[Samba] Re: getpwnam() fails! (with working nss_ldap setup)

M. Vancl mvancl at setuza.cz
Fri Mar 5 19:07:59 GMT 2004


I have the same experience.
IMHO the problem is in the access rights to password attributes on LDAP (slapd).
The recommended access to userPassword for anonymous is only auth (it's the right
policy). The recommended configuration of nss_ldap is to use an anonymous bind for
non-root processes (and that is also the right policy). Then when getpwnam() is
called by an unprivileged process and nss_ldap tries to read the attribute
userPassword, among others, from posixAccount, this must be an unsuccessful
attempt (and it is right but wrong to me).
What to do? I think it is a mistake in nss_ldap's behaviour. It must omit the
userPassword attribute from the attributes read when called by a nonprivileged
process.
My solution is simple, but wrong - weakening the access restrictions on the password
attribute or binding to LDAP as "manager" for all users.

M. Vancl
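
The settings the message contrasts, written out as slapd.conf and nss_ldap ldap.conf fragments. This is an added example, not part of the original post; the host, the suffix dc=example,dc=com, the DNs and the `by self write` clause are constructed assumptions.

```conf
# --- slapd.conf (OpenLDAP server) ---
# Restrictive policy the message describes as right: anonymous clients may
# use userPassword only to authenticate (bind) and can never read it.
# "by self write" is an assumed, typical clause; the message does not give it.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none
access to *
    by * read

# Weakened variant (first workaround the message calls wrong): every client,
# anonymous included, can read the stored password hashes.
#access to attrs=userPassword
#    by self write
#    by * read

# --- /etc/ldap.conf (nss_ldap client, readable by all local users) ---
host ldap.example.com
base dc=example,dc=com

# No binddn/bindpw here: lookups by non-root processes bind anonymously.
# Lookups by root bind with this DN; its password is kept in the
# root-only file /etc/ldap.secret.
rootbinddn cn=manager,dc=example,dc=com

# Second workaround the message calls wrong: every process binds as
# manager, which puts the manager password in this world-readable file.
#binddn cn=manager,dc=example,dc=com
#bindpw MANAGER_PASSWORD_PLACEHOLDER
```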




