[Samba] PDC + LDAP, cannot access LDAP when not root (SOLVED)
David Clymer
david at hrcsb.org
Thu Sep 29 16:53:33 GMT 2005
On Tue, 2005-09-27 at 16:34 -0400, David Clymer wrote:
> I'm using Debian Sarge, Samba (3.1.14a) with the ldapsam backend, and
> OpenLDAP (2.2.23).
>
> When attempting to join a Windows XP+SP2 computer (BILLGATES) to my
> domain (WORKGROUP), using the Administrator account, I am told by
> windows: 'Access denied.'
>
> The logs (attached) seem to indicate that the user Administrator is
> being authenticated (which would have? to use LDAP), but when it goes to
> add the computer to the domain, it fails, apparently because samba is
> unable to access LDAP:
>
> smbldap_open: cannot access LDAP when not root..
>
> nobody and Administrator are the only users on the domain.
>
> An interesting phenomenon that I've observed (perhaps it is related?):
>
> testbox:/etc/samba# pdbedit -L
> Administrator:998:Administrator
> nobody:65534:nobody
> testbox:/etc/samba# net -U Administrator rpc group members 'Domain Computers'
> Password:
> WORKGROUP\BILLGATES$
> testbox:/etc/samba# net -U Administrator rpc group members 'Domain Admins'
> Password:
> WORKGROUP\Administrator
> testbox:/etc/samba# net -U Administrator rpc group members 'Administrators'
> Password:
> [2005/09/27 16:05:11, 0] rpc_client/cli_pipe.c:rpc_api_pipe(435)
> cli_pipe: return critical error. Error was Call timed out: server did not respond after 10000 milliseconds
> Couldn't list alias members
>
> I don't understand why Administrators group listing fails, while the
> others don't.
>
> Google searches yielded a bunch of similar problems for early versions
> of samba 3.0, related to modification of user groups. However that bug
> was supposedly fixed, and I've seen no reports of it occurring in later
> versions. There are no open bugs, that I could find, related to this on
> bugzilla.samba.org.
>
> Is there any type of (mis)configuration that could result in the same
> sort of symptom?
>
> Attached are my smb.conf, smbldap.conf, and my samba log output (debug
> level=4).
>
> I would be very grateful for any ideas, FMs to R, magic wands, etc. that
> anyone might have to offer.
>
The FM to (re)R was the smb.conf man page ;o)
The solution:
add this to smb.conf:
enable privileges = yes
This allows you to grant special privileges to users (see man smb.conf
for more detail)
reload the samba config:
$ smbcontrol smbd reload-config
and grant the necessary rights to Administrator:
$ net -U Administrator rpc rights list
SeMachineAccountPrivilege Add machines to domain
SePrintOperatorPrivilege Manage printers
SeAddUsersPrivilege Add users and groups to the domain
SeRemoteShutdownPrivilege Force shutdown from a remote system
SeDiskOperatorPrivilege Manage disk shares
$ net -U Administrator rpc rights list Administrator
$ net -U Administrator rpc rights grant Administrator SeMachineAccountPrivilege
Successfully granted rights.
Now one can add machines to the domain. Better yet, the
administrator account does _not_ have to have a uid of 0!
-davidc
--
Under-Achievers Anonymous has an 11-step program.
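The fix above hinges on one smb.conf setting being in effect in [global]; a setting that is commented out or placed in another section is silently ignored, and the rights grant then does nothing useful. The following is an added example (not code from the post or from the Samba project) that audits an smb.conf for "enable privileges = yes" the way Samba reads it: parameter names are compared case- and whitespace-insensitively, only [global] counts, and the last occurrence wins. The two sample configs are constructed for the example and are not the poster's attached files; the ACCOUNT name and the RUN_LIVE switch are assumptions of this script.

```shell
#!/bin/sh
# Added example, not from the original post: audit an smb.conf for the
# "enable privileges = yes" setting that the thread identifies as the fix.

# Returns 0 if the [global] section of the given smb.conf enables
# privileges (yes/true/1), 1 otherwise.
has_enable_privileges() {
  awk '
    /^[ \t]*[#;]/ { next }                          # skip comment lines
    /^[ \t]*\[/ {                                   # section header
      s = $0; sub(/^[ \t]*\[/, "", s); sub(/\].*$/, "", s)
      section = tolower(s); next
    }
    section == "global" && index($0, "=") {
      i = index($0, "=")
      key = substr($0, 1, i - 1); val = substr($0, i + 1)
      gsub(/[ \t]/, "", key)                        # "Enable Privileges" -> "EnablePrivileges"
      gsub(/^[ \t]+|[ \t]+$/, "", val)
      if (tolower(key) == "enableprivileges") last = tolower(val)
    }
    END { exit !(last == "yes" || last == "true" || last == "1") }
  ' "$1"
}

# Constructed sample configs (assumed content, not the poster's smb.conf).
WORK=$(mktemp -d)
CONF_BEFORE="$WORK/smb.conf.before"
CONF_AFTER="$WORK/smb.conf.after"

# Setting is commented out in [global] and only active in [homes],
# so Samba does not honour it.
cat > "$CONF_BEFORE" <<'EOF'
[global]
   workgroup = WORKGROUP
   passdb backend = ldapsam:ldap://127.0.0.1/
   ; enable privileges = yes
[homes]
   enable privileges = yes
EOF

# Same config with the setting placed correctly (odd casing on purpose).
cat > "$CONF_AFTER" <<'EOF'
[global]
   workgroup = WORKGROUP
   passdb backend = ldapsam:ldap://127.0.0.1/
   Enable Privileges = Yes
EOF

audit() {
  if has_enable_privileges "$1"; then
    echo "$1: enable privileges is on; 'net rpc rights grant' takes effect"
  else
    echo "$1: enable privileges is off; granted privileges are not honoured"
  fi
}
audit "$CONF_BEFORE"
audit "$CONF_AFTER"

# The live steps from the post, against a real PDC. Off by default here
# (set RUN_LIVE=1); ACCOUNT is an assumed name, not something the script knows.
ACCOUNT=${ACCOUNT:-Administrator}
if [ "${RUN_LIVE:-0}" = 1 ]; then
  smbcontrol smbd reload-config
  net -U "$ACCOUNT" rpc rights grant "$ACCOUNT" SeMachineAccountPrivilege
  net -U "$ACCOUNT" rpc rights list "$ACCOUNT"
fi
```

Granting only SeMachineAccountPrivilege, as the post does, is the least-privilege choice for an account whose job is joining machines: it avoids giving that account uid 0 or any of the other rights in the list (adding users, managing printers or shares, remote shutdown). Re-run `net rpc rights list ACCOUNT` after the grant to confirm that exactly that one right is present.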