Bug 9629 - Since version 3.0.33-3.29.el5_5.1 the binary /usr/bin/profiles does not work.
Summary: Since version 3.0.33-3.29.el5_5.1 the binary /usr/bin/profiles does not work.
Status: RESOLVED FIXED
Alias: None
Product: Samba 3.6
Classification: Unclassified
Component: User & Group Accounts (show other bugs)
Version: 3.6.6
Hardware: x86 Linux
: P5 normal
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks: 10077
  Show dependency treegraph
 
Reported: 2013-02-04 00:47 UTC by Jobst Schmalenbach
Modified: 2014-12-20 15:49 UTC (History)
3 users (show)

See Also:


Attachments
TODO: samba-tool replace-binary-sid (8.82 KB, patch)
2014-09-01 07:06 UTC, Stefan Metzmacher
no flags Details
proposed patch (3.48 KB, patch)
2014-11-04 22:57 UTC, Christian Ambach
metze: review+
Details
Cherry-picked fixes from master for 4.1 and 4.2 (3.95 KB, patch)
2014-12-05 22:49 UTC, Christian Ambach
metze: review+
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Jobst Schmalenbach 2013-02-04 00:47:04 UTC

    
Comment 1 Jobst Schmalenbach 2013-02-04 01:11:36 UTC
Using the older /usr/bin/profile (version number 3.0.33-3.29.el5_5.1) I can execute the following command line and I get he desired effect of changing the SID for the user within the registry file (I renamed the original version)

/usr/bin/profiles_old -c S-1-5-21-HIDDEN-HIDDEN-581009308-5424 -n S-1-5-21-HIDDEN-HIDDEN-581009308-5452 NTUSER.DAT

Using the current /usr/bin/profile (version number 3.6.6-0.129.el5) I cannot change the SID within the SAME file, as I get lots of errors:

ndr_pull_security_descriptor failed: Buffer Size Error
prs_grow: Buffer overflow - unable to expand buffer by 36 bytes.
ndr_pull_security_descriptor failed: Buffer Size Error
prs_grow: Buffer overflow - unable to expand buffer by 36 bytes.
ndr_pull_security_descriptor failed: Buffer Size Error
prs_grow: Buffer overflow - unable to expand buffer by 36 bytes.
....
....
....
regfio_rootkey: corrupt registry file ?  No root key record located
Could not get rootkey


I have searched the net and have asked many times to get an answer.
I have not been able to do this for quite some time.
I rely on this for new user configuration.

thanks
Jobst
Comment 2 Matthias Dieter Wallnöfer 2013-02-04 15:44:34 UTC
Is the title misleading? With 3.0.x it worked, but with 3.6.6 it fails? Do you have checked with other releases as well (just for curiosity)?
Comment 3 Jobst Schmalenbach 2013-02-05 05:49:24 UTC
(In reply to comment #2)
> Is the title misleading? With 3.0.x it worked, but with 3.6.6 it fails? Do you
> have checked with other releases as well (just for curiosity)?

Title is not misleading, it works with a 3.0.33-3.29 "profile" binary but it does not work with a 3.6.6-0.129 "profile" binary.

I know that in 12 November 2011 I updated to the

  samba-common-3.0.33-3.29.el5_5.1.x86_64

series as per YUM log, but then I changed across to the samba3x branch on the 25.11.2011, and my problems started with the profile binary. I have just checked my YUM logs, I can see them as far back as:

  - 3.5.4-0.83.el5_7.2.x86_64
  - 3.5.10-0.109.el5_8.x86_6
  - 3.5.10-0.110.el5_8.x86_64
  - 3.6.6-0.129.el5.x86_64

I know it did not work with any of those samba3x, but I always kept the older version of the "profile" binary.

I know it was a clear choice I did at the time, because of reading various messages on CentOS and Samba based mailing lists, especially because of growing numbers of Windows 7 workstations in my company, so I am really happy using the samba3x branch.

The only thing that bothers me a bit is the problem I am having is with the profile binary. 

I checked out the source code and around line 260 (from memory) there is 

 	if ((nk = regfio_rootkey( infile )) == NULL) {
 		fprintf(stderr, "Could not get rootkey\n");
 		exit(3);
 	}

but, sorry, I don't know what regfio_rootkey is doing, have not had the time to understand that part (I have a comp sci degree with post grad).

So in short, it seems to work with the samba- branch but not with the samba3x- branch. 

It may just be that the registry file that is expected is of different format?
Does it expect a Win7 registry file but it is getting a WinXP file?
But that is not good as it has to work with a WinXP registry format too?

thanks
Jobst
Comment 4 Karolin Seeger 2013-12-10 15:48:13 UTC
Any news on this one?
Comment 5 Christian Ambach 2014-08-31 21:20:59 UTC
Seems to me as if this was broken a long time ago with commit 8000479d.

Will have a deeper look
Comment 6 Stefan Metzmacher 2014-09-01 07:06:24 UTC
Created attachment 10241 [details]
TODO: samba-tool replace-binary-sid

I found that 'profiles' is completely broken and corrupts the NTUSER.dat
as it doesn't copy everything.

The aim of just fixing up the sid of the user can be done by just
replacing the binary sid buffers.

Christian can you have a look?

Also notice the following discussion:
https://lists.samba.org/archive/samba-technical/2013-April/thread.html#91650
Comment 7 Karel 2014-09-08 06:49:43 UTC
Hello guys,
i can confirm this problem still exist in 
samba.x86_64     3.6.9-169.el6_5   

btw. i also tried it in 
samba4.x86_64    4.0.0-63.el6_5.rc4

and it is still broken there too.

Thanks to Jobst suggestion, i downloaded the older Samba and get it going with the old binary i extracted from it.

what i did:

- download samba-common-3.0.33-3.29.el5_5.1.i386.rpm
- extract /usr/bin/profiles file
- put the file to e.g. /opt
- ./profiles -v -c old-SID -n new-SID NTUSER.DAT

- installed due deps:

yum -y install 1:compat-openldap-2.3.43-2.el6.i686
yum -y install popt-1.13-7.el6.i686
Comment 8 Christian Ambach 2014-11-04 22:57:08 UTC
Created attachment 10405 [details]
proposed patch


The attached patches make profiles work again for me and the resulting files can be loaded without error message in the Windows Registry Editor. Comparing the input and output visually in regedit revealed no missing or corrupted entries, but I have to admit I only look at a few places, not all the keys that were stored in my test files.

I can run checks with regdiff but I couldn't figure out how to make regdiff work against two local registry files.
Metze, can you tell me how to do that?
Comment 9 Stefan Metzmacher 2014-11-22 03:12:13 UTC
Comment on attachment 10405 [details]
proposed patch

I'm not sure if this fixes all problems, but the patches look like a very good improvement, please push them to master with my review.

I don't remember how I tested with regdiff.

At least I checked the resulting file size and the diff of hexdump -C.
The new file was much smaller and missed a lot of information.
Comment 10 Christian Ambach 2014-12-05 22:49:50 UTC
Created attachment 10494 [details]
Cherry-picked fixes from master for 4.1 and 4.2

The patches have landed in master, so let's get them into 4.1 and 4.2 as well.
Comment 11 Stefan Metzmacher 2014-12-07 15:01:39 UTC
Comment on attachment 10494 [details]
Cherry-picked fixes from master for 4.1 and 4.2

Looks, good for 4.1 and 4.2. Should we also backport to 4.0?
Comment 12 Christian Ambach 2014-12-14 22:18:16 UTC
The patches apply cleanly to v4-0 as well.
So Karolin, please pick for 4.0, 4.1 and 4.2.

Thanks
Comment 13 Karolin Seeger 2014-12-15 19:43:06 UTC
Pushed to autobuild-v4-[0|1|2]-test.
Comment 14 Stefan Metzmacher 2014-12-17 11:43:56 UTC
(In reply to Karolin Seeger from comment #13)

Pushed to v4-2-test.
Comment 15 Karolin Seeger 2014-12-20 15:49:24 UTC
(In reply to Stefan (metze) Metzmacher from comment #14)
Pushed to v4-0-test and v4-1-test also.
Closing out bug report.

Thanks!