[Samba] Samba LDAP rootpw error
Gary Dale
garydale at torfree.net
Mon Mar 27 04:02:15 GMT 2006
Further to my previous message: I've gone over section 8.1 of
http://samba.idealx.org/smbldap-tools.en.html, which shows some working
.conf files, and put back a few things the way I'd previously had them.
The main difference is that the example files use Manager while I use admin.
I've kept samba in smb.conf, however. Because there is now a samba user in the
LDAP database, this now seems to work.
However, I still can't do smbpasswd -a root. I'm still getting:
semper:/etc/ldap# smbpasswd -a root
New SMB password:
Retype new SMB password:
ldapsam_modify_entry: Failed to add user dn= uid=root,ou=Users,dc=rahim-dale,dc=org with: Insufficient access
no write access to parent
ldapsam_add_sam_account: failed to modify/add user with uid = root (dn = uid=root,ou=Users,dc=rahim-dale,dc=org)
Failed to add entry for user root.
Failed to modify password entry for user root
I have a samba-access.conf file that is included in slapd.conf that
combines the 8.2 samba uid stuff with a shorter list from the original
howto I was following. I've attached it in case it helps.
An LDAP search gives the following results:
semper:/etc/ldap# ldapsearch -D cn=admin,dc=rahim-dale,dc=org -b dc=rahim-dale,dc=org -h 127.0.0.1 -x -W ""
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=rahim-dale,dc=org> with scope sub
# filter: (objectclass=*)
# requesting:
#
# rahim-dale.org
dn: dc=rahim-dale,dc=org
# admin, rahim-dale.org
dn: cn=admin,dc=rahim-dale,dc=org
# Users, rahim-dale.org
dn: ou=Users,dc=rahim-dale,dc=org
# Groups, rahim-dale.org
dn: ou=Groups,dc=rahim-dale,dc=org
# Computers, rahim-dale.org
dn: ou=Computers,dc=rahim-dale,dc=org
# Idmap, rahim-dale.org
dn: ou=Idmap,dc=rahim-dale,dc=org
# rahim-dale, rahim-dale.org
dn: sambaDomainName=rahim-dale,dc=rahim-dale,dc=org
# Administrator, Users, rahim-dale.org
dn: uid=Administrator,ou=Users,dc=rahim-dale,dc=org
# nobody, Users, rahim-dale.org
dn: uid=nobody,ou=Users,dc=rahim-dale,dc=org
# Domain Admins, Groups, rahim-dale.org
dn: cn=Domain Admins,ou=Groups,dc=rahim-dale,dc=org
# Domain Users, Groups, rahim-dale.org
dn: cn=Domain Users,ou=Groups,dc=rahim-dale,dc=org
# Domain Guests, Groups, rahim-dale.org
dn: cn=Domain Guests,ou=Groups,dc=rahim-dale,dc=org
# Domain Computers, Groups, rahim-dale.org
dn: cn=Domain Computers,ou=Groups,dc=rahim-dale,dc=org
# Administrators, Groups, rahim-dale.org
dn: cn=Administrators,ou=Groups,dc=rahim-dale,dc=org
# Print Operators, Groups, rahim-dale.org
dn: cn=Print Operators,ou=Groups,dc=rahim-dale,dc=org
# Backup Operators, Groups, rahim-dale.org
dn: cn=Backup Operators,ou=Groups,dc=rahim-dale,dc=org
# Replicators, Groups, rahim-dale.org
dn: cn=Replicators,ou=Groups,dc=rahim-dale,dc=org
# samba, Users, rahim-dale.org
dn: uid=samba,ou=Users,dc=rahim-dale,dc=org
# search result
search: 2
result: 0 Success
# numResponses: 19
# numEntries: 18
-------------- attachment: samba-access.conf --------------
# users can authenticate and change their password
access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange
        by dn="uid=samba,ou=Users,dc=rahim-dale,dc=org" write
        by self write
        by anonymous auth
        by * none
# some attributes need to be readable anonymously so that 'id user' can answer correctly
access to attrs=objectClass,entry,gecos,homeDirectory,uid,uidNumber,gidNumber,cn,memberUid
        by dn="uid=samba,ou=Users,dc=rahim-dale,dc=org" write
        by * read
# some attributes can be writable by users themselves
access to attrs=description,telephoneNumber
        by dn="uid=samba,ou=Users,dc=rahim-dale,dc=org" write
        by self write
        by * read
# some attributes need to be writable for samba
access to attrs=cn,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaLogonTime,sambaLogoffTime,sambaKickoffTime,sambaPwdCanChange,sambaPwdMustChange,sambaAcctFlags,displayName,sambaHomePath,sambaHomeDrive,sambaLogonScript,sambaProfilePath,description,sambaUserWorkstations,sambaPrimaryGroupSID,sambaDomainName,sambaSID,sambaGroupType,sambaNextRid,sambaNextGroupRid,sambaNextUserRid,sambaAlgorithmicRidBase
        by dn="uid=samba,ou=Users,dc=rahim-dale,dc=org" write
        by self read
        by * none
# samba needs to be able to create the samba domain account
access to dn.base="dc=rahim-dale,dc=org"
        by dn="uid=samba,ou=Users,dc=rahim-dale,dc=org" write
        by * none
# samba needs to be able to create new user accounts
access to dn="ou=Users,dc=rahim-dale,dc=org"
        by dn="uid=samba,ou=Users,dc=rahim-dale,dc=org" write
        by * none
# samba needs to be able to create new group accounts
access to dn="ou=Groups,dc=rahim-dale,dc=org"
        by dn="uid=samba,ou=Users,dc=rahim-dale,dc=org" write
        by * none
# samba needs to be able to create new computer accounts
access to dn="ou=Computers,dc=rahim-dale,dc=org"
        by dn="uid=samba,ou=Users,dc=rahim-dale,dc=org" write
        by * none
# this can be omitted but we leave it: there could be other branches
# in the directory
access to *
        by self read
        by * none
access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPWDMustChange
        by dn="cn=admin,dc=rahim-dale,dc=org" write
        by anonymous auth
        by self write
        by * none
access to attrs=loginShell
        by dn="cn=admin,dc=rahim-dale,dc=org" write
        by * none
access to attrs=description,telephoneNumber,roomNumber,homePhone,gecos,cn,sn,givenname
        by dn="cn=admin,dc=rahim-dale,dc=org" write
        by self write
        by * read
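As an added example (not part of the original post, and not OpenLDAP's or Samba's own code), here is a small Python replay of slapd's documented first-match ACL evaluation, run against an abridged, constructed copy of the posted samba-access.conf for the operation that failed: adding uid=root under ou=Users. It goes a little beyond the post by accepting the scope styles slapd.access(5) documents (dn.base, dn.exact, dn.one, dn.subtree, dn.children, dn.regex). Assumptions, also marked in the code: the deprecated bare `dn=` form in an `access to` line is taken as a regex by default (the `bare_dn_style` parameter lets you try `base` instead, and the two readings give different answers), a bare `dn=` in a `by` clause is compared as an exact DN, and the add checks follow OpenLDAP 2.2 and later (write on the parent's `children` pseudo-attribute, then on the new entry's `entry` pseudo-attribute and on each attribute being added).

```python
import re

# Constructed sample (ASSUMPTION): an abridged copy of the posted
# samba-access.conf, clauses kept in their original order.
SAMPLE_ACL = """
access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange
        by dn="uid=samba,ou=Users,dc=rahim-dale,dc=org" write
        by self write
        by anonymous auth
        by * none
access to attrs=objectClass,entry,gecos,homeDirectory,uid,uidNumber,gidNumber,cn,memberUid
        by dn="uid=samba,ou=Users,dc=rahim-dale,dc=org" write
        by * read
access to dn="ou=Users,dc=rahim-dale,dc=org"
        by dn="uid=samba,ou=Users,dc=rahim-dale,dc=org" write
        by * none
access to *
        by self read
        by * none
access to attrs=loginShell
        by dn="cn=admin,dc=rahim-dale,dc=org" write
        by * none
"""

# slapd's access levels, weakest to strongest.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
DN_RE = r'dn(?:\.(\w+))?="([^"]*)"'

def norm(dn):
    """Case-fold a DN and drop spaces after commas so comparisons are stable."""
    return ",".join(p.strip() for p in dn.lower().split(","))

def parent(dn):
    return dn.split(",", 1)[1] if "," in dn else ""

def parse_acl(text):
    """Turn 'access to <what>' / 'by <who> <level>' lines into clause dicts."""
    clauses = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("access to"):
            what = line[len("access to"):].strip()
            d, a = re.search(DN_RE, what), re.search(r"attrs=(\S+)", what)
            clauses.append({"dn_style": d.group(1) if d else None,   # None: bare dn=
                            "dn_pat": d.group(2) if d else None,
                            "attrs": {x.lower() for x in a.group(1).split(",")} if a else None,
                            "by": []})
        elif line.startswith("by "):
            who, level = re.match(r"by\s+(.+?)\s+(\w+)$", line).groups()
            clauses[-1]["by"].append((who, level))
    return clauses

def dn_matches(style, pat, dn):
    if style == "regex":              # slapd regex patterns are not anchored
        return re.search(pat, dn, re.I) is not None
    p = norm(pat)
    return {"base": dn == p, "exact": dn == p, "one": parent(dn) == p,
            "subtree": dn == p or dn.endswith("," + p),
            "children": dn.endswith("," + p)}[style]

def what_matches(c, dn, attr, bare_dn_style):
    if c["dn_pat"] is not None and not dn_matches(c["dn_style"] or bare_dn_style, c["dn_pat"], dn):
        return False
    return c["attrs"] is None or attr.lower() in c["attrs"]

def who_matches(who, bind_dn, target_dn):
    if who in ("*", "anonymous", "users", "self"):
        return {"*": True, "anonymous": bind_dn == "", "users": bind_dn != "",
                "self": bind_dn == target_dn}[who]
    style, pat = re.match(DN_RE, who).groups()
    # ASSUMPTION: a bare dn= in a <who> clause is compared as an exact DN.
    return dn_matches(style or "exact", pat, bind_dn)

def granted(clauses, bind_dn, target_dn, attr, bare_dn_style="regex"):
    """First <what> that matches wins; inside it the first <who> that matches wins.
    A matched clause with no matching <who> denies (implicit 'by * none')."""
    bind_dn, target_dn = norm(bind_dn), norm(target_dn)
    for c in clauses:
        if what_matches(c, target_dn, attr, bare_dn_style):
            return next((lvl for who, lvl in c["by"] if who_matches(who, bind_dn, target_dn)), "none")
    return "none" if clauses else "read"   # a non-empty list ends in an implicit 'access to * by * none'

def allows(level, needed):
    return LEVELS.index(level) >= LEVELS.index(needed)

def check_add(clauses, bind_dn, new_dn, attrs, bare_dn_style="regex"):
    """Replay the checks an LDAP add goes through (OpenLDAP 2.2+ semantics, ASSUMPTION):
    write on the parent's 'children' pseudo-attribute, write on the new entry's 'entry'
    pseudo-attribute, then write on every attribute supplied.  Returns the first failure
    as a slapd-style message, or None when the add would be allowed."""
    checks = [("children", parent(norm(new_dn)), "parent"), ("entry", new_dn, "entry")]
    checks += [(a, new_dn, a) for a in attrs]
    for attr, dn, label in checks:
        lvl = granted(clauses, bind_dn, dn, attr, bare_dn_style)
        if not allows(lvl, "write"):
            return "no write access to %s (got %s)" % (label, lvl)
    return None

if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    root = "uid=root,ou=Users,dc=rahim-dale,dc=org"
    for bind in ("uid=samba,ou=Users,dc=rahim-dale,dc=org", "cn=admin,dc=rahim-dale,dc=org"):
        for style in ("regex", "base"):
            result = check_add(acl, bind, root, ["objectClass", "uid", "sambaNTPassword", "loginShell"], style)
            print("%-42s bare dn= as %-5s -> %s" % (bind, style, result))
```

Running it prints, for each of the two bind DNs and each reading of the bare `dn=` form, the first check that fails for the add of uid=root, so the bind DN that yields slapd's "no write access to parent" is visible at once. Two properties of the posted file that the evaluator makes obvious, if you paste the whole attachment into SAMPLE_ACL: every clause after `access to *` is unreachable, because that clause matches every entry and every attribute and the first matching clause wins, and a `by dn=` line for a DN that is not the first to match an earlier clause on the same attributes never applies. On OpenLDAP 2.3 and later, slapacl(8) answers the same question against the real configuration and bind DN.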