
Bug #76269

Fix guest account initialization in read-only LDAP environments

Added by Kevin Meijer almost 3 years ago. Updated over 2 years ago.

Status:
Done
Priority:
No priority
Assignee:
Andrew Walker
Category:
Services
Target version:
Seen in:
Severity:
New
Reason for Closing:
Reason for Blocked:
Needs QA:
No
Needs Doc:
No
Needs Merging:
No
Needs Automation:
No
Support Suite Ticket:
n/a
Hardware Configuration:
ChangeLog Required:
No
Tags:

Description

We currently have a simple setup with a single Samba mount with authentication against an OpenLDAP server; the FreeNAS server has read-only access. But since I upgraded to 11.2-U2 from 11.2-U1, SMB refuses to start while LDAP is enabled.

It exits with the following logs:

[2019/02/21 07:59:28.125844,  2] ../source3/param/loadparm.c:2807(lp_do_section)
  Processing section "[timemachine]" 
[2019/02/21 07:59:28.126235,  2] ../source3/lib/interface.c:345(add_interface)
  added interface lo0 ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
[2019/02/21 07:59:28.126262,  2] ../source3/lib/interface.c:345(add_interface)
  added interface vlan350 ip=172.19.10.150 bcast=172.19.255.255 netmask=255.255.0.0
[2019/02/21 07:59:28.126324,  1] ../source3/profile/profile_dummy.c:30(set_profile_level)
  INFO: Profiling support unavailable in this build.
[2019/02/21 07:59:28.127535,  2] ../source3/passdb/pdb_ldap_util.c:281(smbldap_search_domain_info)
  smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=REDACTED))]
[2019/02/21 07:59:28.159375,  2] ../source3/lib/smbldap.c:847(smbldap_open_connection)
  smbldap_open_connection: connection opened
[2019/02/21 07:59:28.264139,  2] ../source3/passdb/pdb_ldap_util.c:281(smbldap_search_domain_info)
  smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=REDACTED))]
[2019/02/21 07:59:28.271122,  2] ../source3/passdb/pdb_ldap_util.c:281(smbldap_search_domain_info)
  smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=REDACTED))]
[2019/02/21 07:59:28.273699,  2] ../source3/lib/smbldap.c:847(smbldap_open_connection)
  smbldap_open_connection: connection opened
[2019/02/21 07:59:28.284080,  2] ../source3/lib/smbldap.c:847(smbldap_open_connection)
  smbldap_open_connection: connection opened
[2019/02/21 07:59:28.343186,  2] ../source3/lib/smbldap.c:847(smbldap_open_connection)
  smbldap_open_connection: connection opened
[2019/02/21 07:59:28.418702,  0] ../source3/groupdb/mapping.c:863(pdb_create_builtin_alias)
  pdb_create_builtin_alias: Could not add group mapping entry for alias 544 (NT_STATUS_ACCESS_DENIED)
[2019/02/21 07:59:28.418824,  2] ../source3/auth/token_util.c:713(finalize_local_nt_token)
  WARNING: Failed to create BUILTIN\Administrators group!  Can Winbind allocate gids?
[2019/02/21 07:59:28.461250,  0] ../source3/groupdb/mapping.c:863(pdb_create_builtin_alias)
  pdb_create_builtin_alias: Could not add group mapping entry for alias 545 (NT_STATUS_ACCESS_DENIED)
[2019/02/21 07:59:28.461287,  2] ../source3/auth/token_util.c:732(finalize_local_nt_token)
  WARNING: Failed to create BUILTIN\Users group! Can Winbind allocate gids?
[2019/02/21 07:59:28.502320,  0] ../source3/groupdb/mapping.c:863(pdb_create_builtin_alias)
  pdb_create_builtin_alias: Could not add group mapping entry for alias 546 (NT_STATUS_ACCESS_DENIED)
[2019/02/21 07:59:28.502426,  2] ../source3/auth/token_util.c:774(finalize_local_nt_token)
  Failed to create BUILTIN\Guests group NT_STATUS_ACCESS_DENIED!  Can Winbind allocate gids?
[2019/02/21 07:59:28.502477,  0] ../source3/auth/auth_util.c:1382(make_new_session_info_guest)
  create_local_token failed: NT_STATUS_ACCESS_DENIED
[2019/02/21 07:59:28.502530,  0] ../source3/smbd/server.c:2000(main)
  ERROR: failed to setup guest info.

The issue can be "fixed" by using a write-allowed user for the LDAP bind; this is only required once, but this is quite unclear. This should at least be a caveat in the upgrade notes, or a different solution (like a downloadable LDIF) should be provided.
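The log above has a recognizable signature: three `pdb_create_builtin_alias` failures with `NT_STATUS_ACCESS_DENIED` for the well-known BUILTIN alias RIDs 544, 545 and 546, followed by the fatal `failed to setup guest info`. The following triage script is an added example, not FreeNAS or Samba code; it parses smbd's header-plus-indented-message log layout and flags that pattern as a passdb backend (the LDAP bind) that cannot write group mapping entries. The sample log is constructed in the shape of the report.

```python
import re

# One smbd log record is a header "[timestamp, level] file:line(function)"
# followed by one or more indented message lines.
HEADER_RE = re.compile(r"^\[(?P<ts>[^,\]]+),\s*(?P<level>\d+)\]\s+(?P<src>\S+)\((?P<func>\w+)\)\s*$")
ALIAS_RE = re.compile(r"Could not add group mapping entry for alias (\d+) \((NT_STATUS_\w+)\)")
BUILTIN_RIDS = {544: "Administrators", 545: "Users", 546: "Guests"}  # well-known BUILTIN aliases

# Constructed sample modelled on the report's log excerpt (not a real capture).
SAMPLE_LOG = r"""
[2019/02/21 07:59:28.418702,  0] ../source3/groupdb/mapping.c:863(pdb_create_builtin_alias)
  pdb_create_builtin_alias: Could not add group mapping entry for alias 544 (NT_STATUS_ACCESS_DENIED)
[2019/02/21 07:59:28.418824,  2] ../source3/auth/token_util.c:713(finalize_local_nt_token)
  WARNING: Failed to create BUILTIN\Administrators group!  Can Winbind allocate gids?
[2019/02/21 07:59:28.461250,  0] ../source3/groupdb/mapping.c:863(pdb_create_builtin_alias)
  pdb_create_builtin_alias: Could not add group mapping entry for alias 545 (NT_STATUS_ACCESS_DENIED)
[2019/02/21 07:59:28.502320,  0] ../source3/groupdb/mapping.c:863(pdb_create_builtin_alias)
  pdb_create_builtin_alias: Could not add group mapping entry for alias 546 (NT_STATUS_ACCESS_DENIED)
[2019/02/21 07:59:28.502477,  0] ../source3/auth/auth_util.c:1382(make_new_session_info_guest)
  create_local_token failed: NT_STATUS_ACCESS_DENIED
[2019/02/21 07:59:28.502530,  0] ../source3/smbd/server.c:2000(main)
  ERROR: failed to setup guest info.
"""

def parse_smbd_log(text):
    """Group each header line with the indented message text that follows it."""
    records = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            records.append({**m.groupdict(), "msg": ""})
        elif records and line.startswith(" "):
            records[-1]["msg"] = (records[-1]["msg"] + " " + line.strip()).strip()
    return records

def diagnose_guest_init(records):
    """Correlate BUILTIN alias creation failures with the fatal guest-info error."""
    denied, guest_init_failed = {}, False
    for r in records:
        m = ALIAS_RE.search(r["msg"])
        if r["func"] == "pdb_create_builtin_alias" and m:
            denied[int(m.group(1))] = m.group(2)
        if r["func"] == "main" and "failed to setup guest info" in r["msg"]:
            guest_init_failed = True
    # ACCESS_DENIED on the well-known aliases plus a fatal guest setup: the passdb
    # backend (here the LDAP bind DN) could not write the group mapping entries.
    readonly_suspected = guest_init_failed and bool(denied) and all(
        rid in BUILTIN_RIDS and st == "NT_STATUS_ACCESS_DENIED" for rid, st in denied.items())
    return {"denied_aliases": sorted(denied),
            "missing_groups": ["BUILTIN\\" + BUILTIN_RIDS[r] for r in sorted(denied) if r in BUILTIN_RIDS],
            "guest_init_failed": guest_init_failed,
            "readonly_passdb_suspected": readonly_suspected}
```

Run `diagnose_guest_init(parse_smbd_log(open("/var/log/samba4/log.smbd").read()))` against a real log to get the same verdict dictionary.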


Related issues

Copied to FreeNAS - Bug #77629: SMB Refuses to start with LDAP enabled (Done)

History

#1 Updated by Kevin Meijer almost 3 years ago

  • Description updated (diff)

#3 Updated by Andrew Walker almost 3 years ago

  • Status changed from Unscreened to Screened
  • Assignee changed from Release Council to Andrew Walker

#4 Updated by Kevin Meijer almost 3 years ago

  • Description updated (diff)

#5 Updated by Andrew Walker almost 3 years ago

Hi Kevin, I was unable to reproduce this internally in my ldap environment. Can you upload a debug file?

Ultimately, this is probably related to the change from Samba 4.7 to 4.9. During server startup it tries to make and fill a user_info struct for a guest login. This must succeed for smbd to start.

#6 Updated by Kevin Meijer almost 3 years ago

Andrew Walker wrote:

Hi Kevin, I was unable to reproduce this internally in my ldap environment. Can you upload a debug file?

Ultimately, this is probably related to the change from Samba 4.7 to 4.9. During server startup it tries to make and fill a user_info struct for a guest login. This must succeed for smbd to start.

Hi Andrew, I've already fixed this issue by binding using an admin user which allowed SMB to create the entries. Is it still useful to upload the debug file?

#7 Updated by Andrew Walker almost 3 years ago

Yes, it would still be useful since I need to reproduce your issue in order to see if there's a better way to fix it on our end. Feel free to redact any sensitive information before uploading. I will delete the debug once I'm done reviewing it.

#8 Updated by Kevin Meijer almost 3 years ago

  • File debug-backup-20190221175658.tgz added

Andrew Walker wrote:

Yes, it would still be useful since I need to reproduce your issue in order to see if there's a better way to fix it on our end. Feel free to redact any sensitive information before uploading. I will delete the debug once I'm done reviewing it.

Very well, here you go.

#9 Updated by Dru Lavigne almost 3 years ago

  • Private changed from No to Yes

#10 Updated by Kevin Meijer almost 3 years ago

Kevin Meijer wrote:

Andrew Walker wrote:

Yes, it would still be useful since I need to reproduce your issue in order to see if there's a better way to fix it on our end. Feel free to redact any sensitive information before uploading. I will delete the debug once I'm done reviewing it.

Very well, here you go.

I don't know if this information might also be useful, but just in case:

  • The LDAP server has a mirrored OpenLDAP 2.4 installation
  • The LDAP server has the SMB schema which is included in the Debian stretch package (4.5)

#11 Updated by Andrew Walker almost 3 years ago

Okay. I was able to reproduce the problem. Now investigating possible fixes.

[2019/02/25 13:21:07.391456,  0] ../source3/groupdb/mapping.c:863(pdb_create_builtin_alias)
  pdb_create_builtin_alias: Could not add group mapping entry for alias 544 (NT_STATUS_ACCESS_DENIED)
[2019/02/25 13:21:07.398597,  0] ../source3/groupdb/mapping.c:863(pdb_create_builtin_alias)
  pdb_create_builtin_alias: Could not add group mapping entry for alias 545 (NT_STATUS_ACCESS_DENIED)
[2019/02/25 13:21:07.405681,  0] ../source3/groupdb/mapping.c:863(pdb_create_builtin_alias)
  pdb_create_builtin_alias: Could not add group mapping entry for alias 546 (NT_STATUS_ACCESS_DENIED)

#13 Updated by Bug Clerk almost 3 years ago

  • Status changed from Screened to In Progress

#14 Updated by Bug Clerk almost 3 years ago

  • Status changed from In Progress to Ready for Testing

#15 Updated by Bug Clerk almost 3 years ago

  • Target version changed from Backlog to 11.2-U3

#16 Updated by Bug Clerk almost 3 years ago

  • Copied to Bug #77629: SMB Refuses to start with LDAP enabled added

#17 Updated by Dru Lavigne almost 3 years ago

  • File deleted (debug-backup-20190221175658.tgz)

#18 Updated by Dru Lavigne almost 3 years ago

  • Subject changed from SMB Refuses to start with LDAP enabled to Fix guest account initialization in read-only LDAP environments
  • Private changed from Yes to No
  • Needs Doc changed from Yes to No
  • Needs Merging changed from Yes to No

#24 Updated by Dru Lavigne over 2 years ago

  • Status changed from Passed Testing to Done
  • Needs QA changed from Yes to No
