Bug 383 - smbpasswd: Failing to store a SAM_ACCOUNT for [root] without a primary group RID
Summary: smbpasswd: Failing to store a SAM_ACCOUNT for [root] without a primary group RID
Status: RESOLVED WONTFIX
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: User/Group Accounts (show other bugs)
Version: 3.0.0preX
Hardware: All Linux
: P1 normal
Target Milestone: 3.0.0rc3
Assignee: Gerald (Jerry) Carter (dead mail address)
QA Contact:
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2003-09-01 18:06 UTC by John H Terpstra (mail address dead(
Modified: 2005-02-07 09:06 UTC (History)
0 users

See Also:


Attachments
My smb.conf file - FYI (3.19 KB, text/plain)
2003-09-01 18:09 UTC, John H Terpstra (mail address dead(
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description John H Terpstra (mail address dead( 2003-09-01 18:06:11 UTC
Adding a user account via smbpasswd (with tdbsam backend) is broken:

frodo:/SL/RPMS # smbpasswd -a root
New SMB password:
Retype new SMB password:
tdb_update_sam: Failing to store a SAM_ACCOUNT for [root] without a primary
group RID
Failed to add entry for user root.
Failed to modify password entry for user root

No maintenance can be performed in the absence of the root account in tdbsam.
To add a primary group account for root, one needs to have a root account. Hmmm.
Comment 1 John H Terpstra (mail address dead( 2003-09-01 18:09:38 UTC
Created attachment 116 [details]
My smb.conf file - FYI

The following smb.conf file was used.
Comment 2 John H Terpstra (mail address dead( 2003-09-01 18:10:45 UTC
PS: Discovered this becuse in testing HOWTO documentation I deleted the root
account and now can not add it back.
Comment 3 Gerald (Jerry) Carter (dead mail address) 2003-09-02 07:05:24 UTC
John, please be more specific in the subject.  
"smbpasswd broken" means nothing.  It's too vague.
Comment 4 Gerald (Jerry) Carter (dead mail address) 2003-09-04 21:50:58 UTC
works fine here on the latest SAMBA_3_0 cvs

root# smbpasswd -a root
New SMB password:
Retype new SMB password:
pdb_getsampwnam: TDB passwd (/usr/local/samba/private/passdb.tdb) did not exist.
File successfully created.
Added user root.
Comment 5 John H Terpstra (mail address dead( 2003-09-05 00:34:50 UTC
Sorry! Bug still there!

I can now add normal users BUT NOT root!

Here is the output from CVS 09/05 01:00am MDT

First add a normal user:
------------------------
frodo:/etc/samba # smbpasswd -a vdr
New SMB password:
Retype new SMB password:
Added user vdr.

Now add 'root':
---------------

frodo:/etc/samba # smbpasswd -a root -D 10
Netbios name list:-
my_netbios_names[0]="FRODO"
New SMB password:
Retype new SMB password:
Trying to load: tdbsam
Attempting to register passdb backend ldapsam
Successfully added passdb backend 'ldapsam'
Attempting to register passdb backend ldapsam_compat
Successfully added passdb backend 'ldapsam_compat'
Attempting to register passdb backend smbpasswd
Successfully added passdb backend 'smbpasswd'
Attempting to register passdb backend tdbsam
Successfully added passdb backend 'tdbsam'
Attempting to register passdb backend guest
Successfully added passdb backend 'guest'
Attempting to find an passdb backend to match tdbsam (tdbsam)
Found pdb backend tdbsam
pdb backend tdbsam has a valid init
Trying to load: guest
Attempting to find an passdb backend to match guest (guest)
Found pdb backend guest
pdb backend guest has a valid init
pdb_getsampwnam (TDB): error fetching database.
 Error: Record does not exist
 Key: USER_root
Finding user root
Trying _Get_Pwnam(), username as lowercase is root
Get_Pwnam_internals did find user [root]!
pdb_set_username: setting username root, was
element 11 -> now SET
pdb_set_full_name: setting full name root, was
element 12 -> now SET
pdb_set_unix_homedir: setting home dir /root, was NULL
element 21 -> now SET
pdb_set_domain: setting domain MIDEARTH, was
pdb_set_user_sid: setting user sid S-1-5-21-1593769616-160655940-3590153233-1000
element 17 -> now SET
pdb_set_user_sid_from_rid:
        setting user sid S-1-5-21-1593769616-160655940-3590153233-1000 from rid 1000
pdb_set_group_sid: setting group sid S-1-5-32-544
element 18 -> now SET
pdb_set_profile_path: setting profile path \\frodo\Profiles\root, was
pdb_set_homedir: setting home dir \\frodo\root, was
pdb_set_dir_drive: setting dir drive H:, was NULL
pdb_set_logon_script: setting logon script scripts\logon.bat, was
pdb_init_sam_new: no RID specified.  Generating one via old algorithm
pdb_set_user_sid: setting user sid S-1-5-21-1593769616-160655940-3590153233-1000
element 17 -> now SET
pdb_set_user_sid_from_rid:
        setting user sid S-1-5-21-1593769616-160655940-3590153233-1000 from rid 1000
account_policy_get: maximum password age:-1
account_policy_get: minimum password age:0
tdb_update_sam: Failing to store a SAM_ACCOUNT for [root] without a primary
group RID
Failed to add entry for user root.
Failed to modify password entry for user root


Group Mappings Are:
-------------------
frodo:/etc/samba # net groupmap list
System Operators (S-1-5-32-549) -> sys
Replicators (S-1-5-32-552) -> daemon
Guests (S-1-5-32-546) -> nobody
Domain Users (S-1-5-21-1593769616-160655940-3590153233-513) -> users
Domain Admins (S-1-5-21-1593769616-160655940-3590153233-512) -> ntadmin
Domain Guests (S-1-5-21-1593769616-160655940-3590153233-514) -> nobody
Power Users (S-1-5-32-547) -> sys
Master (S-1-5-21-1593769616-160655940-3590153233-2345) -> master
Print Operators (S-1-5-32-550) -> lp
Administrators (S-1-5-32-544) -> root
Account Operators (S-1-5-32-548) -> root
Backup Operators (S-1-5-32-551) -> bin
Users (S-1-5-32-545) -> users


But I can not change any group mappings because I do not have a root account in
passdb.tdb!

So, how to resolve this?

I belive this is not a closed case by a long shot! :(
Comment 6 John H Terpstra (mail address dead( 2003-09-05 00:44:55 UTC
I did some further research. Here are my findings:

1. Moved group_mapping.tdb out of the way.
2. Added root using:

smbpasswd -a root
New SMB password:
Retype new SMB password:
Added user root.

3. Moved group_mapping.tdb back into place.
4. Ran:

net groupmap ntgroup="Domain Admins" unixgroup=root

5. Deleted user root:

smbpasswd -x root

6. Re-added user 'root'

Works fine!

So this means that "Domain Admins" Must be mapped either to gid = -1, or 0.
If "Domain Admins" is mapped to any other group it is no longer possible to add
the root account to passdb.tdb.

Bug _OR_ feature? Which is it?

If bug, it needs to be fixed.
If feature, it must be documented.

It sounds like a bug to me!
Comment 7 Gerald (Jerry) Carter (dead mail address) 2003-09-05 06:50:42 UTC
first, let's be clear.  'root' in a passdb backend is not a requirement
for manipulating group mappings.  You just have to be UNIX root
when executing the command.
Comment 8 Gerald (Jerry) Carter (dead mail address) 2003-09-05 08:19:57 UTC
I cannot reproduce this using either ldapsam or tdbsam

# net groupmap list
...
Domain Admins (S-1-5-21-1190581161-2471147213-1292359000-512) -> ntadmin

# getent group ntadmin
ntadmin:x:1007:jerry

# smbpasswd  -a root
New SMB password:
Retype new SMB password:
Added user root.
Comment 9 Gerald (Jerry) Carter (dead mail address) 2003-09-05 08:28:29 UTC
ahhh....here's your problem.  You are setting the primary group to 
be a builtin group.  I don't think this is valid in our code.

pdb_set_group_sid: setting group sid S-1-5-32-544
                                     ^^^^^^^^^^^^
Administrators (S-1-5-32-544) -> root

So while this is probably a bug, it's not going to 
get fixed soon because there is very little benefit.
I think the group mapping stuff needs for investigation
and work.

Bottom line.  Primary group is our code must match to 
either a domain or a local group.
Comment 10 Gerald (Jerry) Carter (dead mail address) 2005-02-07 09:06:20 UTC
originally reported against one of the 3.0.0rc[1-4] releases.
Cleaning up non-production versions.