[Samba] Srvtools causes smbldap_open: cannot access LDAP when not root

Craig White craigwhite at azapple.com
Tue Mar 1 02:44:17 GMT 2005

On Tue, 2005-03-01 at 09:01 +0800, Doug Campbell wrote:
> > Doug Campbell:
> >
> > [...]
> >
> > >>> smbldap_open: cannot access LDAP when not root...
> >
> > [...]
> >
> > >> As which user (Unix) is slapd (presume this is OpenLDAP)running?
> > >> Do you have an 'ldap admin dn' entry in smb.conf with rights
> > to all LDAP
> > >>  ACLs?
> > >>
> > >>
> > >> I.e., I don't have this problem with Samba 3.0.11/OL 2.2.17-23 and
> > >> didn't with 3.0.7, either.
> > >
> > > My smb.conf file does have the ldap admin dn entry.  The
> > relevant section
> > > of my smb.conf file is as follows:
> >
> > [...]
> >
> > Again, as which Unix user is slapd running? Who is the owner of your DB
> > files, config files, etc.? What are the permissions on them? Have you
> > certificates (i.e. the CA cert) or anything that smbd has to try to read
> > that can only be read by root? Is "cn=Manager,dc=swro,dc=local" a proxy
> > user in your DIT, or the rootdn user in slapd.conf (it's better to make a
> > proxy user in the DIT and comment out the rootdn). Can a normal user run
> > ldapsearch, for example, without being root?Etc. ;)
> Sorry, I forgot to put some of these answers in last time :(
> slapd appears to be running as user ldap when I run  ps aux
> I enabled it to start automatically on boot up using the chkconfig utility
> in FC3.
> All config files are owned by root and have root as their group with the one
> exception of slapd.conf which has ldap as it's group
> The DB files are owned by ldap and the group is ldap.
> I don't have any certificates to deal with as I am not using SSL/TLS.  I
> actually tried to do this as a learning exercise but couldn't get it to work
> based on the documentation I read.
> "cn=Manager,dc=swro,dc=local" is the rootdn user in slapd.conf
> I wanted to have a proxy user but again when I tried using the example
> slapd.conf files for ACLs they never worked even though I followed the
> examples as given.
> if I just type ldapsearch at the console, it will prompt me for a password.
> I don't know what password it is asking though.  I tried all that I have
> used and there is still no luck.  The error I get is "user not found: no
> secret in database".  If instead I type ldapsearch -x.  It displays
> information from my ldap store.  If I now switch users to a non-root user
> and execute the same two commands, I also get the same two results.
> Does that give a better idea of what might be wrong in my setup?
LDAP is probably a mistake if user cannot comprehend basic ldap usage.

You need to get a mastery on ldapadd/ldapmodify/ldapsearch functions
before you commit your user db for the system - how in the world do you
expect to troubleshoot?

ldapsearch -x -h localhost -W - D 'cn=Manager,dc=swro,dc=local'

enter the password you used when you created your slapd.conf

don't know what password you used to when you created slapd.conf?

I definitely wouldn't/shouldn't/couldn't know that

when you figure that out...


probably shouldn't be using root-bind-dn user/password for samba but
since that would entail understanding what LDAP ACL's and general
security are about - it's your call.


More information about the samba mailing list