[Samba] Srvtools causes smbldap_open: cannot access LDAP when not root

Sergey Loskutov lsm at tts.magadan.su
Tue Mar 1 00:04:27 GMT 2005


Tony Earnshaw:
> Doug Campbell:
> 
> [...]
> 
> 
>>>>smbldap_open: cannot access LDAP when not root...
> 
> 
> [...]
> 
> 
>>>As which user (Unix) is slapd (presume this is OpenLDAP) running?
>>>Do you have an 'ldap admin dn' entry in smb.conf with rights to all LDAP
>>> ACLs?
>>>
>>>
>>>I.e., I don't have this problem with Samba 3.0.11/OL 2.2.17-23 and
>>>didn't with 3.0.7, either.
>>
>>My smb.conf file does have the ldap admin dn entry.  The relevant section
>>of my smb.conf file is as follows:
> 
> 
> [...]
> 
> Again, as which Unix user is slapd running? Who is the owner of your DB
> files, config files, etc.? What are the permissions on them? Have you
> certificates (i.e. the CA cert) or anything that smbd has to try to read
> that can only be read by root? Is "cn=Manager,dc=swro,dc=local" a proxy
> user in your DIT, or the rootdn user in slapd.conf (it's better to make a
> proxy user in the DIT and comment out the rootdn). Can a normal user run
> ldapsearch, for example, without being root? Etc. ;)
> 
> 
> --Tonni
> 
> --
> mail: tonye at billy.demon.nl
> http://www.billy.demon.nl
> 

Hello!

Samba has the following code in smbldap.c:

#ifndef NO_LDAP_SECURITY
if (geteuid() != 0) {
  DEBUG(0, ("smbldap_open: cannot access LDAP when not root..\n"));
  return  LDAP_INSUFFICIENT_ACCESS;
}
#endif

If your user account does not have uid=0, you will sometimes have the
problem described above.


If you have the following lines in smb.conf and the user has these
privileges, this code takes effect:

---------------------------
smb.conf:

[global]
  map to guest = Bad User
  enable privileges = Yes
---------------------------
User account:

SeMachineAccountPrivilege:  if you enter the domain as guest
SeAddUsersPrivilege:  if you try to create a group or change user membership

not tested:
SePrintOperatorPrivilege
SeRemoteShutdownPrivilege
SeDiskOperatorPrivilege


Better ask what "uid" :)

Who will write the bug report? ;)


Best regards,
Loskutov Sergey


