Adding a user account via smbpasswd (with tdbsam backend) is broken:
frodo:/SL/RPMS # smbpasswd -a root
New SMB password:
Retype new SMB password:
tdb_update_sam: Failing to store a SAM_ACCOUNT for [root] without a primary group RID
Failed to add entry for user root.
Failed to modify password entry for user root
No maintenance can be performed in the absence of the root account in tdbsam. To add a primary group account for root, one needs to have a root account. Hmmm.
Created attachment 116
My smb.conf file - FYI
The following smb.conf file was used.
PS: Discovered this because in testing HOWTO documentation I deleted the root account and now cannot add it back.
John, please be more specific in the subject. "smbpasswd broken" means nothing. It's too vague.
works fine here on the latest SAMBA_3_0 cvs
root# smbpasswd -a root
New SMB password:
Retype new SMB password:
pdb_getsampwnam: TDB passwd (/usr/local/samba/private/passdb.tdb) did not exist. File successfully created.
Added user root.
Sorry! Bug still there! I can now add normal users BUT NOT root! Here is the output from CVS 09/05 01:00am MDT
First add a normal user:
------------------------
frodo:/etc/samba # smbpasswd -a vdr
New SMB password:
Retype new SMB password:
Added user vdr.
Now add 'root':
---------------
frodo:/etc/samba # smbpasswd -a root -D 10
Netbios name list:-
my_netbios_names[0]="FRODO"
New SMB password:
Retype new SMB password:
Trying to load: tdbsam
Attempting to register passdb backend ldapsam
Successfully added passdb backend 'ldapsam'
Attempting to register passdb backend ldapsam_compat
Successfully added passdb backend 'ldapsam_compat'
Attempting to register passdb backend smbpasswd
Successfully added passdb backend 'smbpasswd'
Attempting to register passdb backend tdbsam
Successfully added passdb backend 'tdbsam'
Attempting to register passdb backend guest
Successfully added passdb backend 'guest'
Attempting to find an passdb backend to match tdbsam (tdbsam)
Found pdb backend tdbsam
pdb backend tdbsam has a valid init
Trying to load: guest
Attempting to find an passdb backend to match guest (guest)
Found pdb backend guest
pdb backend guest has a valid init
pdb_getsampwnam (TDB): error fetching database.
Error: Record does not exist
Key: USER_root
Finding user root
Trying _Get_Pwnam(), username as lowercase is root
Get_Pwnam_internals did find user [root]!
pdb_set_username: setting username root, was
element 11 -> now SET
pdb_set_full_name: setting full name root, was
element 12 -> now SET
pdb_set_unix_homedir: setting home dir /root, was NULL
element 21 -> now SET
pdb_set_domain: setting domain MIDEARTH, was
pdb_set_user_sid: setting user sid S-1-5-21-1593769616-160655940-3590153233-1000
element 17 -> now SET
pdb_set_user_sid_from_rid: setting user sid S-1-5-21-1593769616-160655940-3590153233-1000 from rid 1000
pdb_set_group_sid: setting group sid S-1-5-32-544
element 18 -> now SET
pdb_set_profile_path: setting profile path \\frodo\Profiles\root, was
pdb_set_homedir: setting home dir \\frodo\root, was
pdb_set_dir_drive: setting dir drive H:, was NULL
pdb_set_logon_script: setting logon script scripts\logon.bat, was
pdb_init_sam_new: no RID specified. Generating one via old algorithm
pdb_set_user_sid: setting user sid S-1-5-21-1593769616-160655940-3590153233-1000
element 17 -> now SET
pdb_set_user_sid_from_rid: setting user sid S-1-5-21-1593769616-160655940-3590153233-1000 from rid 1000
account_policy_get: maximum password age:-1
account_policy_get: minimum password age:0
tdb_update_sam: Failing to store a SAM_ACCOUNT for [root] without a primary group RID
Failed to add entry for user root.
Failed to modify password entry for user root
Group Mappings Are:
-------------------
frodo:/etc/samba # net groupmap list
System Operators (S-1-5-32-549) -> sys
Replicators (S-1-5-32-552) -> daemon
Guests (S-1-5-32-546) -> nobody
Domain Users (S-1-5-21-1593769616-160655940-3590153233-513) -> users
Domain Admins (S-1-5-21-1593769616-160655940-3590153233-512) -> ntadmin
Domain Guests (S-1-5-21-1593769616-160655940-3590153233-514) -> nobody
Power Users (S-1-5-32-547) -> sys
Master (S-1-5-21-1593769616-160655940-3590153233-2345) -> master
Print Operators (S-1-5-32-550) -> lp
Administrators (S-1-5-32-544) -> root
Account Operators (S-1-5-32-548) -> root
Backup Operators (S-1-5-32-551) -> bin
Users (S-1-5-32-545) -> users
But I cannot change any group mappings because I do not have a root account in passdb.tdb! So, how to resolve this? I believe this is not a closed case by a long shot! :(
I did some further research. Here are my findings:
1. Moved group_mapping.tdb out of the way.
2. Added root using: smbpasswd -a root
New SMB password:
Retype new SMB password:
Added user root.
3. Moved group_mapping.tdb back into place.
4. Ran: net groupmap ntgroup="Domain Admins" unixgroup=root
5. Deleted user root: smbpasswd -x root
6. Re-added user 'root'
Works fine! So this means that "Domain Admins" Must be mapped either to gid = -1, or 0. If "Domain Admins" is mapped to any other group it is no longer possible to add the root account to passdb.tdb. Bug _OR_ feature? Which is it? If bug, it needs to be fixed. If feature, it must be documented. It sounds like a bug to me!
first, let's be clear. 'root' in a passdb backend is not a requirement for manipulating group mappings. You just have to be UNIX root when executing the command.
I cannot reproduce this using either ldapsam or tdbsam
# net groupmap list
...
Domain Admins (S-1-5-21-1190581161-2471147213-1292359000-512) -> ntadmin
# getent group ntadmin
ntadmin:x:1007:jerry
# smbpasswd -a root
New SMB password:
Retype new SMB password:
Added user root.
ahhh....here's your problem. You are setting the primary group to be a builtin group. I don't think this is valid in our code.
pdb_set_group_sid: setting group sid S-1-5-32-544
                                     ^^^^^^^^^^^^
Administrators (S-1-5-32-544) -> root
So while this is probably a bug, it's not going to get fixed soon because there is very little benefit. I think the group mapping stuff needs more investigation and work. Bottom line. Primary group in our code must match to either a domain or a local group.
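The check implied by the diagnosis above, as an added example that is not part of the bug report or of Samba's code: it reads `net groupmap list` output and reports whether a Unix group is mapped to a builtin (S-1-5-32-*) SID, the condition that preceded the "without a primary group RID" failure. The function names are hypothetical, and the sample lines are a subset of the mappings posted earlier in this report.

```shell
#!/bin/sh
# Added example, not Samba code. Reads `net groupmap list` output on stdin and
# classifies every NT group mapped to the Unix group given as $1.
# Exit status: 0 = no builtin mapping, 1 = a builtin (S-1-5-32-*) mapping
# exists, 2 = the Unix group has no mapping at all.
classify_primary_group() {
    awk -v grp="$1" '
        # Line shape: NT name (SID) -> unixgroup
        match($0, /\(S-[0-9-]+\) -> /) {
            name = substr($0, 1, RSTART - 2)
            sid  = substr($0, RSTART + 1, RLENGTH - 6)
            ugrp = substr($0, RSTART + RLENGTH)
            sub(/[ \t\r]+$/, "", ugrp)
            if (ugrp != grp) next
            found = 1
            if (sid ~ /^S-1-5-32-/)      { class = "builtin"; bad = 1 }
            else if (sid ~ /^S-1-5-21-/) { class = "domain" }
            else                         { class = "other" }
            print class, sid, name
        }
        END { if (!found) exit 2; exit (bad ? 1 : 0) }
    '
}

# Group mappings as listed earlier in this report (subset).
sample_groupmap() {
    cat <<'EOF'
Domain Users (S-1-5-21-1593769616-160655940-3590153233-513) -> users
Domain Admins (S-1-5-21-1593769616-160655940-3590153233-512) -> ntadmin
Administrators (S-1-5-32-544) -> root
Account Operators (S-1-5-32-548) -> root
Users (S-1-5-32-545) -> users
EOF
}

# Demo: the Unix group "root" is mapped only to builtin SIDs.
sample_groupmap | classify_primary_group root || true
```

On a live server the input would come from `net groupmap list`, and the group to check would be the account's primary Unix group, for example the output of `id -gn root`.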
originally reported against one of the 3.0.0rc[1-4] releases. Cleaning up non-production versions.