[Samba] Samba LDAP rootpw error

Gary Dale garydale at torfree.net
Mon Mar 27 04:02:15 GMT 2006

Further to my previous message: I've gone over section 8.1 of 
http://samba.idealx.org/smbldap-tools.en.html, which shows some working 
.conf files, and put back a few things the way I'd previously had them. 
The example files use Manager while I use admin is the main thing. I've 
kept samba in smb.conf however. Because there is now a samba user in the 
LDAP database, this seems to work now.

However, I still can't do smbpasswd -a root. I'm still getting:

semper:/etc/ldap# smbpasswd -a root
New SMB password:
Retype new SMB password:
ldapsam_modify_entry: Failed to add user dn= 
uid=root,ou=Users,dc=rahim-dale,dc=org with: Insufficient access
        no write access to parent
ldapsam_add_sam_account: failed to modify/add user with uid = root (dn = 
Failed to add entry for user root.
Failed to modify password entry for user root

I have a samba-access.conf file that is included in slapd.conf that 
combines the 8.2 samba uid stuff with a shorter list from the original 
howto I was following. I've attached it in case it helps.

An ldap search gives the following results:
semper:/etc/ldap# ldapsearch -D cn=admin,dc=rahim-dale,dc=org -b 
dc=rahim-dale,dc=org -h -x -W ""
Enter LDAP Password:
# extended LDIF
# LDAPv3
# base <dc=rahim-dale,dc=org> with scope sub
# filter: (objectclass=*)
# requesting:

# rahim-dale.org
dn: dc=rahim-dale,dc=org

# admin, rahim-dale.org
dn: cn=admin,dc=rahim-dale,dc=org

# Users, rahim-dale.org
dn: ou=Users,dc=rahim-dale,dc=org

# Groups, rahim-dale.org
dn: ou=Groups,dc=rahim-dale,dc=org

# Computers, rahim-dale.org
dn: ou=Computers,dc=rahim-dale,dc=org

# Idmap, rahim-dale.org
dn: ou=Idmap,dc=rahim-dale,dc=org

# rahim-dale, rahim-dale.org
dn: sambaDomainName=rahim-dale,dc=rahim-dale,dc=org

# Administrator, Users, rahim-dale.org
dn: uid=Administrator,ou=Users,dc=rahim-dale,dc=org

# nobody, Users, rahim-dale.org
dn: uid=nobody,ou=Users,dc=rahim-dale,dc=org

# Domain Admins, Groups, rahim-dale.org
dn: cn=Domain Admins,ou=Groups,dc=rahim-dale,dc=org

# Domain Users, Groups, rahim-dale.org
dn: cn=Domain Users,ou=Groups,dc=rahim-dale,dc=org

# Domain Guests, Groups, rahim-dale.org
dn: cn=Domain Guests,ou=Groups,dc=rahim-dale,dc=org

# Domain Computers, Groups, rahim-dale.org
dn: cn=Domain Computers,ou=Groups,dc=rahim-dale,dc=org

# Administrators, Groups, rahim-dale.org
dn: cn=Administrators,ou=Groups,dc=rahim-dale,dc=org

# Print Operators, Groups, rahim-dale.org
dn: cn=Print Operators,ou=Groups,dc=rahim-dale,dc=org

# Backup Operators, Groups, rahim-dale.org
dn: cn=Backup Operators,ou=Groups,dc=rahim-dale,dc=org

# Replicators, Groups, rahim-dale.org
dn: cn=Replicators,ou=Groups,dc=rahim-dale,dc=org

# samba, Users, rahim-dale.org
dn: uid=samba,ou=Users,dc=rahim-dale,dc=org

# search result
search: 2
result: 0 Success

# numResponses: 19
# numEntries: 18

-------------- next part --------------
# users can authenticate and change their password
access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange
      by dn="uid=samba,ou=Users,dc=rahim-dale,dc=org" write
      by self write
      by anonymous auth
      by * none
# some attributes need to be readable anonymously so that 'id user' can answer correctly
access to attrs=objectClass,entry,gecos,homeDirectory,uid,uidNumber,gidNumber,cn,memberUid
      by dn="uid=samba,ou=Users,dc=rahim-dale,dc=org" write
      by * read
# somme attributes can be writable by users themselves
access to attrs=description,telephoneNumber
      by dn="uid=samba,ou=Users,dc=rahim-dale,dc=org" write
      by self write
      by * read
# some attributes need to be writable for samba
access to attrs=cn,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaLogonTime,sambaLogoffTime,sambaKickoffTime,sambaPwdCanChange,sambaPwdMustChange,sambaAcctFlags,displayName,sambaHomePath,sambaHomeDrive,sambaLogonScript,sambaProfilePath,description,sambaUserWorkstations,sambaPrimaryGroupSID,sambaDomainName,sambaSID,sambaGroupType,sambaNextRid,sambaNextGroupRid,sambaNextUserRid,sambaAlgorithmicRidBase
      by dn="uid=samba,ou=Users,dc=rahim-dale,dc=org" write
      by self read
      by * none
# samba need to be able to create the samba domain account
access to dn.base="dc=rahim-dale,dc=org"
      by dn="uid=samba,ou=Users,dc=rahim-dale,dc=org" write
      by * none
# samba need to be able to create new users account
access to dn="ou=Users,dc=rahim-dale,dc=org"
      by dn="uid=samba,ou=Users,dc=rahim-dale,dc=org" write
      by * none
# samba need to be able to create new groups account
access to dn="ou=Groups,dc=rahim-dale,dc=org"
      by dn="uid=samba,ou=Users,dc=rahim-dale,dc=org" write
      by * none
# samba need to be able to create new computers account
access to dn="ou=Computers,dc=rahim-dale,dc=org"
      by dn="uid=samba,ou=Users,dc=rahim-dale,dc=org" write
      by * none
# this can be omitted but we leave it: there could be other branch
# in the directory
access to *
      by self read
      by * none

access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPWDMustChange
	by dn="cn=admin,dc=rahim-dale,dc=org" write
	by anonymous auth
	by self write
	by * none

access to attrs=loginShell
	by dn="cn=admin,dc=rahim-dale,dc=org" write
	by * none

access to attrs=description,telephoneNumber,roomNumber,homePhone,gecos,cn,sn,givenname
	by dn="cn=admin,dc=rahim-dale,dc=org" write
	by self write
	by * read

More information about the samba mailing list