Bug 624036 - net-nds/openldap or net-fs/samba: gentoo distro provided rfc2307bis.schema causes samba breakage
Status: UNCONFIRMED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo's SAMBA Team
Reported: 2017-07-06 17:21 UTC by Luke McKee
Modified: 2023-02-12 06:43 UTC
Description Luke McKee 2017-07-06 17:21:38 UTC
Also See bug 302310.

objectClass posixGroup has to be structural, like nis.schema and the RFC say, right?
I think everyone agrees the final RFC got it right and the Gentoo schema file is wrong, even though it follows:
https://tools.ietf.org/html/draft-howard-rfc2307bis-02

Why is this old one included? I chose it because I wanted automount support.

Here's how it breaks samba.

https://wiki.samba.org/index.php/Ldapsam_Editposix won't work when you get up to
net sam provision

When you turn up debugging from net you get

Failed to add dn: cn=domusers,ou=group,dc=victimsofgaybullying,dc=com, error: 65 (Object class violation) (no structural object class provided)

See the source:
https://github.com/samba-team/samba/blob/master/source3/utils/net_sam.c

The rfc2307bis.schema is a Gentoo-distributed file that is dated 2014??
https://gitweb.gentoo.org/repo/gentoo.git/tree/net-nds/openldap/openldap-2.4.45.ebuild?id=d8579d0f043e8eefe774b8aec6a21316e0a6c527

Here's how I fixed it with ldapmodify.

dn: cn={6}rfc2307bis,cn=schema,cn=config
changetype: modify
delete: olcObjectClasses
olcObjectClasses: {2}  ( 1.3.6.1.1.1.2.2 NAME 'posixGroup' SUP top AUXILIARY
         DESC 'Abstraction of a group of accounts'
         MUST gidNumber
         MAY ( userPassword $ memberUid $
               description ) )

dn: cn={6}rfc2307bis,cn=schema,cn=config
changetype: modify
add: olcObjectClasses
olcObjectClasses: {2}( 1.3.6.1.1.1.2.2 NAME 'posixGroup' DESC 'Abstraction of a group of accounts' SUP top STRUCTURAL MUST ( cn $ gidNumber ) MAY ( userPassword $ memberUid $ description ) )

The RFC for 2307 says this:
https://www.ietf.org/rfc/rfc2307.txt
 ( nisSchema.2.2 NAME 'posixGroup' SUP top STRUCTURAL
          DESC 'Abstraction of a group of accounts'
          MUST ( cn $ gidNumber )
          MAY ( userPassword $ memberUid $ description ) )
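As an added illustration (not part of this bug report, and not Gentoo's, OpenLDAP's or Samba's code): a small Python checker that parses the two posixGroup definitions quoted above in their RFC 4512 syntax and applies slapd's structural-class rule to the kind of group entry that `net sam provision` tries to add, so the error 65 above ("no structural object class provided") can be reproduced and reasoned about offline, and the groupOfNames+posixGroup combination that the rfc2307bis draft is designed for can be checked the same way. The definitions of top and groupOfNames, the sample entry, its attribute values and the dc=example,dc=com suffix are assumptions constructed for the example.

```python
"""
Check whether an LDAP entry's objectClass set satisfies slapd's structural-class
rule, using objectClass descriptions in RFC 4512 syntax.

Added example for this bug report; not code from Gentoo, OpenLDAP or Samba.
The two posixGroup definitions are the ones quoted in the report; 'top' and
'groupOfNames' are assumed to follow their standard (RFC 4512 / RFC 4519) forms.
"""
import re

# Tokens: quoted strings, parens, the '$' separator, or bare words/OIDs.
TOKEN = re.compile(r"'[^']*'|\(|\)|\$|[^\s()$']+")

# posixGroup as in the draft-derived schema shipped with the package (AUXILIARY).
BIS_POSIXGROUP = ("( 1.3.6.1.1.1.2.2 NAME 'posixGroup' SUP top AUXILIARY "
                  "DESC 'Abstraction of a group of accounts' MUST gidNumber "
                  "MAY ( userPassword $ memberUid $ description ) )")
# posixGroup as in RFC 2307 / nis.schema (STRUCTURAL, cn is mandatory).
NIS_POSIXGROUP = ("( 1.3.6.1.1.1.2.2 NAME 'posixGroup' SUP top STRUCTURAL "
                  "DESC 'Abstraction of a group of accounts' "
                  "MUST ( cn $ gidNumber ) MAY ( userPassword $ memberUid $ description ) )")
# Assumed standard definitions (not quoted on the bug page).
TOP = "( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )"
GROUP_OF_NAMES = ("( 2.5.6.9 NAME 'groupOfNames' SUP top STRUCTURAL MUST ( member $ cn ) "
                  "MAY ( businessCategory $ seeAlso $ owner $ ou $ o $ description ) )")


def parse_objectclass(text):
    """Parse one objectClass description into a dict: name, kind, sup, must, may."""
    toks = TOKEN.findall(text)
    assert toks[0] == "(" and toks[-1] == ")", "not a parenthesised description"
    toks = toks[1:-1]
    oc = {"oid": toks[0], "kind": "STRUCTURAL", "sup": [], "must": [], "may": []}
    i = 1

    def read_list():
        # Accepts a single word, 'quoted', or "( a $ b )" and returns a list.
        nonlocal i
        if toks[i] == "(":
            i += 1
            items = []
            while toks[i] != ")":
                if toks[i] != "$":
                    items.append(toks[i].strip("'"))
                i += 1
            i += 1
            return items
        item = toks[i].strip("'")
        i += 1
        return [item]

    while i < len(toks):
        key = toks[i].upper()
        i += 1
        if key == "NAME":
            oc["name"] = read_list()[0]
        elif key == "DESC":
            oc["desc"] = toks[i].strip("'")
            i += 1
        elif key == "SUP":
            oc["sup"] = read_list()
        elif key in ("STRUCTURAL", "AUXILIARY", "ABSTRACT"):
            oc["kind"] = key
        elif key == "MUST":
            oc["must"] = read_list()
        elif key == "MAY":
            oc["may"] = read_list()
    return oc


def load_schema(*descriptions):
    """Map lower-cased class name -> parsed description."""
    return {oc["name"].lower(): oc for oc in map(parse_objectclass, descriptions)}


def structural_chain(schema, name):
    """Names from this class up to the root via SUP (first superior only)."""
    chain = []
    while name:
        oc = schema[name.lower()]
        chain.append(oc["name"])
        name = oc["sup"][0] if oc["sup"] else None
    return chain


def check_entry(schema, entry):
    """Return None if the entry is acceptable, else text describing the
    objectClassViolation (resultCode 65) slapd would raise."""
    classes = entry["objectClass"]
    unknown = [c for c in classes if c.lower() not in schema]
    if unknown:
        return "unknown object class '%s'" % unknown[0]
    structural = [c for c in classes if schema[c.lower()]["kind"] == "STRUCTURAL"]
    if not structural:
        return "no structural object class provided"
    # All structural classes must lie on one inheritance chain: the most
    # derived one must have every other structural class among its ancestors.
    chains = {c: {x.lower() for x in structural_chain(schema, c)} for c in structural}
    most_derived = max(structural, key=lambda c: len(chains[c]))
    for c in structural:
        if c.lower() not in chains[most_derived]:
            return "invalid structural object class chain (%s/%s)" % (most_derived, c)
    # Every MUST attribute of every listed class and its ancestors must be present.
    required = set()
    for c in classes:
        for anc in structural_chain(schema, c):
            required.update(a.lower() for a in schema[anc.lower()]["must"])
    present = {k.lower() for k in entry if k != "dn"}
    missing = sorted(required - present)
    if missing:
        return "missing required attribute '%s'" % missing[0]
    return None


# Constructed sample: the group entry 'net sam provision' tries to create.
DOMUSERS = {
    "dn": "cn=domusers,ou=group,dc=example,dc=com",
    "objectClass": ["posixGroup"],
    "cn": ["domusers"],
    "gidNumber": ["513"],
}


def demo():
    bis = load_schema(TOP, BIS_POSIXGROUP, GROUP_OF_NAMES)
    nis = load_schema(TOP, NIS_POSIXGROUP, GROUP_OF_NAMES)
    return {
        "nis": check_entry(nis, DOMUSERS),
        "bis": check_entry(bis, DOMUSERS),
        "bis+groupOfNames": check_entry(bis, dict(
            DOMUSERS, objectClass=["groupOfNames", "posixGroup"],
            member=["cn=someone,dc=example,dc=com"])),
        "nis-missing-cn": check_entry(nis, {k: v for k, v in DOMUSERS.items() if k != "cn"}),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print("%-18s %s" % (name, outcome or "OK"))
```

Run stand-alone, the four cases show the difference between the two schemas: under nis.schema the bare posixGroup entry is accepted; under the rfc2307bis draft form it is rejected with exactly the text seen in the net debug output; adding groupOfNames as the structural class (what the draft intends, and what only Samba's IPA flavour does) makes it acceptable again; and the RFC 2307 form additionally demands cn, which the draft form does not.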
Comment 1 Luke McKee 2017-07-08 13:15:28 UTC
It looks like this bug has to be redirected away from LDAP to the samba team....

from #openldap

<hojuruku> lwlvl, here's my gentoo bug, you have a schema problem at a guess something is AUX when your app expects it to not be (error #65)
<hojuruku> https://bugs.gentoo.org/show_bug.cgi?id=624036 lwlvl that should help you a lot
<BtbN> weird, the sn is clearly there
<hojuruku> BtbN, I'm using SSHA512, the pw-sha2 / pw-pbdf password modules are ok?
<BtbN> not for me
<BtbN> They probably still "work", as openldap itself happens to be linked against the same libs. But it's pure luck
<hojuruku> yay I just tested ppolicy lockout policy and it's working :) but the ppolicy.schema hides the attributes from all users including the Root DN with the NO USER option in the schema.

<BtbN> hojuruku, also, with 2307bis, posixGroup being auxiliary is the whole point.
<BtbN> so you can have a groupOfNames with a gid

<hojuruku> hyc, BtbN  OlCPasswordHash with MORE than one option doesn't take one password in cleartext and make 3 hashes. It makes the LAST hash in the list only, I noticed.
<BtbN> I'm using that exact schema and it works great
<hojuruku> so i've broken groupOfNames?
<BtbN> groupOfNames is structural, and 2307bis makes posixGroup auxiliary, so you can add it there
<hojuruku> i thought structural was just a check like this, one object class has to be structural to make a new object.

<BtbN> an object can only have one chain of structural classes

<hojuruku> BtbN, yeah but samba only does that if you say you are running IPA
<hojuruku> maybe it's a samba bug after all

<BtbN> so if you are using rfc2307bis instead of nis, that's what I'd expect
<BtbN> the rfc you linked also shows the posixGroup class as auxiliary (TRUE)

<hojuruku> samba only uses groupOfNames and some other stuff if you use a different name for your password-db connector that isn't documented in the manuals - the ipa flavor.

<BtbN> The whole 2307bis thing is kinda deprecated, but due to lack of alternatives still exists
<BtbN> samba seems to assume the non-bis schema
<BtbN> Not a bug anywhere, you are just using an incompatible schema for samba
<hojuruku> https://github.com/samba-team/samba/blob/master/source3/utils/net_sam.c - it's using groupofNames only for IPA server in Samba

They need to document their ipa connector and make it rfc2307bis compatible as well.
Comment 2 Luke McKee 2017-07-08 13:30:47 UTC
P.S. I've run away from using rfc2307bis, going back to nis.schema. Thought I'd be able to use the groupOfNames feature with padl.com pam/nss, but it was just too much suffering.

My hack broke groupOfNames.

You can bounce this to samba, to make samba check the subschema for rfc2307bis or allow it to be configured in smb.conf.

Previously such support for rfc2307bis used to exist.
https://www.samba.org/samba/docs/man/Samba-Guide/unixclients.html#sbewinbindex
Comment 3 Luke McKee 2017-07-11 14:11:53 UTC
Thanks for bouncing it on.

If you see the samba source, Red Hat IPA already has support for groupOfNames, and the samba ldap passdb plugin has also been given an alias to behave differently when connecting to Red Hat IPA (that has groupOfNames support, unlike the standard samba3 module).

Extending the ldap passdb functionality so samba can support the rfc2307bis schema could be done in the same way it was done for IPA, or samba could read the subschema.

I wash my hands of this matter. My site is too small to care about this feature in any great way now.