Samba binding anonymously (was: Re: [Samba] smbldap-tools not playing nice w/ samba ?)
Ben Davis
ben at xsusio.com
Fri Apr 8 23:16:43 GMT 2005
After looking at this further, I realized I had only grepped the log
for the last connection that I saw. What happened was samba opened up a
connection (conn=20538), and after that a new connection (conn=20539)
was opened up, the conn=20539 connection was the one that _added_ the
machine account... and it looks like samba did some further operations
on the 20538 connection, the last of which is a search for the machine
user. So, Tony, I stand corrected!
I discovered that the reason this search failed is that samba was
binding anonymously on the 20538 connection, and my ACLs are set up to
deny access for anonymous binds. My conf file is set up to bind with
the cn=Manager DN. Why would Samba ever bind to LDAP anonymously?
Tony Earnshaw wrote:
>tor, 07.04.2005 kl. 20.10 skrev Ben Davis:
>
>>I tried this and it still did not work. The problem as far as I can
>>tell is that samba is not even attempting to search for the user after
>>it adds it. The very last operations in my slapd.log after the error
>>occurred, were:
>
>This is not so:
>
>>conn=20539 op=1 SRCH base="dc=pca-wichita,dc=com" scope=2
>>filter="(&(objectClass=posixAccount)(uid=melisa$))"
>
>This is a search, scope sub, for
>(&(objectClass=posixAccount)(uid=melisa$))
>
>>conn=20539 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
>>conn=20539 op=2 SRCH
>
>This is the log entry that says that no object is found. I.e., there is
>either no combination of objectClass=posixAccount and uid=melisa$, or
>the LDAP ACL prohibits it being read.
>
>Do a search with 'ldapsearch -x' and the same filter. If it doesn't
>return anything, the object probably doesn't exist. Don't get led astray
>by nss, it's not used here.
>
>The samba ldapsam backend and tools (not idealx) are first class and
>brilliantly written.
>
>--Tonni
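The diagnosis above hinges on reading slapd's stats log per connection: the BIND on one conn number decides what a later SRCH on that same conn number is allowed to see, and with ACLs that deny anonymous reads an `err=0 nentries=0` result looks identical to "the object does not exist". The following is an added example (it is not code from this thread, from Samba, or from OpenLDAP) that walks stats-log lines, records which DN each connection ended up bound as, and flags searches that returned nothing on an anonymous connection. The sample log is constructed in the shape of OpenLDAP's loglevel 256 (stats) output to match Ben's corrected account: the conn numbers, base DN, manager DN and filter come from the thread; the fd numbers, IP addresses, the ADD entry DN and the final successful search are made up for illustration.

```python
"""Correlate OpenLDAP slapd stats-log lines by connection and flag searches
that returned no entries on an anonymously bound connection.

Added example, not code from the Samba thread, Samba or OpenLDAP.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample log (not a real capture). conn=20538 performs an anonymous
# simple bind (dn="") and then searches; conn=20539 binds as cn=Manager and
# adds the machine account. Only the thread's DNs/filter are real.
SAMPLE_LOG = """\
conn=20538 fd=12 ACCEPT from IP=127.0.0.1:33322 (IP=0.0.0.0:389)
conn=20538 op=0 BIND dn="" method=128
conn=20538 op=0 RESULT tag=97 err=0 text=
conn=20539 fd=13 ACCEPT from IP=127.0.0.1:33323 (IP=0.0.0.0:389)
conn=20539 op=0 BIND dn="cn=Manager,dc=pca-wichita,dc=com" method=128
conn=20539 op=0 RESULT tag=97 err=0 text=
conn=20539 op=1 ADD dn="uid=melisa$,ou=Computers,dc=pca-wichita,dc=com"
conn=20539 op=1 RESULT tag=105 err=0 text=
conn=20538 op=1 SRCH base="dc=pca-wichita,dc=com" scope=2 filter="(&(objectClass=posixAccount)(uid=melisa$))"
conn=20538 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
conn=20539 op=2 SRCH base="dc=pca-wichita,dc=com" scope=2 filter="(&(objectClass=posixAccount)(uid=melisa$))"
conn=20539 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
"""

# Only lines that carry an operation number are interesting here.
CONN_OP = re.compile(r'^conn=(\d+) op=(\d+) (.*)$')
BIND_DN = re.compile(r'^BIND dn="([^"]*)"')
BIND_RESULT = re.compile(r'^RESULT tag=97 err=(\d+)')       # tag 97 = BindResponse
SRCH = re.compile(r'^SRCH base="([^"]*)" scope=(\d) filter="(.*)"$')
SRCH_RESULT = re.compile(r'^SEARCH RESULT tag=101 err=(\d+) nentries=(\d+)')


@dataclass
class Search:
    conn: int
    op: int
    bind_dn: Optional[str]   # None: no BIND ever seen on this conn (anonymous too)
    base: str
    scope: int
    filter: str
    err: Optional[int] = None
    nentries: Optional[int] = None

    @property
    def anonymous(self) -> bool:
        # Both a never-bound connection and an explicit dn="" bind are anonymous.
        return not self.bind_dn


def parse_stats_log(text: str) -> List[Search]:
    """Return every SRCH in the log, annotated with the identity its connection
    was bound as at the time and with the matching SEARCH RESULT."""
    pending_bind: Dict[int, str] = {}            # conn -> DN offered in BIND
    bind_dn: Dict[int, str] = {}                 # conn -> DN of last *successful* bind
    pending: Dict[Tuple[int, int], Search] = {}  # (conn, op) -> SRCH awaiting result
    searches: List[Search] = []
    for line in text.splitlines():
        m = CONN_OP.match(line)
        if not m:
            continue
        conn, op, rest = int(m.group(1)), int(m.group(2)), m.group(3)
        if (b := BIND_DN.match(rest)):
            pending_bind[conn] = b.group(1)
        elif (br := BIND_RESULT.match(rest)):
            # A failed bind leaves the connection anonymous (RFC 4511 4.2.1).
            dn = pending_bind.pop(conn, "")
            bind_dn[conn] = dn if int(br.group(1)) == 0 else ""
        elif (s := SRCH.match(rest)):
            srch = Search(conn, op, bind_dn.get(conn), s.group(1), int(s.group(2)), s.group(3))
            pending[(conn, op)] = srch
            searches.append(srch)
        elif (r := SRCH_RESULT.match(rest)):
            srch = pending.pop((conn, op), None)
            if srch is not None:
                srch.err, srch.nentries = int(r.group(1)), int(r.group(2))
    return searches


def suspicious_empty_searches(searches: List[Search]) -> List[Search]:
    """Searches that came back empty (err=0, nentries=0) on an anonymous
    connection. Under deny-anonymous ACLs this is exactly the case that is
    indistinguishable from 'no such object' without looking at the BIND."""
    return [s for s in searches if s.err == 0 and s.nentries == 0 and s.anonymous]


if __name__ == "__main__":
    for s in suspicious_empty_searches(parse_stats_log(SAMPLE_LOG)):
        print(f"conn={s.conn} op={s.op}: empty result for {s.filter} "
              f"while bound as {s.bind_dn!r} (anonymous)")
```

Two practical notes. First, the script keys on the conn number, not on adjacency, which is the mistake that started the thread: the ADD and the SRCH can interleave across two connections. Second, `ldapsearch -x` with no `-D` is itself an anonymous simple bind, so it reproduces the failing case rather than proving the object is absent; rerunning the same filter with `-D "cn=Manager,dc=pca-wichita,dc=com" -W` separates "does not exist" from "ACL hides it from anonymous".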