Bug 3091 - netgroups broken with LDAP SUN ONE directory server
netgroups broken with LDAP SUN ONE directory server
Product: Samba 3.0
Classification: Unclassified
Component: File Services
Sparc Solaris
: P3 normal
: none
Assigned To: Samba Bugzilla Account
Samba QA Contact
Depends on:
  Show dependency treegraph
Reported: 2005-09-13 08:19 UTC by Tom Crummey
Modified: 2009-05-26 05:34 UTC (History)
0 users

See Also:

Test program to show the bug (528 bytes, text/plain)
2005-09-13 08:23 UTC, Tom Crummey
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Tom Crummey 2005-09-13 08:19:25 UTC
netgroups cannot be used for host access control. This means 
hosts allow = @group
will not work under the following circumstances:

samba-3.0.20 compiled against OpenLDAP 2.2.17
Sun Solaris 9 using SUN ONE DS 5.2 LDAP server
Using SUN's nss_ldap.so for host OS LDAP queries.

An error message is output to /var/adm/messages: 

Aug 19 14:44:42 spock smbd[1006]: [ID 293258 user.error] libsldap:Status: 7 
Mesg: LDAP ERROR (-7): Bad search filter.

and the LDAP query never occurs and host access is always denied.

On digging into the code, samba uses the innetgr() library function to test if a
host is in a netgroup. This function is provided by libc.so on Solaris. The
stack then continues through the nss_* code depending on the directory service
used by the host. In the case of LDAP, nss_ldap.so is used which generates an
LDAP query using functions in libsldap.so. It is here that the error message is

To try and debug this I've built a test program which uses innetgr. When linked
without OpenLDAP libraries, it works as expected. Link the same program with the
OpenLDAP libraries and it fails and the error message is generated.

My thinking is that a function (possibly ldap_search) in the OpenLDAP library
does not like the search filter argument passed to it via nss_ldap.so and
libsldap.so and returns an error to libsldap.so which logs it so syslog.

Possible fixes would include being able to compile samba using the Solaris
client LDAP libraries instead of OpenLDAP, rewrite the netgroup match function
to use ldap calls directly instead of going through the host's nss_* subsystem
or (as in samba 4) implement just the minimum required LDAP client functionality
Comment 1 Tom Crummey 2005-09-13 08:23:01 UTC
Created attachment 1442 [details]
Test program to show the bug

compile using cc -o netgroup_test netgroup_test.c to show netgroups working
fine against a SUN ONE directory server.

comple using cc -o netgroup_test netgroup_test.c -L/usr/local/lib -lldap -llber

to show the error condition. Error message will go to syslog and on a default
setup, appear in /var/adm/messages.
Comment 2 Björn Jacke 2009-05-26 05:34:20 UTC
netgroups - what a strange invention :-). Thanks for pointing this out!

As you say: this looks like an OpenLDAP limitation. Samba can be compiled against the Netscape LDAP libs on Solaris since a while now. For the remaining limitiations of the Netscape LDAP support there are one or two other bug reports open.