Hello,

The abstract is:
How to run smbldap-useradd (and others) with a non-root user, knowing that giving Samba privileges to the user's account is enough.

Now the details:
My setup is FreeBSD-8, samba35, nss_ldap, smbldap-tools... and NO pam_ldap.
I am creating a webservice which must run smbldap-tools scripts. Everything is running on a FreeBSD-8, and running fine as root. However, my webservices won't have root access, so I logged in with a non-root user (#su - testwww) who is in the LDAP directory (added through smbldap-useradd -a) and tried the smbldap-tools scripts. Here is my issue:

    # smbldap-useradd -a userLambda

fails with the following message:

"Error: modifications require authentication at /usr/local/lib/perl5/site_perl/5.12.3/smbldap_tools.pm line 1200."

OpenLDAP logs:

    Jun 28 08:59:53 openldap slapd[1220]: conn=1098 fd=31 ACCEPT from IP=10.1.5.90:24971 (IP=10.1.5.91:389)
    Jun 28 08:59:53 openldap slapd[1220]: conn=1098 op=0 SRCH base="dc=my-domain,dc=com" scope=2 deref=2 filter="(&(objectClass=posixAccount)(uid=userlambda))"
    Jun 28 08:59:53 openldap slapd[1220]: conn=1098 op=0 SEARCH RESULT tag=101 err=0 nentries=0 text=
    Jun 28 08:59:53 openldap slapd[1220]: conn=1098 op=1 SRCH base="sambaDomainName=MYDOMAIN,dc=my-domain,dc=com" scope=0 deref=2 filter="(objectClass=sambaUnixIdPool)"
    Jun 28 08:59:53 openldap slapd[1220]: conn=1098 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
    Jun 28 08:59:53 openldap slapd[1220]: conn=1098 op=2 MOD dn="sambaDomainName=MYDOMAIN,dc=my-domain,dc=com"
    Jun 28 08:59:53 openldap slapd[1220]: conn=1098 op=2 MOD attr=uidNumber
    Jun 28 08:59:53 openldap slapd[1220]: conn=1098 op=2 RESULT tag=103 err=8 text=modifications require authentication
    Jun 28 08:59:53 openldap slapd[1220]: conn=1098 fd=31 closed (connection lost)

Immediately we see it doesn't BIND (since it says "require authentication"). I tested with the user:

    # smbldap-passwd

which works fine... and BINDs with its name ("testwww"):

    Jun 28 11:49:29 openldap slapd[1220]: conn=1178 fd=18 ACCEPT from IP=10.1.5.90:21258 (IP=10.1.5.91:389)
    Jun 28 11:49:29 openldap slapd[1220]: conn=1178 op=0 BIND dn="uid=testwww,ou=Users,dc=my-domain,dc=com" method=128
    Jun 28 11:49:29 openldap slapd[1220]: conn=1178 op=0 BIND dn="uid=testwww,ou=Users,dc=my-domain,dc=com" mech=SIMPLE ssf=0
    Jun 28 11:49:29 openldap slapd[1220]: conn=1178 op=0 RESULT tag=97 err=0 text=
    [...]

Then I thought I had to give testwww Samba rights to add users, so I added testwww to my administrators group, which has the following rights:

    BUILTIN\Administrators
    SeMachineAccountPrivilege
    SeTakeOwnershipPrivilege
    SeBackupPrivilege
    SeRestorePrivilege
    SeRemoteShutdownPrivilege
    SePrintOperatorPrivilege
    SeAddUsersPrivilege
    SeDiskOperatorPrivilege

Restarted Samba, but no way, it still does not BIND.

Finally, I started thinking I need pam_ldap, but since I can log in with LDAP users and they can BIND with smbldap-passwd, I really doubt that is what is missing. To pre-empt some questions: a non-root user can see LDAP accounts and groups (# getent passwd/group).

Thank you in advance for helping me!

Nathan
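The two slapd excerpts above show the whole diagnosis in the log itself: conn=1098 goes straight from ACCEPT to SRCH to MOD with no BIND at all, and slapd answers err=8 ("modifications require authentication"), while conn=1178 binds as uid=testwww before doing anything. The following script, added here as an illustration and not part of the original mail or of smbldap-tools, turns that observation into a check a directory operator can run over slapd logs: it correlates operations by conn= id and flags every write (MOD/ADD/DEL/MODRDN) attempted on a connection that never completed a non-anonymous BIND. The sample log is the post's own two connections, re-split one entry per line; the regular expressions and the finding format are my own assumptions about slapd's default "stats" log layout.

```python
import re

# slapd log lines taken from the post above (conn=1098: MOD without BIND;
# conn=1178: simple BIND as uid=testwww), one log entry per line.
SAMPLE_LOG = """\
Jun 28 08:59:53 openldap slapd[1220]: conn=1098 fd=31 ACCEPT from IP=10.1.5.90:24971 (IP=10.1.5.91:389)
Jun 28 08:59:53 openldap slapd[1220]: conn=1098 op=0 SRCH base="dc=my-domain,dc=com" scope=2 deref=2 filter="(&(objectClass=posixAccount)(uid=userlambda))"
Jun 28 08:59:53 openldap slapd[1220]: conn=1098 op=0 SEARCH RESULT tag=101 err=0 nentries=0 text=
Jun 28 08:59:53 openldap slapd[1220]: conn=1098 op=1 SRCH base="sambaDomainName=MYDOMAIN,dc=my-domain,dc=com" scope=0 deref=2 filter="(objectClass=sambaUnixIdPool)"
Jun 28 08:59:53 openldap slapd[1220]: conn=1098 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jun 28 08:59:53 openldap slapd[1220]: conn=1098 op=2 MOD dn="sambaDomainName=MYDOMAIN,dc=my-domain,dc=com"
Jun 28 08:59:53 openldap slapd[1220]: conn=1098 op=2 MOD attr=uidNumber
Jun 28 08:59:53 openldap slapd[1220]: conn=1098 op=2 RESULT tag=103 err=8 text=modifications require authentication
Jun 28 08:59:53 openldap slapd[1220]: conn=1098 fd=31 closed (connection lost)
Jun 28 11:49:29 openldap slapd[1220]: conn=1178 fd=18 ACCEPT from IP=10.1.5.90:21258 (IP=10.1.5.91:389)
Jun 28 11:49:29 openldap slapd[1220]: conn=1178 op=0 BIND dn="uid=testwww,ou=Users,dc=my-domain,dc=com" method=128
Jun 28 11:49:29 openldap slapd[1220]: conn=1178 op=0 BIND dn="uid=testwww,ou=Users,dc=my-domain,dc=com" mech=SIMPLE ssf=0
Jun 28 11:49:29 openldap slapd[1220]: conn=1178 op=0 RESULT tag=97 err=0 text=
"""

# Assumed slapd "stats" log shapes; the part after "conn=N " is matched separately.
CONN_RE = re.compile(r'slapd\[\d+\]: conn=(?P<conn>\d+) (?P<rest>.*)$')
BIND_RE = re.compile(r'^op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)" method=')
WRITE_RE = re.compile(r'^op=(?P<op>\d+) (?P<kind>MOD|ADD|DEL|MODRDN) dn="(?P<dn>[^"]*)"')
RESULT_RE = re.compile(r'^op=(?P<op>\d+) RESULT tag=\d+ err=(?P<err>\d+)')


def _events(log_text):
    """Yield (conn_id, remainder_of_line) for every slapd connection log line."""
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if m:
            yield m.group('conn'), m.group('rest')


def analyse(log_text):
    """Correlate slapd operations per connection.

    Returns {'bound': {conn: dn}, 'unauthenticated_writes': [finding, ...]}.
    A connection counts as bound only after a BIND with a non-empty DN gets
    RESULT err=0; an anonymous bind (dn="") deliberately does not count.
    """
    bound = {}          # conn -> DN of the successful, non-anonymous BIND
    pending_bind = {}   # conn -> (op, dn) of a BIND whose RESULT is still pending
    findings = []       # writes attempted on connections that never bound
    open_findings = {}  # (conn, op) -> finding, to attach the server's err code
    for conn, rest in _events(log_text):
        b = BIND_RE.match(rest)
        if b:
            pending_bind[conn] = (b.group('op'), b.group('dn'))
            continue
        w = WRITE_RE.match(rest)
        if w:
            if not bound.get(conn):
                finding = {'conn': conn, 'op': w.group('op'), 'kind': w.group('kind'),
                           'dn': w.group('dn'), 'err': None}
                findings.append(finding)
                open_findings[(conn, w.group('op'))] = finding
            continue
        r = RESULT_RE.match(rest)
        if r:
            op, err = r.group('op'), r.group('err')
            pb = pending_bind.get(conn)
            if pb and pb[0] == op:
                del pending_bind[conn]
                if err == '0' and pb[1]:
                    bound[conn] = pb[1]
            finding = open_findings.pop((conn, op), None)
            if finding is not None:
                finding['err'] = err
    return {'bound': bound, 'unauthenticated_writes': findings}


if __name__ == '__main__':
    report = analyse(SAMPLE_LOG)
    for conn, dn in report['bound'].items():
        print(f"conn={conn} bound as {dn}")
    for f in report['unauthenticated_writes']:
        print(f"conn={f['conn']} op={f['op']}: {f['kind']} on {f['dn']} "
              f"without prior BIND (server err={f['err']})")
```

Run against the post's lines it reports conn=1098 op=2 as a MOD on the sambaUnixIdPool entry with no prior BIND and err=8, and conn=1178 as bound to uid=testwww. Fed a full slapd log, the same correlation separates "the client never sent credentials" (what the first excerpt shows) from "the client bound and was denied by ACL" (which would appear as a BIND with err=0 followed by a write with err=50), which is the distinction this thread is chasing.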
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba