[Samba] smbldap_open: cannot access LDAP when not root
James Cort
james.cort at u4eatech.com
Wed Feb 1 12:07:11 GMT 2006
I'm using Samba 3.0.14a as a PDC with an LDAP backend.
I am having trouble using the Windows "User Manager for Domains" tool.
As an example, I shall be looking at the "Domain Users" group. Whenever
I try modifying anybody's group membership, I get the error message:
"The following error occurred changing the properties of the global
group Domain Users:
The group name could not be found."
I am running User Manager as a user with Domain Admin privileges.
Domain Admins have been granted every available right using the net rpc
rights command. Samba is definitely doing an LDAP search for the group
and is getting sensible results (logs below). The research I've done
suggests this may be a known issue, but generally with older versions
of Samba.
Samba logs show a point which I'll mention here:
[2006/02/01 11:33:46, 0] lib/smbldap.c:smbldap_open(882)
smbldap_open: cannot access LDAP when not root..
The LDAP entry for the Domain Users group shows:
# Domain Users, Group, u4eatech.com
dn: cn=Domain Users,ou=Group,dc=u4eatech,dc=com
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 513
cn: Domain Users
description: Netbios Domain Users
sambaSID: S-1-5-21-2044582568-1589646193-1504741369-513
sambaGroupType: 2
displayName: Domain Users
Domain Admin privs:
elli ~ # net rpc -U jamesc rights list "U4EATECH\Domain Admins"
Password:
SeMachineAccountPrivilege
SePrintOperatorPrivilege
SeAddUsersPrivilege
SeRemoteShutdownPrivilege
SeDiskOperatorPrivilege
In the Samba logs, I see the following error:
smbldap_open: cannot access LDAP when not root..
[2006/02/01 11:33:46, 0] lib/smbldap.c:smbldap_open(882)
smbldap_open: cannot access LDAP when not root..
[2006/02/01 11:33:47, 0] lib/smbldap.c:smbldap_open(882)
smbldap_open: cannot access LDAP when not root..
[2006/02/01 11:33:48, 0] lib/smbldap.c:smbldap_open(882)
smbldap_open: cannot access LDAP when not root..
[2006/02/01 11:33:49, 0] lib/smbldap.c:smbldap_open(882)
smbldap_open: cannot access LDAP when not root..
[2006/02/01 11:33:50, 0] lib/smbldap.c:smbldap_open(882)
smbldap_open: cannot access LDAP when not root..
[2006/02/01 11:33:51, 0] lib/smbldap.c:smbldap_open(882)
smbldap_open: cannot access LDAP when not root..
[2006/02/01 11:33:52, 0] lib/smbldap.c:smbldap_open(882)
smbldap_open: cannot access LDAP when not root..
[2006/02/01 11:33:53, 0] lib/smbldap.c:smbldap_open(882)
smbldap_open: cannot access LDAP when not root..
[2006/02/01 11:33:54, 0] lib/smbldap.c:smbldap_open(882)
smbldap_open: cannot access LDAP when not root..
[2006/02/01 11:33:55, 0] lib/smbldap.c:smbldap_open(882)
smbldap_open: cannot access LDAP when not root..
[2006/02/01 11:33:56, 0] lib/smbldap.c:smbldap_open(882)
smbldap_open: cannot access LDAP when not root..
[2006/02/01 11:33:57, 0] lib/smbldap.c:smbldap_open(882)
smbldap_open: cannot access LDAP when not root..
[2006/02/01 11:33:58, 0] lib/smbldap.c:smbldap_open(882)
smbldap_open: cannot access LDAP when not root..
[2006/02/01 11:33:59, 0] lib/smbldap.c:smbldap_open(882)
smbldap_open: cannot access LDAP when not root..
[2006/02/01 11:34:00, 0] lib/smbldap.c:smbldap_open(882)
smbldap_open: cannot access LDAP when not root..
[2006/02/01 11:34:00, 0] passdb/pdb_ldap.c:ldapsam_search_one_group(1971)
ldapsam_search_one_group: Problem during the LDAP search: LDAP error:
(Timed out)
LDAP Logs:
Feb 1 11:37:30 cygnus_new slapd[30055]: conn=310691 op=62 SRCH
base="ou=Group,dc=u4eatech,dc=com" scope=2 deref=0
filter="(&(objectClass=sambaGroupMapping)(|(displayName=domain
users)(cn=domain users)))"
Feb 1 11:37:30 cygnus_new slapd[30055]: conn=310691 op=62 SRCH
attr=gidNumber sambaSID sambaGroupType sambaSIDList description
displayName cn objectClass
Feb 1 11:37:30 cygnus_new slapd[30055]: conn=310691 op=62 ENTRY
dn="cn=Domain Users,ou=Group,dc=u4eatech,dc=com"
Feb 1 11:37:30 cygnus_new slapd[30055]: conn=310691 op=62 SEARCH
RESULT tag=101 err=0 nentries=1 text=
Feb 1 11:37:30 cygnus_new slapd[8490]: conn=310691 op=63 SRCH
base="ou=Group,dc=u4eatech,dc=com" scope=2 deref=0
filter="(&(objectClass=sambaGroupMapping)(sambaSID=s-1-5-21-2044582568-1589646193-1504741369-513))"
Feb 1 11:37:30 cygnus_new slapd[8490]: conn=310691 op=63 SRCH
attr=gidNumber sambaSID sambaGroupType sambaSIDList description
displayName cn objectClass
Feb 1 11:37:30 cygnus_new slapd[8490]: conn=310691 op=63 ENTRY
dn="cn=Domain Users,ou=Group,dc=u4eatech,dc=com"
Feb 1 11:37:30 cygnus_new slapd[8490]: conn=310691 op=63 SEARCH RESULT
tag=101 err=0 nentries=1 text=
Feb 1 11:37:30 cygnus_new slapd[26454]: conn=310772 op=2 UNBIND
Feb 1 11:37:30 cygnus_new slapd[26454]: conn=310772 fd=30 closed
Feb 1 11:37:30 cygnus_new slapd[12571]: conn=310793 fd=30 ACCEPT from
IP=172.30.1.22:59861 (IP=0.0.0.0:389)
Feb 1 11:37:30 cygnus_new slapd[16367]: conn=310793 op=0 BIND
dn="cn=manager,dc=u4eatech,dc=com" method=128
Feb 1 11:37:30 cygnus_new slapd[16367]: conn=310793 op=0 BIND
dn="cn=manager,dc=u4eatech,dc=com" mech=SIMPLE ssf=0
Feb 1 11:37:30 cygnus_new slapd[16367]: conn=310793 op=0 RESULT tag=97
err=0 text=
Feb 1 11:37:30 cygnus_new slapd[2070]: conn=310793 op=1 SRCH
base="ou=Group,dc=u4eatech,dc=com" scope=1 deref=0
filter="(&(objectClass=posixGroup)(gidNumber=513))"
Feb 1 11:37:30 cygnus_new slapd[2070]: conn=310793 op=1 SRCH attr=cn
userPassword memberUid uniqueMember gidNumber
Feb 1 11:37:30 cygnus_new slapd[2070]: conn=310793 op=1 ENTRY
dn="cn=Domain Users,ou=Group,dc=u4eatech,dc=com"
Feb 1 11:37:30 cygnus_new slapd[2070]: conn=310793 op=1 SEARCH RESULT
tag=101 err=0 nentries=1 text=
Feb 1 11:37:30 cygnus_new slapd[2069]: conn=310691 op=64 SRCH
base="ou=Group,dc=u4eatech,dc=com" scope=2 deref=0
filter="(&(objectClass=sambaGroupMapping)(sambaSID=s-1-5-21-2044582568-1589646193-1504741369-513))"
Feb 1 11:37:30 cygnus_new slapd[2069]: conn=310691 op=64 SRCH
attr=gidNumber sambaSID sambaGroupType sambaSIDList description
displayName cn objectClass
Feb 1 11:37:30 cygnus_new slapd[2069]: conn=310691 op=64 ENTRY
dn="cn=Domain Users,ou=Group,dc=u4eatech,dc=com"
Feb 1 11:37:30 cygnus_new slapd[2069]: conn=310691 op=64 SEARCH RESULT
tag=101 err=0 nentries=1 text=
Feb 1 11:37:30 cygnus_new slapd[12628]: conn=310793 op=2 UNBIND
More information about the samba
mailing list