[Samba] Needs to run smbldap-useradd as non-root user

Nathan Mahu nmahu at cyanide-studio.com
Tue Jun 28 07:02:27 MDT 2011


Hello,

The abstract is:
How to run smbldap-useradd (and others) as a non-root user, knowing 
that giving Samba privileges to the user's account is enough.

Now the details:
My setup is FreeBSD-8, samba35, nss_ldap, smbldap-tools... and NO pam_ldap.
I am creating a webservice which must run the smbldap-tools scripts. 
Everything is running on FreeBSD-8, and runs fine as root. However, 
my webservices won't have root access, so I logged in as a non-root 
user (#su - testwww) who is in the LDAP directory (added through 
smbldap-useradd -a) and tried the smbldap-tools scripts. Here is my issue:

     # smbldap-useradd -a userLambda

fails with the following message:

     "Error: modifications require authentication at /usr/local/lib/perl5/site_perl/5.12.3/smbldap_tools.pm line 1200."

OpenLDAP logs:

     Jun 28 08:59:53 openldap slapd[1220]: conn=1098 fd=31 ACCEPT from IP=10.1.5.90:24971 (IP=10.1.5.91:389)
     Jun 28 08:59:53 openldap slapd[1220]: conn=1098 op=0 SRCH base="dc=my-domain,dc=com" scope=2 deref=2 filter="(&(objectClass=posixAccount)(uid=userlambda))"
     Jun 28 08:59:53 openldap slapd[1220]: conn=1098 op=0 SEARCH RESULT tag=101 err=0 nentries=0 text=
     Jun 28 08:59:53 openldap slapd[1220]: conn=1098 op=1 SRCH base="sambaDomainName=MYDOMAIN,dc=my-domain,dc=com" scope=0 deref=2 filter="(objectClass=sambaUnixIdPool)"
     Jun 28 08:59:53 openldap slapd[1220]: conn=1098 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
     Jun 28 08:59:53 openldap slapd[1220]: conn=1098 op=2 MOD dn="sambaDomainName=MYDOMAIN,dc=my-domain,dc=com"
     Jun 28 08:59:53 openldap slapd[1220]: conn=1098 op=2 MOD attr=uidNumber
     Jun 28 08:59:53 openldap slapd[1220]: conn=1098 op=2 RESULT tag=103 err=8 text=modifications require authentication
     Jun 28 08:59:53 openldap slapd[1220]: conn=1098 fd=31 closed (connection lost)

Immediately we see it doesn't BIND (since it says "require 
authentication"). I tested with the user:

     # smbldap-passwd

which works fine... and BINDs with its name ("testwww"):

     Jun 28 11:49:29 openldap slapd[1220]: conn=1178 fd=18 ACCEPT from IP=10.1.5.90:21258 (IP=10.1.5.91:389)
     Jun 28 11:49:29 openldap slapd[1220]: conn=1178 op=0 BIND dn="uid=testwww,ou=Users,dc=my-domain,dc=com" method=128
     Jun 28 11:49:29 openldap slapd[1220]: conn=1178 op=0 BIND dn="uid=testwww,ou=Users,dc=my-domain,dc=com" mech=SIMPLE ssf=0
     Jun 28 11:49:29 openldap slapd[1220]: conn=1178 op=0 RESULT tag=97 err=0 text=
     [...]

Then I thought I had to give testwww Samba rights to add users, so I 
added testwww to my administrators group, which has the following rights:

     BUILTIN\Administrators
     SeMachineAccountPrivilege
     SeTakeOwnershipPrivilege
     SeBackupPrivilege
     SeRestorePrivilege
     SeRemoteShutdownPrivilege
     SePrintOperatorPrivilege
     SeAddUsersPrivilege
     SeDiskOperatorPrivilege

Restarted Samba, but no way, it still does not BIND.

Finally, I started thinking I need pam_ldap, but since I can log in with 
LDAP users and they can BIND with smbldap-passwd, I really doubt that is 
what is missing. To pre-empt some questions: the non-root user can see LDAP 
accounts and groups (# getent passwd/group).

Thank you in advance for helping me!

Nathan
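The diagnosis in the mail rests on reading the slapd log: on conn=1098 a MOD is attempted with no preceding BIND and slapd answers err=8, while on conn=1178 the same user binds as uid=testwww before doing anything. The following script is an added example, not part of the mail or of smbldap-tools; it groups slapd log records by connection, records which DN (if any) each connection successfully bound as, and flags any write (ADD/MOD/MODRDN/DEL) issued on a connection that never bound. The sample log embedded below is constructed from the records quoted above, re-joined onto one line each; the regexes assume the default slapd "stats" log format shown in the mail.

```python
import re
from collections import OrderedDict

# Constructed sample input: the two slapd sessions quoted in the mail,
# each record re-joined onto a single line (the mail client had wrapped them).
SAMPLE_LOG = """\
Jun 28 08:59:53 openldap slapd[1220]: conn=1098 fd=31 ACCEPT from IP=10.1.5.90:24971 (IP=10.1.5.91:389)
Jun 28 08:59:53 openldap slapd[1220]: conn=1098 op=0 SRCH base="dc=my-domain,dc=com" scope=2 deref=2 filter="(&(objectClass=posixAccount)(uid=userlambda))"
Jun 28 08:59:53 openldap slapd[1220]: conn=1098 op=0 SEARCH RESULT tag=101 err=0 nentries=0 text=
Jun 28 08:59:53 openldap slapd[1220]: conn=1098 op=1 SRCH base="sambaDomainName=MYDOMAIN,dc=my-domain,dc=com" scope=0 deref=2 filter="(objectClass=sambaUnixIdPool)"
Jun 28 08:59:53 openldap slapd[1220]: conn=1098 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jun 28 08:59:53 openldap slapd[1220]: conn=1098 op=2 MOD dn="sambaDomainName=MYDOMAIN,dc=my-domain,dc=com"
Jun 28 08:59:53 openldap slapd[1220]: conn=1098 op=2 MOD attr=uidNumber
Jun 28 08:59:53 openldap slapd[1220]: conn=1098 op=2 RESULT tag=103 err=8 text=modifications require authentication
Jun 28 08:59:53 openldap slapd[1220]: conn=1098 fd=31 closed (connection lost)
Jun 28 11:49:29 openldap slapd[1220]: conn=1178 fd=18 ACCEPT from IP=10.1.5.90:21258 (IP=10.1.5.91:389)
Jun 28 11:49:29 openldap slapd[1220]: conn=1178 op=0 BIND dn="uid=testwww,ou=Users,dc=my-domain,dc=com" method=128
Jun 28 11:49:29 openldap slapd[1220]: conn=1178 op=0 BIND dn="uid=testwww,ou=Users,dc=my-domain,dc=com" mech=SIMPLE ssf=0
Jun 28 11:49:29 openldap slapd[1220]: conn=1178 op=0 RESULT tag=97 err=0 text=
"""

# Assumed slapd "stats" log layout: "... slapd[pid]: conn=N <rest>".
LINE_RE = re.compile(r'slapd\[\d+\]: conn=(?P<conn>\d+) (?P<rest>.*)$')
ACCEPT_RE = re.compile(r'ACCEPT from IP=(?P<src>\S+)')
OP_RE = re.compile(r'op=(?P<op>\d+) (?P<kind>[A-Z]+)(?P<args>.*)$')
DN_RE = re.compile(r'dn="(?P<dn>[^"]*)"')
TAG_RE = re.compile(r'tag=(?P<tag>\d+)')
ERR_RE = re.compile(r'err=(?P<err>\d+)')

WRITE_KINDS = {"ADD", "MOD", "MODRDN", "DEL"}
BIND_RESULT_TAG = "97"              # LDAP BindResponse tag (RFC 4511)
ERR_STRONGER_AUTH_REQUIRED = "8"    # slapd text: "modifications require authentication"


def parse_connections(log_text):
    """Group slapd records by connection and track bind state and write attempts."""
    conns = OrderedDict()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a slapd connection record
        state = conns.setdefault(m.group("conn"), {
            "src": None, "bound_as": None, "pending_bind": None,
            "writes": [], "unauthenticated_writes": [], "auth_errors": [],
        })
        rest = m.group("rest")
        accept = ACCEPT_RE.search(rest)
        if accept:
            state["src"] = accept.group("src")
            continue
        o = OP_RE.match(rest)
        if not o:
            continue  # e.g. "fd=31 closed (connection lost)"
        op, kind, args = o.group("op"), o.group("kind"), o.group("args")
        dn = DN_RE.search(args)
        if kind == "BIND" and dn:
            # An empty dn is an anonymous bind: treat it as "not bound".
            state["pending_bind"] = dn.group("dn") or None
        elif kind == "RESULT":
            tag = TAG_RE.search(args)
            err = ERR_RE.search(args)
            if tag and tag.group("tag") == BIND_RESULT_TAG and err and err.group("err") == "0":
                state["bound_as"] = state["pending_bind"]  # bind succeeded
            if err and err.group("err") == ERR_STRONGER_AUTH_REQUIRED:
                state["auth_errors"].append(op)
        elif kind in WRITE_KINDS and dn:
            # Only the first line of a MOD carries dn=; "MOD attr=..." lines are skipped.
            entry = (op, kind, dn.group("dn"))
            state["writes"].append(entry)
            if state["bound_as"] is None:
                state["unauthenticated_writes"].append(entry)
    return conns


def unauthenticated_write_alerts(log_text):
    """One alert per connection that attempted a write without a successful bind."""
    alerts = []
    for conn, st in parse_connections(log_text).items():
        if st["unauthenticated_writes"]:
            alerts.append({
                "conn": conn,
                "src": st["src"],
                "writes": st["unauthenticated_writes"],
                "rejected": bool(st["auth_errors"]),
            })
    return alerts


if __name__ == "__main__":
    for a in unauthenticated_write_alerts(SAMPLE_LOG):
        status = "rejected (err=8)" if a["rejected"] else "NOT rejected"
        print(f"conn={a['conn']} from {a['src']}: write without bind, {status}")
        for op, kind, dn in a["writes"]:
            print(f"    op={op} {kind} dn={dn}")
```

Run against the two sessions above it reports conn=1098 as a write attempted with no bind (and rejected), and nothing for conn=1178, which bound as uid=testwww first. The same grouping makes it easy to spot the opposite case on a production server: an unauthenticated write that was *not* rejected, which would indicate an overly permissive ACL rather than a client that forgot to bind.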

