[Samba] PDC + LDAP, cannot access LDAP when not root (SOLVED)

David Clymer david at hrcsb.org
Thu Sep 29 16:53:33 GMT 2005 

On Tue, 2005-09-27 at 16:34 -0400, David Clymer wrote:
> I'm using Debian Sarge, Samba (3.1.14a) with the ldapsam backend, and
> OpenLDAP (2.2.23).
> 
> When attempting to join an Windows XP+SP2 computer (BILLGATES) to my
> domain (WORKGROUP), using the Administrator account, I am told by
> windows: 'Access denied.'
> 
> The logs (attached) seem to indicate that the user Administrator is
> being authenticated (which would have? to use LDAP), but when It goes to
> add the computer to the domain, it fails. Apparently because samba is
> unable to access LDAP:
> 
> smbldap_open: cannot access LDAP when not root..
> 
> nobody and Administrator are the only users on the domain.
> 
> An interesting phenomenon that I've observed (perhaps it is related?):
> 
> testbox:/etc/samba# pdbedit -L
> Administrator:998:Administrator
> nobody:65534:nobody
> testbox:/etc/samba# net -U Administrator rpc group members 'Domain Computers'
> Password:
> WORKGROUP\BILLGATES$
> testbox:/etc/samba# net -U Administrator rpc group members 'Domain Admins'
> Password:
> WORKGROUP\Administrator
> testbox:/etc/samba# net -U Administrator rpc group members 'Administrators'
> Password:
> [2005/09/27 16:05:11, 0] rpc_client/cli_pipe.c:rpc_api_pipe(435)
>   cli_pipe: return critical error. Error was Call timed out: server did not respond after 10000 milliseconds
> Couldn't list alias members
> 
> I don't understand why Administrators group listing fails, while the
> others don't.
> 
> Google searches yielded a bunch of similar problems for early versions
> of samba 3.0, related to modification of user groups. However that bug
> was supposedly fixed, and I've seen no reports of it occuring in later
> versions. There are no open bugs, that I could find, related to this on
> bugzilla.samba.org.
> 
> Is there any type of (mis)configuration that could result in the same
> sort of symptom?
> 
> attached is my smb.conf, smbldap.conf, and my samba log output (debug
> level=4)
> 
> I would be very grateful for any ideas, FMs to R, magic wands, etc. that
> anyone might have to offer.
> 

The FM to (re)R was the smb.conf man page ;o)

The solution:

add this to smb.conf:

enable privileges = yes

This allows you to grant special privileges to users (see man smb.conf
for more detail)

reload the samba config:

$ smbcontrol smbd reload-config

and grant the necessary rights to Administrator:

$ net -U Administrator rpc rights list
     SeMachineAccountPrivilege  Add machines to domain
      SePrintOperatorPrivilege  Manage printers
           SeAddUsersPrivilege  Add users and groups to the domain
     SeRemoteShutdownPrivilege  Force shutdown from a remote system
       SeDiskOperatorPrivilege  Manage disk shares

$ net -U Administrator rpc rights list Administrator

$ net -U Administrator rpc rights grant Administrator SeMachineAccountPrivilege
Successfully granted rights.

Now one can add machines to the domain. Better yet, the
administrator account does _not_ have to have a uid of 0!

-davidc

--
Under-Achievers Anonymous has an 11-step program.

More information about the samba mailing list