[Samba] Srvtools causes smbldap_open: cannot access LDAP when not root

Doug Campbell doug at bpta.net
Tue Mar 1 01:01:16 GMT 2005

> Doug Campbell:
> [...]
> >>> smbldap_open: cannot access LDAP when not root...
> [...]
> >> As which user (Unix) is slapd (presume this is OpenLDAP) running?
> >> Do you have an 'ldap admin dn' entry in smb.conf with rights to all LDAP
> >> ACLs?
> >>
> >>
> >> I.e., I don't have this problem with Samba 3.0.11/OL 2.2.17-23 and
> >> didn't with 3.0.7, either.
> >
> > My smb.conf file does have the ldap admin dn entry.  The relevant section
> > of my smb.conf file is as follows:
> [...]
> Again, as which Unix user is slapd running? Who is the owner of your DB
> files, config files, etc.? What are the permissions on them? Have you
> certificates (i.e. the CA cert) or anything that smbd has to try to read
> that can only be read by root? Is "cn=Manager,dc=swro,dc=local" a proxy
> user in your DIT, or the rootdn user in slapd.conf (it's better to make a
> proxy user in the DIT and comment out the rootdn). Can a normal user run
> ldapsearch, for example, without being root? Etc. ;)

Sorry, I forgot to put some of these answers in last time :(

slapd appears to be running as user ldap when I run ps aux.

I enabled it to start automatically on boot up using the chkconfig utility
in FC3.

All config files are owned by root and have root as their group, with the one
exception of slapd.conf, which has ldap as its group.

The DB files are owned by ldap and the group is ldap.

I don't have any certificates to deal with as I am not using SSL/TLS.  I
actually tried to do this as a learning exercise but couldn't get it to work
based on the documentation I read.

"cn=Manager,dc=swro,dc=local" is the rootdn user in slapd.conf

I wanted to have a proxy user, but again, when I tried using the example
slapd.conf files for ACLs, they never worked even though I followed the
examples as given.

If I just type ldapsearch at the console, it will prompt me for a password.
I don't know what password it is asking for, though.  I tried all that I have
used and there is still no luck.  The error I get is "user not found: no
secret in database".  If instead I type ldapsearch -x, it displays
information from my LDAP store.  If I now switch users to a non-root user
and execute the same two commands, I also get the same two results.

Does that give a better idea of what might be wrong in my setup?



> --Tonni
> --
> mail: tonye at billy.demon.nl
> http://www.billy.demon.nl
