[Samba] Samba LDAP rootpw error

Matt Richards matt at mattstone.net
Sat Mar 25 15:19:54 GMT 2006

> Matt Richards wrote:
>>>I was following the howto below (originally posted on this list as BIG
>>>Samba howto for debian only.) to see if I could get my not-quite-working
>>>Samba 3.0.14a (debian) server fully working and able to handle my Linux
>>>logins too. The problem I'm having with my Samba setup is that I can't
>>>change user passwords except through Swat. Users can't change them from
>>>their machines using the Windows password change - but they are notified
>>>to change them by when they expire.
>>>Anyway, my attempts to follow the howto hit a roadblock at "3 LDAP
>>>Server configuration". Neither slapindex nor slapd will run. It looks
>>>like it doesn't like something about my root password, but I'm not sure
>>>what it wants (I'm no expert on LDAP).  :)
>>>Slapindex complains "bad configuration file". Slapd gives the more
>>>   line 65 (rootpw ***)
>>>   /etc/ldap/slapd.conf: line 65: rootpw can only be set when rootdn is
>>>under suffix
>>>I've attached my slapd.conf file if that is of any assistance. Any help
>>>will be greatly appreciated.
>>>Louis van Belle wrote:
>>humm well looking at the config file the first thing that i notice is
>> this
>># The base of your directory in database #1
>>suffix          "dc=rahim-dale,dc=org"
>>rootdn                "cn=admin,dc=toronto,dc=ontario,dc=ca"
>>your root dn isn't in the base of your ldap tree, this should probably be
>>something like ...
>>suffix          "dc=rahim-dale,dc=org"
>>rootdn                "cn=admin,dc=rahim-dale,dc=org"
>>try it n let us know what happens :).
> You got it in one!  I've got slapd running.
> Now I'm stuck at "5.4 set the samba ldap admin password". I can set the
> admin password and get the expected response, but when I try
> "smbldap-populate -a Administrator -b nobody -u 2000 -g 2000", it fails
> to add the various groups. I get "failed to add entry: modifications
> require authentication at /usr/sbin/smbldap-populate line 460, <GEN1>
> line 3." for each ou=<groupname> it tries to add.
> Any ideas?

the smbldap-populate script requires authentication to the ldap server
there is probably a problem with the login you have set in smbldap.conf ..
if you have set any at!

i would recommend looking through the smbldap-tools howto at
and see if there is anything you have missed out, but the first thing i
would try is this ..

3 Configuring the smbldap-tools
As mentioned in the previous section, you'll have to update two
configuration files. The first (smbldap.conf) allows you to set global
parameters that are readable by everybody, and the second
(smbldap_bind.conf) defines two administrative accounts to bind to a slave
and a master ldap server: this file must thus be readable only by root. A
script named configure.pl can help you to set their contents up. It is
located in the tarball downloaded or in the documentation directory if you
got the RPM archive (see /usr/share/doc/smbldap-tools/). Just invoke it:


note : the smbldap-tools dir might not be located in your /usr/share/doc/

if this doesn't work you could attach your smbldap config file (with the
passwd taken out of course) so we can have a little look.
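
The two checks this thread turns on, written out as an added example (not part of the original post, and not code from Samba or smbldap-tools): that each slapd.conf database with a rootpw has its rootdn under one of its suffixes, and that smbldap_bind.conf is owned by root with no group/other access. The function names are illustrative, the sample config is constructed from the values quoted above, and the parser assumes one directive per line with no continuation lines.

```python
import os
import shlex
import stat

# Constructed sample reproducing the suffix/rootdn mismatch quoted in the thread.
SAMPLE_BAD = '''database bdb
suffix  "dc=rahim-dale,dc=org"
rootdn  "cn=admin,dc=toronto,dc=ontario,dc=ca"
rootpw  placeholder-not-a-real-password
'''

def norm_dn(dn):
    """Lower-case a DN and trim spaces around commas (simplified: no escaped commas)."""
    return ",".join(p.strip().lower() for p in dn.split(","))

def check_slapd_conf(text):
    """Return (line, message) for each database whose rootpw has no rootdn under a suffix."""
    dbs = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                      # skip blank lines and comments
        args = shlex.split(raw)           # handles the double-quoted DN arguments
        key = args[0].lower()
        if key == "database":             # each "database" line starts a new section
            dbs.append({"suffix": [], "rootdn": None, "rootpw": None})
        elif dbs and len(args) > 1:
            if key == "suffix":
                dbs[-1]["suffix"].append(norm_dn(args[1]))
            elif key == "rootdn":
                dbs[-1]["rootdn"] = norm_dn(args[1])
            elif key == "rootpw":
                dbs[-1]["rootpw"] = lineno   # record the line, never the value
    problems = []
    for db in dbs:
        dn = db["rootdn"]
        ok = dn and any(dn == s or dn.endswith("," + s) for s in db["suffix"])
        if db["rootpw"] is not None and not ok:
            problems.append((db["rootpw"], "rootpw set but rootdn %r is not under suffix" % dn))
    return problems

def bind_conf_problems(path):
    """Flag an smbldap_bind.conf that is not root-owned or that group/other can access."""
    st = os.stat(path)
    problems = []
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("mode %o grants group/other access" % stat.S_IMODE(st.st_mode))
    if st.st_uid != 0:
        problems.append("owner uid %d is not root" % st.st_uid)
    return problems
```
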

