Re: [Samba] samba + slave OpenLdap (read-only)

2008-07-17 Thread Andrew Bartlett
On Thu, 2008-07-03 at 16:04 -0400, Charlie wrote:
 On Thu, Jul 3, 2008 at 2:54 PM, Charlie [EMAIL PROTECTED] wrote:
 
  The most common problem I see with busted referrals is when someone
  sets up a program (such as samba) to use the local replica's
  rootdn/rootpw as defined in /etc/slapd.conf (which allows bypassing
  ACLs and whatnot) but does not define that dn and password to have
  appropriate access on the master server.  If the admindn that samba is
  using does not have the ability to write the master slapd, it won't
  matter if it has unrestricted access to the slave.
 
 Whoops, replying to myself here.  I have been privately warned that
 allowing multiple samba servers unlimited write access to one's LDAP
 database can cause creation of duplicate entries for single entities
 (such as machine trust accounts).  Which leads to the dreaded
 multiple LDAP objects returned error in the logs if you have samba
 BDCs.

If they do, then it is a bug in your configuration. 

 I do not recommend that any daemon have totally unrestricted write
 access to one's LDAP directory.  I do not recommend that any entity
 (other than a trusted human being) use the master slapd's
 rootdn/rootpw for anything.
 
 http://www.openldap.org/faq/index.cgi?_highlightWords=rootdn&file=761
 
 In my systems, the samba rootdn has the ability to write all
 samba-only LDAP attributes but does not have the ability to create
 POSIX accounts or anything else unrelated to samba.  Machine trust
 accounts have the ability to modify their own passwords, because I am
 not sure when they bind as the samba admindn and when they bind with
 their own credentials.

They never bind with their own credentials.  Clients in NT4-emulated
domains do not know about LDAP, so all access is via Samba, and all
access via Samba is with the Samba credentials. 

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
Samba Developer, Red Hat Inc.


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

Re: [Samba] samba + slave OpenLdap (read-only)

2008-07-03 Thread jakjr
I looked at samba code and I found this:


while (another_ldap_try(ldap_state, &rc, &attempts, endtime))
{
    /* retry loop: another_ldap_try() decides whether a further attempt is made */
    rc = ldap_modify_s(ldap_state->ldap_struct, utf8_dn, attrs);
    if (rc != LDAP_SUCCESS)
    {
        char *ld_error = NULL;
        int ld_errno;

        ldap_get_option(ldap_state->ldap_struct,
                        LDAP_OPT_ERROR_NUMBER, &ld_errno);

        ldap_get_option(ldap_state->ldap_struct,
                        LDAP_OPT_ERROR_STRING, &ld_error);

        DEBUG(10, ("Failed to modify dn: %s, error: %d (%s) "
                   "(%s)\n", dn, ld_errno,
                   ldap_err2string(rc),
                   ld_error ? ld_error : "unknown"));
        SAFE_FREE(ld_error);

        /* only a dead server makes the connection get dropped and reopened */
        if (ld_errno == LDAP_SERVER_DOWN)
        {
            ldap_unbind(ldap_state->ldap_struct);
            ldap_state->ldap_struct = NULL;
        }
    }
}

Samba does NOT follow the referral returned by the openldap server. At least in
this situation (joining machines).

Samba will only try another server if the first one is DOWN.

In my opinion, it should try another server if any error occurs during any
ldap operation.

So many thanks.

João Alfredo




Re: [Samba] samba + slave OpenLdap (read-only)

2008-07-03 Thread Volker Lendecke
On Thu, Jul 03, 2008 at 10:05:07AM -0300, jakjr wrote:
 I looked at samba code and I found this:

Can you send sample code how this should be done. AFAIK the
LDAP libs should take care of this. That's the whole point
of having the rebind_proc stuff around.

Volker



Re: [Samba] samba + slave OpenLdap (read-only)

2008-07-03 Thread jakjr
Yes! rebind_proc should be called if the error returned by openldap was
Referral.

I'm not a developer and can't help much with this. Sorry.

João Alfredo



Re: [Samba] samba + slave OpenLdap (read-only)

2008-07-03 Thread Volker Lendecke
On Thu, Jul 03, 2008 at 10:18:58AM -0300, jakjr wrote:
 Yes! rebind_proc should be called if the error returned by openldap was
 Referral.

Then, if you don't provide the sniff I have asked for, the
developers can not be of much help.

Please also check your /etc/ldap.conf (or so) for the
setting of REFERRAL. It must be set to yes which is the
default.

Volker



Re: [Samba] samba + slave OpenLdap (read-only)

2008-07-03 Thread Charlie
On Thu, Jul 3, 2008 at 9:12 AM, Volker Lendecke
[EMAIL PROTECTED] wrote:

 Can you send sample code how this should be done. AFAIK the
 LDAP libs should take care of this. That's the whole point
 of having the rebind_proc stuff around.

I believe that the OpenLDAP libraries have been able to chase
referrals and failovers and deal with heavily paged search results for
many years now.  In the case of searching, programmers must use the
API correctly (in other words, don't just ignore it when the libs
return a "more results pending" flag), but in the case of referrals
LDAP_OPT_REFERRALS is by default set to LDAP_OPT_ON, so it should be
reasonably transparent to the programmer.  Authoritative information
should be easily available from the OpenLDAP.org site, so don't take
my word for it!

The most common problem I see with busted referrals is when someone
sets up a program (such as samba) to use the local replica's
rootdn/rootpw as defined in /etc/slapd.conf (which allows bypassing
ACLs and whatnot) but does not define that dn and password to have
appropriate access on the master server.  If the admindn that samba is
using does not have the ability to write the master slapd, it won't
matter if it has unrestricted access to the slave.

--Charlie


Re: [Samba] samba + slave OpenLdap (read-only)

2008-07-03 Thread Charlie

Whoops, replying to myself here.  I have been privately warned that
allowing multiple samba servers unlimited write access to one's LDAP
database can cause creation of duplicate entries for single entities
(such as machine trust accounts), which leads to the dreaded
"multiple LDAP objects returned" error in the logs if you have samba
BDCs.

I do not recommend that any daemon have totally unrestricted write
access to one's LDAP directory.  I do not recommend that any entity
(other than a trusted human being) use the master slapd's
rootdn/rootpw for anything.

http://www.openldap.org/faq/index.cgi?_highlightWords=rootdn&file=761

In my systems, the samba rootdn has the ability to write all
samba-only LDAP attributes but does not have the ability to create
POSIX accounts or anything else unrelated to samba.  Machine trust
accounts have the ability to modify their own passwords, because I am
not sure when they bind as the samba admindn and when they bind with
their own credentials.

I use samba to integrate proprietary desktops into standards-based
networks, and sometimes I forget that other people are doing the
opposite.  Our POSIX accounts, including machine trusts, are created
and deleted by human beings in accordance with the US federal
regulations that apply to my employer.  I hope no-one misinterpreted
my previous post.

--Charlie
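As an added example (not from the thread, and not Samba's or OpenLDAP's own documentation), here is one way to write Charlie's split of privileges, from this and his previous post, as slapd.conf ACLs on the master; the admin dn uid=smb-admin,ou=test,dc=example,dc=com and the host ldap-master.example.com are assumed placeholders, and the same ACLs must exist on the master that the replica refers writes to, because the replica's rootdn/rootpw carries no rights there.

```conf
# Added example, not from the thread.  Master slapd.conf; Samba's "ldap admin dn"
# is assumed to be uid=smb-admin,ou=test,dc=example,dc=com (placeholder).

# Password-equivalent attributes: only Samba's admin dn may read or write them.
# Charlie also lets machine accounts write their own; Andrew Bartlett's reply in
# this thread notes that NT4-style clients only ever write through Samba, so no
# "by self write" rule is added for them here.
access to attrs=sambaLMPassword,sambaNTPassword,sambaPasswordHistory
        by dn.exact="uid=smb-admin,ou=test,dc=example,dc=com" write
        by * none

# The POSIX password stays out of Samba's reach entirely (ldap passwd sync = No).
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# Remaining sambaSamAccount attributes: Samba writes, authenticated users read.
access to attrs=sambaPwdLastSet,sambaPwdCanChange,sambaPwdMustChange,
        sambaAcctFlags,sambaBadPasswordCount,sambaBadPasswordTime,
        sambaLogonTime,sambaLogoffTime,sambaKickoffTime,sambaSID,
        sambaPrimaryGroupSID,sambaHomePath,sambaHomeDrive,sambaLogonScript,
        sambaProfilePath,sambaUserWorkstations
        by dn.exact="uid=smb-admin,ou=test,dc=example,dc=com" write
        by users read

# Everything else (POSIX attributes, and entry creation/deletion, which needs
# write access to the parent's "children" pseudo-attribute): Samba only reads,
# so accounts can only be created by the third-party tool or a human.
# Caveat: if your setup lets Samba allocate RIDs it also updates the sambaDomain
# entry under the suffix; check the slapd log and add a dn-scoped rule if so.
access to *
        by dn.exact="uid=smb-admin,ou=test,dc=example,dc=com" read
        by users read
        by * auth

# Replica slapd.conf only: answer writes with a referral (err=10) to the master.
# updateref ldap://ldap-master.example.com
```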


Re: [Samba] samba + slave OpenLdap (read-only)

2008-07-02 Thread Volker Lendecke
On Wed, Jul 02, 2008 at 10:08:19AM -0300, jakjr wrote:
 Hello,
 
 I'm trying to config samba to use an openldap replica (slave) base.
 
 Everything is working, except when I try to join a machine to a domain.
 
 Samba tries to write some attributes in openldap, but this database (slave) is
 read-only, so this operation fails.
 
 Openldap can return a REFERRAL when a client (samba) tries to do a
 modification on a slave database, and this is already happening.
 
 But samba can't understand this referral returned by the slave openldap.

Hmmm. I've got this running in many customer installations.
The fact that we do referrals is one reason why the ldap
replication sleep parameter exist at all. What is the exact
failure you're seeing?

Volker



RE: [Samba] samba + slave OpenLdap (read-only)

2008-07-02 Thread L.P.H. van Belle
I suggest setting up ldap syncrepl.
If needed you can use it in multi-master mode.

(I'm also running etch, with pdc and bdc + 1 ldap master and 4 slaves.)

Louis
 

-Original message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On behalf of jakjr
Sent: Wednesday, 2 July 2008 15:08
To: samba@lists.samba.org
Subject: [Samba] samba + slave OpenLdap (read-only)

Hello,

I'm trying to config samba to use an openldap replica (slave) base.

Everything is working, except when I try to join a machine to
a domain.

Samba tries to write some attributes in openldap, but this
database (slave) is
read-only, so this operation fails.

Openldap can return a REFERRAL when a client (samba) tries to do a
modification on a slave database, and this is already happening.

But samba can't understand this referral returned by the slave openldap.

I saw in the man page that this is possible and samba should
understand this by
default.

Is this correct? Or should I change something in smb.conf?

I'm using samba 3.0.24 (Debian Etch).

Regards,

João Alfredo


Re: [Samba] samba + slave OpenLdap (read-only)

2008-07-02 Thread jakjr
Hey,

When I try to join a new machine to a domain, it simply fails.

I already set the ldap replication sleep to a higher value, but this does
not work.

I'm using syncrepl on ldap (refreshAndPersist) and this is working, including
the referral returned if updateref is configured in slapd.conf.

Thanks



Re: [Samba] samba + slave OpenLdap (read-only)

2008-07-02 Thread Tomasz Chmielewski

jakjr wrote:

Hey,

When I try to join a new machine to a domain, it simply fails.

I already set the ldap replication sleep to a higher value, but this does
not work.

I'm using syncrepl on ldap (refreshAndPersist) and this is working, including
the referral returned if updateref is configured in slapd.conf.


What do you use to add new accounts?

smbldap-tools can be configured to use different LDAP servers (master 
and slave).



--
Tomasz Chmielewski
http://wpkg.org


Re: [Samba] samba + slave OpenLdap (read-only)

2008-07-02 Thread jakjr
I'm using third-party software to create the accounts in the ldap.

But the problem is when I try to include this machine (the entry of this
machine already exists in ldap) in my samba domain using an ldap replica
(read-only).

Samba tries to modify some attributes in the slave (read-only), the slave
returns a referral and samba is not following the referral to the master ldap
(where samba has the right to modify these attributes).

Thanks.



Re: [Samba] samba + slave OpenLdap (read-only)

2008-07-02 Thread Tomasz Chmielewski

jakjr wrote:

I'm using third-party software to create the accounts in the ldap.

But the problem is when I try to include this machine (the entry of this
machine already exists in ldap) in my samba domain using an ldap replica
(read-only).

Samba tries to modify some attributes in the slave (read-only), the slave
returns a referral and samba is not following the referral to the master ldap
(where samba has the right to modify these attributes).


Is it Samba that really creates the accounts?

Can you paste your smb.conf?


--
Tomasz Chmielewski
http://wpkg.org



Re: [Samba] samba + slave OpenLdap (read-only)

2008-07-02 Thread jakjr
No. Samba does not create any account in ldap (users or machines).

These accounts are created by other software, like phpSambaAdmin.

smb.conf:
[global]
  workgroup = caresl
  netbios name = scaresmb03
  ldap admin dn = uid=smb--admin,dc**
  ldap suffix = ou=test,dc=*
  ldap passwd sync = No
  passdb backend = ldapsam:ldap://10.1*
  dns proxy = No
  name resolve order = wins bcast
  server string =
  unix charset = iso8859-1
  ldap timeout = 45
  enable privileges = Yes
  admin users = @smb-administrators
  veto files = /.Trash-%U/
  oplocks = No
  level 2 oplocks = No
  time server = Yes
  kernel oplocks = No
  preferred master = Yes
  local master = Yes
  domain master = Yes
  os level = 65
  ldap replication sleep = 5000

  domain logons = Yes
  wins support = Yes
  logon drive = u
  logon path =
  logon home = \\\%U$
  logon script = %U.bat

 Debugging/Accounting 

  log level = 10


Log from ldap when trying to include a machine in the domain:
Jul  2 11:44:18 starget slapd[19617]: conn=10 op=30 ENTRY
dn=uid=vmtest11201$,ou=test,
Jul  2 11:44:18 starget slapd[19617]: conn=10 op=30 SEARCH RESULT tag=101
err=0 nentries=1 text=
Jul  2 11:44:18 starget slapd[19617]: conn=10 op=31 MOD
dn=uid=vmtest11201$,ou=*
Jul  2 11:44:18 starget slapd[19617]: conn=10 op=31 MOD
attr=sambaPwdCanChange sambaPwdCanChange sambaNTPassword sambaNTPassword
sambaPwdLastSet sambaPwdLastSet
Jul  2 11:44:18 starget slapd[19617]: conn=10 op=31 RESULT tag=103 err=10 text=

This error code from ldap means that ldap returned a referral to samba.

Samba should follow this referral to the master ldap.

Many thanks.

João Alfredo



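As an added example (not code from the thread or from Samba/OpenLDAP), a small Python checker that reads slapd log lines in the format shown above and reports write operations answered with err=10 (referral: the write went to the read-only replica) or err=50 (insufficient access: the bound dn lacks rights on the server that holds the data); the sample log is constructed, and dc=example,dc=com stands in for the suffix the poster redacted.

```python
import re
# LDAP result codes that matter here (RFC 4511 numbering).
LDAP_REFERRAL = 10
LDAP_INSUFFICIENT_ACCESS = 50

# Constructed sample in the format of the slapd log quoted above; the poster
# redacted the suffix, so dc=example,dc=com is an assumed placeholder.
SAMPLE_LOG = """\
Jul  2 11:44:18 starget slapd[19617]: conn=10 op=30 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul  2 11:44:18 starget slapd[19617]: conn=10 op=31 MOD dn="uid=vmtest11201$,ou=test,dc=example,dc=com"
Jul  2 11:44:18 starget slapd[19617]: conn=10 op=31 MOD attr=sambaPwdCanChange sambaPwdCanChange sambaNTPassword sambaNTPassword sambaPwdLastSet sambaPwdLastSet
Jul  2 11:44:18 starget slapd[19617]: conn=10 op=31 RESULT tag=103 err=10 text=
Jul  2 11:45:02 starget slapd[19617]: conn=11 op=2 ADD dn="uid=pc02$,ou=test,dc=example,dc=com"
Jul  2 11:45:02 starget slapd[19617]: conn=11 op=2 RESULT tag=105 err=10 text=
Jul  2 11:46:40 starget slapd[19617]: conn=12 op=4 MOD dn="uid=alice,ou=test,dc=example,dc=com"
Jul  2 11:46:40 starget slapd[19617]: conn=12 op=4 MOD attr=loginShell
Jul  2 11:46:40 starget slapd[19617]: conn=12 op=4 RESULT tag=103 err=50 text=
"""

OP_RE = re.compile(r"conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<rest>.*)$")
WRITE_RE = re.compile(r'^(?P<kind>ADD|MOD|DEL|MODRDN) dn="(?P<dn>[^"]*)"')
ATTR_RE = re.compile(r"^MOD attr=(?P<attrs>.+)$")
RESULT_RE = re.compile(r"^RESULT tag=(?P<tag>\d+) err=(?P<err>\d+)")

def parse_write_results(log_text):
    """Pair each write request (keyed by conn/op) with its RESULT line."""
    # slapd logs one attribute name per modification, so Samba's delete+add
    # replace lists the same attribute twice; de-duplicate when collecting.
    pending, results = {}, []
    for line in log_text.splitlines():
        m = OP_RE.search(line)
        if not m:
            continue
        key, rest = (int(m["conn"]), int(m["op"])), m["rest"]
        w = WRITE_RE.match(rest)
        if w:
            pending[key] = {"conn": key[0], "op": key[1], "kind": w["kind"],
                            "dn": w["dn"], "attrs": []}
            continue
        a = ATTR_RE.match(rest)
        if a and key in pending:
            pending[key]["attrs"] = sorted(set(a["attrs"].split()))
            continue
        r = RESULT_RE.match(rest)  # "SEARCH RESULT ..." lines do not match
        if r and key in pending:
            rec = pending.pop(key)
            rec["err"] = int(r["err"])
            results.append(rec)
    return results

def classify(results):
    """err=10: the write hit a read-only replica and was referred elsewhere;
    err=50: the bound dn lacks rights on the server that holds the data."""
    groups = {"referred": [], "denied": [], "other": []}
    for rec in results:
        if rec["err"] == LDAP_REFERRAL:
            groups["referred"].append(rec)
        elif rec["err"] == LDAP_INSUFFICIENT_ACCESS:
            groups["denied"].append(rec)
        else:
            groups["other"].append(rec)
    return groups

def report(log_text):
    """One line per problem write, e.g. for a log-watching cron job."""
    groups = classify(parse_write_results(log_text))
    return ["%s conn=%d op=%d %s %s attrs=%s" % (tag.upper(), r["conn"], r["op"],
            r["kind"], r["dn"], ",".join(r["attrs"]))
            for tag in ("referred", "denied") for r in groups[tag]]
```

Run it over the replica's log: a stream of REFERRED lines for Samba's admin dn means the referral is not being chased, while DENIED lines on the master point at the ACL problem Charlie describes.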


Re: [Samba] samba + slave OpenLdap (read-only)

2008-07-02 Thread jakjr
Hey,

Here another log:

Samba tries to change some attributes, like sambaNTPassword (green),
and ldap returns an error (red) and a referral to the master ldap. But samba
does not follow this referral.

Why does samba try to change these attributes??

Thanks.

[2008/07/02 16:36:32, 10] lib/smbldap.c:smbldap_make_mod(520)
  smbldap_make_mod: deleting attribute |sambaNTPassword| values
|4619D0EB563CB8FAE84FF83A11AB50A4|
[2008/07/02 16:36:32, 10] lib/smbldap.c:smbldap_make_mod(529)
  smbldap_make_mod: adding attribute |sambaNTPassword| value
|3F320F8E58CD749B1A6A9333A9E77E02|
[2008/07/02 16:36:32, 11] passdb/pdb_get_set.c:pdb_get_init_flags(217)
  element 34: SET
[2008/07/02 16:36:32, 11] passdb/pdb_get_set.c:pdb_get_init_flags(217)
  element 21: SET
[2008/07/02 16:36:32, 11] passdb/pdb_get_set.c:pdb_get_init_flags(222)
  element 21: CHANGED
[2008/07/02 16:36:32, 10] lib/smbldap.c:smbldap_make_mod(520)
  smbldap_make_mod: deleting attribute |sambaPwdLastSet| values |2147483647|
[2008/07/02 16:36:32, 10] lib/smbldap.c:smbldap_make_mod(529)
  smbldap_make_mod: adding attribute |sambaPwdLastSet| value |1215027392|
[2008/07/02 16:36:32, 11] passdb/pdb_get_set.c:pdb_get_init_flags(217)
  element 27: SET
[2008/07/02 16:36:32, 11] passdb/pdb_get_set.c:pdb_get_init_flags(217)
  element 20: SET
[2008/07/02 16:36:32, 11] passdb/pdb_get_set.c:pdb_get_init_flags(217)
  element 29: SET
[2008/07/02 16:36:32, 5] lib/smbldap.c:smbldap_modify(1363)
  smbldap_modify: dn = [uid=vmcelepar11201$,ou=TEST,dc]
[2008/07/02 16:36:32, 11] lib/smbldap.c:smbldap_open(1043)
  smbldap_open: already connected to the LDAP server
[2008/07/02 16:36:32, 10] lib/smbldap.c:smbldap_modify(1377)
  Failed to modify dn: uid=vmcelepar11201$,ou=TEST,dc=**, error:
Referral ()
[2008/07/02 16:36:32, 11] passdb/pdb_get_set.c:pdb_set_init_flags(425)
  element 35 - now CHANGED




Re: [Samba] samba + slave OpenLdap (read-only)

2008-07-02 Thread Volker Lendecke
On Wed, Jul 02, 2008 at 04:47:42PM -0300, jakjr wrote:
 Hey,
 
 Here another log:
 
 Samba tries to change some attributes, like sambaNTPassword (green),
 and ldap returns an error (red) and a referral to the master ldap. But samba
 does not follow this referral.
 
 Why does samba try to change these attributes??

Because the machine vmcelepar11201 tried to change its
password. A sniff of the LDAP traffic might help a bit
towards finding the failure to follow the referral. But
please beware that this traffic contains password
equivalents or even passwords.

Volker

