RE [Samba] Adding workstations to domain as non-root
stephane.purnelle at corman.be
Mon Jan 16 09:53:08 GMT 2006
In your log I see two problems or comments:
- Have you configured idealx-tools (smbldap.conf & smbldap_bind.conf)?
- Have you added in your ldap_tree the objectclass sambaUnixIdPool into
the entry sambaDomainName="xxxxxxx" (it's the preference entry from
idealx-howto)?
-----------------------------------
Stéphane PURNELLE stephane.purnelle at corman.be
Service Informatique Corman S.A. Tel : 00 32 087/342467
samba-bounces+stephane.purnelle=corman.be at lists.samba.org wrote on
16/01/2006 10:41:55:
> Hi,
>
> The Problem:
>
> I have a samba domain using LDAP as the backend, complete with the
> IdealX LDAP scripts.
>
> Most of my Unix boxes (certainly anything which does any Samba stuff)
> authenticates against the same LDAP backend, using it for groups and
> users.
>
> I need to grant some people sufficient privileges to add workstations
> to the domain, but I don't want to give them the root password in LDAP
> as doing so will also give them root access to the Unix boxes.
>
> I would therefore like to configure the system such that users who are
> a member of a specific group (Domain Admins springs immediately to
> mind) are able to add workstations to the domain.
>
> I have already added myself to the "Domain Admins" group:
>
> # Domain Admins, Group, u4eatech.com
> dn: cn=Domain Admins,ou=Group,dc=u4eatech,dc=com
> objectClass: posixGroup
> objectClass: sambaGroupMapping
> gidNumber: 512
> cn: Domain Admins
> memberUid: Administrator
> memberUid: jamesc
> description: Netbios Domain Administrators
> sambaSID: S-1-5-21-2044582568-1589646193-1504741369-512
> sambaGroupType: 2
> displayName: Domain Admins
>
>
> And I've chown/chmod'ed the smbldap config files so members of the
> Domain Admins group can read them:
>
> elli sbin # ls -ail /etc/smbldap-tools/
> total 27
> 238406 drwxr-xr-x 2 root root 192 Jan 11 16:16 .
> 9120 drwxr-xr-x 42 root root 3160 Jan 12 09:31 ..
> 238451 -rw-r--r-- 1 root root 7634 Jan 11 16:06 smbldap.conf
> 30283 -rw-r--r-- 1 root root 7728 Jan 10 13:44 smbldap.conf.old
> 238421 -rw-r----- 1 root Domain Admins 438 Jan 11 08:52 smbldap_bind.conf
>
>
> However, I can't add users using the smbldap-useradd script:
>
> jamesc@elli ~ $ /usr/sbin/smbldap-useradd -w "phobos$"
> Could not find base dn, to get next uidNumber at
> /usr/sbin//smbldap_tools.pm line 995.
>
> Looking at the OpenLDAP logs, it seems that smbldap-useradd is
> performing the search without first authenticating with the LDAP server:
>
>
> Jan 16 09:24:19 cygnus_new slapd[12571]: conn=67383 fd=52 ACCEPT from
> IP=172.30.1.22:60342 (IP=0.0.0.0:389)
> Jan 16 09:24:19 cygnus_new slapd[26453]: conn=67383 op=1 SRCH
> base="dc=u4eatech,dc=com" scope=2 deref=2
> filter="(&(objectClass=posixAccount)(uid=phobos$))"
> Jan 16 09:24:19 cygnus_new slapd[26453]: conn=67383 op=1 SEARCH RESULT
> tag=101 err=0 nentries=0 text=
> Jan 16 09:24:19 cygnus_new slapd[16367]: conn=67383 op=2 SRCH
> base="sambaDomainName=U4EATECH,dc=u4eatech,dc=com" scope=0 deref=2
> filter="(objectClass=sambaUnixIdPool)"
> Jan 16 09:24:19 cygnus_new slapd[16367]: conn=67383 op=2 SEARCH RESULT
> tag=101 err=0 nentries=0 text=
> Jan 16 09:24:19 cygnus_new slapd[12571]: conn=67383 fd=52 closed
>
>
>
>
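The diagnosis in the quoted message (searches issued on a connection that never sent a BIND, each returning nentries=0) can be checked mechanically. The following is an added example, not part of the original thread or of smbldap-tools: it groups slapd log lines by conn and reports searches that ran anonymously and matched nothing. The log lines, host name, DNs and function names are constructed for illustration.

```python
import re

# Constructed sample (slapd syslog format): conn=1 never binds, conn=2 binds first.
SAMPLE_LOG = '''\
Jan 16 09:24:19 ldaphost slapd[1]: conn=1 fd=52 ACCEPT from IP=192.0.2.22:60342 (IP=0.0.0.0:389)
Jan 16 09:24:19 ldaphost slapd[1]: conn=1 op=1 SRCH base="sambaDomainName=EXAMPLE,dc=example,dc=com" scope=0 deref=2 filter="(objectClass=sambaUnixIdPool)"
Jan 16 09:24:19 ldaphost slapd[1]: conn=1 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
Jan 16 09:24:19 ldaphost slapd[1]: conn=1 fd=52 closed
Jan 16 09:25:02 ldaphost slapd[1]: conn=2 fd=53 ACCEPT from IP=192.0.2.22:60350 (IP=0.0.0.0:389)
Jan 16 09:25:02 ldaphost slapd[1]: conn=2 op=0 BIND dn="cn=Manager,dc=example,dc=com" method=128
Jan 16 09:25:02 ldaphost slapd[1]: conn=2 op=0 RESULT tag=97 err=0 text=
Jan 16 09:25:02 ldaphost slapd[1]: conn=2 op=1 SRCH base="sambaDomainName=EXAMPLE,dc=example,dc=com" scope=0 deref=2 filter="(objectClass=sambaUnixIdPool)"
Jan 16 09:25:02 ldaphost slapd[1]: conn=2 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
'''

LINE = re.compile(r'conn=(\d+) (?:op=(\d+) )?(.*)$')

def quoted(name, text):  # value of name="..." in a log line, '' when absent
    m = re.search(name + r'="([^"]*)"', text)
    return m.group(1) if m else ''

def searches_with_identity(log_text):
    """One record per completed search, tagged with the DN it ran as ('' = anonymous)."""
    bound, pending, started, out = {}, {}, {}, []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        conn, op, rest = m.groups()
        key = (conn, op)
        if rest.startswith('BIND dn='):
            pending[key] = quoted('dn', rest)        # identity is only set once RESULT confirms it
        elif rest.startswith('RESULT tag=97') and key in pending:
            dn = pending.pop(key)
            bound[conn] = dn if ' err=0 ' in rest else ''   # failed bind leaves conn anonymous
        elif rest.startswith('SRCH '):
            started[key] = (quoted('base', rest), quoted('filter', rest))
        elif rest.startswith('SEARCH RESULT') and key in started:
            n = re.search(r'nentries=(\d+)', rest)
            out.append({'conn': int(conn), 'bind_dn': bound.get(conn, ''),
                        'search': started.pop(key), 'nentries': int(n.group(1)) if n else 0})
    return out

def anonymous_empty_searches(log_text):
    """Searches that ran without an authenticated bind and matched nothing."""
    return [r for r in searches_with_identity(log_text)
            if not r['bind_dn'] and r['nentries'] == 0]

if __name__ == '__main__':
    print(anonymous_empty_searches(SAMPLE_LOG))
```

An empty result for an anonymous search can mean either that the entry does not exist or that the server's access rules hide it from unauthenticated clients, which is why the report keeps the bind identity next to the entry count.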