Samba binding anonymously (was: Re: [Samba] smbldap-tools not playing nice w/ samba ?)

Ben Davis ben at xsusio.com
Fri Apr 8 23:16:43 GMT 2005


After looking at this further, I realized I had only grepped the log
for the last connection that I saw. What happened was samba opened up a
connection (conn=20538), and after that a new connection (conn=20539)
was opened up, the conn=20539 connection was the one that _added_ the
machine account... and it looks like samba did some further operations
on the 20538 connection, the last of which is a search for the machine
user. So, Tony, I stand corrected!

I discovered that the reason this search failed is because samba was
binding anonymously on the 20538 connection, and my ACLs are set up to
deny access for anonymous binds. My conf file is set up to bind with
the cn=Manager dn. Why would Samba ever bind to ldap anonymously?


Tony Earnshaw wrote:

>Thu, 07.04.2005 at 20.10, Ben Davis wrote:
>
>>I tried this and it still did not work. The problem as far as I can
>>tell is that samba is not even attempting to search for the user after
>>it adds it. The very last operations in my slapd.log after the error
>>occurred, were:
>
>This is not so:
>
>>conn=20539 op=1 SRCH base="dc=pca-wichita,dc=com" scope=2 
>>filter="(&(objectClass=posixAccount)(uid=melisa$))"
>
>This is a search, scope sub, for
>(&(objectClass=posixAccount)(uid=melisa$))
>
>>conn=20539 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
>>conn=20539 op=2 SRCH 
>
>This is the log entry that says that no object is found. I.e., there is
>either no combination of objectClass=posixAccount and uid=melisa$, or
>the LDAP ACL prohibits it being read.
>
>Do a search with 'ldapsearch -x' and the same filter. If it doesn't
>return anything, the object probably doesn't exist. Don't get led astray
>by nss, it's not used here.
>
>The samba ldapsam backend and tools (not idealx) are first class and
>brilliantly written.
>
>--Tonni



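Added example (not part of the original message, and not Samba or OpenLDAP code): a Python script that groups slapd log lines by connection, as the message above does by hand with grep, and reports searches that returned nentries=0 on a connection whose bind DN is empty (anonymous). The log lines are constructed; the full Manager DN, the ou=Computers entry and the function name are assumptions.

```python
import re
from collections import defaultdict

# Constructed slapd "stats"-level log lines (not taken from the original post).
# The full Manager DN and the ou=Computers entry are assumptions.
SAMPLE_LOG = '''\
conn=20538 op=0 BIND dn="" method=128
conn=20538 op=0 RESULT tag=97 err=0 text=
conn=20539 op=0 BIND dn="cn=Manager,dc=pca-wichita,dc=com" method=128
conn=20539 op=0 RESULT tag=97 err=0 text=
conn=20539 op=1 ADD dn="uid=melisa$,ou=Computers,dc=pca-wichita,dc=com"
conn=20539 op=1 RESULT tag=105 err=0 text=
conn=20538 op=1 SRCH base="dc=pca-wichita,dc=com" scope=2 filter="(&(objectClass=posixAccount)(uid=melisa$))"
conn=20538 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
conn=20539 op=2 SRCH base="dc=pca-wichita,dc=com" scope=2 filter="(uid=melisa$)"
conn=20539 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
'''

LINE = re.compile(r'conn=(\d+) op=(\d+) (.*)')
BIND = re.compile(r'BIND dn="([^"]*)"')
SRCH = re.compile(r'SRCH .*filter="(.*)"')
DONE = re.compile(r'SEARCH RESULT .*nentries=(\d+)')

def empty_anonymous_searches(log_text):
    """Return (conn, op, filter) for each search that found nothing on a
    connection whose most recent bind DN is empty (anonymous)."""
    # conn -> last bind DN seen. A connection that never sent a BIND is
    # anonymous too, hence the "" default. Bind results are not checked.
    bound_as = defaultdict(str)
    pending = {}                  # (conn, op) -> filter of a search in flight
    hits = []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        conn, op, rest = int(m.group(1)), int(m.group(2)), m.group(3)
        if (b := BIND.match(rest)):
            bound_as[conn] = b.group(1)
        elif (s := SRCH.match(rest)):
            pending[(conn, op)] = s.group(1)
        elif (d := DONE.match(rest)):
            flt = pending.pop((conn, op), None)
            if flt is not None and d.group(1) == "0" and bound_as[conn] == "":
                hits.append((conn, op, flt))
    return hits

if __name__ == "__main__":
    for conn, op, flt in empty_anonymous_searches(SAMPLE_LOG):
        print(f"conn={conn} op={op}: anonymous search, 0 entries, filter={flt}")
```

A hit means the empty result may come from an ACL that denies anonymous reads rather than from a missing entry, so repeat the search with an authenticated bind before concluding the object does not exist.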