[Samba] [Samba4] modifying attributes: no write access to self

Michael De Groote ict at sint-pietersschool.be
Mon May 20 14:32:02 MDT 2013


[*update*]

I've modified the sssd config to use Administrator as the default
principal, and I've also done a "*kinit Administrator*"... and now I'm able
to add and modify group and user attributes...
Seems like I need to either delegate this to a specific user or keep the
"administrator does all" config.

One question though: I _was_ able to create/delete users and groups and also
add users to and delete them from a group... (with the DC computer account
as default principal)
Why then doesn't this work with the attribute stuff?

(Last but not least: I *really* need to look into these things called
"principals"... I honestly don't know what I'm playing with here, and I'm
kinda ashamed to do so.. so in the next days I'll be reading up :)

Michael


2013/5/20 Michael De Groote <ict at sint-pietersschool.be>

> Hi all
>
> *Context:*
> I'm trying to use the s4bind scripts (
> http://linuxcostablanca.blogspot.com.es/p/s4bind.html)
>
> k5start is running
>
> So far, I've succeeded in
> * modifying (posixifying) the built-in "Domain Users"
> * adding a user to this group and I can login with this user (ssh), create
> files that are correctly owned, etc... The user also shows up correctly in
> ADUC.
> * retrieving user and group info (for a user added in AD, and not existing
> locally) via getent
>
>
> *Problem:*
>
> I added a new group
>  *samba-tool group add Leerkrachten*
> Then I tried posixifying the group (as I did with the builtin group
> "Domain Users"):
>  *s4bind upgradegroup Leerkrachten 30000*
> This however gives me
>
>  ERR: (insufficient access rights) "LDAP error 50
> LDAP_INSUFFICIENT_ACCESS_RIGHTS - <00002098: Object
> cn=Leerkrachten,cn=Users,DC=stp4,DC=stp,DC=internal has no write property
> access> <>" on DN cn=Leerkrachten,cn=Users,DC=stp4,DC=stp,DC=internal at block
> before line 7
> Modify failed after processing 0 records
>
> It seems that there is no write access to "self" (I seem to remember
> something from my old openldap setup, which is in place on the old samba3
> domain, that specified things like "access to blablable by self write"). Is
> there something like this in the directory component of s4 too, and how to
> specify it? Is there a way to list ACLs on directory objects?
>
> *Extra info*
> The s4bind script does the following:
> 1. creates a file (*/tmp/group*) with the following content:
>  *dn: cn=Leerkrachten,cn=Users,DC=stp4,DC=stp,DC=internal
>  changetype: modify
>  add: objectClass
>  objectClass: posixGroup
>  -
>  add: gidNumber
>  gidNumber: 30000*
>
> It then runs the following command:
>  *ldbmodify --url=ldap://samba4-3.stp4.stp.internal --kerberos=yes
> --krb5-ccache=FILE:/tmp/krb5cc_0 /tmp/group*
>
> klist shows the following:
>
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: SAMBA4-3$@STP4.STP.INTERNAL
>
> Valid starting     Expires            Service principal
> 05/20/13 09:34:48  05/20/13 19:34:48  krbtgt/STP4.STP.INTERNAL@STP4.STP.INTERNAL
> 05/20/13 10:37:42  05/20/13 19:34:48  ldap/samba4-3.stp4.stp.internal@STP4.STP.INTERNAL
>
> Thanks in advance!
>
>
> --
> Michael De Groote
> ICT-coordinator Sint-Pietersschool Korbeek-Lo
> ICT-support Sancta Maria Basisschool Leuven
>



-- 
Michael De Groote
ICT-coordinator Sint-Pietersschool Korbeek-Lo
ICT-support Sancta Maria Basisschool Leuven
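Added example, not code from the s4bind scripts or from Samba: the least-privilege alternative to the "administrator does all" config discussed above is to delegate a write-property (WP) right on the cn=Users container to the principal that runs the script, in the post's case the DC machine account SAMBA4-3$, so that its ticket cache can apply the posixGroup modification. The block below builds the same LDIF the s4bind script writes to /tmp/group, the SDDL ACE for that delegation, the samba-tool and ldbmodify command lines that would apply them, and a parser for the "no write property access" error line, run over a constructed copy of the error in the post. Assumptions: the base DN and DC hostname are taken from the post, the machine-account SID is a placeholder, the attribute schemaIDGUID is left for the reader to supply, and the `samba-tool dsacl set --objectdn/--action/--sddl` options are those of the samba-tool in Samba 4.

```python
import re
import shlex

# Constructed values for this example: base DN and DC host from the post,
# plus a placeholder SID for the DC machine account SAMBA4-3$ (on a real
# DC look it up, e.g. with `wbinfo -n 'SAMBA4-3$'`).
BASE_DN = "DC=stp4,DC=stp,DC=internal"
DC_HOST = "samba4-3.stp4.stp.internal"
MACHINE_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"  # placeholder


def posix_group_ldif(group, gid, base_dn=BASE_DN):
    """LDIF that adds the posixGroup objectClass and a gidNumber to an AD
    group in cn=Users (same shape as the /tmp/group file in the post)."""
    dn = f"cn={group},cn=Users,{base_dn}"
    return (
        f"dn: {dn}\n"
        "changetype: modify\n"
        "add: objectClass\n"
        "objectClass: posixGroup\n"
        "-\n"
        "add: gidNumber\n"
        f"gidNumber: {gid}\n"
    )


def write_property_ace(sid, attr_guid=None, inherit=True):
    """SDDL ACE granting WP (write property) to `sid`.

    With the schemaIDGUID of one attribute the ACE is object-specific (OA)
    and covers only that attribute; without a GUID it is a plain ACE (A)
    covering every attribute, which is broader than a delegation should be.
    CI (container inherit) makes the ACE apply to the objects below the
    container it is set on.
    """
    flags = "CI" if inherit else ""
    if attr_guid:
        return f"(OA;{flags};WP;{attr_guid};;{sid})"
    return f"(A;{flags};WP;;;{sid})"


def delegation_command(container_dn, ace):
    """samba-tool line that appends `ace` to the DACL of `container_dn`, so
    the principal can modify groups there without an Administrator ticket.
    (Assumes samba-tool's `dsacl set --objectdn --action --sddl` options.)"""
    return (
        "samba-tool dsacl set --action=allow "
        f"--objectdn={shlex.quote(container_dn)} --sddl={shlex.quote(ace)}"
    )


def modify_command(ldif_path, host=DC_HOST, ccache="FILE:/tmp/krb5cc_0"):
    """The ldbmodify invocation from the post, using the delegated
    principal's ticket cache rather than a `kinit Administrator`."""
    return (
        f"ldbmodify --url=ldap://{host} --kerberos=yes "
        f"--krb5-ccache={ccache} {shlex.quote(ldif_path)}"
    )


# Matches the ldb error line reproduced in the post: LDAP result code and
# name, NT status inside <...>, the DN that was refused, and the LDIF line.
LDB_ERR_RE = re.compile(
    r'LDAP error (?P<code>\d+) (?P<name>LDAP_\w+) -\s+'
    r'<(?P<ntstatus>[0-9A-Fa-f]{8}): (?P<msg>[^>]*)>.*?'
    r'on DN (?P<dn>\S+) at block before line (?P<line>\d+)'
)


def parse_ldb_error(line):
    """Return the fields of an ldbmodify access-denied error, or None when
    the line is not such an error (e.g. the success message)."""
    m = LDB_ERR_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["code"] = int(d["code"])
    d["line"] = int(d["line"])
    return d


# Constructed sample, same shape as the error output quoted in the post.
SAMPLE_ERR = (
    'ERR: (insufficient access rights) "LDAP error 50 '
    'LDAP_INSUFFICIENT_ACCESS_RIGHTS -  <00002098: Object '
    'cn=Leerkrachten,cn=Users,DC=stp4,DC=stp,DC=internal has no write '
    'property access> <>" on DN '
    'cn=Leerkrachten,cn=Users,DC=stp4,DC=stp,DC=internal at block before line 7'
)


if __name__ == "__main__":
    print(posix_group_ldif("Leerkrachten", 30000))
    ace = write_property_ace(MACHINE_SID)
    print(delegation_command(f"cn=Users,{BASE_DN}", ace))
    print(modify_command("/tmp/group"))
    print(parse_ldb_error(SAMPLE_ERR))
```

To answer the "is there a way to list ACLs" question in the same spirit: `samba-tool dsacl get --objectdn=<DN>` prints the object's current security descriptor as SDDL, which is the place to check before and after the delegation command. Prefer the object-specific (OA) form with the schemaIDGUIDs of gidNumber and objectClass over the attribute-wide (A) form, and set the ACE on the container the groups live in rather than on each group.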

