[Samba] Srvtools causes smbldap_open: cannot access LDAP when not root

Sergey Loskutov lsm at tts.magadan.su
Tue Mar 1 00:04:27 GMT 2005

Tony Earnshaw:
> Doug Campbell:
> [...]
>>>>smbldap_open: cannot access LDAP when not root...
> [...]
>>>As which user (Unix) is slapd (presume this is OpenLDAP)running?
>>>Do you have an 'ldap admin dn' entry in smb.conf with rights to all LDAP
>>> ACLs?
>>>I.e., I don't have this problem with Samba 3.0.11/OL 2.2.17-23 and
>>>didn't with 3.0.7, either.
>>My smb.conf file does have the ldap admin dn entry.  The relevant section
>>of my smb.conf file is as follows:
> [...]
> Again, as which Unix user is slapd running? Who is the owner of your DB
> files, config files, etc.? What are the permissions on them? Have you
> certificates (i.e. the CA cert) or anything that smbd has to try to read
> that can only be read by root? Is "cn=Manager,dc=swro,dc=local" a proxy
> user in your DIT, or the rootdn user in slapd.conf (it's better to make a
> proxy user in the DIT and comment out the rootdn). Can a normal user run
> ldapsearch, for example, without being root? Etc. ;)
> --Tonni
> --
> mail: tonye at billy.demon.nl
> http://www.billy.demon.nl


Samba has the following code in smbldap.c:

if (geteuid() != 0) {
  DEBUG(0, ("smbldap_open: cannot access LDAP when not root..\n"));

If your user account does not have uid=0, you will sometimes have the
problem described above.

If you have the following lines in smb.conf and the user has the above
privileges, this code takes effect:


  map to guest = Bad User
  enable privileges = Yes

User account:

SeMachineAccountPrivilege:  if you enter the domain as guest
SeAddUsersPrivilege:  if you try to create a group or change users' membership

not tested:

Better ask what "uid" :)

Who will write the bug report? ;)

Best regards,
Loskutov Sergey
