[Samba] Needs to run smbldap-useradd as non-root user

Gaiseric Vandal gaiseric.vandal at gmail.com
Tue Jun 28 09:14:06 MDT 2011


On 06/28/2011 09:43 AM, Dermot wrote:
> On 28 June 2011 14:02, Nathan Mahu <nmahu at cyanide-studio.com> wrote:
>> Hello,
>>
>> The abstract is:
>> How to run smbldap-useradd (and others) with a non-root user, knowing that
>> giving Samba privileges to the user's account is enough.
>>
>> Now the details:
>> My setup is FreeBSD-8, samba35, nss_ldap, smbldap-tools... And NO pam_ldap.
>> I am creating a webservice which must run smbldap-tools scripts. Everything
>> is running on a FreeBSD-8, and running fine by root. However, my webservices
>> won't have root access, so I logged in with a non-root user (#su - testwww)
>> who is in the LDAP directory (added through smbldap-useradd -a) and tried
>> smbldap-tools scripts. Here is my issue:
>>
>>     # smbldap-useradd -a userLambda
>>
>> fails with the following message:
>>
>>     "Error: modifications require authentication at /usr/local/lib/perl5/site_perl/5.12.3/smbldap_tools.pm line 1200."
>>
>> OpenLDAP logs:
>>
>>     Jun 28 08:59:53 openldap slapd[1220]: conn=1098 fd=31 ACCEPT from IP=10.1.5.90:24971 (IP=10.1.5.91:389)
>>     Jun 28 08:59:53 openldap slapd[1220]: conn=1098 op=0 SRCH base="dc=my-domain,dc=com" scope=2 deref=2 filter="(&(objectClass=posixAccount)(uid=userlambda))"
>>     Jun 28 08:59:53 openldap slapd[1220]: conn=1098 op=0 SEARCH RESULT tag=101 err=0 nentries=0 text=
>>     Jun 28 08:59:53 openldap slapd[1220]: conn=1098 op=1 SRCH base="sambaDomainName=MYDOMAIN,dc=my-domain,dc=com" scope=0 deref=2 filter="(objectClass=sambaUnixIdPool)"
>>     Jun 28 08:59:53 openldap slapd[1220]: conn=1098 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
>>     Jun 28 08:59:53 openldap slapd[1220]: conn=1098 op=2 MOD dn="sambaDomainName=MYDOMAIN,dc=my-domain,dc=com"
>>     Jun 28 08:59:53 openldap slapd[1220]: conn=1098 op=2 MOD attr=uidNumber
>>     Jun 28 08:59:53 openldap slapd[1220]: conn=1098 op=2 RESULT tag=103 err=8 text=modifications require authentication
>>     Jun 28 08:59:53 openldap slapd[1220]: conn=1098 fd=31 closed (connection lost)
>>
>> Immediately we see it doesn't BIND (since it says "require authentication").
>> I tested with the user:
> I'm no expert so please consider this as me thinking out loud. Do you
> have an ACL in the slapd.conf that allows testwww to modify the tree? I
> would have thought that you would have required a stanza for that if
> you want testwww to modify other elements of the tree.
>
> HTH,
> Dermot.
When samba runs smbldap tools, I thought you had to provide the bind 
credentials in either smb.conf or the actual smbldap scripts?

Your issue doesn't seem like an ACL issue only - if it doesn't bind or 
authenticate, it doesn't matter whether the user has the permissions in 
LDAP or not.
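A defender-side way to confirm the "no BIND before MOD" pattern in slapd logs, as an added example that is not from the thread: it correlates each conn= id's BIND and write operations and reports writes issued on connections that never bound successfully. The sample log is constructed from the lines quoted above plus an invented, properly bound connection for contrast.

```python
import re
# Constructed sample modelled on the slapd lines quoted above; conn=1099 (a bind
# as cn=Manager followed by a successful MOD) is invented for contrast.
SAMPLE_LOG = """\
Jun 28 08:59:53 openldap slapd[1220]: conn=1098 fd=31 ACCEPT from IP=10.1.5.90:24971 (IP=10.1.5.91:389)
Jun 28 08:59:53 openldap slapd[1220]: conn=1098 op=2 MOD dn="sambaDomainName=MYDOMAIN,dc=my-domain,dc=com"
Jun 28 08:59:53 openldap slapd[1220]: conn=1098 op=2 MOD attr=uidNumber
Jun 28 08:59:53 openldap slapd[1220]: conn=1098 op=2 RESULT tag=103 err=8 text=modifications require authentication
Jun 28 09:01:10 openldap slapd[1220]: conn=1099 fd=32 ACCEPT from IP=10.1.5.90:24980 (IP=10.1.5.91:389)
Jun 28 09:01:10 openldap slapd[1220]: conn=1099 op=0 BIND dn="cn=Manager,dc=my-domain,dc=com" method=128
Jun 28 09:01:10 openldap slapd[1220]: conn=1099 op=0 RESULT tag=97 err=0 text=
Jun 28 09:01:10 openldap slapd[1220]: conn=1099 op=1 MOD dn="sambaDomainName=MYDOMAIN,dc=my-domain,dc=com"
Jun 28 09:01:10 openldap slapd[1220]: conn=1099 op=1 RESULT tag=103 err=0 text=
"""

CONN_RE = re.compile(r".*slapd\[\d+\]: conn=(\d+) (.*)")
ACCEPT_RE = re.compile(r"fd=\d+ ACCEPT from IP=([\d.]+):\d+")
BIND_RE = re.compile(r'op=(\d+) BIND dn="([^"]*)"')
WRITE_RE = re.compile(r'op=(\d+) (MOD|ADD|DEL|MODRDN) dn="([^"]*)"')
RESULT_RE = re.compile(r"op=(\d+) RESULT tag=\d+ err=(\d+)")

def unauthenticated_writes(log_text):
    """Return (conn, peer_ip, kind, dn, err) for every MOD/ADD/DEL/MODRDN that was
    issued on a connection with no successful, non-anonymous BIND before it."""
    conns, findings = {}, []
    for line in log_text.splitlines():
        m = CONN_RE.match(line)
        if not m:
            continue
        conn, rest = m.groups()
        st = conns.setdefault(conn, {"peer": "?", "bound": None, "bind": None, "writes": {}})
        if a := ACCEPT_RE.match(rest):
            st["peer"] = a.group(1)
        elif b := BIND_RE.match(rest):
            st["bind"] = (b.group(1), b.group(2))      # op id, DN; outcome comes in RESULT
        elif w := WRITE_RE.match(rest):
            # remember whether the connection was bound when the write was issued
            st["writes"][w.group(1)] = (w.group(2), w.group(3), st["bound"])
        elif r := RESULT_RE.match(rest):
            op, err = r.group(1), int(r.group(2))
            if st["bind"] and st["bind"][0] == op:
                if err == 0 and st["bind"][1]:         # empty DN means anonymous bind
                    st["bound"] = st["bind"][1]
                st["bind"] = None
            elif op in st["writes"]:
                kind, dn, bound = st["writes"].pop(op)
                if bound is None:
                    findings.append((conn, st["peer"], kind, dn, err))
    return findings
```

Run it over a real slapd log at loglevel stats (256) to list every connection that attempted a write without binding, whether or not the ACL rejected it.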
