[Samba] Adding local group -> Access denied

Tony Earnshaw tonye at billy.demon.nl
Mon Apr 25 21:05:32 GMT 2005

Mon, 25.04.2005 at 17.48, Holger Wesser wrote:

> short question: I try to add a local group via the NT-Usermanager
> ("usrmgr.exe"), but every time I get an "Access denied". Adding a global
> group works. I'm logged on as "Administrator". I'm running Samba 3.0.14a
> on Debian Sarge (testing) with the smbldap-tools (v0.8.8).
> What could I have done wrong?

Basically using LDAP and the smbldap-tools (v0.8.8) knowing what they
do, how they do it or having read through *all* the official Samba
documentation and done everything in it. Had you done so (judging that
tens of thousands have got it to work before you) it would work for you.

That having been said (my bounden duty to the Samba team), I have always
contended and still contend that the idealx smbldap-tools (whichever
version whatever) are UTTERLY USELESS to an LDAP pro who already has an
LDAP DSA running with a completely different DIT to which the idealx and
Samba people might decree.

However, the good news is, that whichever sysadmin:

a: first understands LDAP (at least several months experience for any
other use than Samba whatsoever)
b: second has had a concentrated look at Samba 3 utils and daemons;
c: third has a reasonable experience in awk, shell and sed scripting
(each of awk and sed one can teach oneself in a weekend, shell costs one
years, learn it first)

doesn't need the idealx tools.

Not needing the idealx tools means that the sysadmin is free to choose
his own LDAP DIT as he/she has already implemented it (long before
having started with Samba 3). The Samba daemons and utils of all kinds
do not need the idealx tools, they work perfectly without them. They
(the Samba daemons and utils) were implemented by prophets of the true
way. idealx has to drag itself, groaning, to the heights that these
magnificent tools reached some time ago.

The Samba people don't need teaching, the idealx people need training in
what LDAP is. They seem to be utterly ignorant, as to that extent.

No, John H. T. I have not contacted the idealx people. That would be
useless. There are several thousand others besides me who find idealx's
method perfect, then there's me that doesn't. The difference is, that I
already had my DIT (multiple user bases, multiple group bases and much
more. Samba isn't there for LDAP, LDAP is there for Samba) and had to
make it work with Samba, not the other way around. So I can't use the
"on the fly" Samba scripts, I have to do things by hand. No skin off my


