[Samba] Srvtools causes smbldap_open: cannot access LDAP when not root
Doug Campbell
dcampbell at zonemail.net
Mon Feb 28 07:47:43 GMT 2005
> > I am using Samba 3.0.10-1 on Fedora Core 3. Most everything seems to be
> > working as I expect it to except when I try to use the srvtools package to
> > administrate the users and groups in the domain.
> >
> > I want to check and see whether maybe I am just misunderstanding usage as
> > opposed to there being a configuration problem.
> >
> > If I log into my workstation as Administrator, either the local account
> > or into the domain. I can administrate the server using the srvtools.
> >
> > But if I login as a user who is in the Administrators group, Domain Admins
> > group and I even added the user to the root group and I try to run
> > srvtools. I can view all the settings but when I try to submit changes I
> > get the following error showing up in the smbd.log file:
> >
> > smbldap_open: cannot access LDAP when not root...
> >
> >
> > Is this normal? I would think that Samba would check and see that I am a
> > part of the Domain Admins group and allow the changes I have submitted
> > but it doesn't want to allow anyone but root to access LDAP.
> >
> > Appreciate any insight on this.
>
> As which user (Unix) is slapd (presume this is OpenLDAP) running?
> Do you have an 'ldap admin dn' entry in smb.conf with rights to all LDAP
> ACLs?
>
> I.e., I don't have this problem with Samba 3.0.11/OL 2.2.17-23 and didn't
> with 3.0.7, either.
My smb.conf file does have the ldap admin dn entry. The relevant section of
my smb.conf file is as follows:
[global]
workgroup = SWRO
netbios name = snoopy
server string = Snoopy Samba-LDAP PDC Server
domain logons = yes
os level = 20
preferred master = yes
domain master = yes
local master = yes
encrypt passwords = yes
wins support = yes
username map = /etc/samba/smbusers
; SAMBA-LDAP declarations
passdb backend = ldapsam:ldap://127.0.0.1/
ldap admin dn = cn=Manager,dc=swro,dc=local
ldap suffix = dc=swro,dc=local
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
add user script = /usr/local/sbin/smbldap-useradd -m "%u"
ldap delete dn = Yes
add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u"
Also, /etc/samba/smbusers is:
# Unix_name = SMB_name1 SMB_name2 ...
root = administrator admin
nobody = guest pcguest smbguest
So I can join the domain without problem. I can even use the SRVTOOLS when
logged in as administrator which because of smbusers file is really just an
alias for root. But if I log in as user dcampbell who is in the Domain
Admins group, I can't use the SRVTOOLS.
Is this what you say you have working for you?
Also, I just noticed that Samba 3.0.11 came out with the ability to assign
privileges. This seems to indicate to me that previously, it may have not
been possible to do what I want to do.
I went ahead and upgraded and made the necessary changes and now I can log
in as dcampbell who is in the Domain Admins group and be able to use the
SRVTOOLS package.
I am curious to know if you really are indeed logging in as a user that
isn't somehow aliased as root because I would like to make sure I
understand how Samba is supposed to handle this.
Thanks!
Doug Campbell
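
Added example, not part of the original post or of Samba's own code: the message explains that "administrator" only works because /etc/samba/smbusers aliases it to root, so this sketch parses a username map and lists every SMB name that ends up running as root. The function names, the constructed sample map, and the choice to treat only "root" as privileged are assumptions.

```python
import re

# Constructed sample in the "username map" format of the smbusers file quoted
# above; the last three lines are added for illustration only.
SAMPLE_MAP = """\
# Unix_name = SMB_name1 SMB_name2 ...
root = administrator admin
nobody = guest pcguest smbguest
!jsmith = "John Smith"
root = @wheel
guest = *
"""

PRIVILEGED = {"root"}  # assumption: only the Unix account "root" counts as privileged


def parse_username_map(text):
    """Yield (lineno, unix_name, smb_names, stop_on_match) for each mapping line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        stop = line.startswith("!")          # '!' stops map processing after a match
        unix_name, sep, rest = line.lstrip("!").partition("=")
        if not sep:                          # no '=': not a mapping line
            continue
        # Double-quoted SMB names may contain spaces; backslashes are kept as-is.
        names = [q or w for q, w in re.findall(r'"([^"]*)"|(\S+)', rest)]
        yield lineno, unix_name.strip(), names, stop


def audit_username_map(text):
    """Return (lineno, smb_name, unix_name, reason) for names that become privileged."""
    findings = []
    for lineno, unix_name, names, _stop in parse_username_map(text):
        if unix_name not in PRIVILEGED:
            continue
        for name in names:
            if name == "*":
                reason = "wildcard: every client name not matched earlier"
            elif name.startswith(("@", "+", "&")):
                reason = "group or netgroup: all of its members"
            else:
                reason = "single SMB name aliased to the account"
            findings.append((lineno, name, unix_name, reason))
    return findings


if __name__ == "__main__":
    for finding in audit_username_map(SAMPLE_MAP):
        print("line %d: %s -> %s (%s)" % finding)
```

Run against a real map by passing the file's contents to audit_username_map(); any name it reports acts with the mapped Unix account's rights, bypassing per-user privilege assignment.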