RE [Samba] Adding workstations to domain as non-root

stephane.purnelle at corman.be stephane.purnelle at corman.be
Mon Jan 16 09:53:08 GMT 2006


In your log I see two problems or comments:

- Have you configured idealx-tools (smbldap.conf & smbldap_bind.conf)?
- Have you added in your LDAP tree the objectclass sambaUnixIdPool into 
the entry sambaDomainName="xxxxxxx" (it's the preference entry from 
idealx-howto)?


-----------------------------------
Stéphane PURNELLE                         stephane.purnelle at corman.be
Service Informatique       Corman S.A.           Tel : 00 32 087/342467

samba-bounces+stephane.purnelle=corman.be at lists.samba.org wrote on 
16/01/2006 10:41:55:

> Hi,
> 
> The Problem:
> 
> I have a samba domain using LDAP as the backend, complete with the 
> IdealX LDAP scripts.
> 
> Most of my Unix boxes (certainly anything which does any Samba stuff) 
> authenticates against the same LDAP backend, using it for groups and 
> users.
> 
> I need to grant some people sufficient privileges to add workstations 
> to the domain, but I don't want to give them the root password in LDAP 
> as doing so will also give them root access to the Unix boxes.
> 
> I would therefore like to configure the system such that users who are 
> a member of a specific group (Domain Admins springs immediately to 
> mind) are able to add workstations to the domain.
> 
> I have already added myself to the "Domain Admins" group:
> 
> # Domain Admins, Group, u4eatech.com
> dn: cn=Domain Admins,ou=Group,dc=u4eatech,dc=com
> objectClass: posixGroup
> objectClass: sambaGroupMapping
> gidNumber: 512
> cn: Domain Admins
> memberUid: Administrator
> memberUid: jamesc
> description: Netbios Domain Administrators
> sambaSID: S-1-5-21-2044582568-1589646193-1504741369-512
> sambaGroupType: 2
> displayName: Domain Admins
> 
> 
> And I've chown/chmod'ed the smbldap config files so members of the 
> Domain Admins  group can read them:
> 
> elli sbin # ls -ail /etc/smbldap-tools/
> total 27
> 238406 drwxr-xr-x   2 root root           192 Jan 11 16:16 .
>   9120 drwxr-xr-x  42 root root          3160 Jan 12 09:31 ..
> 238451 -rw-r--r--   1 root root          7634 Jan 11 16:06 smbldap.conf
> 30283 -rw-r--r--   1 root root          7728 Jan 10 13:44 smbldap.conf.old
> 238421 -rw-r-----   1 root Domain Admins  438 Jan 11 08:52 smbldap_bind.conf
> 
> 
> However, I can't add users using the smbldap-useradd script:
> 
> jamesc@elli ~ $ /usr/sbin/smbldap-useradd  -w "phobos$"
> Could not find base dn, to get next uidNumber at /usr/sbin//smbldap_tools.pm line 995.
> 
> Looking at the OpenLDAP logs, it seems that smbldap-useradd is 
> performing the search without first authenticating with the LDAP server:
> 
> 
> Jan 16 09:24:19 cygnus_new slapd[12571]: conn=67383 fd=52 ACCEPT from IP=172.30.1.22:60342 (IP=0.0.0.0:389)
> Jan 16 09:24:19 cygnus_new slapd[26453]: conn=67383 op=1 SRCH base="dc=u4eatech,dc=com" scope=2 deref=2 filter="(&(objectClass=posixAccount)(uid=phobos$))"
> Jan 16 09:24:19 cygnus_new slapd[26453]: conn=67383 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
> Jan 16 09:24:19 cygnus_new slapd[16367]: conn=67383 op=2 SRCH base="sambaDomainName=U4EATECH,dc=u4eatech,dc=com" scope=0 deref=2 filter="(objectClass=sambaUnixIdPool)"
> Jan 16 09:24:19 cygnus_new slapd[16367]: conn=67383 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text=
> Jan 16 09:24:19 cygnus_new slapd[12571]: conn=67383 fd=52 closed
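The diagnosis in this thread rests on reading slapd's log per connection: whether a BIND preceded the searches, and which searches came back with nentries=0 (including the sambaUnixIdPool lookup the reply asks about). The following is an added example, not part of the original messages, that automates that reading; the conn=70001 lines and their DNs are constructed for contrast, and the BIND/RESULT line shapes assume slapd's usual stats logging.

```python
import re
from collections import defaultdict

# Constructed sample: the thread's conn=67383 lines with the mail wrapping
# undone, plus an invented authenticated connection (conn=70001) for contrast.
SAMPLE_LOG = """\
Jan 16 09:24:19 cygnus_new slapd[12571]: conn=67383 fd=52 ACCEPT from IP=172.30.1.22:60342 (IP=0.0.0.0:389)
Jan 16 09:24:19 cygnus_new slapd[26453]: conn=67383 op=1 SRCH base="dc=u4eatech,dc=com" scope=2 deref=2 filter="(&(objectClass=posixAccount)(uid=phobos$))"
Jan 16 09:24:19 cygnus_new slapd[26453]: conn=67383 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
Jan 16 09:24:19 cygnus_new slapd[16367]: conn=67383 op=2 SRCH base="sambaDomainName=U4EATECH,dc=u4eatech,dc=com" scope=0 deref=2 filter="(objectClass=sambaUnixIdPool)"
Jan 16 09:24:19 cygnus_new slapd[16367]: conn=67383 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text=
Jan 16 09:24:19 cygnus_new slapd[12571]: conn=67383 fd=52 closed
Jan 16 09:30:00 cygnus_new slapd[12571]: conn=70001 op=0 BIND dn="cn=example,dc=example,dc=com" method=128
Jan 16 09:30:00 cygnus_new slapd[12571]: conn=70001 op=0 RESULT tag=97 err=0 text=
Jan 16 09:30:00 cygnus_new slapd[12571]: conn=70001 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(uid=someone)"
Jan 16 09:30:00 cygnus_new slapd[12571]: conn=70001 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
"""

OP = re.compile(r'conn=(\d+) op=(\d+) (.*)')
BIND = re.compile(r'BIND dn="([^"]*)" method=')
BIND_OK = re.compile(r'RESULT tag=97 err=0\b')
SRCH = re.compile(r'SRCH base="([^"]*)" .*filter="(.*)"$')
DONE = re.compile(r'SEARCH RESULT tag=101 err=\d+ nentries=(\d+)')

def audit(log_text):
    """Map conn id -> bound DN (None if never bound, anonymous, or failed)
    and the (base, filter) of every search that returned no entries."""
    state = defaultdict(lambda: {"tried": "", "bind_dn": None, "open": {}, "empty": []})
    for line in log_text.splitlines():
        m = OP.search(line)
        if not m:
            continue  # ACCEPT/closed lines carry fd=, not op=
        c, op, rest = state[int(m.group(1))], m.group(2), m.group(3)
        if b := BIND.match(rest):
            c["tried"] = b.group(1)
        elif BIND_OK.match(rest):
            c["bind_dn"] = c["tried"] or None  # dn="" is an anonymous bind
        elif s := SRCH.match(rest):
            c["open"][op] = s.groups()
        elif (d := DONE.match(rest)) and op in c["open"]:
            search = c["open"].pop(op)
            if d.group(1) == "0":
                c["empty"].append(search)
    return {k: {"bind_dn": v["bind_dn"], "empty": v["empty"]} for k, v in state.items()}

if __name__ == "__main__":
    for conn, r in audit(SAMPLE_LOG).items():
        print(conn, "bound as", r["bind_dn"], "| empty searches:", r["empty"])
```

An err=0 result with nentries=0 on an unbound connection can mean either that the entry does not exist or that the server's ACLs hide it from anonymous clients, so the two questions in the reply and the missing BIND need to be checked together.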

