Hi, I installed Samba 4 (samba version 4.0.0alpha12-GIT-4567bf9) provisioned against OpenLDAP 2.4.21 on Ubuntu 9.10. When starting samba via samba -i -M single I always get these error messages:

samba -i -M single
samba version 4.0.0alpha12-GIT-4567bf9 started.
Copyright Andrew Tridgell and the Samba Team 1992-2010
samba: using 'single' process model
FIXME: Using new system session for hdb
/usr/local/samba/sbin/samba_dnsupdate: Failed to bind - LDAP error 49 LDAP_INVALID_CREDENTIALS - <SASL(-13): user not found: no secret in database> <>
/usr/local/samba/sbin/samba_dnsupdate: Failed to connect to 'ldapi://%2Fusr%2Flocal%2Fsamba%2Fprivate%2Fldap%2Fldapi'
/usr/local/samba/sbin/samba_dnsupdate: module partition initialization failed
/usr/local/samba/sbin/samba_dnsupdate: module show_deleted initialization failed
/usr/local/samba/sbin/samba_dnsupdate: module extended_dn_out_openldap initialization failed
/usr/local/samba/sbin/samba_dnsupdate: module schema_load initialization failed
/usr/local/samba/sbin/samba_dnsupdate: module kludge_acl initialization failed
/usr/local/samba/sbin/samba_dnsupdate: module operational initialization failed
/usr/local/samba/sbin/samba_dnsupdate: module acl initialization failed
/usr/local/samba/sbin/samba_dnsupdate: module descriptor initialization failed
/usr/local/samba/sbin/samba_dnsupdate: module objectclass initialization failed
/usr/local/samba/sbin/samba_dnsupdate: module asq initialization failed
/usr/local/samba/sbin/samba_dnsupdate: module server_sort initialization failed
/usr/local/samba/sbin/samba_dnsupdate: module paged_results initialization failed
/usr/local/samba/sbin/samba_dnsupdate: module lazy_commit initialization failed
/usr/local/samba/sbin/samba_dnsupdate: module rootdse initialization failed
/usr/local/samba/sbin/samba_dnsupdate: module samba_dsdb initialization failed
/usr/local/samba/sbin/samba_dnsupdate: Unable to load modules for /usr/local/samba/private/sam.ldb: (null)
/usr/local/samba/sbin/samba_dnsupdate: Traceback (most recent call last):
/usr/local/samba/sbin/samba_dnsupdate: File "/usr/local/samba/sbin/samba_dnsupdate", line 252, in <module>
/usr/local/samba/sbin/samba_dnsupdate: sub_vars = get_subst_vars()
/usr/local/samba/sbin/samba_dnsupdate: File "/usr/local/samba/sbin/samba_dnsupdate", line 198, in get_subst_vars
/usr/local/samba/sbin/samba_dnsupdate: lp=lp)
/usr/local/samba/sbin/samba_dnsupdate: File "/usr/local/samba/lib/python2.6/site-packages/samba/samdb.py", line 47, in __init__
/usr/local/samba/sbin/samba_dnsupdate: options=options)
/usr/local/samba/sbin/samba_dnsupdate: File "/usr/local/samba/lib/python2.6/site-packages/samba/__init__.py", line 111, in __init__
/usr/local/samba/sbin/samba_dnsupdate: self.connect(url, flags, options)
/usr/local/samba/sbin/samba_dnsupdate: File "/usr/local/samba/lib/python2.6/site-packages/samba/samdb.py", line 54, in connect
/usr/local/samba/sbin/samba_dnsupdate: options=options)
/usr/local/samba/sbin/samba_dnsupdate: _ldb.LdbError: (80, None)
dsdb/dns/dns_update.c:234: Failed DNS update - NT_STATUS_ACCESS_DENIED
Testing kcctpl_create_intersite_connections
Endi, are you able to help us here?
Created attachment 5649
0001-s4-dns-Use-SAMDB-Credentials-to-connect-to-LDAP-back.patch

The samba_dnsupdate has been modified to use the SAMDB credentials from the secrets database when LDAP backend is used. The patch has been tested with the default, OpenLDAP, and FDS backends; the error messages no longer appear.
abartlet, tridge, what do you say?
While I agree the fix will work, I don't want a solution that works for this script only, but leaves any other script just as broken. I'm thinking along the lines of attaching to the LDB (not the credentials) a hook to describe the SASL mechanism that must be used for this connection. That way, we can force this to DIGEST-MD5 and avoid this pain for all sam.ldb connections (and remove another similar nasty hack in the KDC).
I'm happy for this script to be used until I find time to do something better.
Does the "samba_dnsupdate" problem still persist?
Don't know and don't care, as with denying the fix for Bug 7042, Samba with the OpenLDAP backend is rendered unusable for me, so I moved away from that.
I close this since the s4 OpenLDAP/FedoraDS backends have been deprecated - and are unsupported from now on. I'm sorry to say this but we really lack the resources to maintain them.