[Samba] Needs to run smbldap-useradd as non-root user

Nathan Mahu nmahu at cyanide-studio.com
Tue Jun 28 09:29:42 MDT 2011


On 28/06/2011 17:14, Gaiseric Vandal wrote:
> On 06/28/2011 09:43 AM, Dermot wrote:
>> On 28 June 2011 14:02, Nathan Mahu<nmahu at cyanide-studio.com>  wrote:
>>> Hello,
>>>
>>> The abstract is:
>>> How to run smbldap-useradd (and others) with a non-root user, knowing that
>>> giving Samba privileges to the user's account is enough.
>>>
>>> Now the details:
>>> My setup is FreeBSD-8, samba35, nss_ldap, smbldap-tools... And NO pam_ldap.
>>> I am creating a webservice which must run smbldap-tools scripts. Everything
>>> is running on a FreeBSD-8, and running fine as root. However, my webservices
>>> won't have root access, so I logged in with a non-root user (#su - testwww)
>>> who is in the LDAP directory (added through smbldap-useradd -a) and tried
>>> smbldap-tools scripts. Here is my issue:
>>>
>>>     # smbldap-useradd -a userLambda
>>>
>>> fails with the following message:
>>>
>>>     "Error: modifications require authentication at
>>>     /usr/local/lib/perl5/site_perl/5.12.3/smbldap_tools.pm line 1200."
>>>
>>> OpenLDAP logs:
>>>
>>>     Jun 28 08:59:53 openldap slapd[1220]: conn=1098 fd=31 ACCEPT from IP=10.1.5.90:24971 (IP=10.1.5.91:389)
>>>     Jun 28 08:59:53 openldap slapd[1220]: conn=1098 op=0 SRCH base="dc=my-domain,dc=com" scope=2 deref=2 filter="(&(objectClass=posixAccount)(uid=userlambda))"
>>>     Jun 28 08:59:53 openldap slapd[1220]: conn=1098 op=0 SEARCH RESULT tag=101 err=0 nentries=0 text=
>>>     Jun 28 08:59:53 openldap slapd[1220]: conn=1098 op=1 SRCH base="sambaDomainName=MYDOMAIN,dc=my-domain,dc=com" scope=0 deref=2 filter="(objectClass=sambaUnixIdPool)"
>>>     Jun 28 08:59:53 openldap slapd[1220]: conn=1098 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
>>>     Jun 28 08:59:53 openldap slapd[1220]: conn=1098 op=2 MOD dn="sambaDomainName=MYDOMAIN,dc=my-domain,dc=com"
>>>     Jun 28 08:59:53 openldap slapd[1220]: conn=1098 op=2 MOD attr=uidNumber
>>>     Jun 28 08:59:53 openldap slapd[1220]: conn=1098 op=2 RESULT tag=103 err=8 text=modifications require authentication
>>>     Jun 28 08:59:53 openldap slapd[1220]: conn=1098 fd=31 closed (connection lost)
>>>
>>> Immediately we see it doesn't BIND (since it says "require authentication").
>>> I tested with the user :
>> I'm no expert so please consider this as me thinking out loud. Do you
>> have an ACL in the slapd.conf that allows testwww to modify the tree? I
>> would have thought that you would have required a stanza for that if
>> you want testwww to modify other elements of the tree.
>>
>> HTH,
>> Dermot.
> When samba runs smbldap tools, I thought you had to provide the bind
> credentials in either smb.conf or the actual smbldap scripts?
>
> Your issue doesn't seem like an ACL issue only - if it doesn't bind
> or authenticate it doesn't matter whether the user has the permissions
> in LDAP or not.
>
>

Thank you guys for your help.

I've set my slapd.conf ACL to:

     access to *
             by * manage

in order to ensure it is not the problem...

smbldap bind is in 0600 mode so only root can use it. However, I've tried
putting it in 0666; even in this case it doesn't bind, so I guess it is not
read. Concerning samba, I've provided smb.conf with the following
directive:

     ldap admin dn = cn=Manager,dc=my-domain,dc=com

Finally, is smbldap-tools really intended to be used by non-root users...?
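One way to check slapd logs for exactly the pattern discussed above (a write operation on a connection that never bound as a named DN, answered with err=8), as an added Python example that is not part of the thread: the sample log lines are constructed to mirror the ones quoted earlier, and the successful BIND on conn=1099 is invented for contrast.

```python
import re
# Constructed sample, modelled on the slapd lines quoted in the thread;
# conn=1098 writes without binding, conn=1099 (invented) binds first.
SAMPLE_LOG = """\
Jun 28 08:59:53 openldap slapd[1220]: conn=1098 fd=31 ACCEPT from IP=10.1.5.90:24971 (IP=10.1.5.91:389)
Jun 28 08:59:53 openldap slapd[1220]: conn=1098 op=1 SRCH base="sambaDomainName=MYDOMAIN,dc=my-domain,dc=com" scope=0 deref=2 filter="(objectClass=sambaUnixIdPool)"
Jun 28 08:59:53 openldap slapd[1220]: conn=1098 op=2 MOD dn="sambaDomainName=MYDOMAIN,dc=my-domain,dc=com"
Jun 28 08:59:53 openldap slapd[1220]: conn=1098 op=2 MOD attr=uidNumber
Jun 28 08:59:53 openldap slapd[1220]: conn=1098 op=2 RESULT tag=103 err=8 text=modifications require authentication
Jun 28 09:01:10 openldap slapd[1220]: conn=1099 op=0 BIND dn="cn=Manager,dc=my-domain,dc=com" method=128
Jun 28 09:01:10 openldap slapd[1220]: conn=1099 op=0 RESULT tag=97 err=0 text=
Jun 28 09:01:10 openldap slapd[1220]: conn=1099 op=1 MOD dn="sambaDomainName=MYDOMAIN,dc=my-domain,dc=com"
Jun 28 09:01:10 openldap slapd[1220]: conn=1099 op=1 RESULT tag=103 err=0 text=
"""

BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)"')
WRITE_RE = re.compile(r'conn=(\d+) op=(\d+) (MOD|ADD|DEL|MODRDN) dn="([^"]*)"')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT tag=\d+ err=(\d+)')

def find_unauthenticated_writes(log_text):
    """Return write ops attempted on connections with no successful named BIND."""
    bound = set()          # conns where a non-anonymous BIND got err=0
    pending_bind = {}      # (conn, op) of BIND ops awaiting their RESULT line
    pending_write = {}     # (conn, op) -> finding awaiting its RESULT err
    findings = []
    for line in log_text.splitlines():
        m = BIND_RE.search(line)
        if m:
            conn, op, dn = m.groups()
            if dn:             # dn="" is an anonymous bind; it grants nothing
                pending_bind[(conn, op)] = True
            continue
        m = WRITE_RE.search(line)
        if m:
            conn, op, kind, dn = m.groups()
            if conn not in bound:
                f = {"conn": conn, "op": op, "kind": kind, "dn": dn, "err": None}
                pending_write[(conn, op)] = f
                findings.append(f)
            continue
        m = RESULT_RE.search(line)
        if m:
            conn, op, err = m.groups()
            if pending_bind.pop((conn, op), False) and err == "0":
                bound.add(conn)
            f = pending_write.pop((conn, op), None)
            if f is not None:
                f["err"] = int(err)   # err=8 is LDAP strongerAuthRequired
    return findings
```

Run against a real slapd log written at the stats loglevel, a non-empty result means a client attempted a write without credentials, which is what an smbldap-tools run that cannot read its bind credentials produces.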

