Bug 3064 - Samba PDC with LDAP cannot add machines
Summary: Samba PDC with LDAP cannot add machines
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: Domain Control (show other bugs)
Version: 3.0.14a
Hardware: x86 Linux
: P3 normal
Target Milestone: none
Assignee: Samba Bugzilla Account
QA Contact: Samba QA Contact
Depends on:
Reported: 2005-09-06 04:45 UTC by Jan Evert van Grootheest
Modified: 2005-09-21 16:16 UTC (History)

See Also:
Description Jan Evert van Grootheest 2005-09-06 04:45:19 UTC
I am setting up a Samba PDC which uses LDAP for account information.
It is a debian installation with samba 3.0.14a and slapd 2.2.23 (I'm also using
ldap-account-manager, but I don't think that has anything to do with this).

The problem is that when I attempt to join a w2k machine (the first one,
actually) to the domain it reports 'Logon failure: unknown user name or password'.
Samba, at the same time, reports in the logfile for that machine:

[2005/09/06 13:12:58, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (1000, 1000) - sec_ctx_stack_ndx = 0
[2005/09/06 13:12:58, 5] rpc_server/srv_samr_nt.c:_samr_set_userinfo(3077)
  _samr_set_userinfo:  does not possess sufficient rights
[2005/09/06 13:12:58, 5] rpc_server/srv_samr_nt.c:set_user_info_pw(2961)
  Attempting administrator password change for user krauq$
[2005/09/06 13:12:58, 10] lib/account_pol.c:account_policy_get(210)
  account_policy_get: maximum password age:-1
[2005/09/06 13:12:58, 10] lib/account_pol.c:account_policy_get(210)
  account_policy_get: minimum password age:0
[2005/09/06 13:12:58, 5] rpc_server/srv_samr_nt.c:set_user_info_pw(2981)
  Changing trust account or non-unix-user password, not updating /etc/passwd
[2005/09/06 13:12:58, 5] rpc_server/srv_samr_nt.c:set_user_info_pw(2999)
  set_user_info_pw: pdb_update_pwd()
[2005/09/06 13:12:58, 5] lib/smbldap.c:smbldap_search(1038)
  smbldap_search: base => [dc=XXX,dc=XXX,dc=org], filter =>
[(&(uid=krauq$)(objectclass=sambaSamAccount))], scope => [2]
[2005/09/06 13:12:58, 0] lib/smbldap.c:smbldap_open(882)
  smbldap_open: cannot access LDAP when not root..
[2005/09/06 13:12:58, 1] lib/smbldap.c:another_ldap_try(1011)
  Connection to LDAP server failed for the 1 try!

It does this 15 times and then gives up.

[2005/09/06 13:13:13, 0] lib/smbldap.c:smbldap_open(882)
  smbldap_open: cannot access LDAP when not root..
[2005/09/06 13:13:13, 0] lib/smbldap.c:smbldap_search_suffix(1176)
  smbldap_search_suffix: Problem during the LDAP search:  (Timed out)
[2005/09/06 13:13:13, 5] rpc_parse/parse_prs.c:prs_debug(82)
  000000 samr_io_r_set_userinfo
[2005/09/06 13:13:13, 5] rpc_parse/parse_prs.c:prs_ntstatus(672)
      0000 status: NT_STATUS_ACCESS_DENIED
[2005/09/06 13:13:13, 5] rpc_server/srv_pipe.c:api_rpcTNP(1578)
  api_rpcTNP: called samr successfully
[2005/09/06 13:13:13, 10] rpc_server/srv_pipe.c:api_rpcTNP(1587)
  api_rpcTNP: rpc input buffer underflow (parse error?)
[2005/09/06 13:13:13, 5] rpc_parse/parse_prs.c:prs_uint8s(729)
  021c : 00

I don't understand this as smbd and nmbd are running as root, so why is it
complaining about not being root?

I am sure that there is no problem with the LDAP connection or database. It is
already used for unix authentication (using pam_ldap/nss_ldap) and also on this
w2k machine I can browse (windows explorer) the shares on the PDC using the same
username/password used to join the machine to the domain. So I guess that samba
is getting information from LDAP just fine (the logfile also shows this in other
Comment 1 Jan Evert van Grootheest 2005-09-21 13:17:51 UTC
In the end I found out that I needed an administrator account that had uidNumber
0 in the LDAP. This made an smbd process with uid 0.
So it is not really a bug. Or perhaps it is.

Why is it necessary to have a samba administrator also be unix root when using LDAP?
Comment 2 Gerald (Jerry) Carter (dead mail address) 2005-09-21 16:16:17 UTC
See the "user rights" chapter in the Samba HOWTO.
The behavior you describe is by design.
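Added example (not part of this bug report or of Samba's own code): a small Python checker that parses the smbd debug log quoted in the description and pairs the "cannot access LDAP when not root" failures with the unix uid/gid smbd had dropped to (from pop_sec_ctx) and the trust account being provisioned, which is the condition Comment 1 resolved by giving the administrator account uidNumber 0. The sample log is a constructed, abridged copy of the report's lines; the header format is the Samba 3.x "[timestamp, level] file:function(line)" layout they show.

```python
import re

# Constructed sample: an abridged copy of the smbd debug log quoted in the report.
SAMPLE_LOG = """\
[2005/09/06 13:12:58, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (1000, 1000) - sec_ctx_stack_ndx = 0
[2005/09/06 13:12:58, 5] rpc_server/srv_samr_nt.c:_samr_set_userinfo(3077)
  _samr_set_userinfo:  does not possess sufficient rights
[2005/09/06 13:12:58, 5] rpc_server/srv_samr_nt.c:set_user_info_pw(2961)
  Attempting administrator password change for user krauq$
[2005/09/06 13:12:58, 0] lib/smbldap.c:smbldap_open(882)
  smbldap_open: cannot access LDAP when not root..
[2005/09/06 13:13:13, 0] lib/smbldap.c:smbldap_open(882)
  smbldap_open: cannot access LDAP when not root..
"""
# Samba 3.x debug header: "[YYYY/MM/DD HH:MM:SS, level] file.c:function(line)"
HEADER = re.compile(r"^\[(\S+ \S+), (\d+)\] (\S+)$")
SEC_CTX = re.compile(r"pop_sec_ctx \((\d+), (\d+)\)")
PWCHANGE = re.compile(r"password change for user (\S+)")

def parse_samba_log(text):
    """Group debug output into (timestamp, level, location, message) records;
    indented and wrapped lines belong to the preceding header."""
    records, cur = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            cur = [m.group(1), int(m.group(2)), m.group(3), []]
            records.append(cur)
        elif cur is not None:
            cur[3].append(line.strip())
    return [(ts, lvl, loc, " ".join(msg)) for ts, lvl, loc, msg in records]

def diagnose_ldap_not_root(text):
    """Pair 'cannot access LDAP when not root' with the unix uid/gid smbd had
    dropped to (last pop_sec_ctx) and the trust account being provisioned."""
    uid = gid = account = None
    failures, rights_denied = 0, False
    for _ts, _lvl, _loc, msg in parse_samba_log(text):
        if (m := SEC_CTX.search(msg)):
            uid, gid = int(m.group(1)), int(m.group(2))
        elif (m := PWCHANGE.search(msg)):
            account = m.group(1)
        elif "does not possess sufficient rights" in msg:
            rights_denied = True
        elif "cannot access LDAP when not root" in msg:
            failures += 1
    if failures == 0:
        return None  # no LDAP-as-non-root failure in this log
    return {"effective_uid": uid, "effective_gid": gid, "trust_account": account,
            "samr_rights_denied": rights_denied, "ldap_failures": failures,
            "needs_root_uid": uid != 0}  # what Comment 1 fixed via uidNumber 0
```

Running diagnose_ldap_not_root on a real log at debug level 3 or higher shows whether the join was attempted under a non-zero uid, which is the case the "user rights" chapter referenced in Comment 2 addresses.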