Removing geteuid() != 0 check in smbldap_open()

Jeremy Allison jra at
Fri Oct 17 20:05:49 GMT 2008

I'm planning to remove this code in lib/smbldap.c from

        if (geteuid() != 0) {
                DEBUG(0, ("smbldap_open: cannot access LDAP when not
                return  LDAP_INSUFFICIENT_ACCESS;

We already check access via the SAMR and LSA handles,
and *every single time* this error message has come
up the hunt has been to find and add


pairs around a pdb_XXX call. It's not gaining us anything,
and it's causing more trouble than it's worth.

I'm going to audit all the handle opens and read/write
accesses in lanan.c, samr.c and lsa.c to make sure we
do access checks, then remove this code.

If anyone wants to defend this, please explain with
SPECIFIC EXAMPLES of where it protects the backends
from unauthorized access.

