[Samba] Needs to run smbldap-useradd as non-root user

Dermot paikkos at googlemail.com
Tue Jun 28 07:43:41 MDT 2011


On 28 June 2011 14:02, Nathan Mahu <nmahu at cyanide-studio.com> wrote:
> Hello,
>
> The abstract is:
> How to run smbldap-useradd (and others) with a non-root user, knowing that
> giving Samba privileges to the user's account is enough.
>
> Now the details:
> My setup is FreeBSD-8, samba35, nss_ldap, smbldap-tools... And NO pam_ldap.
> I am creating a webservice which must run smbldap-tools scripts. Everything
> is running on a FreeBSD-8, and running fine by root. However, my webservices
> won't have root access, so I logged in with a non-root user (#su - testwww)
> who is in the LDAP directory (added through smbldap-useradd -a) and tried
> smbldap-tools scripts. Here is my issue:
>
>    # smbldap-useradd -a userLambda
>
> fails with the following message:
>
>    "Error: modifications require authentication at
> /usr/local/lib/perl5/site_perl/5.12.3/smbldap_tools.pm line 1200."
>
> OpenLDAP logs :
>
>    Jun 28 08:59:53 openldap slapd[1220]: conn=1098 fd=31 ACCEPT from
> IP=10.1.5.90:24971 (IP=10.1.5.91:389)
>    Jun 28 08:59:53 openldap slapd[1220]: conn=1098 op=0 SRCH
> base="dc=my-domain,dc=com" scope=2 deref=2
> filter="(&(objectClass=posixAccount)(uid=userlambda))"
>    Jun 28 08:59:53 openldap slapd[1220]: conn=1098 op=0 SEARCH RESULT
> tag=101 err=0 nentries=0 text=
>    Jun 28 08:59:53 openldap slapd[1220]: conn=1098 op=1 SRCH
> base="sambaDomainName=MYDOMAIN,dc=my-domain,dc=com" scope=0 deref=2
> filter="(objectClass=sambaUnixIdPool)"
>    Jun 28 08:59:53 openldap slapd[1220]: conn=1098 op=1 SEARCH RESULT
> tag=101 err=0 nentries=1 text=
>    Jun 28 08:59:53 openldap slapd[1220]: conn=1098 op=2 MOD
> dn="sambaDomainName=MYDOMAIN,dc=my-domain,dc=com"
>    Jun 28 08:59:53 openldap slapd[1220]: conn=1098 op=2 MOD attr=uidNumber
>    Jun 28 08:59:53 openldap slapd[1220]: conn=1098 op=2 RESULT tag=103 err=8
> text=modifications require authentication
>    Jun 28 08:59:53 openldap slapd[1220]: conn=1098 fd=31 closed (connection
> lost)
>
> Immediately we see it doesn't BIND (since it says "require authentication").
> I tested with the user :

I'm no expert, so please consider this as me thinking out loud. Do you
have an ACL in the slapd.conf that allows testwww to modify the tree? I
would have thought that you would have required a stanza for that if
you want testwww to modify other elements of the tree.

HTH,
Dermot.
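The quoted slapd log shows the tell-tale pattern behind "modifications require authentication": a MOD issued on a connection that never sent a BIND, answered with err=8. As an added example (not from this thread or from smbldap-tools), here is a small Python checker that flags such anonymous write attempts in slapd log lines; the sample is constructed from the quoted log plus an invented control connection (conn=1099, binding as cn=Manager) that binds first and so is not flagged.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the slapd log quoted in the thread: conn=1098
# searches and then issues a MOD without ever binding (err=8). conn=1099 is a
# constructed control connection that binds first, so its MOD succeeds.
SAMPLE_LOG = """\
Jun 28 08:59:53 openldap slapd[1220]: conn=1098 fd=31 ACCEPT from IP=10.1.5.90:24971 (IP=10.1.5.91:389)
Jun 28 08:59:53 openldap slapd[1220]: conn=1098 op=0 SRCH base="dc=my-domain,dc=com" scope=2 deref=2 filter="(&(objectClass=posixAccount)(uid=userlambda))"
Jun 28 08:59:53 openldap slapd[1220]: conn=1098 op=0 SEARCH RESULT tag=101 err=0 nentries=0 text=
Jun 28 08:59:53 openldap slapd[1220]: conn=1098 op=2 MOD dn="sambaDomainName=MYDOMAIN,dc=my-domain,dc=com"
Jun 28 08:59:53 openldap slapd[1220]: conn=1098 op=2 MOD attr=uidNumber
Jun 28 08:59:53 openldap slapd[1220]: conn=1098 op=2 RESULT tag=103 err=8 text=modifications require authentication
Jun 28 08:59:53 openldap slapd[1220]: conn=1098 fd=31 closed (connection lost)
Jun 28 09:01:10 openldap slapd[1220]: conn=1099 op=0 BIND dn="cn=Manager,dc=my-domain,dc=com" method=128
Jun 28 09:01:10 openldap slapd[1220]: conn=1099 op=0 RESULT tag=97 err=0 text=
Jun 28 09:01:10 openldap slapd[1220]: conn=1099 op=1 MOD dn="sambaDomainName=MYDOMAIN,dc=my-domain,dc=com"
Jun 28 09:01:10 openldap slapd[1220]: conn=1099 op=1 RESULT tag=103 err=0 text=
"""

OP_RE = re.compile(r'conn=(\d+) op=(\d+) (\w+)(?: dn="([^"]*)")?')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT tag=(\d+) err=(\d+)')
CLOSE_RE = re.compile(r'conn=(\d+) fd=\d+ closed')
WRITE_OPS = {"MOD", "ADD", "DEL", "MODRDN"}

def unauthenticated_writes(log_text):
    """Return {conn: [[op, kind, dn, err], ...]} for write operations issued on a
    connection with no successful BIND (tag=97 err=0) before them."""
    bound = set()        # conns that completed a bind
    pending_bind = {}    # conn -> op number of a BIND still awaiting its RESULT
    findings = defaultdict(list)
    index = {}           # (conn, op) -> finding, so the RESULT line can fill in err
    for line in log_text.splitlines():
        if (r := RESULT_RE.search(line)):
            conn, op, tag, err = r.groups()
            if tag == "97" and err == "0" and pending_bind.get(conn) == op:
                bound.add(conn)
            if (conn, op) in index:
                index[(conn, op)][3] = int(err)
        elif (c := CLOSE_RE.search(line)):
            # slapd reuses conn ids, so forget per-connection state on close
            bound.discard(c.group(1)); pending_bind.pop(c.group(1), None)
        elif (m := OP_RE.search(line)):
            conn, op, kind, dn = m.groups()
            if kind == "BIND":
                pending_bind[conn] = op
            elif kind in WRITE_OPS and conn not in bound and (conn, op) not in index:
                index[(conn, op)] = finding = [op, kind, dn, None]
                findings[conn].append(finding)
    return dict(findings)
```

Run against a real slapd log at loglevel stats, a non-empty result lists every connection that tried to write without binding, which is exactly what a misconfigured (or credential-less) smbldap-tools run looks like from the server side.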

