[Samba] Domain Admins can't modify ldapsam entries
Craig White
craigwhite at azapple.com
Wed Oct 19 04:25:45 GMT 2005
On Wed, 2005-10-19 at 00:05 -0400, Eric A. Hall wrote:
> On 10/18/2005 9:26 AM, Gerald (Jerry) Carter wrote:
> > Günter Gersdorf wrote:
> >
> > | Domain Admins are not allowed to modify the ldapsam
> > | database via usrmgr.
> > | lib/smbldap.c: smbldap_open: cannot access LDAP when not root..
> > |
> > | Is this by design?
> >
> > Yes. It is by design. You have to assign the
> > SeAddUsersPrivilege to the Domain Admins group.
>
> Where are the privs stored nowadays? I found lots of references to
> privilege[s].tdb but nothing like that seems to exist anywhere.
----
On my systems, tdbs are stored in /var/cache/samba (RHEL).
If slocate is current, you should be able to find it easily enough...
locate account_policy.tdb
If slocate is not current, execute 'updatedb' first.
The SeAddUsersPrivilege was added somewhere around 3.0.14 - it depends upon
which version of Samba you are using as to whether the command is available.
Craig