I cannot create a user

v7
activedirectory

(And) #1

NethServer Version: NethServer release 7.4.1708 (Final) + last upd
Module: Samba AD

Nov 18 19:35:44 srv02 esmith::event[3774]: Event: user-create testgggggg ggggggtest /usr/libexec/openssh/sftp-server
Nov 18 19:35:54 srv02 esmith::event[3774]: [ERROR] User testgggggg creation failed
Nov 18 19:35:54 srv02 esmith::event[3774]: Action: /etc/e-smith/events/user-create/S40nethserver-dc-user-create FAILED: 3 [10.031321]
Nov 18 19:35:54 srv02 esmith::event[3774]: Action: /etc/e-smith/events/user-create/S50nethserver-dc-sync-upn SUCCESS [0.330044]
Nov 18 19:35:54 srv02 esmith::event[3774]: [NOTICE] clearing sssd cache for user testgggggg@bsmpnojk.lan
Nov 18 19:35:54 srv02 esmith::event[3774]: No cache object matched the specified search
Nov 18 19:35:54 srv02 esmith::event[3774]: No cache object matched the specified search
Nov 18 19:35:54 srv02 esmith::event[3774]: Action: /etc/e-smith/events/user-create/S90nethserver-sssd-clear-cache SUCCESS [0.019504]
Nov 18 19:35:54 srv02 esmith::event[3774]: Event: user-create FAILED
Nov 18 19:35:55 srv02 esmith::event[3796]: Event: password-policy-update testgggggg no
Nov 18 19:35:55 srv02 esmith::event[3796]: [NOTICE] clearing sssd cache for user testgggggg@bsmpnojk.lan
Nov 18 19:35:55 srv02 esmith::event[3796]: No cache object matched the specified search
Nov 18 19:35:55 srv02 esmith::event[3796]: No cache object matched the specified search
Nov 18 19:35:55 srv02 esmith::event[3796]: Action: /etc/e-smith/events/password-policy-update/S10nethserver-sssd-clear-cache SUCCESS [0.023761]
Nov 18 19:36:05 srv02 esmith::event[3796]: [ERROR] Faild to set expiry on user testgggggg
Nov 18 19:36:05 srv02 esmith::event[3796]: Action: /etc/e-smith/events/password-policy-update/S30nethserver-dc-password-policy FAILED: 3 [10.16399]
Nov 18 19:36:05 srv02 esmith::event[3796]: Event: password-policy-update FAILED
Nov 18 19:36:05 srv02 esmith::event[3813]: Event: password-modify testgggggg@bsmpnojk.lan /tmp/ng-8M81G9
Nov 18 19:36:05 srv02 esmith::event[3813]: Action: /etc/e-smith/events/password-modify/S25password-set SUCCESS [0.005451]
Nov 18 19:36:05 srv02 esmith::event[3813]: spawn /usr/bin/systemd-run -M nsdc -q -t /usr/bin/samba-tool user setpassword testgggggg
Nov 18 19:36:09 srv02 esmith::event[3813]: Failed to start transient service unit: Activation of org.freedesktop.systemd1 timed out
Nov 18 19:36:09 srv02 esmith::event[3813]: Action: /etc/e-smith/events/password-modify/S30nethserver-dc-password-set SUCCESS [3.776073]
Nov 18 19:36:19 srv02 esmith::event[3813]: Action: /etc/e-smith/events/password-modify/S40nethserver-dc-user-unlock FAILED: 2 [10.017433]
Nov 18 19:36:19 srv02 systemd: Reloading.
Nov 18 19:36:19 srv02 esmith::event[3813]: [INFO] service squid reload
Nov 18 19:36:19 srv02 squid: 2017/11/18 19:36:19| Warning: empty ACL: acl no_cache dstdomain "/etc/squid/acls/no_cache.acl"
Nov 18 19:36:19 srv02 systemd: Reloaded Squid caching proxy.
Nov 18 19:36:19 srv02 esmith::event[3813]: Action: /etc/e-smith/events/actions/adjust-services SUCCESS [0.429503]
Nov 18 19:36:19 srv02 esmith::event[3813]: Action: /etc/e-smith/events/password-modify/S90password-cleanup SUCCESS [0.240674]
Nov 18 19:36:19 srv02 esmith::event[3813]: Event: password-modify FAILED

Error when I create a new user
(Markus Neuberger) #2

Hello @xcod,

did you get an error message in web UI?
Is the domain join OK in the domain accounts status page? If not you may try to change IP of the Samba container via “Accounts Provider” in web UI.
Do you use the delegation module? Maybe the “admin” user has no elevated rights.


(And) #3

Hi, thank you for the answer.
I think I found a bug:
if the “Name” field contains my locale (Russian)
and it is long,
it crashes,
and after the crash no more users can be created either;
only restarting the server fixes it.

Sorry for my English.

/var/log/message
Nov 21 11:15:39 srv02 esmith::event[3791]: Event: user-create jv_sidorov Сидоровсидоров СидоровСидоров Сидоров /usr/libexec/openssh/sftp-server
Nov 21 11:15:39 srv02 esmith::event[3791]: Failed to start transient service unit: Message did not receive a reply (timeout by message bus)
Nov 21 11:15:39 srv02 esmith::event[3791]: [ERROR] User jv_sidorov creation failed
Nov 21 11:15:39 srv02 esmith::event[3791]: Action: /etc/e-smith/events/user-create/S40nethserver-dc-user-create FAILED: 3 [0.027746]
Nov 21 11:15:39 srv02 esmith::event[3791]: Action: /etc/e-smith/events/user-create/S50nethserver-dc-sync-upn SUCCESS [0.259417]
Nov 21 11:15:39 srv02 esmith::event[3791]: [NOTICE] clearing sssd cache for user jv_sidorov@bsmpnojk.lan
Nov 21 11:15:39 srv02 esmith::event[3791]: No cache object matched the specified search
Nov 21 11:15:39 srv02 esmith::event[3791]: No cache object matched the specified search
Nov 21 11:15:39 srv02 esmith::event[3791]: Action: /etc/e-smith/events/user-create/S90nethserver-sssd-clear-cache SUCCESS [0.022503]
Nov 21 11:15:39 srv02 esmith::event[3791]: Event: user-create FAILED
Nov 21 11:15:40 srv02 esmith::event[3817]: Event: group-modify dlo_grp an_kostomarov fghfghghj kgfhfhfgh sd_ivanov testbbgbg testdfngffggf testfdnfghgh testfghfgh testfgnngfg testnghfgfgbn testnmghmg testnmkhjff testnmngghj tyesgbdfh jv_sidorov
Nov 21 11:15:40 srv02 esmith::event[3817]: expanding /etc/ufdbguard/ufdbGuard.conf
Nov 21 11:15:41 srv02 dbus-daemon: dbus[1177]: [system] Activating via systemd: service name='org.freedesktop.timedate1' unit='dbus-org.freedesktop.timedate1.service'
Nov 21 11:15:41 srv02 dbus[1177]: [system] Activating via systemd: service name='org.freedesktop.timedate1' unit='dbus-org.freedesktop.timedate1.service'
Nov 21 11:15:41 srv02 systemd: Starting Time & Date Service...
Nov 21 11:15:41 srv02 dbus[1177]: [system] Successfully activated service 'org.freedesktop.timedate1'
Nov 21 11:15:41 srv02 dbus-daemon: dbus[1177]: [system] Successfully activated service 'org.freedesktop.timedate1'
Nov 21 11:15:41 srv02 systemd: Started Time & Date Service.
Nov 21 11:15:41 srv02 esmith::event[3817]: Action: /etc/e-smith/events/actions/generic_template_expand SUCCESS [0.284716]
Nov 21 11:16:01 srv02 esmith::event[3817]: [ERROR] Failed to update the members list of group dlo_grp at /etc/e-smith/events/group-modify/S40nethserver-dc-group-modify line 86.
Nov 21 11:16:01 srv02 esmith::event[3817]: Action: /etc/e-smith/events/group-modify/S40nethserver-dc-group-modify FAILED: 1 [20.036309]
Nov 21 11:16:01 srv02 systemd: Reloading.
Nov 21 11:16:01 srv02 esmith::event[3817]: [INFO] service ufdb reload
Nov 21 11:16:01 srv02 ufdb: sent signal sighup to ufdbguardd (pid=1843)
Nov 21 11:16:01 srv02 systemd: Reloaded LSB: ufdbguardd daemons from URLfilterDB.
Nov 21 11:16:01 srv02 esmith::event[3817]: Action: /etc/e-smith/events/actions/adjust-services SUCCESS [0.525687]
Nov 21 11:16:01 srv02 esmith::event[3817]: [NOTICE] clearing sssd cache for group dlo_grp@bsmpnojk.lan
Nov 21 11:16:02 srv02 esmith::event[3817]: Action: /etc/e-smith/events/group-modify/S90nethserver-sssd-clear-cache SUCCESS [0.433407]
Nov 21 11:16:02 srv02 esmith::event[3817]: Event: group-modify FAILED
Nov 21 11:16:02 srv02 esmith::event[3886]: Event: password-policy-update jv_sidorov no
Nov 21 11:16:02 srv02 esmith::event[3886]: [NOTICE] clearing sssd cache for user jv_sidorov@bsmpnojk.lan
Nov 21 11:16:02 srv02 esmith::event[3886]: No cache object matched the specified search
Nov 21 11:16:02 srv02 esmith::event[3886]: No cache object matched the specified search
Nov 21 11:16:02 srv02 esmith::event[3886]: Action: /etc/e-smith/events/password-policy-update/S10nethserver-sssd-clear-cache SUCCESS [0.032173]
Nov 21 11:16:06 srv02 esmith::event[3886]: Failed to start transient service unit: Activation of org.freedesktop.systemd1 timed out
Nov 21 11:16:06 srv02 esmith::event[3886]: [ERROR] Faild to set expiry on user jv_sidorov
Nov 21 11:16:06 srv02 esmith::event[3886]: Action: /etc/e-smith/events/password-policy-update/S30nethserver-dc-password-policy FAILED: 3 [3.773374]
Nov 21 11:16:06 srv02 esmith::event[3886]: Event: password-policy-update FAILED
Nov 21 11:16:06 srv02 esmith::event[3903]: Event: password-modify jv_sidorov@bsmpnojk.lan /tmp/ng-yqgub3
Nov 21 11:16:06 srv02 esmith::event[3903]: Action: /etc/e-smith/events/password-modify/S25password-set SUCCESS [0.006084]
Nov 21 11:16:06 srv02 esmith::event[3903]: spawn /usr/bin/systemd-run -M nsdc -q -t /usr/bin/samba-tool user setpassword jv_sidorov
Nov 21 11:16:16 srv02 esmith::event[3903]: Action: /etc/e-smith/events/password-modify/S30nethserver-dc-password-set SUCCESS [10.016026]
Nov 21 11:16:26 srv02 esmith::event[3903]: Action: /etc/e-smith/events/password-modify/S40nethserver-dc-user-unlock FAILED: 2 [10.018673]
Nov 21 11:16:26 srv02 systemd: Reloading.
Nov 21 11:16:26 srv02 esmith::event[3903]: [INFO] service squid reload
Nov 21 11:16:26 srv02 squid: 2017/11/21 11:16:26| Warning: empty ACL: acl no_cache dstdomain "/etc/squid/acls/no_cache.acl"
Nov 21 11:16:26 srv02 systemd: Reloaded Squid caching proxy.
Nov 21 11:16:26 srv02 esmith::event[3903]: Action: /etc/e-smith/events/actions/adjust-services SUCCESS [0.407371]
Nov 21 11:16:26 srv02 esmith::event[3903]: Action: /etc/e-smith/events/password-modify/S90password-cleanup SUCCESS [0.193641]
Nov 21 11:16:26 srv02 esmith::event[3903]: Event: password-modify FAILED
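
For triaging logs like the one above, this added example (not part of the original post, and not NethServer code) groups esmith::event lines by PID and reports each event's failed actions and any systemd-run bus errors. The sample lines are taken from the excerpt above; the function name and the summary layout are assumptions.

```python
import re

# Sample input: lines taken from the /var/log/messages excerpt in the post above.
SAMPLE = """\
Nov 21 11:15:39 srv02 esmith::event[3791]: Event: user-create jv_sidorov Сидоровсидоров СидоровСидоров Сидоров /usr/libexec/openssh/sftp-server
Nov 21 11:15:39 srv02 esmith::event[3791]: Failed to start transient service unit: Message did not receive a reply (timeout by message bus)
Nov 21 11:15:39 srv02 esmith::event[3791]: Action: /etc/e-smith/events/user-create/S40nethserver-dc-user-create FAILED: 3 [0.027746]
Nov 21 11:15:39 srv02 esmith::event[3791]: Action: /etc/e-smith/events/user-create/S50nethserver-dc-sync-upn SUCCESS [0.259417]
Nov 21 11:15:39 srv02 esmith::event[3791]: Event: user-create FAILED
Nov 21 11:16:01 srv02 systemd: Reloading.
Nov 21 11:16:02 srv02 esmith::event[3886]: Event: password-policy-update jv_sidorov no
Nov 21 11:16:06 srv02 esmith::event[3886]: Failed to start transient service unit: Activation of org.freedesktop.systemd1 timed out
Nov 21 11:16:06 srv02 esmith::event[3886]: Action: /etc/e-smith/events/password-policy-update/S30nethserver-dc-password-policy FAILED: 3 [3.773374]
Nov 21 11:16:06 srv02 esmith::event[3886]: Event: password-policy-update FAILED
"""

LINE = re.compile(r"^\w{3}\s+\d+ [\d:]{8} \S+ esmith::event\[(\d+)\]: (.*)$")
ACTION = re.compile(r"^Action: (\S+) (SUCCESS|FAILED)(?:: (\d+))? \[([\d.]+)\]$")
BUS_ERROR = "Failed to start transient service unit: "


def triage(text):
    """Group esmith::event lines by PID; return one summary dict per event."""
    events = {}  # pid -> summary; dicts keep insertion order
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # lines from other daemons (systemd, squid, dbus) are skipped
        pid, msg = m.groups()
        ev = events.setdefault(pid, {"pid": pid, "event": None, "status": None,
                                     "failed_actions": [], "bus_errors": []})
        action = ACTION.match(msg)
        if action:
            path, result, code, secs = action.groups()
            if result == "FAILED":  # keep script name, exit code, duration in seconds
                ev["failed_actions"].append(
                    (path.rsplit("/", 1)[-1], int(code) if code else None, float(secs)))
        elif msg.startswith(BUS_ERROR):
            ev["bus_errors"].append(msg[len(BUS_ERROR):])
        elif msg.startswith("Event: "):
            words = msg.split()
            if ev["event"] is None:
                ev["event"] = words[1]    # opening line: "Event: <name> <args...>"
            elif words[1] == ev["event"]:
                ev["status"] = words[-1]  # closing line: "Event: <name> FAILED"
    return list(events.values())

if __name__ == "__main__":
    print(*triage(SAMPLE), sep="\n")
```
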


(Michael Träumner) #4

Could somebody else test it? I’m not Russian.
@ambassadors_group Do you know other Russian users who could test it?


(Markus Neuberger) #5

I tested it now and can confirm: it seems to be a bug.

I used Wikipedia to get Cyrillic names but you may also copy a name from the text of @xcod:

Александр Солженицын as name is working but doubled name Александр СолженицынАлександр Солженицын throws the error described above.

Oh, it’s not just a Cyrillic thing, German umlauts also throw an error:
I tried sdfgfsgfgdfgdfsgsdfgdfsgdfsgdfsgsdfgsdfgsthtjtukuoöoösADFGWTHtzkrzläöäö as name and same error.

ASDGHKLalsdhgaGAGHFDggafdghHDFHFAHDGFFSGJAgdhhdfdfahtuwr (no special chars) as Name is working
äääääääääääääääääääää(21) as Name is working
ääääääääääääääääääääääääääääää (30) as Name throws the error, so it’s about special chars and length.


(Michael Träumner) #6

Thanks for your work Markus. So we have a problem if we don’t use normal ASCII Codes. @dev_team Could you change this?


(Rob Bosch) #7

Maybe @Nas can test this with Cyrillic characters? (btw, you still around my friend?)


(Artem Fedai) #8

Hi, I have no new NS at my loco, I suppose bug was caused by long line and spaces in username.

user-create jv_sidorov Сидоровсидоров СидоровСидоров Сидоров /usr/libexec/openssh/sftp-server


(Alessio Fattorini) #9

Ehi man, are you still around? Where are you ended up? :smiley:


(And) #10

Hi,
strange behavior:
after restarting the server
I can create a user with a long name field and my locale,
but
the next user isn't created with a long name field and my locale.
It's the same error.
Sorry for my English.


(Markus Neuberger) #11

Please try to shorten the names to 20 characters until this bug is fixed.


(Rob Bosch) #12

[quote="mrmarkuz, post:11, topic:8322"]
to 20 15 characters
[/quote]

Even less if you want Samba4 AD accountprovider since the Samba4 container will be created as nscd-[servername].domain.tld
The nscd- part will take off 5 more characters of the usable name…

/edit: argg usernames… 20 characters is correct


(Markus Neuberger) #13

I think it’s a samba-tool problem. The given name (long username/full name) takes 65 chars, it may even be umlauts “äöü”.
But when using the Cyrillic alphabet samba-tool stops with another error message.

This is just to show that after the following error (more than 65 chars), user creation is still alive, but once Cyrillic is used, user creation doesn’t work anymore:

[root@testserver ~]# /usr/bin/systemd-run -M nsdc -q -t /usr/bin/samba-tool user create "testuser5" --random-password --must-change-at-next-login "--login-shell=/usr/libexec/openssh/sftp-server" "--unix-home=/var/lib/nethserver/home/testuser5" "--given-name=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaääääääääääääääääääääääääääääääääääääää" --use-username-as-cn
ERROR(ldb): Failed to add user 'testuser5': - objectclass_attrs: attribute 'givenName' on entry 'CN=testuser5,CN=Users,DC=ad,DC=domain,DC=local' contains at least one invalid value!

Umlauts to 65 chars are no problem, the user exists but it would have been created:

[root@testserver ~]# /usr/bin/systemd-run -M nsdc -q -t /usr/bin/samba-tool user create "testuser5" --random-password --must-change-at-next-login "--login-shell=/usr/libexec/openssh/sftp-server" "--unix-home=/var/lib/nethserver/home/testuser5" "--given-name=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaääääääääääääää" --use-username-as-cn
ERROR(ldb): Failed to add user 'testuser5': - Entry CN=testuser5,CN=Users,DC=ad,DC=domain,DC=local already exists

Umlauts more than 65 chars are a problem, so 65 is the limit here, that’s ok.

[root@testserver ~]# /usr/bin/systemd-run -M nsdc -q -t /usr/bin/samba-tool user create "testuser8" --random-password --must-change-at-next-login "--login-shell=/usr/libexec/openssh/sftp-server" "--unix-home=/var/lib/nethserver/home/testuser5" "--given-name=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaääääääääääääääääääääääääääääääääääääää" --use-username-as-cn
ERROR(ldb): Failed to add user 'testuser8': - objectclass_attrs: attribute 'givenName' on entry 'CN=testuser8,CN=Users,DC=ad,DC=domain,DC=local' contains at least one invalid value!

But the first try with Cyrillic chars throws an error:

[root@testserver ~]# /usr/bin/systemd-run -M nsdc -q -t /usr/bin/samba-tool user create "testuser7" --random-password --must-change-at-next-login "--login-shell=/usr/libexec/openssh/sftp-server" "--unix-home=/var/lib/nethserver/home/testuser5" "--given-name=Сидоровсидоров СидоровСидоров Сидоров" --use-username-as-cn
Failed to start transient service unit: Message did not receive a reply (timeout by message bus)

Next try takes more time…but same error

[root@testserver ~]# /usr/bin/systemd-run -M nsdc -q -t /usr/bin/samba-tool user create "testuser7" --random-password --must-change-at-next-login "--login-shell=/usr/libexec/openssh/sftp-server" "--unix-home=/var/lib/nethserver/home/testuser5" "--given-name=Сидоровсидоров СидоровСидоров Сидоров" --use-username-as-cn
Failed to start transient service unit: Connection timed out

Now the full name that worked before is not working anymore - user creation not working from now on (same situation as with web UI):

[root@testserver ~]# /usr/bin/systemd-run -M nsdc -q -t /usr/bin/samba-tool user 5reate "testuser8" --random-password --must-change-at-next-login "--login-shell=/usr/libexec/openssh/sftp-server" "--unix-home=/var/lib/nethserver/home/testuser5" "--given-name=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaääääääääääääää" --use-username-as-cn
Failed to start transient service unit: Connection timed out

Found this but my terminal (putty) is set to UTF8:

https://lists.samba.org/archive/samba/2014-September/184752.html

So what can we do? Forbid to use the “bad” chars in UI?


(Jeroen Visser) #14

I always learned that usernames are required to be ASCII compatible if you want to avoid issues … is this outdated?


(Markus Neuberger) #15

It seems to be outdated. I also learned to avoid non-ASCII generally and still do it. But nowadays you may use umlauts in domain names and funny stuff like that.
On the other hand it’s easy for me because my alphabet (except for umlauts) is fully supported; if my alphabet were not supported anymore, I would maybe feel discriminated against…


(Jeroen Visser) #16

Thanks for clearing that up. Seems still prudent to abide by old-school rules, given this topic :stuck_out_tongue:


(Rob Bosch) #17

Just thinking out loud: why should a module be restricted to alpha-numerical characters? A large part of the globe is not using this char set. Isn’t there any option to allow other charsets?


(Giacomo Sanchietti) #18

Could you please recap the conditions causing the error?

If I got it right:

  • limit to 65 bytes
  • any Cyrillic character

(Markus Neuberger) #19

This is not the real problem but we also may catch this error with a limit of 65 chars in web UI.

After entering Cyrillic chars in full name (given name, not username) an error is thrown:

Failed to start transient service unit: Connection timed out

And from now on user creation is not working anymore…


(Giacomo Sanchietti) #20

We will try to debug it a bit more, but probably any update will be released in January.

Thank you!