Bug 2867 - add machine script not being executed as root
Summary: add machine script not being executed as root
Status: RESOLVED INVALID
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: User/Group Accounts (show other bugs)
Version: 3.0.14a
Hardware: x86 Linux
Importance: P3 normal
Target Milestone: none
Assignee: Samba Bugzilla Account
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2005-07-08 10:13 UTC by Brian Abreu
Modified: 2005-08-29 14:33 UTC

See Also:


Description Brian Abreu 2005-07-08 10:13:52 UTC
The add machine script is not being executed as root.  This is a problem when
using the smbldap-tools scripts because they must be executed as root in order
to access the LDAP server.

I am running Trustix with the 2.4.30 kernel on x86 hardware.  Samba is version
3.0.14a.

Here is the output from testparm:

Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Processing section "[netlogon]"
Processing section "[backup]"
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC
Press enter to see a dump of your service definitions

# Global parameters
[global]
       workgroup = EE
       server string = Trustix Secure Linux Samba Server
       passdb backend = ldapsam:ldap://localhost/
       log file = /var/log/samba/log.%I
       max log size = 50
       socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
       add user script = /usr/local/sbin/smbldap-useradd -m "%u"
       delete user script = /usr/local/sbin/smbldap-userdel "%u"
       add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
       delete group script = /usr/local/sbin/smbldap-groupdel "%g"
       add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
       delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" "%g"
       set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u"
       add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
       logon script = logon.bat
       logon path =
       logon drive = H:
       domain logons = Yes
       os level = 32
       preferred master = Yes
       domain master = Yes
       wins proxy = Yes
       wins support = Yes
       ldap admin dn = cn=admin,dc=experts-exchange,dc=com
       ldap delete dn = Yes
       ldap group suffix = ou=Groups
       ldap idmap suffix = ou=People
       ldap machine suffix = ou=Computers
       ldap passwd sync = Yes
       ldap suffix = dc=experts-exchange,dc=com
       ldap user suffix = ou=People

[homes]
       comment = Home Directories
       path = /home/users/%S
       valid users = %S
       read only = No
       create mask = 0600
       directory mask = 0700
       browseable = No

[netlogon]
       comment = Network Logon Service
       path = /home/samba/netlogon
       guest ok = Yes
       share modes = No

[backup]
       comment = Backups
       path = /backup
       browseable = No

When I run `net join EE -U root` I get the following error:

[2005/07/07 17:06:26, 0] utils/net_ads.c:ads_startup(191)
 ads_connect: No results returned
Creation of workstation account failed
Unable to join domain EE.

Here is a snippet of part of the log that is generated when I run that command.
As you can see from the last lines, smbldap-useradd did not run properly
because it could not open the smbldap.conf file.  The permissions on this file
are 0600; it is owned by root.

[2005/07/07 16:59:56, 5] lib/smbldap.c:smbldap_search(1038)
 smbldap_search: base => [dc=experts-exchange,dc=com], filter => [(&(uid=fileserver$)(objectclass=sambaSamAccount))], scope => [2]
[2005/07/07 16:59:56, 4] passdb/pdb_ldap.c:ldapsam_getsampwnam(1334)
 ldapsam_getsampwnam: Unable to locate user [fileserver$] count=0
[2005/07/07 16:59:56, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
 pop_sec_ctx (10000, 513) - sec_ctx_stack_ndx = 0
[2005/07/07 16:59:56, 5] lib/username.c:Get_Pwnam(293)
 Finding user fileserver$
[2005/07/07 16:59:56, 5] lib/username.c:Get_Pwnam_internals(223)
 Trying _Get_Pwnam(), username as lowercase is fileserver$
[2005/07/07 16:59:56, 5] lib/username.c:Get_Pwnam_internals(239)
 Trying _Get_Pwnam(), username as uppercase is FILESERVER$
[2005/07/07 16:59:56, 5] lib/username.c:Get_Pwnam_internals(247)
 Checking combinations of 0 uppercase letters in fileserver$
[2005/07/07 16:59:56, 5] lib/username.c:Get_Pwnam_internals(251)
 Get_Pwnam_internals didn't find user [fileserver$]!
[2005/07/07 16:59:56, 5] rpc_server/srv_samr_nt.c:_samr_create_user(2311)
 _samr_create_user:  can add this account : False
Unable to open /etc/opt/IDEALX/smbldap-tools/smbldap.conf for reading !
Compilation failed in require at /usr/local/sbin/smbldap-useradd line 33.
BEGIN failed--compilation aborted at /usr/local/sbin/smbldap-useradd line 33.
[2005/07/07 16:59:56, 0] rpc_server/srv_samr_nt.c:_samr_create_user(2324)
 _samr_create_user: Running the command `/usr/local/sbin/smbldap-useradd -w "fileserver$"' gave 2


This looks like it is related to 2282 and 1037.
Comment 1 Gerald (Jerry) Carter (dead mail address) 2005-08-29 14:33:00 UTC
Samba executes the add machine script under the context of the 
connected user unless you possess the SeMachineAccountPrivilege.

This appears to be your problem:

[2005/07/07 16:59:56, 5] rpc_server/srv_samr_nt.c:_samr_create_user(2311)
 _samr_create_user:  can add this account : False
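The comment above gives the mechanism: the add machine script only runs as root when the connecting account holds SeMachineAccountPrivilege, so the fix is to grant that privilege and confirm it took. The script below is an added example written for this page; it is not part of the bug report or of Samba itself. It wraps the real `net rpc rights list accounts` and `net rpc rights grant` commands, parses the blank-line-separated listing that `net rpc rights list accounts` prints (account name on the first line, one privilege per following line, or "No privileges assigned"), and grants SeMachineAccountPrivilege only when it is missing. The account name `EE\root`, the credential variable `ADMIN_CRED` and the function names are assumptions for the example; the privilege and command names are Samba's own.

```shell
#!/bin/sh
# Added example: check and grant SeMachineAccountPrivilege with the Samba "net" tool.
# ADMIN_CRED is passed to "net -U"; use the user%password form to avoid the prompt.
ADMIN_CRED="${ADMIN_CRED:-root}"

# Print the privileges held by one account, one per line (prints nothing if none).
# Parses the "net rpc rights list accounts" listing: records are separated by a
# blank line, the first line of a record is the account, the rest are privileges.
list_privileges() {
    WANT="$1" net rpc rights list accounts -U "$ADMIN_CRED" 2>/dev/null |
    WANT="$1" awk 'BEGIN { RS = ""; FS = "\n" }
        {
            sub(/^Password:/, "", $1)        # prompt text glued to the first record
            if ($1 != ENVIRON["WANT"]) next  # ENVIRON avoids -v backslash mangling
            for (i = 2; i <= NF; i++)
                if ($i != "No privileges assigned") print $i
        }'
}

# Exit status 0 if ACCOUNT holds PRIVILEGE, 1 otherwise.
has_privilege() {
    list_privileges "$1" | grep -qxF "$2"
}

# Grant SeMachineAccountPrivilege to ACCOUNT unless it already holds it, then
# re-read the listing so the result reflects what the server actually stored.
ensure_machine_account_privilege() {
    account="$1"
    if has_privilege "$account" SeMachineAccountPrivilege; then
        echo "$account already holds SeMachineAccountPrivilege"
        return 0
    fi
    net rpc rights grant "$account" SeMachineAccountPrivilege -U "$ADMIN_CRED" &&
    has_privilege "$account" SeMachineAccountPrivilege
}

# Usage (assumed domain and account from this report): run as a domain admin on the PDC.
#   ADMIN_CRED='root%secret' sh grant-machine-priv.sh 'EE\root'
if [ -n "$1" ]; then
    ensure_machine_account_privilege "$1"
fi
```

On the 3.0.x releases of this era the privilege model also has to be switched on with `enable privileges = yes` in `[global]`, so check that before concluding the grant did not work. After the grant, repeat the `net join` and look for `can add this account : True` at the same `_samr_create_user` log line; the script then runs under root and can read a 0600 smbldap.conf.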