[Samba] Adding workstations to domain as non-root

James Cort james.cort at u4eatech.com
Mon Jan 16 09:41:55 GMT 2006


Hi,

The Problem:

I have a samba domain using LDAP as the backend, complete with the 
IdealX LDAP scripts.

Most of my Unix boxes (certainly anything which does any Samba stuff) 
authenticates against the same LDAP backend, using it for groups and 
users.

I need to grant some people sufficient privileges to add workstations 
to the domain, but I don't want to give them the root password in LDAP 
as doing so will also give them root access to the Unix boxes.

I would therefore like to configure the system such that users who are 
a member of a specific group (Domain Admins springs immediately to 
mind) are able to add workstations to the domain.

I have already added myself to the "Domain Admins" group:

# Domain Admins, Group, u4eatech.com
dn: cn=Domain Admins,ou=Group,dc=u4eatech,dc=com
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 512
cn: Domain Admins
memberUid: Administrator
memberUid: jamesc
description: Netbios Domain Administrators
sambaSID: S-1-5-21-2044582568-1589646193-1504741369-512
sambaGroupType: 2
displayName: Domain Admins


And I've chown/chmod'ed the smbldap config files so members of the 
Domain Admins group can read them:

elli sbin # ls -ail /etc/smbldap-tools/
total 27
238406 drwxr-xr-x   2 root root           192 Jan 11 16:16 .
  9120 drwxr-xr-x  42 root root          3160 Jan 12 09:31 ..
238451 -rw-r--r--   1 root root          7634 Jan 11 16:06 smbldap.conf
30283 -rw-r--r--   1 root root          7728 Jan 10 13:44 smbldap.conf.old
238421 -rw-r-----   1 root Domain Admins  438 Jan 11 08:52 smbldap_bind.conf


However, I can't add users using the smbldap-useradd script:

jamesc at elli ~ $ /usr/sbin/smbldap-useradd  -w "phobos$"
Could not find base dn, to get next uidNumber at 
/usr/sbin//smbldap_tools.pm line 995.

Looking at the OpenLDAP logs, it seems that smbldap-useradd is 
performing the search without first authenticating with the LDAP server:


Jan 16 09:24:19 cygnus_new slapd[12571]: conn=67383 fd=52 ACCEPT from 
IP=172.30.1.22:60342 (IP=0.0.0.0:389)
Jan 16 09:24:19 cygnus_new slapd[26453]: conn=67383 op=1 SRCH 
base="dc=u4eatech,dc=com" scope=2 deref=2 
filter="(&(objectClass=posixAccount)(uid=phobos$))"
Jan 16 09:24:19 cygnus_new slapd[26453]: conn=67383 op=1 SEARCH RESULT 
tag=101 err=0 nentries=0 text=
Jan 16 09:24:19 cygnus_new slapd[16367]: conn=67383 op=2 SRCH 
base="sambaDomainName=U4EATECH,dc=u4eatech,dc=com" scope=0 deref=2 
filter="(objectClass=sambaUnixIdPool)"
Jan 16 09:24:19 cygnus_new slapd[16367]: conn=67383 op=2 SEARCH RESULT 
tag=101 err=0 nentries=0 text=
Jan 16 09:24:19 cygnus_new slapd[12571]: conn=67383 fd=52 closed
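As an added example (not part of James's mail, and not code from smbldap-tools or OpenLDAP): a small Python script that groups slapd log lines by connection and flags any connection that ran searches without ever issuing a non-anonymous BIND, which is exactly the condition the log above shows for conn=67383. The sample input is constructed: the lines quoted above, rejoined onto single lines, plus a second constructed connection (conn=67384) that binds first so the two cases can be compared; its bind DN cn=Manager,dc=u4eatech,dc=com is a placeholder, not a DN from the mail.

```python
import re

# Constructed sample input: the slapd lines quoted in the mail (wrapped lines
# joined back together), followed by a constructed connection that does a
# BIND before searching. The bind DN below is a placeholder.
SAMPLE_LOG = """\
Jan 16 09:24:19 cygnus_new slapd[12571]: conn=67383 fd=52 ACCEPT from IP=172.30.1.22:60342 (IP=0.0.0.0:389)
Jan 16 09:24:19 cygnus_new slapd[26453]: conn=67383 op=1 SRCH base="dc=u4eatech,dc=com" scope=2 deref=2 filter="(&(objectClass=posixAccount)(uid=phobos$))"
Jan 16 09:24:19 cygnus_new slapd[26453]: conn=67383 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
Jan 16 09:24:19 cygnus_new slapd[16367]: conn=67383 op=2 SRCH base="sambaDomainName=U4EATECH,dc=u4eatech,dc=com" scope=0 deref=2 filter="(objectClass=sambaUnixIdPool)"
Jan 16 09:24:19 cygnus_new slapd[16367]: conn=67383 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text=
Jan 16 09:24:19 cygnus_new slapd[12571]: conn=67383 fd=52 closed
Jan 16 09:25:02 cygnus_new slapd[12571]: conn=67384 fd=53 ACCEPT from IP=172.30.1.22:60350 (IP=0.0.0.0:389)
Jan 16 09:25:02 cygnus_new slapd[26453]: conn=67384 op=0 BIND dn="cn=Manager,dc=u4eatech,dc=com" method=128
Jan 16 09:25:02 cygnus_new slapd[26453]: conn=67384 op=0 BIND dn="cn=Manager,dc=u4eatech,dc=com" mech=SIMPLE ssf=0
Jan 16 09:25:02 cygnus_new slapd[26453]: conn=67384 op=0 RESULT tag=97 err=0 text=
Jan 16 09:25:02 cygnus_new slapd[26453]: conn=67384 op=1 SRCH base="sambaDomainName=U4EATECH,dc=u4eatech,dc=com" scope=0 deref=2 filter="(objectClass=sambaUnixIdPool)"
Jan 16 09:25:02 cygnus_new slapd[26453]: conn=67384 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jan 16 09:25:02 cygnus_new slapd[12571]: conn=67384 fd=53 closed
"""

# One regex per slapd message type we care about; "rest" is everything after conn=N.
CONN_RE = re.compile(r'slapd\[\d+\]: conn=(\d+) (.*)$')
ACCEPT_RE = re.compile(r'^fd=\d+ ACCEPT from IP=([\d.]+):\d+')
BIND_RE = re.compile(r'^op=\d+ BIND dn="([^"]*)" method=')
SRCH_RE = re.compile(r'^op=(\d+) SRCH base="([^"]*)" .*filter="([^"]*)"')
RESULT_RE = re.compile(r'^op=(\d+) SEARCH RESULT .*nentries=(\d+)')


def parse_connections(log_text):
    """Group slapd log lines by connection id.

    Returns {conn_id: {"peer": ip, "bind_dn": dn_or_None, "searches": {op: {...}}}}.
    bind_dn stays None when the connection never issued a BIND at all.
    """
    conns = {}
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if not m:
            continue
        cid, rest = int(m.group(1)), m.group(2)
        conn = conns.setdefault(cid, {"peer": None, "bind_dn": None, "searches": {}})
        if (a := ACCEPT_RE.match(rest)):
            conn["peer"] = a.group(1)
        elif (b := BIND_RE.match(rest)):
            conn["bind_dn"] = b.group(1)
        elif (s := SRCH_RE.match(rest)):
            conn["searches"][int(s.group(1))] = {
                "base": s.group(2), "filter": s.group(3), "nentries": None}
        elif (r := RESULT_RE.match(rest)):
            op = int(r.group(1))
            if op in conn["searches"]:
                conn["searches"][op]["nentries"] = int(r.group(2))
    return conns


def unauthenticated_searches(conns):
    """Return connections that searched without a non-anonymous BIND.

    No BIND at all (bind_dn is None) and an anonymous bind (dn="") both count.
    Result: [(conn_id, peer_ip, [filter, ...]), ...] ordered by conn_id.
    """
    flagged = []
    for cid in sorted(conns):
        c = conns[cid]
        if c["searches"] and not c["bind_dn"]:
            filters = [s["filter"] for _, s in sorted(c["searches"].items())]
            flagged.append((cid, c["peer"], filters))
    return flagged


if __name__ == "__main__":
    for cid, peer, filters in unauthenticated_searches(parse_connections(SAMPLE_LOG)):
        print(f"conn={cid} from {peer} searched without binding: {filters}")
```

Run against the sample, only conn=67383 is reported: it goes ACCEPT, SRCH, SRCH, closed with no BIND in between, so slapd treats it as anonymous and the uidNumber lookup returns nentries=0. A BIND line (or its absence) on the same conn=N is the thing to look for before suspecting ACLs or the data itself.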
