[Samba] Re: winbind with ldap backend permissions

Igor Belyi sambauser at katehok.ac93.org
Wed Oct 6 15:00:39 GMT 2004


Thorsten Scherf wrote:
> hi,
> 
> I set up a winbindd with an ldap backend, here is the relevant part of my
> smb.conf:
> 
> idmap backend = ldap:ldap://mail.rhel.homelinux.com
> ldap admin dn = cn=winbind,dc=example,dc=com
> ldap suffix = dc=example,dc=com
> ldap idmap suffix = ou=idmap
> 
> On the ldap server I set up the ou=idmap and also permissions for
> cn=winbind to write into the ou=idmap:
> 
> access to dn="(.),ou=idmap,dc=example,dc=com"
>         by dn="cn=winbind,dc=example,dc=com" write
>         by * read

Did you try to change your 'what' part of the access to:

dn.subtree="ou=idmap,dc=example,dc=com"

Igor

> when trying a "getent passwd" on the client I get the following error
> messages on the ldap-server:
> 
> Oct  6 13:02:49 mail slapd[21955]: conn=2 op=22 SEARCH RESULT tag=101 err=0 text=
> Oct  6 13:02:49 mail slapd[21955]: conn=2 op=23 MOD dn="cn=IdPool,ou=Idmap,dc=example,dc=com"
> Oct  6 13:02:49 mail slapd[21955]: conn=2 op=23 RESULT tag=103 err=0 text=
> Oct  6 13:02:49 mail slapd[21955]: conn=2 op=24 ADD dn="SAMBASID=S-1-5-32-546,OU=IDMAP,DC=EXAMPLE,DC=COM"
> Oct  6 13:02:49 mail slapd[21955]: conn=2 op=24 RESULT tag=105 err=50 text=no write access to parent
> Oct  6 13:02:49 mail slapd[21955]: conn=2 op=25 SRCH base="ou=idmap,dc=example,dc=com" scope=2 filter="(&(objectClass=sambaIdmapEntry)(sambaSID=S-1-5-32-547))"
> 
> so, it seems that winbind has no write access on the PARENT! if I give him
> write access on dc=example,dc=com everything works just fine and the
> sid/uid/gid mapping works wonderfully. but why does winbind need access
> on the parent and not just on the ou-container where the id-mapping
> happens, ou=idmap?
> 
> can anybody explain that to me?!
> 
> thanks and greetings,
> thorsten
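To make the ACL scoping concrete, here is an added example; it is not code from this thread, from Samba or from OpenLDAP. It is a toy model of how slapd evaluates slapd.conf "access to" directives (the real rules are in slapd.access(5)): it parses the ACL as posted and Igor's dn.subtree variant, then asks for each whether cn=winbind may MODIFY cn=IdPool and ADD the entry that failed in the log. The model assumes that a bare dn="..." is matched as an unanchored regex against the normalized DN (slapd's backwards-compatible reading), that the first "access to" directive whose target matches decides and within it the first matching "by" clause wins, with no match meaning none, and that an ADD is checked against write access on the parent entry, as the "no write access to parent" text says. The names BROKEN_ACL, FIXED_ACL, WINBIND and NEW_ENTRY are this example's own, and the write level on the posted by-clause is supplied on the strength of the successful MOD in the log.

```python
# Added example, not slapd or Samba code: a toy model of slapd.conf ACL
# evaluation. Assumptions: a bare dn="..." is an unanchored regex against the
# normalized (trimmed, lowercased) DN; the first matching "access to" decides
# and its first matching "by" wins, otherwise access is "none"; ADD is judged
# on the parent entry, MODIFY on the entry itself.
import re

LEVELS = {"none": 0, "auth": 1, "compare": 2, "search": 3, "read": 4, "write": 5}

ACCESS_RE = re.compile(r'^access\s+to\s+dn(?:\.(\w+))?="([^"]*)"$')
BY_RE = re.compile(r'^by\s+(?:(\*)|dn(?:\.(\w+))?="([^"]*)")\s+(\w+)$')

# The ACL from the post (with the "write" level the successful MOD implies)
# and the dn.subtree form suggested in the reply. Both constructed here.
BROKEN_ACL = """
access to dn="(.),ou=idmap,dc=example,dc=com"
        by dn="cn=winbind,dc=example,dc=com" write
        by * read
"""
FIXED_ACL = """
access to dn.subtree="ou=idmap,dc=example,dc=com"
        by dn.exact="cn=winbind,dc=example,dc=com" write
        by * read
"""
WINBIND = "cn=winbind,dc=example,dc=com"
# DN of the ADD that failed with err=50 in the posted slapd log
NEW_ENTRY = "SAMBASID=S-1-5-32-546,OU=IDMAP,DC=EXAMPLE,DC=COM"


def norm(dn):
    """Normalize a DN for comparison in this model: trim and lowercase each RDN."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parent(dn):
    """Parent DN, i.e. everything after the first RDN ('' for a one-RDN DN)."""
    dn = norm(dn)
    return dn.split(",", 1)[1] if "," in dn else ""


def dn_matches(style, pattern, dn):
    """Does <dn> match a dn[.style]="pattern" clause?"""
    dn = norm(dn)
    if style == "regex":
        return re.search(pattern, dn, re.IGNORECASE) is not None
    pattern = norm(pattern)
    if style == "exact":
        return dn == pattern
    if style == "subtree":      # the base entry itself and everything below it
        return dn == pattern or dn.endswith("," + pattern)
    if style == "children":     # everything below the base, but not the base
        return dn.endswith("," + pattern)
    raise ValueError(f"unsupported dn style: {style}")


def parse_acls(conf):
    """Parse the small subset of slapd.conf ACL syntax used above."""
    acls = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = ACCESS_RE.match(line)
        if m:
            acls.append({"style": m.group(1) or "regex", "pattern": m.group(2), "by": []})
            continue
        m = BY_RE.match(line)
        if m and acls:
            star, style, pattern, level = m.groups()
            if level not in LEVELS:
                raise ValueError(f"unknown access level: {level}")
            who = None if star else (style or "regex", pattern)
            acls[-1]["by"].append((who, level))
            continue
        raise ValueError(f"unsupported ACL line: {raw!r}")
    return acls


def access_level(acls, bind_dn, target_dn):
    """Access level the bind DN gets on the target entry under these ACLs."""
    for acl in acls:
        if not dn_matches(acl["style"], acl["pattern"], target_dn):
            continue
        for who, level in acl["by"]:
            if who is None or dn_matches(who[0], who[1], bind_dn):
                return level
        return "none"   # target matched but no "by" clause matched
    return "none"       # no directive matched the target


def can_modify(acls, bind_dn, dn):
    return LEVELS[access_level(acls, bind_dn, dn)] >= LEVELS["write"]


def can_add(acls, bind_dn, new_dn):
    """ADD is decided on the parent entry, which is what the log complains about."""
    return can_modify(acls, bind_dn, parent(new_dn))


if __name__ == "__main__":
    for name, conf in (("posted regex ACL", BROKEN_ACL), ("dn.subtree ACL", FIXED_ACL)):
        acls = parse_acls(conf)
        print(f"{name}: MOD cn=IdPool -> {can_modify(acls, WINBIND, 'cn=IdPool,ou=Idmap,dc=example,dc=com')},"
              f" ADD {NEW_ENTRY} -> {can_add(acls, WINBIND, NEW_ENTRY)}")
```

Running it shows the regex form granting write on the children of ou=idmap but not on ou=idmap itself, which is exactly the err=50 on the ADD, while dn.subtree covers the container and its children without extending write access to dc=example,dc=com, and an unrelated bind DN still only gets read. Two practical notes for a real slapd.conf: the ou=idmap directive has to appear before any broader "access to" directive, because the first matching target wins, and "by * read" lets any client, anonymous included, read the SID-to-uid mapping, so if only winbind needs it, "by users read" or "by * none" is the tighter choice.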