After fixing the bug #1957, where the minimum updates are implemented to the MySQL user tables it is impossible to correctly add a new user. It looks like using -a switch does not initialize all the fields, but only the minimum ones (passwords), as if one was simply changing the password.
Just to let you know that the issue is still present in 3.0.14a and 3.0.15pre2. When adding a new user with "smbpasswd -a" only the password and couple of other datestamp related fields are added to the MySQL table and the rest of the fields are NULL.
- Operating System: FreeBSD 5.2.1-RELEASE - x86 - Confirming in 3.0.14a - Confirming in 3.0.12 (FreeBSD Port CVS - April 12 - 1st downgrade attempt) - Not shown in 3.0.11 (FreeBSD Port CVS - Feb 7 - 2nd downgrade attempt) - smbpasswd returns "User account added" and adss record with NULL fields. - pdbedit returns "Username not found!" but still adds record with NULL fields.
This bug is not only in Mysql pdb - I use Postgres password backend with the same problem. When I execute "smbpasswd -a username" or "pdbedit -a -u username" I see in postgres log file: " LOG: statement: INSERT INTO samba_users (acct_ctrl,pass_can_change_time,pass_must_change_time,pass_last_set_time,lm_pw,nt_pw) VALUES (16,1116432097,2147483647,1116432097,'598DDCE2660D3193AAD3B435B51404EE','2D20D252A479F485CDF5E171D93985BF') LOG: statement: SELECT logon_time,logoff_time,kickoff_time,pass_last_set_time,pass_can_change_time,pass_must_change_time,username,domain,nt_username,nt_fullname,home_dir,dir_drive,logon_script,profile_path,acct_desc,workstations,unknown_str,munged_dial,user_sid,group_sid,lm_pw,nt_pw,NULL,acct_ctrl,logon_divs,hours_len,bad_password_count,logon_count,unknown_6 FROM samba_users WHERE username = 'username'"; Insert statement is bad so select statement returns 0 rows. Smbpasswd don't displays any errors, pdbedit displays "Username not found!"; Today I upgrading from source: samba 3.0.9 -> 3.0.14a, and postgres 7.4.6 -> 8.0.3 on Slackware 10.0 I add my user account to tdbsam backend and I create insert statement by hand on the basic of "pdbedit -L -v -u username". I'm looking in source of version 3.0.15pre and I thing this bug is still in this version.
A similar problem occurs when adding a new user via NT usrmgr.exe: The mySQL log file shows the valid, but useless SQL statement INSERT INTO `samba` (acct_ctrl) VALUES (17) , `samba` being my samba account table. At minimum, user name and user sid (but probably more) should be included at this point. Samba tries to access this newly created record via sid, which is not there, and fails. The very same happens when adding a machine from Win XP: INSERT INTO `samba` (acct_ctrl) VALUES (129) Affected are Samba 3.0.14a and 3.0.20pre1
The bug is still there in 3.0.20rc1. Sorry to escalate this, but there has been no developers feedback on the issue whatsoever. Can't this be given more priority? This has been broken since 3.0.13.
Jelmer is the maintainer of the sql backend code. If he is not maintaining it then we need someone else to voluenteer to take over this code, or I'll remove it from the tree. Jeremy.
jelmer, what are you plans with this?
Any news here?
We've got a bunch of fixes for the pdb_*sql backends in svn, that will most likely fix this issue. Please test current svn (either trunk or SAMBA_3_0) or wait for the 3.0.20 release that will include these fixes.
This still does NOT work in 3.0.20. In 3.0.14a it was possible to copy pdb_sql.c and pdb_mysql.c from 3.0.11 and it worked, but this workaround does not help anymore, as the files seem to be incompatible. Jelmer, could you please have a look at this one? I consider this being very important. I can help you debug and test this, but as I am not a programmer, I need your help to get it fixed.
> Jelmer, could you please have a look at this one? > I consider this being very important. > I can help you debug and test this, but as I am > not a programmer, I need your help to get it fixed. Same here.
look at these: https://bugzilla.samba.org/show_bug.cgi?id=3018 and https://bugzilla.samba.org/show_bug.cgi?id=3019
Created attachment 1399 [details] patch to passdb/pdb_sql.c, function sql_account_query_update (3.0.20) The function sql_account_query_update in passdb/pdb_sql.c is used to form both SQL INSERT and UPDATE statements, depending on the boolean parameter 'isupdate'. In the case of an UPDATE, it is certainly a good idea to include only changed columns, and so the orginal function does. For INSERT however, this appears to be a bad idea, so I modified the function in such a way that for an INSERT, the full range of columns is included.
Thanks for the patch. However, it doesn't seem to cure all problems. Try changing the users password with Windows (Start, Windows Security, Change Password via Remote Desktop; or Ctrl+Alt+Enf, Change Password via Console Logon) - database corruption again.
Please use the patch that I published above at https://bugzilla.samba.org/show_bug.cgi?id=2531#c13 together with my other patch at https://bugzilla.samba.org/show_bug.cgi?id=3018#c4 Different issues a addressed by these patches, but together they make the mysql passdb backend (and most likely the pgsql as well) work fine (as far as I can tell).
You'd think they'd release a 3.0.20a with these patchs in place. So we could just upgrade to fix the problem, instead of having to recompile from source. And as a side note : I don't see the full sql Statements can't be set inside the smb.conf (like how there are with libnss-mysql). This would allow for getter flexibility with DB structures.
For pgsql to work the patch for bug#3111 is needed as well.
*** Bug 3066 has been marked as a duplicate of this bug. ***
Had this been a issue with Ldap or flats files, where people couldn't add new users. I bet. No no, I Know we would have seen a new samba version out by now. I mean heck this is only been a issue since at least version 3.0.11 and up !
which is exactly why these these pdb modules were marked as experimental. You'll have to bug jelmer about. That's his code. No one else has the resources or testing environment setup to verify patches or reproduce bugs. Jelmer, please do something here even if you just want to find another maintainer.
Jelmer, could you commit the patches offered here and in comment #15? We want this thing fixed!
The experimental pdb modules (pdb_mysql, pdb_pgsql and pdb_xml) have been a bit neglected during the last few releases of Samba 3 as they haven't been actively maintained. I was the original author and maintainer, but I no longer work on Samba 3 and I no longer use any of the modules in production. I was hoping I could nonetheless keep the code working for those that still use it, but this turned out to be harder then I expected. I'll remove these modules unless somebody steps up as a maintainer. If there's anyone willing to take over maintainance of either one of these modules, please let me know. Otherwise, I'll put the modules up on my samba.org homepage as a separate tarball for those interested (including some of the patches that have been published).
We'll do pdb_mysql. With all considerable, and due respect, I don't think that the Samba team knows just how supremely useful the mysql module is. I'm very disapointed that it was not taken more seriously. Someone please tell me how to proceed. We've already started to look into the code. Thanks, Darrell McGuire Pegasys Computer Technologies, Inc. dmcguire@pegasys.cc (In reply to comment #22) > The experimental pdb modules (pdb_mysql, pdb_pgsql and pdb_xml) have > been a bit neglected during the last few releases of Samba 3 as they > haven't been actively maintained. I was the original author and > maintainer, but I no longer work on Samba 3 and I no longer use any of > the modules in production. I was hoping I could nonetheless keep the code > working for those that still use it, but this turned out to be harder then I > expected. > > I'll remove these modules unless somebody steps up as a maintainer. If > there's anyone willing to take over maintainance of either one of > these modules, please let me know. Otherwise, I'll put the modules up > on my samba.org homepage as a separate tarball for those interested > (including some of the patches that have been published).
Well I'm glad you're willing to step up to the task, but let's not start off the relationship with criticisms that we don't appreciate how important these modules are. We apprecitate very well that people have started using them even though marked as "experimental", and that's why we're making this plea to get a maintainer. Such code *must* be maintained. If it's not it becomes worse than useless in the tree as people assume it's working when it's not tested. We have done the most responsible thing possible, we have *required* this code to have a maintainer. I think we've taken this matter very seriously indeed. I appreciate very much you starting to look after this code, if you do a great job hopefully you'll start to work on other areas of Samba. Thanks a lot, Jeremy.
We run a pdb_mysql environment with Samba 3.0.20 and the patches by Peter Rindfuss, which I'm adding to CC, hoping that this is okay for him. The patches are in talloc.c and pdb_sql.c, and then pdb_mysql works fine (pdb_pgsql untested). Unfortunately, I am no programmer, but we actively use the pdb_mysql module, as we have set up a GUI that relies on this, and switching to tdbsam or LDAP is no intermediate option for us. I hope that we can find some people willing to help debugging on coding on these modules. Darrell, Peter, would you be willing to help? I would be helping, too!
Adding Darrell to Cc so he doesn't miss one of the associated Bugzilla entries - hope that is okay.
First of all thanks to Darrell for taking pdb_mysql! Since no one else here seems to be using pdb_pgsql or willing to maintain it I'd do it. It currently shares half of the code with pdb_mysql so I guess we'd have to cooperate there. Please tell me as well how to proceed.
Great, then we would be four, if everyone is willing to participate: - Peter Rindfuss for pdb_mysql - Darrell McGuire for pdb_mysql - Uli M for pdb_pgsql - me for testing and "debugging" pdb_mysql Jelmer, you seem to have most experience - shall we go on by creating a new Bugzilla task entry for the SQL modules? Or grouped by pdb_mysql and pdb_pgsql?
Just a trivial suggestion: You might want to carry this discussion to samba-technical@samba.org where there is probably a bigger audience. Just my 2 cents :-) Volker
Good idea. Peter, Darrell, Uli, do you want to take over this? You are the developers, not me, so the laurels should go to you. ;-)
It is great to see that finally there is an attention to the pdb backend. Being no C developer myself (PHP/SQL mostly) I am ready to test new modules on my Linux system here if needed. Thanks for all the input so far!! Andrei Nazarenko
Maybe this new bug is of interest for those on the Cc list: https://bugzilla.samba.org/show_bug.cgi?id=3351
I am not sure if I should open a new bug report for this, perhaps ít is related to the bug #3351 also. Here is the deal: I have a MySQL table `users` that is used by Samba (and not only by it) for user authorization. When a user enters wrong password and his 'nt_pw' field is empty or contains invalid hash, ALL user accounts in the table become locked! I traced the SQL queries and they go in pairs like this: SELECT logon_time,logoff_time,kickoff_time,pass_last_set_time,pass_can_change_time,pass_must_change_time, username,domain,nt_username,nt_fullname,home_dir,dir_drive,logon_script,profile_path,acct_desc,workstations, unknown_str,munged_dial,user_sid,group_sid,lm_pw,nt_pw,NULL,acct_ctrl,logon_divs,hours_len,bad_password_count, logon_count,unknown_6,logon_hours FROM users WHERE username = 'USERNAME' UPDATE users SET acct_ctrl = 17 At the same time, Samba log file shows this: [2006/01/25 17:15:51, 2] smbd/sesssetup.c:setup_new_vc_session(772) setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources. [2006/01/25 17:15:51, 2] smbd/sesssetup.c:setup_new_vc_session(772) setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources. [2006/01/25 17:15:51, 2] auth/auth.c:check_ntlm_password(317) check_ntlm_password: Authentication for user [USERNAME] -> [USERNAME] FAILED with error NT_STATUS_WRONG_PASSWORD [2006/01/25 17:15:51, 2] smbd/sesssetup.c:setup_new_vc_session(772) setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources. [2006/01/25 17:15:51, 2] smbd/sesssetup.c:setup_new_vc_session(772) setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources. I have two questions: 1) why is Samba trying to update the 'acct_ctrl' field, if the user is simply trying to authorize himself? 2) where is the 'WHERE' part in the UPDATE query? Also, if 'pass_last_set_time' and 'pass_can_change_time' are 0, then the 'nt_pw' and 'lm_pw' change to 'XXXXXXXXXXXXXXXXXXXX' for ALL users again in addition to ALL users being locked (acct_ctrl = 17). I though that was fixed?! I am using SuSE 10 RPM package version 3.0.21a-3.1.2 I would REALLY appreciate if somebody could have a look into this, as I am running in production now and have to do some very ugly stuff to overcome this issue.
See bug 3375. If someone wants to maintain these modules outside the Samba source tree, that is fine. But the source has been removed from the upcoming 3.0.22 release.