This is a discussion on [Samba] samba + slave OpenLdap (read-only) within the Samba forums, part of the Networking and Network Related category.

I looked at samba code and I found this:

    while (another_ldap_try(ldap_state, &rc, &attempts, endtime)) {
        rc = ldap_modify_s(ldap_state->ldap_struct, utf8_dn, attrs);
        if (rc != LDAP_SUCCESS) {
            char *ld_error = NULL;
            int ld_errno;

            ldap_get_option(ldap_state->ldap_struct,
                            LDAP_OPT_ERROR_NUMBER, &ld_errno);
            ldap_get_option(ldap_state->ldap_struct,
                            LDAP_OPT_ERROR_STRING, &ld_error);
            DEBUG(10, ("Failed to modify dn: %s, error: %d (%s) "
                       "(%s)\n", dn, ld_errno,
                       ldap_err2string(rc),
                       ld_error ? ld_error : "unknown"));
            SAFE_FREE(ld_error);

            /* Only LDAP_SERVER_DOWN drops the connection so that the
               next try can reconnect; every other error, including a
               referral, leaves the connection in place. */
            if (ld_errno == LDAP_SERVER_DOWN) {
                ldap_unbind(ldap_state->ldap_struct);
                ldap_state->ldap_struct = NULL;
            }
        }
    }

Samba does NOT follow the referral returned by the openldap server, at least in this situation (joining machines). Samba will only try another server if the first one is DOWN. In my opinion, it should try another server if any error occurs during any ldap operation.

So many thanks.

João Alfredo

On Wed, Jul 2, 2008 at 6:35 PM, Volker Lendecke <Volker.Lendecke@sernet.de> wrote:
> On Wed, Jul 02, 2008 at 04:47:42PM -0300, jakjr wrote:
> > Hey,
> >
> > Here is another log:
> >
> > Samba tries to change some attributes, like sambaNTPassword (green)
> > and ldap returns an error (red) and a referral for the master ldap. But samba
> > does not follow this referral.
> >
> > Why does samba try to change these attributes ??
>
> Because the machine vmcelepar11201 tried to change its
> password. A sniff of the LDAP traffic might help a bit
> towards finding the failure to follow the referral. But
> please beware that this traffic contains password
> equivalents or even passwords.
>
> Volker

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba

On Thu, Jul 03, 2008 at 10:05:07AM -0300, jakjr wrote:
> I looked at samba code and I found this:

Can you send sample code for how this should be done? AFAIK the LDAP libs should take care of this. That's the whole point of having the rebind_proc stuff around.

Volker

Yes! rebind_proc should be called if the error returned by openldap was "Referral". I'm not a developer and can't help much with this. Sorry.

João Alfredo

On Thu, Jul 3, 2008 at 10:12 AM, Volker Lendecke <Volker.Lendecke@sernet.de> wrote:
> On Thu, Jul 03, 2008 at 10:05:07AM -0300, jakjr wrote:
> > I looked at samba code and I found this:
>
> Can you send sample code for how this should be done? AFAIK the
> LDAP libs should take care of this. That's the whole point
> of having the rebind_proc stuff around.
>
> Volker

On Thu, Jul 03, 2008 at 10:18:58AM -0300, jakjr wrote:
> Yes! rebind_proc should be called if the error returned by openldap was
> "Referral".

Then if you don't provide the sniff I have asked for, the developers can not be of much help. Please also check your /etc/ldap.conf (or so) for the setting of REFERRAL. It must be set to yes, which is the default.

Volker

On Thu, Jul 3, 2008 at 9:12 AM, Volker Lendecke <Volker.Lendecke@sernet.de> wrote:
>
> Can you send sample code for how this should be done? AFAIK the
> LDAP libs should take care of this. That's the whole point
> of having the rebind_proc stuff around.

I believe that the OpenLDAP libraries have been able to chase referrals and failovers and deal with heavily paged search results for many years now. In the case of searching, programmers must use the API correctly (in other words, don't just ignore it when the libs return a "more results pending" flag), but in the case of referrals LDAP_OPT_REFERRALS is by default set to LDAP_OPT_ON, so it should be reasonably transparent to the programmer. Authoritative information should be easily available from the OpenLDAP.org site, so don't take my word for it!

The most common problem I see with busted referrals is when someone sets up a program (such as samba) to use the local replica's rootdn/rootpw as defined in /etc/slapd.conf (which allows bypassing ACLs and whatnot) but does not define that dn and password to have appropriate access on the master server. If the admindn that samba is using does not have the ability to write the master slapd, it won't matter if it has unrestricted access to the slave.

--Charlie

On Thu, Jul 3, 2008 at 2:54 PM, Charlie <medievalist@gmail.com> wrote:
>
> The most common problem I see with busted referrals is when someone
> sets up a program (such as samba) to use the local replica's
> rootdn/rootpw as defined in /etc/slapd.conf (which allows bypassing
> ACLs and whatnot) but does not define that dn and password to have
> appropriate access on the master server. If the admindn that samba is
> using does not have the ability to write the master slapd, it won't
> matter if it has unrestricted access to the slave.

Whoops, replying to myself here. I have been privately warned that allowing multiple samba servers unlimited write access to one's LDAP database can cause creation of duplicate entries for single entities (such as machine trust accounts). Which leads to the dreaded "multiple LDAP objects returned" error in the logs if you have samba BDCs.

I do not recommend that any daemon have totally unrestricted write access to one's LDAP directory. I do not recommend that any entity (other than a trusted human being) use the master slapd's rootdn/rootpw for anything.

http://www.openldap.org/faq/index.cg...ootdn&file=761

In my systems, the samba rootdn has the ability to write all samba-only LDAP attributes but does not have the ability to create POSIX accounts or anything else unrelated to samba. Machine trust accounts have the ability to modify their own passwords, because I am not sure when they bind as the samba admindn and when they bind with their own credentials.

I use samba to integrate proprietary desktops into standards-based networks, and sometimes I forget that other people are doing the opposite. Our POSIX accounts, including machine trusts, are created and deleted by human beings in accordance with the US federal regulations that apply to my employer.

I hope no-one misinterpreted my previous post.

--Charlie

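As an added illustration of the split Charlie describes (example configuration, not from this thread or from the Samba project; every DN, host and suffix is assumed): a slapd.conf fragment in which the read-only replica hands writes to the master with `updateref`, and the Samba admin DN may write only the Samba attributes while POSIX attributes and entry creation stay with a human admin group. The ACL block has to be present on the master as well, because that is where the referred write actually lands.

```conf
# Added example, not from the thread. DNs, hosts and suffix are assumed.

# --- on the read-only replica only ---
# Any write arriving here is answered with a referral to the master, so the
# Samba admin DN needs write rights on the master, not on this replica.
updateref   ldap://ldap-master.example.com

# --- on the master, and identically on the replica so reads behave alike ---
# Password hashes: writable by the Samba admin DN, visible to nobody else.
access to attrs=sambaLMPassword,sambaNTPassword,sambaPwdLastSet
        by dn.exact="cn=samba-admin,ou=daemons,dc=example,dc=com" write
        by * none

# Other Samba-only attributes: Samba admin DN writes, authenticated users read.
access to attrs=sambaSID,sambaPrimaryGroupSID,sambaAcctFlags,sambaKickoffTime
        by dn.exact="cn=samba-admin,ou=daemons,dc=example,dc=com" write
        by users read

# userPassword: the account itself and the human admins may change it;
# anonymous may only use it to bind. The Samba admin DN gets nothing here.
access to attrs=userPassword
        by group.exact="cn=directory-admins,ou=groups,dc=example,dc=com" write
        by self write
        by anonymous auth
        by * none

# POSIX attributes: human admins only. The Samba admin DN cannot touch them.
access to attrs=uid,uidNumber,gidNumber,homeDirectory,loginShell
        by group.exact="cn=directory-admins,ou=groups,dc=example,dc=com" write
        by * read

# Creating or deleting entries is controlled by the entry/children
# pseudo-attributes. Without write here the Samba admin DN can update an
# existing machine trust account but cannot create a second copy of it.
access to dn.subtree="ou=Computers,dc=example,dc=com" attrs=entry,children
        by group.exact="cn=directory-admins,ou=groups,dc=example,dc=com" write
        by * read

# Everything else: human admins write, everyone else reads.
access to *
        by group.exact="cn=directory-admins,ou=groups,dc=example,dc=com" write
        by * read
```

To check the effective rights, run a test modification as the Samba admin DN directly against the master rather than the replica; a test against the replica only exercises the referral, not the master's ACL.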
On Thu, 2008-07-03 at 16:04 -0400, Charlie wrote:
> On Thu, Jul 3, 2008 at 2:54 PM, Charlie <medievalist@gmail.com> wrote:
> >
> > The most common problem I see with busted referrals is when someone
> > sets up a program (such as samba) to use the local replica's
> > rootdn/rootpw as defined in /etc/slapd.conf (which allows bypassing
> > ACLs and whatnot) but does not define that dn and password to have
> > appropriate access on the master server. If the admindn that samba is
> > using does not have the ability to write the master slapd, it won't
> > matter if it has unrestricted access to the slave.
>
> Whoops, replying to myself here. I have been privately warned that
> allowing multiple samba servers unlimited write access to one's LDAP
> database can cause creation of duplicate entries for single entities
> (such as machine trust accounts). Which leads to the dreaded
> "multiple LDAP objects returned" error in the logs if you have samba
> BDCs.

If they do, then it is a bug in your configuration.

> I do not recommend that any daemon have totally unrestricted write
> access to one's LDAP directory. I do not recommend that any entity
> (other than a trusted human being) use the master slapd's
> rootdn/rootpw for anything.
>
> http://www.openldap.org/faq/index.cg...ootdn&file=761
>
> In my systems, the samba rootdn has the ability to write all
> samba-only LDAP attributes but does not have the ability to create
> POSIX accounts or anything else unrelated to samba. Machine trust
> accounts have the ability to modify their own passwords, because I am
> not sure when they bind as the samba admindn and when they bind with
> their own credentials.

They never bind with their own credentials. Clients in NT4-emulated domains do not know about LDAP, so all access is via Samba, and all access via Samba is with the Samba credentials.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc.