[Samba] [Samba4] modifying attributes: no write access to self

Michael De Groote ict at sint-pietersschool.be
Mon May 20 03:36:43 MDT 2013 

Hi all

*Context:*
I'm trying to use the s4bind scripts (
http://linuxcostablanca.blogspot.com.es/p/s4bind.html)

k5start is running

So far, i've succeeded in
* modifying (posixifying) the built-in "Domain Users"
* adding a user to this group and i can login with this user (ssh), create
files that are correctly owned, etc... The user also shows up correcly in
ADUC.
* retrieving user and group info (for user added in AD, and not existing
locally) via getent


*Problem:
*
I'm added a new group
 *samba-tool group add Leerkrachten*
Then i tryied posixifying the group (as i did with the builtin group
"Domain Users"
 *s4bind upgradegroup Leerkrachten 30000*
This however gives me

 ERR: (insufficient access rights) "LDAP error 50
LDAP_INSUFFICIENT_ACCESS_RIGHTS -  <00002098: Object
cn=Leerkrachten,cn=Users,DC=stp4,DC=stp,DC=internal has no write property
access
> <>" on DN cn=Leerkrachten,cn=Users,DC=stp4,DC=stp,DC=internal at block
before line 7
Modify failed after processing 0 records

It seems that there is no write access to "self" (i seem to remember
something from my old openldap setup that is in place on the old samba3
domain) that specified things about "access to blablable by self write". Is
there something in the directory component of s4 like this too? and how to
specifiy it? Is there a way to list acls on directory objects?)

*Extra info*
The s4bind script does the following:
1. creates a file (* /tmp/group ) *with the following content:
 *dn: cn=Leerkrachten,cn=Users,DC=stp4,DC=stp,DC=internal
 changetype: modify
 add: objectClass
 objectClass: posixGroup
 -
 add: gidNumber
 gidNumber: 30000*

It then runs the following command
* ldbmodify --url=ldap://samba4-3.stp4.stp.internal --kerberos=yes
--krb5-ccache=FILE:/tmp/krb5cc_0 /tmp/group*

klist shows the following:

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: SAMBA4-3$@STP4.STP.INTERNAL

Valid starting     Expires            Service principal
05/20/13 09:34:48  05/20/13 19:34:48
krbtgt/STP4.STP.INTERNAL at STP4.STP.INTERNAL
05/20/13 10:37:42  05/20/13 19:34:48
ldap/samba4-3.stp4.stp.internal at STP4.STP.INTERNAL

thanx in advance !


-- 
Michael De Groote
ICT-coordinator Sint-Pietersschool Korbeek-Lo
ICT-support Sancta Maria Basisschool Leuven

More information about the samba mailing list