[Samba] smbpasswd + ldap -- changing stuff it shouldn't
bnelson at cis.ysu.edu
Mon May 13 16:49:02 GMT 2002
Using Samba with --enable-ldapsam...
When changing a user's password with sampasswd 'username', I get this error:
failed to modify user with uid = bnelson with: Insufficient access
Insufficient 'write' privilege to the 'uid' attribute of entry
Looking at a snoop of the network, it seems like smbpasswd is trying to modify
ALL of these attributes:
Most of these I understand, but some (cn, uid, displayname, rid, and
primarygroupID) should not be being changed just to update the password.
I understand that sampasswd can be used to add users to LDAP, which is OK, and
that those attributes would be added/modified then, but I don't plan to do that,
and I only want the sambaadmin account to be able to modify the samba-related
stuff (not uid or cn, etc.).
My thought is this: those five attributes should be modified only in the -a
(add user) mode, and even then, ONLY if they do not already exist (i.e. a
completely new/blank user). Running a -a against an already existing posixuser
(or otherwise) should only add the samba bits and the sambaaccount objectclass,
and still not touch uid or cn, as these are often authoritatively controlled
Also, attribs that aren't different shouldn't really be re-modified. I.e. only
change them if the new value is different. It looks like smbpasswd pushes most
of this stuff unconditionally.
This seems to be the case with objectclass, as it only seems to attempt to add
the sambauser class if it is NOT already there.
This is just my opinion :) Please tell me if there is some reasoning I am
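
The behaviour proposed in the message above, sketched as an added example that is not part of the original post and is not Samba code: build the LDAP change set from a diff, so a password update writes only what changed and leaves the identity attributes alone. The function names, the `ntPassword` and `acctFlags` attribute names, and the sample entries are assumptions constructed for illustration.

```python
# Attributes the post says a plain password change must not touch.
IDENTITY_ATTRS = {"cn", "uid", "displayname", "rid", "primarygroupid"}

# Constructed sample: an existing user entry that already has Samba attributes.
EXISTING = {"uid": ["bnelson"], "cn": ["Existing Name"], "rid": ["3000"],
            "objectClass": ["posixAccount", "sambaAccount"],
            "ntPassword": ["OLDHASH"], "acctFlags": ["[U]"]}
# What the tool wants to write on a password change (hashes are placeholders).
DESIRED = {"uid": ["bnelson"], "cn": ["bnelson"], "rid": ["3000"],
           "objectClass": ["sambaAccount"],
           "ntPassword": ["NEWHASH"], "acctFlags": ["[U]"]}


def _norm(entry):
    """Lower-case attribute names (LDAP attribute names are case-insensitive)."""
    return {k.lower(): list(v) for k, v in entry.items()}


def plan_mods(existing, desired, add_mode=False):
    """Return [(op, attr, values)] needed to move `existing` toward `desired`.

    existing: attributes currently on the entry, or None if there is no entry.
    desired:  attributes the tool would otherwise push unconditionally.
    """
    current = _norm(existing or {})
    mods = []
    for attr, values in sorted(_norm(desired).items()):
        if attr == "objectclass":
            have = {c.lower() for c in current.get(attr, [])}
            missing = [c for c in values if c.lower() not in have]
            if missing:
                mods.append(("add", attr, missing))
        elif attr in IDENTITY_ATTRS:
            # Only in add mode, and only when the entry lacks the attribute.
            if add_mode and attr not in current:
                mods.append(("add", attr, values))
        elif attr not in current:
            mods.append(("add", attr, values))
        elif sorted(current[attr]) != sorted(values):
            mods.append(("replace", attr, values))
    return mods


def writes_outside(mods, allowed):
    """Attributes in the plan that the bind account's ACL would not permit."""
    return sorted({attr for _, attr, _ in mods} - {a.lower() for a in allowed})
```

With a plan built this way, the directory ACL for the Samba admin account can grant write access to the Samba attributes only, and `writes_outside` flags any plan that would trip the "Insufficient access" error quoted in the message.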