[Samba] winbind with ldap backend permissions

Thorsten Scherf tscherf at redhat.com
Wed Oct 6 11:15:08 GMT 2004


Hi,

I set up winbindd with an LDAP backend; here is the relevant part of my
smb.conf:

idmap backend = ldap:ldap://mail.rhel.homelinux.com
ldap admin dn = cn=winbind,dc=example,dc=com
ldap suffix = dc=example,dc=com
ldap idmap suffix = ou=idmap

On the ldap server I set up the ou=idmap and also permissions for
cn=winbind to write into the ou=idmap:

access to dn="(.),ou=idmap,dc=example,dc=com"
        by dn="cn=winbind,dc=example,dc=com"
        by * read

When trying a "getent passwd" on the client I get the following error
messages on the LDAP server:

Oct  6 13:02:49 mail slapd[21955]: conn=2 op=22 SEARCH RESULT tag=101 err=0 text=
Oct  6 13:02:49 mail slapd[21955]: conn=2 op=23 MOD dn="cn=IdPool,ou=Idmap,dc=example,dc=com"
Oct  6 13:02:49 mail slapd[21955]: conn=2 op=23 RESULT tag=103 err=0 text=
Oct  6 13:02:49 mail slapd[21955]: conn=2 op=24 ADD dn="SAMBASID=S-1-5-32-546,OU=IDMAP,DC=EXAMPLE,DC=COM"
Oct  6 13:02:49 mail slapd[21955]: conn=2 op=24 RESULT tag=105 err=50 text=no write access to parent
Oct  6 13:02:49 mail slapd[21955]: conn=2 op=25 SRCH base="ou=idmap,dc=example,dc=com" scope=2 filter="(&(objectClass=sambaIdmapEntry)(sambaSID=S-1-5-32-547))"

So, it seems that winbind has no write access on the PARENT! If I give it
write access on dc=example,dc=com everything works just fine and the
sid/uid/gid mapping works wonderfully. But why does winbind need access
on the parent and not just on the ou container where the id mapping
happens, ou=idmap?

Can anybody explain that to me?!

thanks and greetings,
thorsten
  
-- 
Thorsten Scherf <tscherf at redhat.com>
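
Added example, not part of the original post: a Python check that pairs the denied ADD in the slapd log above with its parent DN and tests the posted "access to dn=" pattern against both, assuming slapd evaluates that pattern as a regular expression. For an ADD, OpenLDAP requires write access to the "children" pseudo-attribute of the parent entry, and the parent here is ou=idmap itself. The function names are hypothetical.

```python
import re

# Log lines from the post above, with mail line-wrapping undone.
SLAPD_LOG = """\
Oct  6 13:02:49 mail slapd[21955]: conn=2 op=23 MOD dn="cn=IdPool,ou=Idmap,dc=example,dc=com"
Oct  6 13:02:49 mail slapd[21955]: conn=2 op=23 RESULT tag=103 err=0 text=
Oct  6 13:02:49 mail slapd[21955]: conn=2 op=24 ADD dn="SAMBASID=S-1-5-32-546,OU=IDMAP,DC=EXAMPLE,DC=COM"
Oct  6 13:02:49 mail slapd[21955]: conn=2 op=24 RESULT tag=105 err=50 text=no write access to parent
"""

# <what> pattern of the ACL in the post; assumed to be evaluated as a regex.
ACL_DN_REGEX = r"(.),ou=idmap,dc=example,dc=com"

OP_RE = re.compile(r'conn=(\d+) op=(\d+) (ADD|MOD|DEL) dn="([^"]*)"')
RES_RE = re.compile(r"conn=(\d+) op=(\d+) RESULT tag=\d+ err=(\d+) text=(.*)")
INSUFFICIENT_ACCESS = 50  # LDAP resultCode insufficientAccessRights


def parent_dn(dn):
    """Drop the leftmost RDN, splitting on the first unescaped comma."""
    parts = re.split(r"(?<!\\),", dn, maxsplit=1)
    return parts[1] if len(parts) == 2 else ""


def denied_writes(log):
    """Pair each write request with its RESULT by (conn, op); keep err=50."""
    pending, denied = {}, []
    for line in log.splitlines():
        if m := OP_RE.search(line):
            pending[m.group(1, 2)] = (m.group(3), m.group(4).lower())
        elif (m := RES_RE.search(line)) and m.group(1, 2) in pending:
            op, dn = pending.pop(m.group(1, 2))
            if int(m.group(3)) == INSUFFICIENT_ACCESS:
                denied.append((op, dn, m.group(4)))
    return denied


def acl_covers(dn):
    """True if the ACL's dn pattern matches this DN (case-insensitive)."""
    return re.search(ACL_DN_REGEX, dn, re.IGNORECASE) is not None


if __name__ == "__main__":
    for op, dn, text in denied_writes(SLAPD_LOG):
        parent = parent_dn(dn)
        print(f"{op} {dn}: {text}")
        print(f"  ACL matches new entry: {acl_covers(dn)}")
        print(f"  ACL matches parent {parent}: {acl_covers(parent)}")
```

The pattern matches the new sambaSID entry but not ou=idmap,dc=example,dc=com, because "(.)," needs at least one character in front of ",ou=idmap".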