[Samba] Adding workstations to domain as non-root
James Cort
james.cort at u4eatech.com
Mon Jan 16 09:41:55 GMT 2006
Hi,
The Problem:
I have a samba domain using LDAP as the backend, complete with the
IdealX LDAP scripts.
Most of my Unix boxes (certainly anything which does any Samba stuff)
authenticate against the same LDAP backend, using it for groups and
users.
I need to grant some people sufficient privileges to add workstations
to the domain, but I don't want to give them the root password in LDAP
as doing so will also give them root access to the Unix boxes.
I would therefore like to configure the system such that users who are
members of a specific group (Domain Admins springs immediately to
mind) are able to add workstations to the domain.
I have already added myself to the "Domain Admins" group:
# Domain Admins, Group, u4eatech.com
dn: cn=Domain Admins,ou=Group,dc=u4eatech,dc=com
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 512
cn: Domain Admins
memberUid: Administrator
memberUid: jamesc
description: Netbios Domain Administrators
sambaSID: S-1-5-21-2044582568-1589646193-1504741369-512
sambaGroupType: 2
displayName: Domain Admins
And I've chown/chmod'ed the smbldap config files so members of the
Domain Admins group can read them:
elli sbin # ls -ail /etc/smbldap-tools/
total 27
238406 drwxr-xr-x 2 root root 192 Jan 11 16:16 .
9120 drwxr-xr-x 42 root root 3160 Jan 12 09:31 ..
238451 -rw-r--r-- 1 root root 7634 Jan 11 16:06 smbldap.conf
30283 -rw-r--r-- 1 root root 7728 Jan 10 13:44 smbldap.conf.old
238421 -rw-r----- 1 root Domain Admins 438 Jan 11 08:52 smbldap_bind.conf
However, I can't add users using the smbldap-useradd script:
jamesc at elli ~ $ /usr/sbin/smbldap-useradd -w "phobos$"
Could not find base dn, to get next uidNumber at
/usr/sbin//smbldap_tools.pm line 995.
Looking at the OpenLDAP logs, it seems that smbldap-useradd is
performing the search without first authenticating with the LDAP server:
Jan 16 09:24:19 cygnus_new slapd[12571]: conn=67383 fd=52 ACCEPT from
IP=172.30.1.22:60342 (IP=0.0.0.0:389)
Jan 16 09:24:19 cygnus_new slapd[26453]: conn=67383 op=1 SRCH
base="dc=u4eatech,dc=com" scope=2 deref=2
filter="(&(objectClass=posixAccount)(uid=phobos$))"
Jan 16 09:24:19 cygnus_new slapd[26453]: conn=67383 op=1 SEARCH RESULT
tag=101 err=0 nentries=0 text=
Jan 16 09:24:19 cygnus_new slapd[16367]: conn=67383 op=2 SRCH
base="sambaDomainName=U4EATECH,dc=u4eatech,dc=com" scope=0 deref=2
filter="(objectClass=sambaUnixIdPool)"
Jan 16 09:24:19 cygnus_new slapd[16367]: conn=67383 op=2 SEARCH RESULT
tag=101 err=0 nentries=0 text=
Jan 16 09:24:19 cygnus_new slapd[12571]: conn=67383 fd=52 closed
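
Added example, not part of the original post and not smbldap-tools code: a small parser that applies the check made by eye above, reporting every SRCH that slapd logged on a connection before a successful BIND with a non-empty DN. The function name anonymous_searches is an assumption of this example, and the conn=67384 lines (including the bind DN) are constructed here for contrast; the conn=67383 lines are the log from the post, rejoined onto single lines.

```python
import re

# conn=67383 lines are the slapd log from the post, rejoined onto single lines.
# conn=67384 lines are constructed for contrast (the bind DN is hypothetical).
SAMPLE_LOG = '''\
Jan 16 09:24:19 cygnus_new slapd[12571]: conn=67383 fd=52 ACCEPT from IP=172.30.1.22:60342 (IP=0.0.0.0:389)
Jan 16 09:24:19 cygnus_new slapd[26453]: conn=67383 op=1 SRCH base="dc=u4eatech,dc=com" scope=2 deref=2 filter="(&(objectClass=posixAccount)(uid=phobos$))"
Jan 16 09:24:19 cygnus_new slapd[26453]: conn=67383 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
Jan 16 09:24:19 cygnus_new slapd[16367]: conn=67383 op=2 SRCH base="sambaDomainName=U4EATECH,dc=u4eatech,dc=com" scope=0 deref=2 filter="(objectClass=sambaUnixIdPool)"
Jan 16 09:24:19 cygnus_new slapd[16367]: conn=67383 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text=
Jan 16 09:24:19 cygnus_new slapd[12571]: conn=67383 fd=52 closed
Jan 16 09:30:00 cygnus_new slapd[12571]: conn=67384 fd=53 ACCEPT from IP=172.30.1.22:60350 (IP=0.0.0.0:389)
Jan 16 09:30:00 cygnus_new slapd[12571]: conn=67384 op=0 BIND dn="cn=example-admin,dc=u4eatech,dc=com" method=128
Jan 16 09:30:00 cygnus_new slapd[12571]: conn=67384 op=0 RESULT tag=97 err=0 text=
Jan 16 09:30:00 cygnus_new slapd[12571]: conn=67384 op=1 SRCH base="sambaDomainName=U4EATECH,dc=u4eatech,dc=com" scope=0 deref=2 filter="(objectClass=sambaUnixIdPool)"
Jan 16 09:30:00 cygnus_new slapd[12571]: conn=67384 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
'''

LINE_RE = re.compile(r"slapd\[\d+\]: conn=(\d+) (?:fd=\d+|op=(\d+)) (.*)$")

def anonymous_searches(log_text):
    """Return one record per SRCH issued before a successful non-empty-DN BIND."""
    conns, findings = {}, []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        conn_id, op, rest = int(m.group(1)), m.group(2), m.group(3)
        c = conns.setdefault(conn_id, {"peer": None, "bound": False, "pending": set()})
        if rest.startswith("ACCEPT"):
            c["peer"] = re.search(r"from IP=([\d.]+):", rest).group(1)
        elif rest.startswith("BIND dn=") and not rest.startswith('BIND dn=""'):
            c["pending"].add(op)  # bind requested, outcome not yet known
        elif rest.startswith("RESULT tag=97") and op in c["pending"]:
            c["bound"] = " err=0 " in rest  # tag=97 is the bind response
        elif rest.startswith("SRCH") and not c["bound"]:
            findings.append({"conn": conn_id, "op": op, "peer": c["peer"],
                             "base": re.search(r'base="([^"]*)"', rest).group(1),
                             "nentries": None})
        elif rest.startswith("SEARCH RESULT"):
            for f in findings:  # attach the result count to its search
                if f["conn"] == conn_id and f["op"] == op:
                    f["nentries"] = int(re.search(r"nentries=(\d+)", rest).group(1))
    return findings

if __name__ == "__main__":
    for f in anonymous_searches(SAMPLE_LOG):
        print("conn={conn} peer={peer} op={op} anonymous SRCH base={base!r} "
              "nentries={nentries}".format(**f))
```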