[Freeipa-users] Patch for ipa-sam: ipa-server-trust-ad samba server valid users =@groupname

Jason Woods devel at jasonwoods.me.uk
Thu Mar 6 21:25:44 UTC 2014


Hi all,

I am quite aware that installing ipa-server-trust-ad and using the samba as a file server is as unsupported as one can get... but I really needed a Samba server integrated with IPA (damn Mac OS and Windows). I don't actually have a Windows environment but this seemed to bootstrap enough of the requirements to get it working

Bit of a story for those who have time to read and maybe battling similar, or just skip to after the log for the fix+patch :)
* ipaNTSecurityIdentifier ended up missing because I didn't use --setsid and NT hash missing because I did not do a ipa passwd reset
* As a result, experienced user not found or invalid password, and after debug level 5 I had about 500M of core dumps (sorry don't have them anymore)
* Ran ipa-adtrust-install again with --setsid and reset some passwords and things started looking better, could connect, all good, NT hash was there and ipaNTSecurityIdentifier there (ldapsearch <3)
* Then next problem was when I added "valid users = @groupname" to share config. No longer could connect even if member of the group!
* Turned out ipNTGroupAttr was missing from some groups - thus had to register the ldif for the ipa-setsid task

Still had problems even after ipa-setsid, and ldapsearch showed all correct.
Here is a snippet from the logs at debug level 10.

> [2014/03/06 15:32:55.658567,  4, pid=28139, effective(0, 0), real(0, 0)] ../source3/smbd/sec_ctx.c:316(set_sec_ctx)
>   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
> [2014/03/06 15:32:55.658601,  5, pid=28139, effective(0, 0), real(0, 0)] ../libcli/security/security_token.c:53(security_token_debug)
>   Security token: (NULL)
> [2014/03/06 15:32:55.658634,  5, pid=28139, effective(0, 0), real(0, 0)] ../source3/auth/token_util.c:528(debug_unix_user_token)
>   UNIX token of user 0
>   Primary group is 0 and contains 0 supplementary groups
> [2014/03/06 15:32:55.658691,  5, pid=28139, effective(0, 0), real(0, 0)] ../source3/lib/smbldap.c:1249(smbldap_search_ext)
>   smbldap_search_ext: base => [dc=local,dc=othermedia,dc=com], filter => [(&(ipaNTSecurityIdentifier=S-1-5-21-2563482189-1697247676-1628377611-1005)(|(objectClass=ipaNTGroupAttrs)(objectClass=ipaNTUserAttrs)))], scope => [2]
> [2014/03/06 15:32:55.659599, 10, pid=28139, effective(0, 0), real(0, 0)] ipa_sam.c:309(get_single_attribute)
>   Attribute [uidNumber] not found.
> [2014/03/06 15:32:55.659667,  1, pid=28139, effective(0, 0), real(0, 0)] ipa_sam.c:717(ldapsam_sid_to_id)
>   Could not find uidNumber in cn=filestore_archive,cn=groups,cn=accounts,dc=local,dc=othermedia,dc=com
> [2014/03/06 15:32:55.659716,  4, pid=28139, effective(0, 0), real(0, 0)] ../source3/smbd/sec_ctx.c:424(pop_sec_ctx)
>   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2014/03/06 15:32:55.659758, 10, pid=28139, effective(0, 0), real(0, 0)] ../source3/passdb/lookup_sid.c:1121(legacy_sid_to_unixid)
>   LEGACY: mapping failed for sid S-1-5-21-2563482189-1697247676-1628377611-1005
> [2014/03/06 15:32:55.659796,  4, pid=28139, effective(0, 0), real(0, 0)] ../source3/smbd/sec_ctx.c:216(push_sec_ctx)
>   push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1


I noticed the "Could not find uidNumber" - turns out ipa-sam was being asked to turn SID into ID and was successfully finding it but needed to work out whether it was a group or a user. To do this, it searches the objectClass for "ipNTGroupAttr" - if it finds it, it looks for gidNumber, otherwise it looks for uidNumber. However, the objectClass added by ipa-setsid is "ipntgroupattr" and ipa-sam was using "strncmp".

I've fixed this with a patch to use strncasecmp. Might not be the best fix... maybe ipa-sam should be modified to have the attributes lower case for comparison? But this was simplest patch. Comments/feedback welcome and maybe I'll have time to do alternative fix if felt better?

Versions:
RHEL 6.4 3.0.0-37
Code in master branch appears to show the same issue

References:
freeipa/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.h
around line 54-55: lowercase objectClass addition
freeipa/daemons/ipa-sam/ipa_sam.c
around line 688: case sensitive comparison to ipaNTGroupAttrs

Patch for master branch:
diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c
index 1ca504d..c5e8b39 100644
--- a/daemons/ipa-sam/ipa_sam.c
+++ b/daemons/ipa-sam/ipa_sam.c
@@ -750,7 +750,7 @@ static bool ldapsam_sid_to_id(struct pdb_methods *methods,
 	}
 
 	for (c = 0; values[c] != NULL; c++) {
-		if (strncmp(LDAP_OBJ_GROUPMAP, values[c]->bv_val,
+		if (strncasecmp(LDAP_OBJ_GROUPMAP, values[c]->bv_val,
 			                       values[c]->bv_len) == 0) {
 			break;
 		}
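Review bot: switching to `strncasecmp` is the right direction, since LDAP objectClass values are matched case-insensitively by the directory, so a client-side case-sensitive compare against `LDAP_OBJ_GROUPMAP` was always fragile; but the comparison in `strncasecmp(LDAP_OBJ_GROUPMAP, values[c]->bv_val, values[c]->bv_len)` still only looks at the first `bv_len` bytes, so any objectClass value that is a strict prefix of `LDAP_OBJ_GROUPMAP` would also be taken as a group entry. Consider also requiring `values[c]->bv_len == strlen(LDAP_OBJ_GROUPMAP)` before the `break` so only an exact (case-insensitive) match classifies the entry as a group.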

Patch for RHEL 6.5 3.0.0-37:
--- a/daemons/ipa-sam/ipa_sam.c	2014-03-06 19:30:15.994792879 +0000
+++ b/daemons/ipa-sam/ipa_sam.c	2014-03-06 19:35:34.966791637 +0000
@@ -685,7 +685,7 @@
 	}

 	for (c = 0; values[c] != NULL; c++) {
-		if (strncmp(LDAP_OBJ_GROUPMAP, values[c]->bv_val,
+		if (strncasecmp(LDAP_OBJ_GROUPMAP, values[c]->bv_val,
 			                       values[c]->bv_len) == 0) {
 			break;
 		}
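Review bot: this is the same one-line change as the master hunk and carries the same prefix-only-match caveat on `values[c]->bv_len`; beyond that, the debug output above shows the failure path at `ipa_sam.c:717(ldapsam_sid_to_id)` ("Could not find uidNumber in cn=filestore_archive,cn=groups,..."), so re-running the `valid users = @groupname` share test at the same debug level and confirming that group SIDs now resolve via gidNumber rather than logging that message is the verification worth recording with this patch.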

Regards,

Jason
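To make the classification bug concrete, here is an added example (not code from ipa-sam, Samba, or the patch author) that reproduces the objectClass loop in isolation. It assumes `LDAP_OBJ_GROUPMAP` expands to "ipaNTGroupAttrs" (as the references section above indicates), uses a minimal stand-in for the LDAP `struct berval`, and constructs the lowercased objectClass value "ipantgroupattrs" to model what the post reports the sidgen plugin writes. It compares the original case-sensitive loop against a case-insensitive version that also checks the value length, so that a constructed prefix value such as "ipaNTGroup" is not mistaken for the group objectClass.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Assumed expansion of the ipa-sam macro (from the post's references section). */
#define LDAP_OBJ_GROUPMAP "ipaNTGroupAttrs"

/* Minimal stand-in for the LDAP berval the real code iterates over. */
struct berval {
    size_t bv_len;
    char *bv_val;
};

/* Pre-patch behaviour: case-sensitive, compares only bv_len bytes. Returns 1 if the
   entry would be classified as a group, 0 if it would be treated as a user. */
int is_group_case_sensitive(struct berval *values[])
{
    for (int c = 0; values[c] != NULL; c++) {
        if (strncmp(LDAP_OBJ_GROUPMAP, values[c]->bv_val, values[c]->bv_len) == 0)
            return 1;
    }
    return 0;
}

/* Patched comparison plus an exact-length check. The length check is an addition
   in this example, not part of the posted patch; it stops a shorter objectClass
   value that happens to be a prefix of LDAP_OBJ_GROUPMAP from matching. */
int is_group_case_insensitive(struct berval *values[])
{
    size_t want = strlen(LDAP_OBJ_GROUPMAP);
    for (int c = 0; values[c] != NULL; c++) {
        if (values[c]->bv_len == want &&
            strncasecmp(LDAP_OBJ_GROUPMAP, values[c]->bv_val, values[c]->bv_len) == 0)
            return 1;
    }
    return 0;
}

/* Build a NULL-terminated berval array from C strings (constructed test input). */
#define MAX_VALS 8
static int run(const char *const classes[], int (*classify)(struct berval *[]))
{
    struct berval store[MAX_VALS];
    struct berval *vals[MAX_VALS + 1];
    int n = 0;
    for (; classes[n] != NULL && n < MAX_VALS; n++) {
        store[n].bv_val = (char *)classes[n];
        store[n].bv_len = strlen(classes[n]);
        vals[n] = &store[n];
    }
    vals[n] = NULL;
    return classify(vals);
}

/* Constructed entries: a group whose objectClass was added in lowercase (the
   post's scenario), a plain user, and a hypothetical prefix-only objectClass. */
static const char *const lowercased_group[] = {"top", "posixgroup", "ipantgroupattrs", NULL};
static const char *const user_entry[]       = {"top", "posixaccount", "ipantuserattrs", NULL};
static const char *const prefix_entry[]     = {"top", "ipaNTGroup", NULL};

int lowercased_group_buggy(void)    { return run(lowercased_group, is_group_case_sensitive); }
int lowercased_group_fixed(void)    { return run(lowercased_group, is_group_case_insensitive); }
int user_entry_buggy(void)          { return run(user_entry, is_group_case_sensitive); }
int user_entry_fixed(void)          { return run(user_entry, is_group_case_insensitive); }
int prefix_entry_buggy(void)        { return run(prefix_entry, is_group_case_sensitive); }
int prefix_entry_fixed(void)        { return run(prefix_entry, is_group_case_insensitive); }

int main(void)
{
    printf("lowercased group: strncmp=%d  strncasecmp+len=%d\n",
           lowercased_group_buggy(), lowercased_group_fixed());
    printf("user entry:       strncmp=%d  strncasecmp+len=%d\n",
           user_entry_buggy(), user_entry_fixed());
    printf("prefix value:     strncmp=%d  strncasecmp+len=%d\n",
           prefix_entry_buggy(), prefix_entry_fixed());
    return 0;
}
```

With the case-sensitive loop the lowercased group entry is classified as a user, which is exactly why the code then goes looking for `uidNumber` on a group DN and fails; the case-insensitive compare classifies it correctly, and the added length check is what prevents a prefix value from matching under either variant.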