ldapsam:trusted questions

Jon Belanger jon at chem.umass.edu
Wed Oct 25 03:54:05 GMT 2006

I'm having trouble with the ldapsam:trusted configuration option.  When enabling
the option I intentionally did not set up /etc/ldap.conf to perform nss lookups
via LDAP, then restarted samba, which did not come up.  Tracking down the
problem I saw that it was attempting to query for the "514" guest user in my
domain, which existed in LDAP as a sambaSamAccount AND a posixAccount
(structural class: inetOrgPerson).  I suspected that the lack of correct NSS
info was to blame, so I configured /etc/ldap.conf via the YaST LDAP client tool.
After which samba started fine, presumably now able to perform NSS lookups.  I
should also note that I tried to config the /etc/ldap.conf and
/etc/nsswitch.conf files by hand but that did not work.  My OpenSUSE 10.1 x86_64
system apparently needed the 32-bit nss_ldap/pam_ldap dependencies.  But YaST
installed those for me automagically and after that hand config of
/etc/ldap.conf worked fine.  I was able to disable nss_ldap and reproduce the
samba error, then re-enable it and have it work fine.

Also, with the ldapsam:trusted option on, I could not authenticate to shares on
my domain server with the user root (which existed as uidNumber:0, uid=root, and
in sambaSamAccount and posixAccount object classes).  I realize this is
insecure, I just wanted to know if it worked.

Commenting out the config option and restarting samba allowed me to log in as
the root user with all the filesystem privileges the user should have.

So, my question is: I thought that ldapsam:trusted would disable any and all
dependencies to the nss_ldap libs, and what's the deal with root not working
when ldapsam:trusted is turned on?  Does the sambaSID HAVE to be domainsid-1000,
or maybe it has to have a primaryGroupSid of domainsid-1001??  The uidNumber was
0, but the sambaSIDs were something non-default in my test setup.
domainsid-20005 I think...


Jon Belanger
Computer Systems Specialist
Departments of Chemistry, Biochemistry and Molecular Biology
University of Massachusetts at Amherst
