[Samba] Srvtools causes smbldap_open: cannot access LDAP when not root
Sergey Loskutov
lsm at tts.magadan.su
Tue Mar 1 00:04:27 GMT 2005
Tony Earnshaw:
> Doug Campbell:
>
> [...]
>
>
>>>>smbldap_open: cannot access LDAP when not root...
>
>
> [...]
>
>
>>>As which user (Unix) is slapd (presume this is OpenLDAP) running?
>>>Do you have an 'ldap admin dn' entry in smb.conf with rights to all LDAP
>>> ACLs?
>>>
>>>
>>>I.e., I don't have this problem with Samba 3.0.11/OL 2.2.17-23 and
>>>didn't with 3.0.7, either.
>>
>>My smb.conf file does have the ldap admin dn entry. The relevant section
>>of my smb.conf file is as follows:
>
>
> [...]
>
> Again, as which Unix user is slapd running? Who is the owner of your DB
> files, config files, etc.? What are the permissions on them? Have you
> certificates (i.e. the CA cert) or anything that smbd has to try to read
> that can only be read by root? Is "cn=Manager,dc=swro,dc=local" a proxy
> user in your DIT, or the rootdn user in slapd.conf (it's better to make a
> proxy user in the DIT and comment out the rootdn). Can a normal user run
> ldapsearch, for example, without being root? Etc. ;)
>
>
> --Tonni
>
> --
> mail: tonye at billy.demon.nl
> http://www.billy.demon.nl
>
Hello!
Samba has the following code in smbldap.c:
#ifndef NO_LDAP_SECURITY
	if (geteuid() != 0) {
		DEBUG(0, ("smbldap_open: cannot access LDAP when not root..\n"));
		return LDAP_INSUFFICIENT_ACCESS;
	}
#endif
If your user account does not have uid=0, sometimes you have the problem
described above.
If you have the following lines in smb.conf and the user has the above
privileges, this code takes effect:
---------------------------
smb.conf:
[global]
map to guest = Bad User
enable privileges = Yes
---------------------------
User account:
SeMachineAccountPrivilege: if you enter the domain as guest
SeAddUsersPrivilege: if you try to create a group or change users' membership
not tested:
SePrintOperatorPrivilege
SeRemoteShutdownPrivilege
SeDiskOperatorPrivilege
Better to ask which "uid" :)
Who will write the bug report? ;)
Best regards,
Loskutov Sergey
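
A check for the smb.conf combination named in the message above, as an added example that is not part of the original post or of Samba. The function names and the accepted boolean spellings (yes/true/1) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Samba code. Reads an smb.conf and reports whether the
# [global] section carries both settings quoted in the post above.

# Print "key=value" (lower-cased, whitespace removed from the key) for the
# two parameters of interest; parameter names are matched without regard
# to case or embedded spaces.
global_params() {
    awk '
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }      # comments, blank lines
        /^[ \t]*\[/ {                             # section header
            sec = tolower($0)
            gsub(/^[ \t]*\[[ \t]*|[ \t]*\].*$/, "", sec)
            next
        }
        sec == "global" {
            eq = index($0, "=")
            if (eq == 0) next
            key = tolower(substr($0, 1, eq - 1))
            val = tolower(substr($0, eq + 1))
            gsub(/[ \t]/, "", key)
            gsub(/^[ \t]+|[ \t\r]+$/, "", val)
            if (key == "enableprivileges" || key == "maptoguest")
                print key "=" val
        }
    ' "$1"
}

# Return 0 when the last value of each parameter matches the combination
# from the post (privileges enabled, map to guest = Bad User), else 1.
has_reported_combo() {
    params=$(global_params "$1")
    priv=$(printf '%s\n' "$params" | sed -n 's/^enableprivileges=//p' | tail -n 1)
    guest=$(printf '%s\n' "$params" | sed -n 's/^maptoguest=//p' | tail -n 1)
    case "$priv" in
        yes|true|1) ;;          # assumed truthy spellings
        *) return 1 ;;
    esac
    [ "$guest" = "bad user" ]
}

# Stand-alone use: pass the path of an smb.conf as the first argument.
if [ -n "${1:-}" ]; then
    if has_reported_combo "$1"; then echo "combination present"; else echo "combination absent"; fi
fi
```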