5722 – net rpc vampire fails to import machine accounts correctly

Bug 5722 - net rpc vampire fails to import machine accounts correctly

Summary: net rpc vampire fails to import machine accounts correctly

Status:	NEEDINFO

Alias:	None

Product:	Samba 3.3
Classification:	Unclassified
Component:	Client tools (show other bugs)
Version:	3.3.3
Hardware:	x64 Linux

Importance:	P3 normal
Target Milestone:	---
Assignee:	Guenther Deschner
QA Contact:	Samba QA Contact

URL:
Keywords:

Depends on:
Blocks:

Reported:	2008-08-27 09:44 UTC by marcaurel
Modified:	2020-12-22 00:46 UTC (History)
CC List:	6 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description marcaurel 2008-08-27 09:44:32 UTC

when i start sucking a pdc in my ldapserver the following
errors come up with every machineaccount on the pdc:
 
 
1.)
Creating account: SP1$
/usr/sbin/smbldap-usermod: user SP1_ doesn't exist
[2008/08/27 14:09:45,  0] groupdb/mapping.c:smb_set_primary_group(312)
  smb_set_primary_group: Running the command `/usr/sbin/smbldap-usermod -g 'Domain Users' 'SP1_'' gave 1
 
2.)
User SP1_ does not exist: create it first !
 
 
what instantly strikes is that there is an _ instead
of the $ in the pcname which cannot work.
I guess the second error comes up when the script tries to set
the correct password!? Afterwards nevertheless there are
machineaccount-passwords in the ldap-database but they seem
wrong because machineconnects fail.
everything else is flawlessly imported (users, groups, groupmemberships).
i didn't change anything in the configuration which worked
perfectly with vampire in 3.0.x
 
 
ExampleLDAPentry of the above mentioned machine after import:
-------------------------------------------------------------
 
dn: uid=SP1$,ou=Computers,dc=test,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: sambaSamAccount
cn: SP1$
uid: SP1$
uidNumber: 1071
gidNumber: 515
homeDirectory: /dev/null
loginShell: /bin/false
description: Computer
gecos: Computer
structuralObjectClass: account
entryUUID: be6e3366-087c-102d-9d48-4b401f1e60f4
creatorsName: cn=manager,dc=test,dc=com
createTimestamp: 20080827120929Z
sambaSID: S-1-5-21-378104194-1064922793-1509252994-1090
sambaPrimaryGroupSID: S-1-5-21-378104194-1064922793-1509252994-513
sambaNTPassword: 5C49A9927C59942A46F193C41446FFD5
sambaPwdLastSet: 1162907539
sambaAcctFlags: [W          ]
entryCSN: 20080827120929.102086Z#000000#000#000000
modifiersName: cn=manager,dc=test,dc=com
modifyTimestamp: 20080827120929Z
 
 
smb.conf (suck-configuration)
-----------------------------
 
[global]
    workgroup = PRESSFK
    netbios name = DEBIANPDC
    wins server = 192.168.200.3
 
    ## Domäne
    #########
    domain master = No
    domain logons = Yes
    passdb backend = ldapsam:ldap://127.0.0.1
 
    ## Benutzerverwaltung ldapsam
    #############################
    add user script = /usr/sbin/smbldap-useradd -m '%u'
    delete user script = /usr/sbin/smbldap-userdel '%u'
    add machine script = /usr/sbin/smbldap-useradd -w '%u'
    add group script = /usr/sbin/smbldap-groupadd -p '%g'
    delete group script = /usr/sbin/smbldap-groupdel '%g'
    add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
    delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
    set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
 
    ## LDAP
    #######
    ldap suffix = dc=test,dc=com
    ldap admin dn = cn=manager,dc=test,dc=com
    ldap machine suffix = ou=Computers
    ldap user suffix = ou=People
    ldap group suffix = ou=Groups
    ldap idmap suffix = ou=Idmap
    ldap passwd sync = Yes
    ldap delete dn = Yes
     ldap ssl = No

Comment 1 Jeremy Allison 2008-08-29 19:23:00 UTC

Yes, that's going to happen as we're trying not to get any meta-characters into our account database (machine accounts are normally created by net join activity). I'll take a look at this to see what can be done to fix it.
Jeremy.

Comment 2 Sébastien Prud'homme 2008-10-03 16:47:35 UTC

The problem is the same if you create a machine account with srvmgr.exe.

I don't understand why Samba 3.2 is trying to set the primary group sid of a machine account. Is this a normal behaviour? Isn't the POSIX stuff enought?

By default the idealx scripts creates a machine account with a primary gid that corresponds to a "Domain Computers" posix group/samba group mapping. Then Samba 3.2 seems to check whether the machine account is in "Domain Users" group and try to correct this if its not the case (first the POSIX stuff with smb_set_primary_group then sambaPrimaryGroupSID in LDAP)

Unfortunately smb_set_primary_group doesn't like trailing dollars. I'm not sure but perhaps it's because of the use of talloc_string_sub instead of talloc_string_sub2 with the right parameters:

add_script = talloc_string_sub(ctx,
	add_script, "%u", unix_user)

But as i said before, i really don't understand why Samba 3.2 is trying to set the primary group sid of a machine account.

Comment 3 Greg Bis 2009-04-28 04:21:57 UTC

I'm using Samba 3.3.3 with the same results. Whenever I try to create a machine account with srvmgr.exe, the error occures. As I've done some further investigations on the internet, the same situation occured with Samba 3.0.7.
http://www.mail-archive.com/samba@lists.samba.org/msg47210.html

Comment 4 Guenther Deschner 2011-02-09 09:17:23 UTC

Metze, isnt that exactly the issue you resolved very recently ?

Comment 5 Stefan Metzmacher 2011-10-26 13:23:11 UTC

Does this still happens with 3.6.x?