[Samba] Srvtools causes smbldap_open: cannot access LDAP when not root
Craig White
craigwhite at azapple.com
Tue Mar 1 02:44:17 GMT 2005
On Tue, 2005-03-01 at 09:01 +0800, Doug Campbell wrote:
> > Doug Campbell:
> >
> > [...]
> >
> > >>> smbldap_open: cannot access LDAP when not root...
> >
> > [...]
> >
> > >> As which user (Unix) is slapd (presume this is OpenLDAP)running?
> > >> Do you have an 'ldap admin dn' entry in smb.conf with rights
> > to all LDAP
> > >> ACLs?
> > >>
> > >>
> > >> I.e., I don't have this problem with Samba 3.0.11/OL 2.2.17-23 and
> > >> didn't with 3.0.7, either.
> > >
> > > My smb.conf file does have the ldap admin dn entry. The
> > relevant section
> > > of my smb.conf file is as follows:
> >
> > [...]
> >
> > Again, as which Unix user is slapd running? Who is the owner of your DB
> > files, config files, etc.? What are the permissions on them? Have you
> > certificates (i.e. the CA cert) or anything that smbd has to try to read
> > that can only be read by root? Is "cn=Manager,dc=swro,dc=local" a proxy
> > user in your DIT, or the rootdn user in slapd.conf (it's better to make a
> > proxy user in the DIT and comment out the rootdn). Can a normal user run
> > ldapsearch, for example, without being root? Etc. ;)
>
> Sorry, I forgot to put some of these answers in last time :(
>
> slapd appears to be running as user ldap when I run ps aux
>
> I enabled it to start automatically on boot up using the chkconfig utility
> in FC3.
>
> All config files are owned by root and have root as their group with the one
> exception of slapd.conf which has ldap as its group
>
> The DB files are owned by ldap and the group is ldap.
>
> I don't have any certificates to deal with as I am not using SSL/TLS. I
> actually tried to do this as a learning exercise but couldn't get it to work
> based on the documentation I read.
>
> "cn=Manager,dc=swro,dc=local" is the rootdn user in slapd.conf
>
> I wanted to have a proxy user but again when I tried using the example
> slapd.conf files for ACLs they never worked even though I followed the
> examples as given.
>
> if I just type ldapsearch at the console, it will prompt me for a password.
> I don't know what password it is asking though. I tried all that I have
> used and there is still no luck. The error I get is "user not found: no
> secret in database". If instead I type ldapsearch -x, it displays
> information from my ldap store. If I now switch users to a non-root user
> and execute the same two commands, I also get the same two results.
>
> Does that give a better idea of what might be wrong in my setup?
----
LDAP is probably a mistake if user cannot comprehend basic ldap usage.
You need to get a mastery on ldapadd/ldapmodify/ldapsearch functions
before you commit your user db for the system - how in the world do you
expect to troubleshoot?
ldapsearch -x -h localhost -W -D 'cn=Manager,dc=swro,dc=local' '(uid=*)'
enter the password you used when you created your slapd.conf
don't know what password you used when you created slapd.conf?
I definitely wouldn't/shouldn't/couldn't know that
when you figure that out...
smbpasswd -w PASSWD_THAT_YOU_USED_IN_SLAPD.CONF
probably shouldn't be using root-bind-dn user/password for samba but
since that would entail understanding what LDAP ACLs and general
security are about - it's your call.
Craig
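An added example, not part of the thread, for the last point Craig raises: a POSIX shell check that reads the "ldap admin dn" Samba binds with out of smb.conf and the rootdn out of slapd.conf and reports whether they are the same identity. The two smb.conf fragments, the slapd.conf and the proxy-user DN are constructed for the example.

```shell
#!/bin/sh
# Constructed configs: the first smb.conf binds Samba as the slapd rootdn
# (works, but every ACL is bypassed); the second uses a proxy user in the DIT.
SMB_CONF_ROOTDN='[global]
   passdb backend = ldapsam:ldap://localhost
   ldap admin dn = cn=Manager,dc=swro,dc=local
   ldap suffix = dc=swro,dc=local'

SMB_CONF_PROXY='[global]
   passdb backend = ldapsam:ldap://localhost
   ldap admin dn = cn=samba,ou=DSA,dc=swro,dc=local
   ldap suffix = dc=swro,dc=local'

SLAPD_CONF='suffix   "dc=swro,dc=local"
rootdn   "cn=Manager,dc=swro,dc=local"
rootpw   {SSHA}PLACEHOLDER_HASH'

# DN Samba binds with: the value of "ldap admin dn" (first match, trimmed).
smb_admin_dn() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*ldap admin dn[[:space:]]*=[[:space:]]*//p' |
        sed 's/[[:space:]]*$//' | head -n 1
}

# slapd's rootdn, with the optional surrounding double quotes removed.
slapd_rootdn() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*rootdn[[:space:]]*"\{0,1\}\([^"]*\)"\{0,1\}.*$/\1/p' |
        sed 's/[[:space:]]*$//' | head -n 1
}

# DNs compare case-insensitively; returns 0 when Samba would bind as rootdn.
samba_binds_as_rootdn() {
    a=$(smb_admin_dn "$1" | tr '[:upper:]' '[:lower:]')
    b=$(slapd_rootdn "$2" | tr '[:upper:]' '[:lower:]')
    if [ -n "$a" ] && [ "$a" = "$b" ]; then
        return 0
    fi
    return 1
}

# Report for each fragment.
for cfg in "$SMB_CONF_ROOTDN" "$SMB_CONF_PROXY"; do
    if samba_binds_as_rootdn "$cfg" "$SLAPD_CONF"; then
        echo "WARN: $(smb_admin_dn "$cfg") is the slapd rootdn; use a proxy user under ACLs"
    else
        echo "OK:   $(smb_admin_dn "$cfg") is not the rootdn"
    fi
done
```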