 7]=48128 (0xBC00) <--> smb_vwv[ 7]= 8192 (0x2000)
smb_vwv[12]= 8052 (0x1F74) <--> smb_vwv[12]= 5827 (0x16C3)
smb_vwv[13]= 5488 (0x1570) <--> smb_vwv[13]= 5463 (0x1557)
got smb length of 106 <--> got smb length of 104
smb_bcc=65 <--> smb_bcc=63
------------------------------
and the final
------------------------------
Joined domain KONYVKLUB.
------------------------------
rpc_parse/parse_prs.c:prs_uint16(613)
0008 frag_len : 002c
Create of workstation account failed
User specified does not have administrator privileges
------------------------------
I assume I found the bug!!! After rerunning my script I dumped the ldap server, and while pre2 put the computer account under
dn: uid=kek$,ou=Computers,dc=mkk,dc=hu
rc1 at the same time put it under people:
dn: uid=kek$,ou=People,dc=mkk,dc=hu
so it seems rc1 assumes it's a user! What's more, it also puts kek$ into
------------------------------
dn: cn=Domain Users,ou=Groups,dc=mkk,dc=hu
memberUid: kek$
------------------------------
pre2 doesn't do that! The strange thing is that smb.conf contains:
add machine script = /usr/sbin/smbldap-useradd -w '%u'
and /etc/smbldap-tools/smbldap.conf contains
computersdn="ou=Computers,${suffix}"
which is right. And if I run /usr/sbin/smbldap-useradd -w xxx it creates a good ldap entry for a computer (even under rc1). So for me it seems samba first creates a user account instead of a computer!
This change was outlined in the release notes...
========================
LDAP Changes
------------
If "ldap user suffix" or "ldap machine suffix" are defined in smb.conf, all user-accounts must reside below the user suffix, and all machine and inter-domain trust-accounts must be located below the machine suffix. Previous Samba releases would fall back to searching the 'ldap suffix' in some cases.
========================
So the behavior is by design. If you have a bug with the smbldap-tools, please contact the IDEALX developers.
As you can see in the attachment, my smb.conf contains:
---------------------
ldap suffix = dc=mkk,dc=hu
ldap machine suffix = ou=Computers
ldap user suffix = ou=People
add machine script = /usr/sbin/smbldap-useradd -w '%u'
---------------------
which seems to conform to the release notes! What's more, if I call /usr/sbin/smbldap-useradd -w kek then it puts it under
dn: uid=kek$,ou=Computers,dc=mkk,dc=hu
which also conforms. Isn't it? But it seems that when I try to join, samba calls the "add user script" param of the smb.conf rather than the "add machine script", which imho does NOT conform to the release notes. Or did I read it wrong??? What's more, please see the versions! The "LDAP Changes" you refer to were changed in pre2 (according to your release notes), while pre2 is working right but rc1 is not!
Guenther, please take a look at this and see what you come up with? Much appreciated.
If this is "net rpc join" called on a PDC then I think I found the problem: the Samba server code does not check for an ACB_SVRTRUST mask (which gets set in net_rpc_join.c by the default secchannel type for that server_role) and thus defaults to the add user script (instead of an add machine script). Levente, could you please try the attached patch, rebuild and restart smbd, and try again?
Created attachment 938: check for ACB_SVRTRUST mask as well
Jerry, does this require any further privs checks?
Yes, the join is on the PDC itself and tries to add the PDC machine to the domain. But did this change between 11pre2 and 11rc1? Otherwise how can this have happened? Anyway, thank you for reading my bug report carefully :-) It takes a long time to download the src.rpm, very slow :-((( then I modified your patch to the correct path (add source). Wouldn't it be possible to upload the Binary_Packages not just to us2, but to all samba mirrors too? Jerry? Anyway, the patch is working :-) at least the net rpc join PDC is working and puts it under computers :-) Jerry, would you replace your packaging/RedHat/samba.log with my previously attached logrotate file? And also packaging/Fedora/samba.log too, or should I create another bugzilla entry (it also rotates log.smbd and log.nmbd and works if samba is not running)?
Levente, thanks for your bugreport. It's fixed in subversion now (in a slightly different way: all kinds of trust accounts need to be created with the "add machine script"). You will get this change along with Samba 3.0.11. Yes, could you please create a new bugreport for the logrotate-issues you have? Jerry, are there further privs-checks required now?
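To make the account-type dispatch from Guenther's diagnosis and the LDAP placement problem Levente describes concrete, here is an added Python example (not Samba's code and not from any attachment on this thread). The ACB_* bit values come from Samba's headers rather than this page, and the LDIF input is constructed to mirror what the reporter saw.

```python
import re

# Account-control bits as defined in Samba's include/smb.h (values are not on the
# page; ACB_SVRTRUST is the one the thread says the rc1 server code did not check).
ACB_NORMAL = 0x0010    # ordinary user account
ACB_DOMTRUST = 0x0040  # inter-domain trust account
ACB_WSTRUST = 0x0080   # workstation trust account
ACB_SVRTRUST = 0x0100  # server trust account: what 'net rpc join' on a PDC requests
ALL_TRUST = ACB_DOMTRUST | ACB_WSTRUST | ACB_SVRTRUST

def script_for_acb(acb, fixed=True):
    """Which smb.conf hook creates the account. fixed=False models the rc1 bug
    from the thread: only WSTRUST/DOMTRUST chose 'add machine script', so a
    SVRTRUST join fell through to 'add user script' (and thus ou=People)."""
    trust_bits = ALL_TRUST if fixed else ACB_WSTRUST | ACB_DOMTRUST
    return "add machine script" if acb & trust_bits else "add user script"

def misplaced_machine_accounts(ldif, suffix, machine_suffix):
    """Scan an LDIF dump for trust accounts (uid ending in '$') stored outside
    'ldap machine suffix', and for '$' accounts listed as memberUid of a group."""
    want = f"{machine_suffix},{suffix}"
    problems = []
    for entry in re.split(r"\n\s*\n", ldif.strip()):
        lines = entry.splitlines()
        dn = next((l[3:].strip() for l in lines if l.startswith("dn:")), "")
        m = re.match(r"uid=([^,]+\$),(.+)$", dn)
        if m and m.group(2) != want:
            problems.append(f"{m.group(1)} is under {m.group(2)}, expected {want}")
        for member in (l.split(":", 1)[1].strip() for l in lines if l.startswith("memberUid:")):
            if member.endswith("$"):
                problems.append(f"{member} is a member of {dn}")
    return problems

# Constructed LDIF mirroring what the reporter saw from rc1 (kek$ under ou=People
# and added to Domain Users); not a real dump from the thread's attachments.
SAMPLE_LDIF = """\
dn: uid=kek$,ou=People,dc=mkk,dc=hu
uid: kek$

dn: cn=Domain Users,ou=Groups,dc=mkk,dc=hu
memberUid: Administrator
memberUid: kek$
"""

if __name__ == "__main__":
    print(script_for_acb(ACB_SVRTRUST, fixed=False))  # add user script (rc1 bug)
    print(script_for_acb(ACB_SVRTRUST))               # add machine script (fixed)
    for p in misplaced_machine_accounts(SAMPLE_LDIF, "dc=mkk,dc=hu", "ou=Computers"):
        print("PROBLEM:", p)
```

Running the checker over a real `slapcat` dump after a join is a quick way to confirm that trust accounts ended up below the configured machine suffix and not in the users' group.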
Thanks for the help on this one Guenther. Nice fix.
Created attachment 942: add additional checks for creating server and domain trust accounts
Please test this patch against 3.0.11rc1 and make sure I didn't introduce any regressions by tightening the access checks. Thanks.
Created attachment 943: (draft #2) add additional checks for creating server and domain trust accounts
My previous patch was wrong. Here's the correct one (according to my tests).
My rebuild script is working with this patch too, so for me currently it's also good.
The second patch also seems to be good.
Excellent! Thanks again for all your help in testing.
Originally reported against 3.0.11pre1. Moving the version back to 3.0.10 to remove the preX and rcX versions.