Bug 2531 - MySQL/Postgres pdb: cannot add new users
MySQL/Postgres pdb: cannot add new users
Status: RESOLVED WONTFIX
Product: Samba 3.0
Classification: Unclassified
Component: pdb_sql
3.0.21a
x86 Linux
: P3 regression
: none
Assigned To: pdb_sql maintainers mail alias
Samba QA Contact
:
: 3066 (view as bug list)
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2005-03-22 16:30 UTC by Andrei Nazarenko
Modified: 2006-02-10 08:42 UTC (History)
6 users (show)

See Also:


Attachments
patch to passdb/pdb_sql.c, function sql_account_query_update (3.0.20) (6.60 KB, patch)
2005-08-24 10:38 UTC, Peter Rindfuss
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Andrei Nazarenko 2005-03-22 16:30:32 UTC
After fixing the bug #1957, where the minimum updates are implemented to the
MySQL user tables it is impossible to correctly add a new user.

It looks like using -a switch does not initialize all the fields, but only the
minimum ones (passwords), as if one was simply changing the password.
Comment 1 Andrei Nazarenko 2005-04-22 07:30:38 UTC
Just to let you know that the issue is still present in 3.0.14a and 3.0.15pre2.
When adding a new user with "smbpasswd -a" only the password and couple of other
datestamp related fields are added to the MySQL table and the rest of the fields
are NULL.
Comment 2 Koobs 2005-05-12 12:26:26 UTC
- Operating System: FreeBSD 5.2.1-RELEASE - x86
- Confirming in 3.0.14a
- Confirming in 3.0.12 (FreeBSD Port CVS - April 12 - 1st downgrade attempt)
- Not shown in 3.0.11 (FreeBSD Port CVS - Feb 7 - 2nd downgrade attempt)
- smbpasswd returns "User account added" and adss record with NULL fields.
- pdbedit returns "Username not found!" but still adds record with NULL fields.

Comment 3 Witold Olszewski 2005-05-18 10:57:09 UTC
This bug is not only in Mysql pdb - I use Postgres password  backend with the
same problem. When I execute "smbpasswd -a username" or "pdbedit -a -u username"
I see 
in postgres log file:
" LOG:  statement: INSERT INTO samba_users
(acct_ctrl,pass_can_change_time,pass_must_change_time,pass_last_set_time,lm_pw,nt_pw)
VALUES
(16,1116432097,2147483647,1116432097,'598DDCE2660D3193AAD3B435B51404EE','2D20D252A479F485CDF5E171D93985BF')
LOG:  statement: SELECT
logon_time,logoff_time,kickoff_time,pass_last_set_time,pass_can_change_time,pass_must_change_time,username,domain,nt_username,nt_fullname,home_dir,dir_drive,logon_script,profile_path,acct_desc,workstations,unknown_str,munged_dial,user_sid,group_sid,lm_pw,nt_pw,NULL,acct_ctrl,logon_divs,hours_len,bad_password_count,logon_count,unknown_6
FROM samba_users WHERE username = 'username'";
Insert statement is bad so select statement returns 0 rows.

Smbpasswd don't displays any errors, pdbedit displays "Username not found!";
Today I upgrading from source: samba 3.0.9 -> 3.0.14a, and postgres 7.4.6 ->
8.0.3 on Slackware 10.0

I add my user account to tdbsam backend and I create insert statement by hand on
the basic of "pdbedit -L -v -u username".
I'm looking in source of version 3.0.15pre and I thing this bug is still in this
version.
Comment 4 Peter Rindfuss 2005-06-29 03:48:45 UTC
A similar problem occurs when adding a new user via NT usrmgr.exe:
The mySQL log file shows the valid, but useless SQL statement

INSERT INTO `samba` (acct_ctrl) VALUES (17)

, `samba` being my samba account table. At minimum, user name and user sid (but
probably more) should be included at this point. Samba tries to access this
newly created record via sid, which is not there, and fails.

The very same happens when adding a machine from Win XP:

INSERT INTO `samba` (acct_ctrl) VALUES (129)


Affected are Samba 3.0.14a and 3.0.20pre1
Comment 5 Andrei Nazarenko 2005-07-30 13:39:32 UTC
The bug is still there in 3.0.20rc1.
Sorry to escalate this, but there has been no developers feedback on the issue
whatsoever. Can't this be given more priority? This has been broken since 3.0.13.
Comment 6 Jeremy Allison 2005-07-30 16:40:22 UTC
Jelmer is the maintainer of the sql backend code. If he is not maintaining it
then we need someone else to voluenteer to take over this code, or I'll remove
it from the tree.
Jeremy.
Comment 7 Gerald (Jerry) Carter 2005-07-30 20:32:41 UTC
jelmer, what are you plans with this?
Comment 8 Andrei Nazarenko 2005-08-09 02:35:53 UTC
Any news here?
Comment 9 Jelmer Vernooij 2005-08-19 17:57:54 UTC
We've got a bunch of fixes for the pdb_*sql backends in svn, that will  most likely fix this issue. Please test current svn (either trunk or SAMBA_3_0) or wait for the 3.0.20 release that will include these fixes. 
Comment 10 Florian Effenberger 2005-08-21 05:29:57 UTC
This still does NOT work in 3.0.20.

In 3.0.14a it was possible to copy pdb_sql.c and pdb_mysql.c from 3.0.11 and it
worked, but this workaround does not help anymore, as the files seem to be
incompatible.

Jelmer, could you please have a look at this one? I consider this being very
important. I can help you debug and test this, but as I am not a programmer, I
need your help to get it fixed.
Comment 11 Andrei Nazarenko 2005-08-22 01:42:32 UTC
> Jelmer, could you please have a look at this one?
> I consider this being very important.
> I can help you debug and test this, but as I am
> not a programmer, I need your help to get it fixed.

Same here.
Comment 13 Peter Rindfuss 2005-08-24 10:38:35 UTC
Created attachment 1399 [details]
patch to passdb/pdb_sql.c, function sql_account_query_update (3.0.20)

The function sql_account_query_update in passdb/pdb_sql.c is used to form both
SQL INSERT and UPDATE statements, depending on the boolean parameter
'isupdate'. In the case of an UPDATE, it is certainly a good idea to include
only changed columns, and so the orginal function does. For INSERT however,
this appears to be a bad idea, so I modified the function in such a way that
for an INSERT, the full range of columns is included.
Comment 14 Florian Effenberger 2005-08-25 01:40:43 UTC
Thanks for the patch. However, it doesn't seem to cure all problems. Try
changing the users password with Windows (Start, Windows Security, Change
Password via Remote Desktop; or Ctrl+Alt+Enf, Change Password via Console Logon)
- database corruption again.
Comment 15 Peter Rindfuss 2005-08-31 09:07:04 UTC
Please use the patch that I published above at
https://bugzilla.samba.org/show_bug.cgi?id=2531#c13
together with my other patch at
https://bugzilla.samba.org/show_bug.cgi?id=3018#c4

Different issues a addressed by these patches, but together they make the mysql
passdb backend (and most likely the pgsql as well) work fine (as far as I can tell).
Comment 16 Chris L. Franklin 2005-09-13 17:37:32 UTC
You'd think they'd release a 3.0.20a with these patchs in place. So we could
just upgrade to fix the problem, instead of having to recompile from source.

And as a side note : I don't see the full sql Statements can't be set inside the
smb.conf (like how there are with libnss-mysql). This would allow for getter
flexibility with DB structures.
Comment 17 Uli M 2005-09-18 15:26:32 UTC
For pgsql to work the patch for bug#3111 is needed as well.
Comment 18 Uli M 2005-09-19 05:59:53 UTC
*** Bug 3066 has been marked as a duplicate of this bug. ***
Comment 19 Chris L. Franklin 2005-09-22 06:20:45 UTC
Had this been a issue with Ldap or flats files, where people couldn't add new
users. I bet. No no, I Know we would have seen a new samba version out by now. I
mean heck this is only been a issue since at least version 3.0.11 and up !
Comment 20 Gerald (Jerry) Carter 2005-09-22 06:50:45 UTC
which is exactly why these these pdb modules were marked 
as experimental.  You'll have to bug jelmer about.  That's 
his code.  No one else has the resources or testing environment
setup to verify patches or reproduce bugs.

Jelmer, please do something here even if you just want to 
find another maintainer.
Comment 21 Andrei Nazarenko 2005-09-22 08:42:03 UTC
Jelmer, could you commit the patches offered here and in comment #15?
We want this thing fixed!
Comment 22 Jelmer Vernooij 2005-09-23 11:18:09 UTC
The experimental pdb modules (pdb_mysql, pdb_pgsql and pdb_xml) have 
been a bit neglected during the last few releases of Samba 3 as they 
haven't been actively maintained. I was the original author and 
maintainer, but I no longer work on Samba 3 and I no longer use any of 
the modules in production. I was hoping I could nonetheless keep the code 
working for those that still use it, but this turned out to be harder then I 
expected. 
 
I'll remove these modules unless somebody steps up as a maintainer. If 
there's anyone willing to take over maintainance of either one of 
these modules, please let me know. Otherwise, I'll put the modules up 
on my samba.org homepage as a separate tarball for those interested 
(including some of the patches that have been published). 
Comment 23 Darrell McGuire 2005-09-23 20:02:52 UTC
We'll do pdb_mysql.  With all considerable, and due respect, I don't think that
the Samba team knows just how supremely useful the mysql module is.  I'm very
disapointed that it was not taken more seriously.  

Someone please tell me how to proceed.  We've already started to look into the code.

Thanks,

Darrell McGuire
Pegasys Computer Technologies, Inc.
dmcguire@pegasys.cc


(In reply to comment #22)
> The experimental pdb modules (pdb_mysql, pdb_pgsql and pdb_xml) have 
> been a bit neglected during the last few releases of Samba 3 as they 
> haven't been actively maintained. I was the original author and 
> maintainer, but I no longer work on Samba 3 and I no longer use any of 
> the modules in production. I was hoping I could nonetheless keep the code 
> working for those that still use it, but this turned out to be harder then I 
> expected. 
>  
> I'll remove these modules unless somebody steps up as a maintainer. If 
> there's anyone willing to take over maintainance of either one of 
> these modules, please let me know. Otherwise, I'll put the modules up 
> on my samba.org homepage as a separate tarball for those interested 
> (including some of the patches that have been published). 

Comment 24 Jeremy Allison 2005-09-23 20:32:39 UTC
Well I'm glad you're willing to step up to the task, but let's not start off the
relationship with criticisms that we don't appreciate how important these
modules are.

We apprecitate very well that people have started using them even though marked
as "experimental", and that's why we're making this plea to get a maintainer.
Such code *must* be maintained. If it's not it becomes worse than useless in the
tree as people assume it's working when it's not tested.

We have done the most responsible thing possible, we have *required* this code
to have a maintainer. I think we've taken this matter very seriously indeed.

I appreciate very much you starting to look after this code, if you do a great
job hopefully you'll start to work on other areas of Samba.

Thanks a lot,

Jeremy.
Comment 25 Florian Effenberger 2005-09-24 01:22:13 UTC
We run a pdb_mysql environment with Samba 3.0.20 and the patches by Peter
Rindfuss, which I'm adding to CC, hoping that this is okay for him.

The patches are in talloc.c and pdb_sql.c, and then pdb_mysql works fine
(pdb_pgsql untested).

Unfortunately, I am no programmer, but we actively use the pdb_mysql module, as
we have set up a GUI that relies on this, and switching to tdbsam or LDAP is no
intermediate option for us.

I hope that we can find some people willing to help debugging on coding on these
modules.

Darrell, Peter, would you be willing to help? I would be helping, too!
Comment 26 Florian Effenberger 2005-09-24 01:22:50 UTC
Adding Darrell to Cc so he doesn't miss one of the associated Bugzilla entries -
hope that is okay.
Comment 27 Uli M 2005-09-24 02:43:06 UTC
First of all thanks to Darrell for taking pdb_mysql!

Since no one else here seems to be using pdb_pgsql or willing to maintain it I'd
do it.
It currently shares half of the code with pdb_mysql so I guess we'd have to
cooperate there.
Please tell me as well how to proceed.
Comment 28 Florian Effenberger 2005-09-24 03:44:40 UTC
Great, then we would be four, if everyone is willing to participate:

- Peter Rindfuss for pdb_mysql
- Darrell McGuire for pdb_mysql
- Uli M for pdb_pgsql
- me for testing and "debugging" pdb_mysql

Jelmer, you seem to have most experience - shall we go on by creating a new
Bugzilla task entry for the SQL modules? Or grouped by pdb_mysql and pdb_pgsql?
Comment 29 Volker Lendecke 2005-09-24 04:08:38 UTC
Just a trivial suggestion: You might want to carry this discussion to
samba-technical@samba.org where there is probably a bigger audience.

Just my 2 cents :-)

Volker
Comment 30 Florian Effenberger 2005-09-24 04:48:17 UTC
Good idea. Peter, Darrell, Uli, do you want to take over this? You are the
developers, not me, so the laurels should go to you. ;-)
Comment 31 Andrei Nazarenko 2005-09-26 05:28:07 UTC
It is great to see that finally there is an attention to the pdb backend. Being
no C developer myself (PHP/SQL mostly) I am ready to test new modules on my
Linux system here if needed. Thanks for all the input so far!!
Andrei Nazarenko
Comment 32 Florian Effenberger 2005-12-23 06:41:52 UTC
Maybe this new bug is of interest for those on the Cc list:

https://bugzilla.samba.org/show_bug.cgi?id=3351
Comment 33 Andrei Nazarenko 2006-01-25 11:07:39 UTC
I am not sure if I should open a new bug report for this, perhaps ít is related to the bug #3351 also. Here is the deal:

I have a MySQL table `users` that is used by Samba (and not only by it) for user authorization.
When a user enters wrong password and his 'nt_pw' field is empty or contains invalid hash, ALL user accounts
in the table become locked!

I traced the SQL queries and they go in pairs like this:

SELECT logon_time,logoff_time,kickoff_time,pass_last_set_time,pass_can_change_time,pass_must_change_time,
username,domain,nt_username,nt_fullname,home_dir,dir_drive,logon_script,profile_path,acct_desc,workstations,
unknown_str,munged_dial,user_sid,group_sid,lm_pw,nt_pw,NULL,acct_ctrl,logon_divs,hours_len,bad_password_count,
logon_count,unknown_6,logon_hours FROM users WHERE username = 'USERNAME'

UPDATE users SET acct_ctrl = 17

At the same time, Samba log file shows this:

[2006/01/25 17:15:51, 2] smbd/sesssetup.c:setup_new_vc_session(772)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2006/01/25 17:15:51, 2] smbd/sesssetup.c:setup_new_vc_session(772)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2006/01/25 17:15:51, 2] auth/auth.c:check_ntlm_password(317)
  check_ntlm_password:  Authentication for user [USERNAME] -> [USERNAME] FAILED with error NT_STATUS_WRONG_PASSWORD
[2006/01/25 17:15:51, 2] smbd/sesssetup.c:setup_new_vc_session(772)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2006/01/25 17:15:51, 2] smbd/sesssetup.c:setup_new_vc_session(772)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.

I have two questions:

1) why is Samba trying to update the 'acct_ctrl' field, if the user is simply trying to authorize himself?
2) where is the 'WHERE' part in the UPDATE query?

Also, if  'pass_last_set_time' and 'pass_can_change_time' are 0, then the 'nt_pw' and 'lm_pw' change to 'XXXXXXXXXXXXXXXXXXXX' for ALL users again in addition to ALL users being locked (acct_ctrl = 17).

I though that was fixed?! I am using SuSE 10 RPM package version 3.0.21a-3.1.2

I would REALLY appreciate if somebody could have a look into this,
as I am running in production now and have to do some very ugly stuff to overcome this issue.

Comment 34 Gerald (Jerry) Carter 2006-02-10 08:42:03 UTC
See bug 3375.  If someone wants to maintain these modules outside
the Samba source tree, that is fine.  But the source has been removed
from the upcoming 3.0.22 release.