[Samba] smbldap-useradd problem

Frank Van Damme frank.vandamme at gmail.com
Thu Sep 27 09:53:29 GMT 2007


On 9/27/07, Jerome Tournier <jtournier at gmail.com> wrote:
> Hi,
> which version of the smbldap-tools are you using ?

0.9.2 (Debian Etch)

> Have you checked your configuration files?
> Have you included the samba schema in the slapd.conf definition?

Of course. I can see the objectClasses in an LDAP browser's schema
viewer, and smbldap-populate has had no problems creating groups and
copying the "nobody" and "root" users off my system to the LDAP tree.
This may be an important detail: nobody has 514 as gidNumber, which is
the gidNumber of the "Domain Guests".

> Are you sure you don't have ACL access problem ?

If it can create the object and stuff the posix-related attributes in
them, you'd think it could do the Samba ones as well.

However.

I did discover some oddities with my ldap configuration though.
When starting the ldap server, this is printed in the logs (when I set
the loglevel to 232):
/etc/ldap/slapd.conf: line 123: warning: cannot assess the validity of
the ACL scope within backend naming context

Well, this is the result of the following acl settings in slapd.conf:

access to *
    by dn="cn=admin,dc=sambadomein" write
    by * read

(the last line is line 123)

or:

access to attrs=userPassword,shadowLastChange
    by dn="cn=admin,dc=sambadomein" write
    by anonymous auth
    by self write
    by * none

The problem disappears if you explicitly mention which tree to apply the acl to:


access to dn.subtree="dc=sambadomein"
    by dn="cn=admin,dc=sambadomein" write
    by * read


respectively:

access to dn.subtree="dc=sambadomein" attrs=userPassword,shadowLastChange
    by dn="cn=admin,dc=sambadomein" write
    by anonymous auth
    by self write
    by * none

So, this wasn't necessarily an obvious problem: log level 232 means
stats logs + connection management; I had expected to find this
sort of warning under level 128 (ACL processing). So I'm posting
enough googleable details for future reference :-)

So, case closed, onto the next stumbling block. Thanks for your help!

-- 
Frank Van Damme   A: Because it destroys the flow of the conversation
                  Q: Why is it bad?
                  A: No, it's bad.
                  Q: Should I top post in replies to mails or on usenet?
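An added example, not part of the post above and not OpenLDAP's own tooling: a small Python checker for slapd.conf `access to` stanzas that flags the two things a reviewer would want to catch in the configuration Frank describes. First, an `access to` clause with no `dn.<scope>=` selector (the situation behind the "cannot assess the validity of the ACL scope" warning), and second, a catch-all rule that precedes a more specific `attrs=` rule: OpenLDAP matches access directives in order and the first `<what>` clause that matches an entry wins, so a `by * read` catch-all placed before the `userPassword` rule shadows it. The suffix and admin DN follow the post; the two sample configs are constructed for the example, and the ordering check simply treats any rule without `attrs=` or `filter=` as a catch-all for its scope without checking whether scopes overlap.

```python
"""Static check of slapd.conf 'access to' directives (example code, not from OpenLDAP)."""
import re

ACL_RE = re.compile(r'^\s*access\s+to\s+(.*)$')
BY_RE = re.compile(r'^\s*by\s+(.*)$')

# Constructed sample: the post's first form, catch-all rule listed first.
BEFORE = """\
access to *
    by dn="cn=admin,dc=sambadomein" write
    by * read

access to attrs=userPassword,shadowLastChange
    by dn="cn=admin,dc=sambadomein" write
    by anonymous auth
    by self write
    by * none
"""

# Constructed sample: scoped with dn.subtree= as in the post's fix, and with
# the password rule placed before the catch-all so it is actually reached.
AFTER = """\
access to dn.subtree="dc=sambadomein" attrs=userPassword,shadowLastChange
    by dn="cn=admin,dc=sambadomein" write
    by anonymous auth
    by self write
    by * none

access to dn.subtree="dc=sambadomein"
    by dn="cn=admin,dc=sambadomein" write
    by * read
"""


def parse_acls(text):
    """Return one dict per 'access to' stanza, in file order:
    {'what': <what clause>, 'by': [<by clauses>], 'line': <1-based line>}."""
    acls = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split('#', 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        m = ACL_RE.match(line)
        if m:
            acls.append({'what': m.group(1).strip(), 'by': [], 'line': lineno})
            continue
        m = BY_RE.match(line)
        if m and acls:
            acls[-1]['by'].append(m.group(1).strip())
    return acls


def has_dn_scope(what):
    """True if the <what> clause carries a DN selector (dn=, dn.subtree=, ...)."""
    return re.search(r'\bdn(\.(base|one|subtree|children|regex|exact))?=', what) is not None


def is_catch_all(what):
    """A rule that names no attrs= or filter= applies to every attribute of
    every entry in its scope (simplification: scope overlap is not checked)."""
    return what == '*' or ('attrs=' not in what and 'filter=' not in what)


def check_acls(text):
    """Return a list of (line, message) findings for the given slapd.conf text."""
    findings = []
    catch_all_line = None
    for acl in parse_acls(text):
        what, line = acl['what'], acl['line']
        if not has_dn_scope(what):
            findings.append((line, f'no dn scope on "access to {what}"; '
                                   f'scope it, e.g. dn.subtree="dc=sambadomein"'))
        if is_catch_all(what):
            catch_all_line = line
        elif catch_all_line is not None:
            findings.append((line, f'unreachable: "access to {what}" follows the '
                                   f'catch-all rule at line {catch_all_line}'))
    return findings


if __name__ == '__main__':
    for name, cfg in (('BEFORE', BEFORE), ('AFTER', AFTER)):
        print(name)
        for line, msg in check_acls(cfg) or [(0, 'no findings')]:
            print(f'  line {line}: {msg}')
```

Run it as a script to see the three findings on the first config (both rules unscoped, and the `userPassword` rule unreachable behind the catch-all) and none on the second. The ordering point matters as much as the scoping one: with the catch-all first, `by * read` applies to `userPassword` and `shadowLastChange` too, and the stricter rule never executes.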
