[Samba] SAMBA3 + LDAP = Round 5 :(((

benjamin.dupuis at armorarena-fr.com
Tue Mar 22 10:20:58 GMT 2005


I've got:

# users can authenticate and change their password
access to attrs=userPassword,sambaNTPassword,sambaLMPassword
        by dn="cn=samba,ou=DSA,dc=arzur,dc=local" write
        by dn="cn=nssldap,ou=DSA,dc=arzur,dc=local" write
        by self write
        by anonymous auth

# the objectClass needed for everyone
access to attrs=objectClass,entry
        by dn="cn=samba,ou=DSA,dc=arzur,dc=local" read
        by dn="cn=nssldap,ou=DSA,dc=arzur,dc=local" read
        by dn="cn=postfix-auth,ou=DSA,dc=arzur,dc=local" read
        by self read

# some attributes need to be readable by everyone
access to attrs=uidNumber,gidNumber
        by dn="cn=samba,ou=DSA,dc=arzur,dc=local" write
        by dn="cn=nssldap,ou=DSA,dc=arzur,dc=local" read
        by self read

# some attributes can be writable by users themselves
access to attrs=description,telephoneNumber
        by dn="cn=samba,ou=DSA,dc=arzur,dc=local" write
        by self write
        by users read

# some attributes need to be readable so that 'id user' can answer correctly
access to attrs=@posixAccount,@posixGroup,@inetOrgPerson
        by dn="cn=samba,ou=DSA,dc=arzur,dc=local" write
        by dn="cn=nssldap,ou=DSA,dc=arzur,dc=local" read
        by self read

# some attributes need to be writable for samba
access to attrs=@sambaSamAccount,@sambaGroupMapping,@sambaTrustPassword,@sambaDomain,@sambaShare,@sambaConfigOption,@sambaPrivilege
        by dn="cn=samba,ou=DSA,dc=arzur,dc=local" write
        by self read

# samba need to be able to create the sambaDomain account and NextFreeUnixId
access to dn="dc=arzur,dc=local" attrs=children
        by dn="cn=samba,ou=DSA,dc=arzur,dc=local" write
access to dn="cn=NextFreeUnixId,dc=arzur,dc=local"
        by dn="cn=samba,ou=DSA,dc=arzur,dc=local" write
access to dn.one="dc=arzur,dc=local" filter="(objectClass=sambaDomain)"
        by dn="cn=samba,ou=DSA,dc=arzur,dc=local" write

# samba need to be able to create new users account
access to dn="ou=People,dc=arzur,dc=local"
        by dn="cn=samba,ou=DSA,dc=arzur,dc=local" write

# samba need to be able to create new groups account
access to dn="ou=Groups,dc=arzur,dc=local"
        by dn="cn=samba,ou=DSA,dc=arzur,dc=local" write

# samba need to be able to create new computers account
access to dn="ou=Computers,dc=arzur,dc=local"
        by dn="cn=samba,ou=DSA,dc=arzur,dc=local" write

# samba need to be able to create new idmap entries
access to dn="ou=Idmap,dc=arzur,dc=local"
        by dn="cn=samba,ou=DSA,dc=arzur,dc=local" write

# Default access rights
access to *
       by self read

Bruno Guerreiro wrote:

>Hi, I think I've found your problem.
>You've set rootbinddn cn=nssldap,ou=DSA,dc=ARZUR,dc=LOCAL but you didn't
>give that user LDAP admin rights.
>Have you done this? http://samba.idealx.org/smbldap-howto.en.html#htoc116
>And this? http://samba.idealx.org/smbldap-howto.en.html#htoc111
>Note that since you're using a root bind DN different from Manager, you
>must give it admin access. Something like 
>
>access to * by dn="cn=nssldap,ou=DSA,dc=ARZUR,dc=LOCAL" write
>
>This is a very WIDE configuration; you may restrict which objects your admin
>user can access, in order for it to have write permissions only on samba
>objects.
>Something like 
>
>access to attrs=sambaLogonTime,sambaLogoffTime,sambaKickoffTime,sambaPwdCanChange,sambaAcctFlags,displayName,sambaHomePath,sambaHomeDrive,sambaLogonScript,sambaProfilePath,sambaUserWorkstations,sambaPrimaryGroupSID,sambaDomainName,sambaSID,sambaGroupType,sambaNextRid,sambaNextGroupRid,sambaNextUserRid,sambaAlgorithmicRidBase,
>
>Best Regards,
>Bruno Guerreiro
>
>-----Original Message-----
>From: Poil [mailto:poil at own-you.com]
>Sent: Tuesday, 22 March 2005 8:55
>To: samba at lists.samba.org
>Subject: [Samba] SAMBA3 + LDAP = Round 5 :(((
>
>
>Okay, if anyone can help me, I put all my config and log on 
>http://www.arzurproduction.com/temp/
>
>I cannot join the domain on my Windows XP (Access Denied)
>
>So I tried:
>1- An Administrator user created by smbldap-populate; I have root = 
>Administrator in my /etc/samba/smbusers
>Error:
>[2005/03/21 10:09:03, 2] auth/auth.c:check_ntlm_password(312)
>  check_ntlm_password:  Authentication for user [administrator] -> [root] FAILED with error NT_STATUS_NO_SUCH_USER
>
>
>2- The same Administrator, but I commented out root = Administrator
>Error:
>[2005/03/22 09:47:04, 2] lib/smbldap.c:smbldap_open_connection(692)
>  smbldap_open_connection: connection opened
>[2005/03/22 09:47:04, 2] passdb/pdb_ldap.c:init_sam_from_ldap(518)
>  init_sam_from_ldap: Entry found for user: Administrator
>[2005/03/22 09:47:04, 2] passdb/pdb_ldap.c:init_group_from_ldap(2057)
>  init_group_from_ldap: Entry found for group: 512
>[2005/03/22 09:47:04, 2] auth/auth.c:check_ntlm_password(305)
>  check_ntlm_password:  authentication for user [administrator] -> [administrator] -> [Administrator] succeeded
>[2005/03/22 09:47:05, 2] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2482)
>  Returning domain sid for domain ARZUR-NT -> S-1-5-21-1874299889-3982645529-2160850509
>[2005/03/22 09:47:05, 2] rpc_server/srv_samr_nt.c:access_check_samr_object(93)
>  _samr_open_domain: ACCESS DENIED  (requested: 0x00000211)
>[2005/03/22 09:47:05, 2] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2482)
>  Returning domain sid for domain ARZUR-NT -> S-1-5-21-1874299889-3982645529-2160850509
>[2005/03/22 09:47:05, 2] rpc_server/srv_samr_nt.c:access_check_samr_function(115)
>  _samr_create_user: ACCESS DENIED (granted: 0x00000201;  required: 0x00000010)
>[2005/03/22 09:47:05, 2] smbd/server.c:exit_server(575)
>  Closing connections
>
>
>3- The same Administrator; I created a root LDAP user (same as the old 
>smbldap-tools)
>[2005/03/22 09:49:42, 2] lib/smbldap.c:smbldap_open_connection(692)
>  smbldap_open_connection: connection opened
>[2005/03/22 09:49:42, 2] passdb/pdb_ldap.c:init_sam_from_ldap(518)
>  init_sam_from_ldap: Entry found for user: root
>[2005/03/22 09:49:42, 2] passdb/pdb_ldap.c:init_group_from_ldap(2057)
>  init_group_from_ldap: Entry found for group: 513
>[2005/03/22 09:49:42, 2] auth/auth.c:check_ntlm_password(305)
>  check_ntlm_password:  authentication for user [administrator] -> [root] -> [root] succeeded
>[2005/03/22 09:49:43, 2] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2482)
>  Returning domain sid for domain ARZUR-NT -> S-1-5-21-1874299889-3982645529-2160850509
>[2005/03/22 09:49:43, 2] passdb/pdb_ldap.c:init_group_from_ldap(2057)
>  init_group_from_ldap: Entry found for group: 515
>[2005/03/22 09:49:43, 2] passdb/pdb_ldap.c:init_ldap_from_sam(929)
>  init_ldap_from_sam: Setting entry for user: poil-barebone$
>[2005/03/22 09:49:43, 1] passdb/pdb_ldap.c:ldapsam_modify_entry(1552)
>  ldapsam_modify_entry: Failed to modify user dn= uid=poil-barebone$,ou=Computers,dc=arzur,dc=local with: Insufficient access
>[2005/03/22 09:49:43, 0] passdb/pdb_ldap.c:ldapsam_add_sam_account(1994)
>  ldapsam_add_sam_account: failed to modify/add user with uid = poil-barebone$ (dn = uid=poil-barebone$,ou=Computers,dc=arzur,dc=local)
>[2005/03/22 09:49:43, 0] rpc_server/srv_samr_nt.c:_samr_create_user(2272)
>  could not add user/computer poil-barebone$ to passdb.  Check permissions?
>[2005/03/22 09:49:43, 2] smbd/server.c:exit_server(575)
>  Closing connections
>
>
>4- As root (LDAP root)
>[2005/03/22 09:50:21, 2] lib/smbldap.c:smbldap_open_connection(692)
>  smbldap_open_connection: connection opened
>[2005/03/22 09:50:21, 2] passdb/pdb_ldap.c:init_sam_from_ldap(518)
>  init_sam_from_ldap: Entry found for user: root
>[2005/03/22 09:50:21, 2] passdb/pdb_ldap.c:init_group_from_ldap(2057)
>  init_group_from_ldap: Entry found for group: 513
>[2005/03/22 09:50:21, 2] auth/auth.c:check_ntlm_password(305)
>  check_ntlm_password:  authentication for user [root] -> [root] -> [root] succeeded
>[2005/03/22 09:50:22, 2] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2482)
>  Returning domain sid for domain ARZUR-NT -> S-1-5-21-1874299889-3982645529-2160850509
>[2005/03/22 09:50:22, 2] passdb/pdb_ldap.c:init_group_from_ldap(2057)
>  init_group_from_ldap: Entry found for group: 515
>[2005/03/22 09:50:22, 2] passdb/pdb_ldap.c:init_ldap_from_sam(929)
>  init_ldap_from_sam: Setting entry for user: poil-barebone$
>[2005/03/22 09:50:22, 1] passdb/pdb_ldap.c:ldapsam_modify_entry(1552)
>  ldapsam_modify_entry: Failed to modify user dn= uid=poil-barebone$,ou=Computers,dc=arzur,dc=local with: Insufficient access
>[2005/03/22 09:50:22, 0] passdb/pdb_ldap.c:ldapsam_add_sam_account(1994)
>  ldapsam_add_sam_account: failed to modify/add user with uid = poil-barebone$ (dn = uid=poil-barebone$,ou=Computers,dc=arzur,dc=local)
>[2005/03/22 09:50:22, 0] rpc_server/srv_samr_nt.c:_samr_create_user(2272)
>  could not add user/computer poil-barebone$ to passdb.  Check permissions?
>[2005/03/22 09:50:22, 2] smbd/server.c:exit_server(575)
>  Closing connections
>
>
>Thanks all for helping me!
>  
>
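The ACL posted at the top of this message and Bruno's suggestion of restricting the admin DN to samba attributes both hinge on how slapd picks the winning rule: the first "access to" clause whose <what> matches the target DN and attribute decides the request, and an LDAP add needs write on the parent's "children" pseudo-attribute, on the new entry's "entry" pseudo-attribute and on every attribute of the new entry. The following is an added example, not code from this thread or from the samba or OpenLDAP projects: a small Python model of that evaluation, run against an abridged copy of the posted ACL for the computer account named in the log, uid=poil-barebone$,ou=Computers,dc=arzur,dc=local. Assumptions: dn= with no style is an exact match, a clause with no attrs= covers every attribute including entry and children, the @objectClass sets are expanded from a hand-written abridged map rather than the loaded schema, and the function names and report format are my own.

```python
"""Model of slapd.conf ACL evaluation, run against the ACL posted in this
thread (added example; not samba or OpenLDAP code). Rules modelled: the first
'access to' clause whose <what> matches the target DN and attribute decides
the request, the first matching 'by' inside it sets the level, and a matching
clause with no matching 'by' grants nothing. Assumed: dn= with no style is an
exact match; no attrs= means every attribute including entry and children."""
import re

LEVELS = ["none", "auth", "compare", "search", "read", "write"]

# Abridged attribute sets for @objectClass selectors (constructed; not the
# complete nis/samba schema).
OBJECTCLASS_ATTRS = {
    "posixaccount": {"cn", "uid", "uidnumber", "gidnumber", "homedirectory",
                     "loginshell", "gecos", "description"},
    "sambasamaccount": {"uid", "sambasid", "sambaacctflags", "sambaprimarygroupsid"},
}

SAMBA = "cn=samba,ou=DSA,dc=arzur,dc=local"

# The posted ACL, abridged to the clauses that can reach an entry under
# ou=Computers (other bind DNs and unrelated OUs left out); order preserved.
ACL_TEXT = """
access to attrs=userPassword,sambaNTPassword,sambaLMPassword
        by dn="cn=samba,ou=DSA,dc=arzur,dc=local" write
        by self write
        by anonymous auth
access to attrs=objectClass,entry
        by dn="cn=samba,ou=DSA,dc=arzur,dc=local" read
        by self read
access to attrs=uidNumber,gidNumber
        by dn="cn=samba,ou=DSA,dc=arzur,dc=local" write
        by self read
access to attrs=@posixAccount,@posixGroup,@inetOrgPerson
        by dn="cn=samba,ou=DSA,dc=arzur,dc=local" write
        by self read
access to attrs=@sambaSamAccount,@sambaGroupMapping,@sambaDomain
        by dn="cn=samba,ou=DSA,dc=arzur,dc=local" write
        by self read
access to dn="ou=Computers,dc=arzur,dc=local"
        by dn="cn=samba,ou=DSA,dc=arzur,dc=local" write
access to *
        by self read
"""


def norm(dn):
    return ",".join(p.strip() for p in dn.split(",")).lower()


def parse_acl(text):
    clauses = []
    for block in re.split(r"^\s*access to\s+", text, flags=re.M)[1:]:
        head, *bys = [l.strip() for l in block.splitlines() if l.strip()]
        dn, attrs = re.search(r'dn="([^"]*)"', head), re.search(r"attrs=(\S+)", head)
        clauses.append({
            "dn": norm(dn.group(1)) if dn else None,            # exact-style <what>
            "attrs": attrs.group(1).lower().split(",") if attrs else None,
            "by": [re.match(r'by\s+(dn="[^"]*"|\S+)\s+(\w+)', b).groups() for b in bys]})
    return clauses


def what_matches(clause, target_dn, attr):
    if clause["dn"] is not None and clause["dn"] != norm(target_dn):
        return False
    if clause["attrs"] is None:   # no attrs=: every attribute, entry and children too
        return True
    selected = set()
    for a in clause["attrs"]:
        selected |= OBJECTCLASS_ATTRS.get(a[1:], set()) if a.startswith("@") else {a}
    return attr.lower() in selected


def who_matches(who, bind_dn, target_dn):
    if who in ("*", "users", "anonymous"):   # users = bound, anonymous = not bound
        return who == "*" or (bind_dn is None) == (who == "anonymous")
    if who == "self":
        return bind_dn is not None and norm(bind_dn) == norm(target_dn)
    m = re.fullmatch(r'dn="([^"]*)"', who)   # exact bind-DN match
    return bool(m and bind_dn and norm(m.group(1)) == norm(bind_dn))


def access_level(acl, bind_dn, target_dn, attr):
    """(level, index of the deciding clause); the first matching <what> decides."""
    for i, clause in enumerate(acl):
        if what_matches(clause, target_dn, attr):
            for who, level in clause["by"]:
                if who_matches(who, bind_dn, target_dn):
                    return level, i
            return "none", i          # <what> matched but no <who> did: denied
    return "none", None               # nothing matched: slapd denies


def check_add(acl, bind_dn, new_dn, attrs):
    """What an LDAP add needs: write on the parent's 'children', on the new
    entry's 'entry', and on each attribute. Returns {name: (ok, clause)}."""
    parent = norm(new_dn).split(",", 1)[1]
    needs = [("children", parent), ("entry", new_dn)] + [(a, new_dn) for a in attrs]
    report = {}
    for attr, dn in needs:
        level, idx = access_level(acl, bind_dn, dn, attr)
        report[attr] = (LEVELS.index(level) >= LEVELS.index("write"), idx)
    return report


if __name__ == "__main__":
    new_dn = "uid=poil-barebone$,ou=Computers,dc=arzur,dc=local"
    report = check_add(parse_acl(ACL_TEXT), SAMBA, new_dn,
                       ["objectClass", "uid", "uidNumber", "sambaSID"])
    for name, (ok, idx) in report.items():
        print(f"{name:12} write: {'granted' if ok else 'DENIED'} (clause {idx})")
```

Run it with the Python interpreter; it prints one line per requirement with the index of the clause that decided it. Under the posted ordering the "entry" and "objectClass" checks are decided by the second clause (samba only gets read there), while "children" on ou=Computers and the posixAccount/sambaSamAccount attributes are granted. On a live server, OpenLDAP releases that ship slapacl give the authoritative answer, for example slapacl -f slapd.conf -D "cn=samba,ou=DSA,dc=arzur,dc=local" -b "uid=poil-barebone$,ou=Computers,dc=arzur,dc=local" entry/write objectClass/write, with -u on versions that support it so that it does not try to fetch an entry that does not exist yet.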


