[Samba] Samba PDC (3.0.14a) with LDAP cannot add machines
David Clymer
david at hrcsb.org
Thu Sep 29 16:48:54 GMT 2005
On Wed, 2005-09-28 at 14:48 +0200, Eduard Witteveen wrote:
> Hello list,
>
> I'm still trying to get the add machine script working.
>
> I have a user which is named "administrator", which is stored in ldap,
> I can log in using this user (I attached a login shell) and execute the
> command: '/usr/sbin/smbldap-useradd -w "eduard-laptop$"' successfully
> (UID=0,USER=root)
>
> However, when this command is executed by samba, it will not run, since
> ldap doesn't like the way the command was started:
> (UID=65534,USER=root)
>
> How can I get this script to be executed the same way as when it is run
> from the commandline?
I fought with this problem for a long time, and no one seemed to know
the answer (other than the kludge mentioned in this thread:
http://lists.samba.org/archive/samba/2005-September/110520.html).

However... the answer lay in the documentation the whole time. :o(

You need to add this to your smb.conf:

enable privileges = yes

This allows you to grant special privileges to users (see man smb.conf
for more detail).

Reload your samba config:

$ smbcontrol smbd reload-config

and grant the necessary rights to Administrator:

$ net -U Administrator rpc rights list
SeMachineAccountPrivilege Add machines to domain
SePrintOperatorPrivilege Manage printers
SeAddUsersPrivilege Add users and groups to the domain
SeRemoteShutdownPrivilege Force shutdown from a remote system
SeDiskOperatorPrivilege Manage disk shares
$ net -U Administrator rpc rights list Administrator
$ net -U Administrator rpc rights grant Administrator SeMachineAccountPrivilege
Successfully granted rights.

You should now be able to add machines to the domain. Better yet, your
administrator account does _not_ have to have a uid of 0!

Hope that helps.

-davidc
--
The one real object of education is to have a man in the condition of
continually asking questions. -Bishop Mandell Creighton
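
The smb.conf half of the fix described in the message above can be checked before any rights are granted. The following is an added example, not part of the original post or of Samba: the function names and the sample configuration are constructed, and `include` lines are not followed.

```shell
#!/bin/sh
# Added example, not from the original post. Function names and the sample
# configuration are constructed. `include` lines are not followed.

# Print the effective [global] value of smb.conf parameter $2 in file $1.
# smb.conf ignores case and whitespace in section and parameter names.
global_param() {
    awk -v want="$2" '
        function norm(s) { gsub(/[ \t]/, "", s); return tolower(s) }
        BEGIN { want = norm(want) }
        /^[ \t]*[#;]/ { next }                      # comment line
        /^[ \t]*\[/ {                               # section header
            s = $0; sub(/^[ \t]*\[/, "", s); sub(/\].*$/, "", s)
            sect = norm(s); next
        }
        sect == "global" && (eq = index($0, "=")) > 0 {
            val = substr($0, eq + 1)
            sub(/^[ \t]+/, "", val); sub(/[ \t\r]+$/, "", val)
            # a later setting replaces an earlier one
            if (norm(substr($0, 1, eq - 1)) == want) { found = val; seen = 1 }
        }
        END { if (seen) print found }
    ' "$1"
}

# Succeed only if "enable privileges" is switched on (yes, true or 1).
privileges_enabled() {
    case "$(global_param "$1" 'enable privileges' | tr 'A-Z' 'a-z')" in
        yes|true|1) return 0 ;;
        *)          return 1 ;;
    esac
}

# Constructed sample: the option is commented out, then set with odd spacing.
write_sample() {
    cat > "$1" <<'EOF'
[Global]
   workgroup = EXAMPLE
;  enable privileges = no
   Enable  Privileges = Yes
   add machine script = /usr/sbin/smbldap-useradd -w "%u"
EOF
}

sample=$(mktemp) && write_sample "$sample"
if privileges_enabled "$sample"; then echo "enable privileges: on"
else echo "enable privileges: OFF, smbd will not honor granted rights"; fi
rm -f "$sample"
```

On a live server, follow a passing check with the `net -U Administrator rpc rights list Administrator` command from the message to confirm that the account holds only SeMachineAccountPrivilege.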