[Samba] Add machine as non-root (was: Samba LDAP and add machine script problems)

Mark Roach mrroach at okmaybe.com
Tue Jan 25 22:22:09 GMT 2005


On Mon, 2005-01-24 at 18:18 +0100, Tony Earnshaw wrote:
> Geoff Scott:
> >
> > root# cd /var/lib/samba/sbin
> > root# ./smbldap-usermod.pl -u 0 Administrator
> >
> >
> > OK. I see the criticism, but where's your solution?  You know, on the
> >
> Bottom line: Ignacio Coupeau tells you (blam) right out that your LDAP
> admin user has to have a uidnumber and gidnumber attribute both of 0 and
> you'd better believe him, since otherwise nothing works from XP/2000's
> side. 


> So. I end up with an LDAP "root" with uidnumber 0, gidnumber 0, who may
> well have another password than the /etc/passwd root, but who gets the job
> done (i.e. enabling XP/2000 Windows domain logons). I find this abhorrent,
> but "the boss" pays me, and my job is to provide the solutions for which
> he pays my beer.

I too hate this. It seems to be a hardcoded rule though, perhaps one
that can be patched around. As a test, I tried "chown -R :Domain\
Admins /var/lib/samba" and "chmod -R g+rw /var/lib/samba" and running
"smbpasswd -L -m -a test$" as a non-root user in the Domain Admins
group. It whines and moans about not being able to perform the operation
as non-root. However, if as the same user, you run the command as
"fakeroot smbpasswd -L -m -a test$" it works fine. 

When performing a join, samba doesn't even try to run the machine add
script unless the user is root. Maybe someone who knows the code can
remove that check or make an "allow non root join pretty please"
option...


