Samba 4 alpha and OpenLDAP

Hello,

I'm playing withe Samba 4 alpha and OpenLDAP, but the setup/provision
script fails.

I work on a blank dedicated test machine (running Ubuntu 8.04.1).

I build and install OpenLDAP (2.4.10) on the machine,
then download the latest Samba sources
(smbd -V says "Version 4.0.0alpha6-GIT-f567e17").
I build Samba (configure, make, make install) then run the provision
scripts:


$ ./setup/provision-backend --realm=test.mycorp.com \
              --ldap-admin-pass=secret \
              --ldap-backend-type=openldap \
              --server-role='domain controller' \
              --domain=TEST

=> this script run fine



$ /usr/local/openldap/libexec/slapd -d0 -f
/usr/local/samba/private/ldap/slapd.conf -h
ldapi://%2Fusr%2Flocal%2Fsamba%2Fprivate%2Fldap%2Fldapi

=> slapd seems to be started



$ ./setup/provision --realm=TEST.MYCORP.COM \
          --domain=TEST \
          --server-role='domain controller' \
          --ldap-backend=ldapi \
          --username=samba-admin \
          --password=secret

=> This last script fails, with the following output:

Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up templates db
Setting up idmap db
schema_fsmo_init: no schema dn present: (skip schema loading)
naming_fsmo_init: no partitions dn present: (skip loading of naming
contexts det                                                         ails)
pdc_fsmo_init: no domain dn present: (skip loading of domain details)
Setting up sam.ldb attributes
Setting up sam.ldb rootDSE
Erasing data from partitions
schema_fsmo_init: no schema head present: (skip schema loading)
naming_fsmo_init: no partitions dn present: (skip loading of naming
contexts det                                                         ails)
pdc_fsmo_init: no domain object present: (skip loading of domain details)
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=test,DC=mycorp,DC=com (permitted to fail)
Traceback (most recent call last):
   File "./setup/provision", line 158, in <module>
     ldap_backend_type=opts.ldap_backend_type)
   File "bin/python/samba/provision.py", line 1028, in provision
     ldap_backend_type=ldap_backend_type)
   File "bin/python/samba/provision.py", line 773, in setup_samdb
     "DOMAIN_OC": domain_oc
   File "bin/python/samba/provision.py", line 171, in setup_add_ldif
     ldb.add_ldif(data)
   File "bin/python/samba/__init__.py", line 188, in add_ldif
     self.add(msg)
_ldb.LdbError: (1, 'Unable to find backend operation for sequence_number')





Is there something I've missed, or I should check to continue?

Thanks,

chris

On Wed, 2008-07-16 at 14:03 +0200, Christophe Thibault wrote: These steps look correct so far.
Can you check this is all running from the same build, and that you
don't have some weird mix of two builds?  Ensure you do not have a
system ldb or similar somehow mixed in there.

I'm actively looking into LDAP backend issues, and I'll try to chase
this down a bit more tomorrow.

Andrew Bartlett
--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.

Hi Andrew,

Thanks for your feedback.

I reinstall from scratch the test machine this morning, before building
Samba so I'm quite sure that I only have one build .

Here the way I download and update my Samba sources (since I'm not
familiar with git, this can be the issue):

$ cd ~/build/
$ git clone git://git.samba.org/samba.git samba4
$ cd samba4
$ git checkout -b v4-0-test origin/v4-0-test
$ rm .git/objects/info/alternates
$ rm .git/refs/tags/*
$ rm -r .git/refs/remotes/
$ git config remote.origin.url git://git.samba.org/samba.git
$ git config --add remote.origin.fetch +refs/tags/*:refs/tags/*
$ git fetch
$ git pull
$ cd source
$ ./autogen.sh
$ ./configure
$ make
$ make install
...


Thanks,

Chris


Andrew Bartlett a écrit :

[christophe_thibault.vcf]

---

begin:vcard
fn:Christophe Thibault
n:Thibault;Christophe
org:Planisware
adr:;;102 Rue Etiene Dolet;Malakoff;;92240;France
email;internet:christophe.thibault@...
title:Software Engineer
tel;work:+33 1 41 48 48 66
tel;fax:+33 1 41 48 48 50
x-mozilla-html:FALSE
url:http://www.planisware.com
version:2.1
end:vcard

---

On Wed, 2008-07-16 at 14:47 +0200, Christophe Thibault wrote:
> Hi Andrew,
>
> Thanks for your feedback.
>
> I reinstall from scratch the test machine this morning, before building
> Samba so I'm quite sure that I only have one build .

Can you run ldd on the resulting smbd?

Do you have a libldb installed via apt-get?

Other than that, I'm a bit stumped, but I'll chase this up later today.

Andrew Bartlett

--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.

Hi Andrew,

$ ldd /usr/local/samba/sbin/smbd
        linux-gate.so.1 =>  (0xb7f85000)
        libpthread.so.0 => /lib/tls/i686/cmov/libpthread.so.0 (0xb7f67000)
        libdl.so.2 => /lib/tls/i686/cmov/libdl.so.2 (0xb7f63000)
        libutil.so.1 => /lib/tls/i686/cmov/libutil.so.1 (0xb7f5e000)
        libm.so.6 => /lib/tls/i686/cmov/libm.so.6 (0xb7f39000)
        libpython2.5.so.1.0 => /usr/lib/libpython2.5.so.1.0 (0xb7e04000)
        libcrypt.so.1 => /lib/tls/i686/cmov/libcrypt.so.1 (0xb7dd2000)
        libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0xb7dbb000)
        libresolv.so.2 => /lib/tls/i686/cmov/libresolv.so.2 (0xb7da7000)
        libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0xb7c58000)
        /lib/ld-linux.so.2 (0xb7f86000)


I've checked for libldb, but it seems to be uninstalled (it doesn't
appear in the "dpkg -l" output).

Thanks,

chris




Andrew Bartlett a écrit :
--
Christophe THIBAULT - Planisware
102 Rue Etienne Dolet
92247 Malakoff Cedex
France
http://www.planisware.com


[christophe_thibault.vcf]

---

begin:vcard
fn:Christophe Thibault
n:Thibault;Christophe
org:Planisware
adr:;;102 Rue Etiene Dolet;Malakoff;;92240;France
email;internet:christophe.thibault@...
title:Software Engineer
tel;work:+33 1 41 48 48 66
tel;fax:+33 1 41 48 48 50
x-mozilla-html:FALSE
url:http://www.planisware.com
version:2.1
end:vcard

---

On Thu, 2008-07-17 at 09:55 +0200, Christophe Thibault wrote: No worries.  I'll try and get my Ubuntu test machine working, and see if
I can reproduce.  

I'm also trying to work on some other issues with LDAP in the current
GIT tree - I restricted the ACLs and broke some stuff :-(.

Andrew Bartlett

--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.

Andrew Bartlett wrote: Would you like me to check out this same revision and compile it on the
Slackware-12 VM that I successfully got samba4 working on a week or two
ago?  I have the VM under subversion (FSVS, For The Win!); I should be
able to revert the VM to right before my last build, build this version,
and give you a diff.  Would this help isolate the problem at all?

On Wed, 2008-07-16 at 14:03 +0200, Christophe Thibault wrote: Thinking about how to isolate this a bit further, I think it would be
useful for you to (attempt to) run the LDAP backend testsuite.

Can you run:

OPENLDAP_ROOT=/usr/local/openldap TEST_LDAP=yes make test

Thanks,

Andrew Bartlett

--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.

On Thu, 2008-07-17 at 04:38 -0400, Scott Lovenberg wrote:
> Andrew Bartlett wrote:

> Would you like me to check out this same revision and compile it on the
> Slackware-12 VM that I successfully got samba4 working on a week or two
> ago?  I have the VM under subversion (FSVS, For The Win!); I should be
> able to revert the VM to right before my last build, build this version,
> and give you a diff.  Would this help isolate the problem at all?

More testing, particularly on the LDAP backend is always welcome.  

That said, I've been building and working on the LDAP backend all week,
and not encountered this particular error yet (been finding and fixing
numerous others).

Andrew Bartlett

--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.

On Wed, 2008-07-16 at 14:03 +0200, Christophe Thibault wrote: You have to also specify
        --ldap-backend-type=openldap \

In the provision arguments.  It must match what was set in
provision-backend.

I'll add an error message to make this more clear in future.  

Thanks,

Andrew Bartlett

--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.

Hi Andrew,

I'll rebuild this morning, and send you the result today.
I'll also try to run the LDAP backend test suite, as you mentioned in
your previous mail.


Thanks,
chris

Andrew Bartlett a écrit :
--
Christophe THIBAULT - Planisware
102 Rue Etienne Dolet
92247 Malakoff Cedex
France
http://www.planisware.com


[christophe_thibault.vcf]

---

begin:vcard
fn:Christophe Thibault
n:Thibault;Christophe
org:Planisware
adr:;;102 Rue Etiene Dolet;Malakoff;;92240;France
email;internet:christophe.thibault@...
title:Software Engineer
tel;work:+33 1 41 48 48 66
tel;fax:+33 1 41 48 48 50
x-mozilla-html:FALSE
url:http://www.planisware.com
version:2.1
end:vcard

---

Hi Andrew,

with the "--ldap-backend-type=openldap" option, the last script works fine.

I can now continue in my testing.

Thanks,

chris



Andrew Bartlett a écrit :
--
Christophe THIBAULT - Planisware
102 Rue Etienne Dolet
92247 Malakoff Cedex
France
http://www.planisware.com


[christophe_thibault.vcf]

---

begin:vcard
fn:Christophe Thibault
n:Thibault;Christophe
org:Planisware
adr:;;102 Rue Etiene Dolet;Malakoff;;92240;France
email;internet:christophe.thibault@...
title:Software Engineer
tel;work:+33 1 41 48 48 66
tel;fax:+33 1 41 48 48 50
x-mozilla-html:FALSE
url:http://www.planisware.com
version:2.1
end:vcard

---

Hi,

The OpenLDAP server starts fine, Samba also starts fine, but after
running the scripts, the database seems to be quite empty.

It only contains the following objects (dumped with the "openldap
slapcat command):


## start -----
dn: cn=Samba
objectClass: top
objectClass: container
cn: Samba

dn: cn=samba-admin,cn=Samba
objectClass: top
objectClass: person
cn: samba-admin
userPassword:: c2VjcmV0
## end -------


I expected more objects, containers for groups, users, etc.

Do I miss something?


Thanks,

chris


Christophe Thibault a écrit :

On Tue, 2008-07-22 at 10:38 +0200, Christophe Thibault wrote: This is the Samba 'management partitition' (for want of a better
description).  It contains just enough so that we can do a SASL bind to
OpenLDAP, and create the rest with the actual provision script, against
a 'live' openldap instance.

The rest will be under dc=example,dc=com (or whatever you selected).

Andrew Bartlett

--
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.                  http://redhat.com

oops,

I saw what I missed ;)

I have to specify to the slapcat command the database number to dump it,
since there are multiple databases ;)

Thanks for the info, I continue to play !

chris

Andrew Bartlett a écrit :
--
Christophe THIBAULT - Planisware
102 Rue Etienne Dolet
92247 Malakoff Cedex
France
http://www.planisware.com


[christophe_thibault.vcf]

---

begin:vcard
fn:Christophe Thibault
n:Thibault;Christophe
org:Planisware
adr:;;102 Rue Etiene Dolet;Malakoff;;92240;France
email;internet:christophe.thibault@...
title:Software Engineer
tel;work:+33 1 41 48 48 66
tel;fax:+33 1 41 48 48 50
x-mozilla-html:FALSE
url:http://www.planisware.com
version:2.1
end:vcard

---

Hi,

I tried to join a XP SP2 workstation to my test domain, but get the
following error messages:

* on the workstation, while getting the domain:

"The following error occurred attempting to join the domain 'XXXXXX':
Unable to update the password. The value provided as the current
password is incorrect."


* On the samba logs:

There are "netlogon request to XXXX<1c> from 172.16.15.11:138"
(172.16.15.11 is my XP workstation IP).

There is also these traces:

Kerberos: AS-REQ Administrator@XXXXX from 172.16.15.11 for
krbtgt/XXXXX@XXXXX
Kerberos: Client sent patypes: encrypted-timestamp, 128
Kerberos: Looking for PKINIT pa-data -- Administrator@XXXXX
Kerberos: Looking for ENC-TS pa-data -- Administrator@XXXXX
Kerberos: ENC-TS Pre-authentication succeeded -- Administrator@XXXXX
using arcfour-hmac-md5
Kerberos: Client supported enctypes: arcfour-hmac-md5, -133, -128,
des-cbc-md5, des-cbc-crc, 24, -135
Kerberos: Using arcfour-hmac-md5/arcfour-hmac-md5
Kerberos: Requested flags: renewable_ok, canonicalize, renewable,
forwardable
Kerberos: AS-REQ authtime: 2008-07-24T15:10:26 starttime: unset endtime:
2037-09-13T04:48:05 renew till: 2037-09-13T04:48:05
Kerberos: AS-REQ Administrator@XXXXX from 172.16.15.11 for
krbtgt/XXXXX@XXXXX
Kerberos: Client sent patypes: encrypted-timestamp, 128
Kerberos: Looking for PKINIT pa-data -- Administrator@XXXXX
Kerberos: Looking for ENC-TS pa-data -- Administrator@XXXXX
Kerberos: ENC-TS Pre-authentication succeeded -- Administrator@XXXXX
using arcfour-hmac-md5
Kerberos: Client supported enctypes: arcfour-hmac-md5, -133, -128,
des-cbc-md5, des-cbc-crc, 24, -135
Kerberos: Using arcfour-hmac-md5/arcfour-hmac-md5
Kerberos: Requested flags: renewable_ok, canonicalize, renewable,
forwardable
Kerberos: AS-REQ authtime: 2008-07-24T15:10:27 starttime: unset endtime:
2037-09-13T04:48:05 renew till: 2037-09-13T04:48:05
single_terminate: reason[NT_STATUS_END_OF_FILE]
Kerberos: TGS-REQ Administrator@... from 172.16.15.11 for
cifs/CINDY@... [renewable, forwardable]
Kerberos: TGS-REQ authtime: 2008-07-24T15:10:27 starttime:
2008-07-24T15:10:27 endtime: 2037-09-13T04:48:05 renew till: unset
Kerberos: TGS-REQ Administrator@... from 172.16.15.11 for
krbtgt/XXXXX.MYCORP.COM@... [renewable_ok, canonicalize,
renewable, forwarded, forwardable]
Kerberos: TGS-REQ authtime: 2008-07-24T15:10:27 starttime:
2008-07-24T15:10:27 endtime: 2037-09-13T04:48:05 renew till: unset
Kerberos: TGS-REQ Administrator@... from 172.16.15.11 for
krbtgt/XXXXX.MYCORP.COM@... [renewable_ok, canonicalize,
renewable, forwarded, forwardable]
Kerberos: TGS-REQ authtime: 2008-07-24T15:10:27 starttime:
2008-07-24T15:10:27 endtime: 2037-09-13T04:48:05 renew till: unset
single_terminate: reason[NT_STATUS_END_OF_FILE]
...
using SPNEGO
Selected protocol [5][NT LM 0.12]
Kerberos: AS-REQ Administrator@XXXXX from 172.16.15.11 for
krbtgt/XXXXX@XXXXX
Kerberos: Client sent patypes: encrypted-timestamp, 128
Kerberos: Looking for PKINIT pa-data -- Administrator@XXXXX
Kerberos: Looking for ENC-TS pa-data -- Administrator@XXXXX
Kerberos: ENC-TS Pre-authentication succeeded -- Administrator@XXXXX
using arcfour-hmac-md5
Kerberos: Client supported enctypes: arcfour-hmac-md5, -133, -128,
des-cbc-md5, des-cbc-crc, 24, -135
Kerberos: Using arcfour-hmac-md5/arcfour-hmac-md5
Kerberos: Requested flags: renewable_ok, canonicalize, renewable,
forwardable
Kerberos: AS-REQ authtime: 2008-07-24T15:10:36 starttime: unset endtime:
2037-09-13T04:48:05 renew till: 2037-09-13T04:48:05
Kerberos: AS-REQ Administrator@XXXXX from 172.16.15.11 for
krbtgt/XXXXX@XXXXX
Kerberos: Client sent patypes: encrypted-timestamp, 128
Kerberos: Looking for PKINIT pa-data -- Administrator@XXXXX
Kerberos: Looking for ENC-TS pa-data -- Administrator@XXXXX
Kerberos: ENC-TS Pre-authentication succeeded -- Administrator@XXXXX
using arcfour-hmac-md5
Kerberos: Client supported enctypes: arcfour-hmac-md5, -133, -128,
des-cbc-md5, des-cbc-crc, 24, -135
Kerberos: Using arcfour-hmac-md5/arcfour-hmac-md5
Kerberos: Requested flags: renewable_ok, canonicalize, renewable,
forwardable
Kerberos: AS-REQ authtime: 2008-07-24T15:10:36 starttime: unset endtime:
2037-09-13T04:48:05 renew till: 2037-09-13T04:48:05
single_terminate: reason[NT_STA