[Samba] smbldap_open: cannot access LDAP when not root

James Cort james.cort at u4eatech.com
Wed Feb 1 12:07:11 GMT 2006 

I'm using Samba 3.0.14a as a PDC with an LDAP backend.

I am having trouble using the Windows "User Manager for Domains" tool.

As an example, I shall be looking at the "Domain Users" group. Whenever 
I try modifying anybody's group membership, I get the error message:

  "The following error occurred changing the properties of the global 
group Domain Users:

The group name could not be found."

I am running User Manager as a user with Domain Admin privileges.  
Domain Admins have been granted every available right using the net rpc 
rights command.  Samba is definitely doing an LDAP search for the group 
and is getting sensible results (logs below).  The research I've done 
suggests this may be a known issue, but generally with older versions 
of Samba.

Samba logs show a point which I'll mention here:

[2006/02/01 11:33:46, 0] lib/smbldap.c:smbldap_open(882)
  smbldap_open: cannot access LDAP when not root..



The LDAP entry for the Domain Users group shows:

# Domain Users, Group, u4eatech.com
dn: cn=Domain Users,ou=Group,dc=u4eatech,dc=com
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 513
cn: Domain Users
description: Netbios Domain Users
sambaSID: S-1-5-21-2044582568-1589646193-1504741369-513
sambaGroupType: 2
displayName: Domain Users


Domain Admin privs:

elli ~ # net rpc -U jamesc rights list "U4EATECH\Domain Admins"
Password:
SeMachineAccountPrivilege
SePrintOperatorPrivilege
SeAddUsersPrivilege
SeRemoteShutdownPrivilege
SeDiskOperatorPrivilege


In the Samba logs, I see the following error:


  smbldap_open: cannot access LDAP when not root..
[2006/02/01 11:33:46, 0] lib/smbldap.c:smbldap_open(882)
  smbldap_open: cannot access LDAP when not root..
[2006/02/01 11:33:47, 0] lib/smbldap.c:smbldap_open(882)
  smbldap_open: cannot access LDAP when not root..
[2006/02/01 11:33:48, 0] lib/smbldap.c:smbldap_open(882)
  smbldap_open: cannot access LDAP when not root..
[2006/02/01 11:33:49, 0] lib/smbldap.c:smbldap_open(882)
  smbldap_open: cannot access LDAP when not root..
[2006/02/01 11:33:50, 0] lib/smbldap.c:smbldap_open(882)
  smbldap_open: cannot access LDAP when not root..
[2006/02/01 11:33:51, 0] lib/smbldap.c:smbldap_open(882)
  smbldap_open: cannot access LDAP when not root..
[2006/02/01 11:33:52, 0] lib/smbldap.c:smbldap_open(882)
  smbldap_open: cannot access LDAP when not root..
[2006/02/01 11:33:53, 0] lib/smbldap.c:smbldap_open(882)
  smbldap_open: cannot access LDAP when not root..
[2006/02/01 11:33:54, 0] lib/smbldap.c:smbldap_open(882)
  smbldap_open: cannot access LDAP when not root..
[2006/02/01 11:33:55, 0] lib/smbldap.c:smbldap_open(882)
  smbldap_open: cannot access LDAP when not root..
[2006/02/01 11:33:56, 0] lib/smbldap.c:smbldap_open(882)
  smbldap_open: cannot access LDAP when not root..
[2006/02/01 11:33:57, 0] lib/smbldap.c:smbldap_open(882)
  smbldap_open: cannot access LDAP when not root..
[2006/02/01 11:33:58, 0] lib/smbldap.c:smbldap_open(882)
  smbldap_open: cannot access LDAP when not root..
[2006/02/01 11:33:59, 0] lib/smbldap.c:smbldap_open(882)
  smbldap_open: cannot access LDAP when not root..
[2006/02/01 11:34:00, 0] lib/smbldap.c:smbldap_open(882)
  smbldap_open: cannot access LDAP when not root..
[2006/02/01 11:34:00, 0] passdb/pdb_ldap.c:ldapsam_search_one_group(1971)
  ldapsam_search_one_group: Problem during the LDAP search: LDAP error: 
  (Timed out)


LDAP Logs:


Feb  1 11:37:30 cygnus_new slapd[30055]: conn=310691 op=62 SRCH 
base="ou=Group,dc=u4eatech,dc=com" scope=2 deref=0 
filter="(&(objectClass=sambaGroupMapping)(|(displayName=domain 
users)(cn=domain users)))"
Feb  1 11:37:30 cygnus_new slapd[30055]: conn=310691 op=62 SRCH 
attr=gidNumber sambaSID sambaGroupType sambaSIDList description 
displayName cn objectClass
Feb  1 11:37:30 cygnus_new slapd[30055]: conn=310691 op=62 ENTRY 
dn="cn=Domain Users,ou=Group,dc=u4eatech,dc=com"
Feb  1 11:37:30 cygnus_new slapd[30055]: conn=310691 op=62 SEARCH 
RESULT tag=101 err=0 nentries=1 text=
Feb  1 11:37:30 cygnus_new slapd[8490]: conn=310691 op=63 SRCH 
base="ou=Group,dc=u4eatech,dc=com" scope=2 deref=0 
filter="(&(objectClass=sambaGroupMapping)(sambaSID=s-1-5-21-2044582568-1589646193-1504741369-513))"
Feb  1 11:37:30 cygnus_new slapd[8490]: conn=310691 op=63 SRCH 
attr=gidNumber sambaSID sambaGroupType sambaSIDList description 
displayName cn objectClass
Feb  1 11:37:30 cygnus_new slapd[8490]: conn=310691 op=63 ENTRY 
dn="cn=Domain Users,ou=Group,dc=u4eatech,dc=com"
Feb  1 11:37:30 cygnus_new slapd[8490]: conn=310691 op=63 SEARCH RESULT 
tag=101 err=0 nentries=1 text=
Feb  1 11:37:30 cygnus_new slapd[26454]: conn=310772 op=2 UNBIND
Feb  1 11:37:30 cygnus_new slapd[26454]: conn=310772 fd=30 closed
Feb  1 11:37:30 cygnus_new slapd[12571]: conn=310793 fd=30 ACCEPT from 
IP=172.30.1.22:59861 (IP=0.0.0.0:389)
Feb  1 11:37:30 cygnus_new slapd[16367]: conn=310793 op=0 BIND 
dn="cn=manager,dc=u4eatech,dc=com" method=128
Feb  1 11:37:30 cygnus_new slapd[16367]: conn=310793 op=0 BIND 
dn="cn=manager,dc=u4eatech,dc=com" mech=SIMPLE ssf=0
Feb  1 11:37:30 cygnus_new slapd[16367]: conn=310793 op=0 RESULT tag=97 
err=0 text=
Feb  1 11:37:30 cygnus_new slapd[2070]: conn=310793 op=1 SRCH 
base="ou=Group,dc=u4eatech,dc=com" scope=1 deref=0 
filter="(&(objectClass=posixGroup)(gidNumber=513))"
Feb  1 11:37:30 cygnus_new slapd[2070]: conn=310793 op=1 SRCH attr=cn 
userPassword memberUid uniqueMember gidNumber
Feb  1 11:37:30 cygnus_new slapd[2070]: conn=310793 op=1 ENTRY 
dn="cn=Domain Users,ou=Group,dc=u4eatech,dc=com"
Feb  1 11:37:30 cygnus_new slapd[2070]: conn=310793 op=1 SEARCH RESULT 
tag=101 err=0 nentries=1 text=
Feb  1 11:37:30 cygnus_new slapd[2069]: conn=310691 op=64 SRCH 
base="ou=Group,dc=u4eatech,dc=com" scope=2 deref=0 
filter="(&(objectClass=sambaGroupMapping)(sambaSID=s-1-5-21-2044582568-1589646193-1504741369-513))"
Feb  1 11:37:30 cygnus_new slapd[2069]: conn=310691 op=64 SRCH 
attr=gidNumber sambaSID sambaGroupType sambaSIDList description 
displayName cn objectClass
Feb  1 11:37:30 cygnus_new slapd[2069]: conn=310691 op=64 ENTRY 
dn="cn=Domain Users,ou=Group,dc=u4eatech,dc=com"
Feb  1 11:37:30 cygnus_new slapd[2069]: conn=310691 op=64 SEARCH RESULT 
tag=101 err=0 nentries=1 text=
Feb  1 11:37:30 cygnus_new slapd[12628]: conn=310793 op=2 UNBIND

More information about the samba mailing list