[Freeipa-users] Patch for ipa-sam: ipa-server-trust-ad samba server valid users =@groupname
Jason Woods
devel at jasonwoods.me.uk
Thu Mar 6 21:25:44 UTC 2014
Hi all,
I am quite aware that installing ipa-server-trust-ad and using the samba as a file server is as unsupported as one can get... but I really needed a Samba server integrated with IPA (damn Mac OS and Windows). I don't actually have a Windows environment but this seemed to bootstrap enough of the requirements to get it working.
Bit of a story for those who have time to read and are maybe battling something similar, or just skip to after the log for the fix+patch :)
* ipaNTSecurityIdentifier ended up missing because I didn't use --setsid and NT hash missing because I did not do an ipa passwd reset
* As a result, experienced "user not found" or "invalid password", and after debug level 5 I had about 500M of core dumps (sorry don't have them anymore)
* Ran ipa-adtrust-install again with --setsid and reset some passwords and things started looking better, could connect, all good, NT hash was there and ipaNTSecurityIdentifier there (ldapsearch <3)
* Then next problem was when I added "valid users = @groupname" to share config. Could no longer connect even if member of the group!
* Turned out ipaNTGroupAttrs was missing from some groups - thus had to register the ldif for the ipa-setsid task
Still had problems even after ipa-setsid, and ldapsearch showed all correct.
Here is a snippet from the logs at debug level 10.
> [2014/03/06 15:32:55.658567, 4, pid=28139, effective(0, 0), real(0, 0)] ../source3/smbd/sec_ctx.c:316(set_sec_ctx)
> setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
> [2014/03/06 15:32:55.658601, 5, pid=28139, effective(0, 0), real(0, 0)] ../libcli/security/security_token.c:53(security_token_debug)
> Security token: (NULL)
> [2014/03/06 15:32:55.658634, 5, pid=28139, effective(0, 0), real(0, 0)] ../source3/auth/token_util.c:528(debug_unix_user_token)
> UNIX token of user 0
> Primary group is 0 and contains 0 supplementary groups
> [2014/03/06 15:32:55.658691, 5, pid=28139, effective(0, 0), real(0, 0)] ../source3/lib/smbldap.c:1249(smbldap_search_ext)
> smbldap_search_ext: base => [dc=local,dc=othermedia,dc=com], filter => [(&(ipaNTSecurityIdentifier=S-1-5-21-2563482189-1697247676-1628377611-1005)(|(objectClass=ipaNTGroupAttrs)(objectClass=ipaNTUserAttrs)))], scope => [2]
> [2014/03/06 15:32:55.659599, 10, pid=28139, effective(0, 0), real(0, 0)] ipa_sam.c:309(get_single_attribute)
> Attribute [uidNumber] not found.
> [2014/03/06 15:32:55.659667, 1, pid=28139, effective(0, 0), real(0, 0)] ipa_sam.c:717(ldapsam_sid_to_id)
> Could not find uidNumber in cn=filestore_archive,cn=groups,cn=accounts,dc=local,dc=othermedia,dc=com
> [2014/03/06 15:32:55.659716, 4, pid=28139, effective(0, 0), real(0, 0)] ../source3/smbd/sec_ctx.c:424(pop_sec_ctx)
> pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2014/03/06 15:32:55.659758, 10, pid=28139, effective(0, 0), real(0, 0)] ../source3/passdb/lookup_sid.c:1121(legacy_sid_to_unixid)
> LEGACY: mapping failed for sid S-1-5-21-2563482189-1697247676-1628377611-1005
> [2014/03/06 15:32:55.659796, 4, pid=28139, effective(0, 0), real(0, 0)] ../source3/smbd/sec_ctx.c:216(push_sec_ctx)
> push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
I noticed the "Could not find uidNumber" - turns out ipa-sam was being asked to turn a SID into an ID and was successfully finding it but needed to work out whether it was a group or a user. To do this, it searches the objectClass for "ipaNTGroupAttrs" - if it finds it, it looks for gidNumber, otherwise it looks for uidNumber. However, the objectClass added by ipa-setsid is "ipantgroupattrs" and ipa-sam was using "strncmp".
I've fixed this with a patch to use strncasecmp. Might not be the best fix... maybe ipa-sam should be modified to have the attributes lower case for comparison? But this was the simplest patch. Comments/feedback welcome and maybe I'll have time to do an alternative fix if that is felt to be better?
Versions:
RHEL 6.4 3.0.0-37
Code in master branch appears to show the same issue
References:
freeipa/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.h
around lines 54-55: lowercase objectClass addition
freeipa/daemons/ipa-sam/ipa_sam.c
around line 688: case sensitive comparison to ipaNTGroupAttrs
Patch for master branch:
diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c
index 1ca504d..c5e8b39 100644
--- a/daemons/ipa-sam/ipa_sam.c
+++ b/daemons/ipa-sam/ipa_sam.c
@@ -750,7 +750,7 @@ static bool ldapsam_sid_to_id(struct pdb_methods *methods,
}
for (c = 0; values[c] != NULL; c++) {
- if (strncmp(LDAP_OBJ_GROUPMAP, values[c]->bv_val,
+ if (strncasecmp(LDAP_OBJ_GROUPMAP, values[c]->bv_val,
values[c]->bv_len) == 0) {
break;
}
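Review bot: the switch to strncasecmp on the `+ if (strncasecmp(LDAP_OBJ_GROUPMAP, values[c]->bv_val,` line is the right direction, since LDAP matches objectClass values case-insensitively and the lowercase form written by ipa-sidgen names the same class, but the compare is still bounded only by `values[c]->bv_len`, so it remains a prefix test: any objectClass value shorter than LDAP_OBJ_GROUPMAP whose leading bytes agree would also compare equal, and case-folding widens that slightly. Consider adding `values[c]->bv_len == strlen(LDAP_OBJ_GROUPMAP) &&` in front of the strncasecmp so only the full class name selects the group branch.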
Patch for RHEL 6.5 3.0.0-37:
--- a/daemons/ipa-sam/ipa_sam.c 2014-03-06 19:30:15.994792879 +0000
+++ b/daemons/ipa-sam/ipa_sam.c 2014-03-06 19:35:34.966791637 +0000
@@ -685,7 +685,7 @@
}
for (c = 0; values[c] != NULL; c++) {
- if (strncmp(LDAP_OBJ_GROUPMAP, values[c]->bv_val,
+ if (strncasecmp(LDAP_OBJ_GROUPMAP, values[c]->bv_val,
values[c]->bv_len) == 0) {
break;
}
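Review bot: this hunk is the same one-token change as the master patch but carries no file header beyond the timestamps and no function name in the `@@ -685,7 +685,7 @@` context, and the heading calls it a patch for RHEL 6.5 while the Versions section above says RHEL 6.4 3.0.0-37; please state which package version the backport was made against so whoever applies it can check the line offset. The prefix-match caveat from the master hunk applies here unchanged, since only `values[c]->bv_len` bounds the compare.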
Regards,
Jason
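As an added example, not Jason's patch and not ipa-sam's own code, the following C program puts the three comparison strategies side by side: the pre-patch strncmp loop, the patched strncasecmp loop, and a stricter length-checked variant. The `struct berval_like`, the `to_bervals` helper, the `group_match_*` functions and the sample objectClass lists are all constructed for this illustration; only the class name `ipaNTGroupAttrs` comes from the mail. It shows why a group entry carrying the lowercase class falls through to the uidNumber lookup under strncmp, and why a bv_len-bounded compare still accepts a value that is merely a prefix of the class name.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX) */

/* objectClass ipa-sam looks for when deciding whether a SID belongs to a group
 * (the name is taken from the mail and its log filter). */
#define LDAP_OBJ_GROUPMAP "ipaNTGroupAttrs"

/* Minimal stand-in for the LDAP berval ipa-sam iterates over: length-delimited and
 * not guaranteed NUL-terminated, which is why the real loop passes bv_len to strn*cmp.
 * Constructed for this example, not the libldap type. */
struct berval_like {
    const char *bv_val;
    size_t bv_len;
};

#define MAX_CLASSES 8

/* Build a NULL-terminated berval list from a NULL-terminated array of C strings.
 * Storage is caller-supplied so the example needs no heap allocation. */
static struct berval_like **to_bervals(const char *const *strs,
                                       struct berval_like *store,
                                       struct berval_like **list)
{
    size_t n = 0;
    for (; strs[n] != NULL && n < MAX_CLASSES; n++) {
        store[n].bv_val = strs[n];
        store[n].bv_len = strlen(strs[n]);
        list[n] = &store[n];
    }
    list[n] = NULL;
    return list;
}

/* Pre-patch ipa-sam logic: case-sensitive compare over bv_len bytes. A lowercase
 * "ipantgroupattrs" never matches, so the entry is treated as a user and the later
 * uidNumber lookup fails, which is the "Could not find uidNumber" seen in the log. */
bool group_match_strncmp(const char *const *classes)
{
    struct berval_like store[MAX_CLASSES];
    struct berval_like *list[MAX_CLASSES + 1];
    struct berval_like **values = to_bervals(classes, store, list);

    for (size_t c = 0; values[c] != NULL; c++) {
        if (strncmp(LDAP_OBJ_GROUPMAP, values[c]->bv_val, values[c]->bv_len) == 0)
            return true;
    }
    return false;
}

/* The mail's patch: the same loop with strncasecmp, so letter case no longer matters. */
bool group_match_strncasecmp(const char *const *classes)
{
    struct berval_like store[MAX_CLASSES];
    struct berval_like *list[MAX_CLASSES + 1];
    struct berval_like **values = to_bervals(classes, store, list);

    for (size_t c = 0; values[c] != NULL; c++) {
        if (strncasecmp(LDAP_OBJ_GROUPMAP, values[c]->bv_val, values[c]->bv_len) == 0)
            return true;
    }
    return false;
}

/* Stricter variant (a suggestion, not part of the submitted patch): require the
 * lengths to agree as well, so a value that is merely a prefix of the class name
 * (e.g. "ipaNT") cannot be mistaken for ipaNTGroupAttrs. */
bool group_match_exact(const char *const *classes)
{
    struct berval_like store[MAX_CLASSES];
    struct berval_like *list[MAX_CLASSES + 1];
    struct berval_like **values = to_bervals(classes, store, list);
    size_t want = strlen(LDAP_OBJ_GROUPMAP);

    for (size_t c = 0; values[c] != NULL; c++) {
        if (values[c]->bv_len == want &&
            strncasecmp(LDAP_OBJ_GROUPMAP, values[c]->bv_val, want) == 0)
            return true;
    }
    return false;
}

/* Constructed objectClass lists: the lowercase form the mail says ipa-setsid adds,
 * the mixed-case form, a user entry, and a truncated value that must never count as a group. */
const char *const kLowercaseGroup[] = { "top", "posixgroup", "ipantgroupattrs", NULL };
const char *const kMixedCaseGroup[] = { "top", "posixGroup", "ipaNTGroupAttrs", NULL };
const char *const kUserEntry[]      = { "top", "posixAccount", "ipaNTUserAttrs", NULL };
const char *const kPrefixOnly[]     = { "top", "ipaNT", NULL };

int main(void)
{
    const char *const *cases[] = { kLowercaseGroup, kMixedCaseGroup, kUserEntry, kPrefixOnly };
    const char *names[] = { "lowercase group", "mixed-case group", "user entry", "prefix only" };

    for (size_t i = 0; i < 4; i++) {
        printf("%-17s strncmp=%d strncasecmp=%d exact=%d\n", names[i],
               group_match_strncmp(cases[i]),
               group_match_strncasecmp(cases[i]),
               group_match_exact(cases[i]));
    }
    return 0;
}
```

The lowercase group is the case from the mail: strncmp rejects it while both strncasecmp variants accept it. The "prefix only" row is the reason for the length check: a five-byte value is accepted by both bv_len-bounded compares and rejected only by the exact variant.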
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20140306/6150fc58/attachment.htm>