On 06/28/2011 09:43 AM, Dermot wrote:
On 28 June 2011 14:02, Nathan Mahu <[email protected]> wrote:
Hello,
The abstract is:
How to run smbldap-useradd (and others) with a non-root user, knowing that
giving Samba privileges to the user's account is enough.
Now the details:
My setup is FreeBSD-8, samba35, nss_ldap, smbldap-tools... And NO pam_ldap.
I am creating a webservice which must run smbldap-tools scripts. Everything
is running on a FreeBSD-8, and running fine by root. However, my webservices
won't have root access, so I logged in with a non-root user (#su - testwww)
who is in the LDAP directory (added through smbldap-useradd -a) and tried
smbldap-tools scripts. Here is my issue:
# smbldap-useradd -a userLambda
fails with the following message:
"Error: modifications require authentication at /usr/local/lib/perl5/site_perl/5.12.3/smbldap_tools.pm line 1200."
OpenLDAP logs:
Jun 28 08:59:53 openldap slapd[1220]: conn=1098 fd=31 ACCEPT from IP=10.1.5.90:24971 (IP=10.1.5.91:389)
Jun 28 08:59:53 openldap slapd[1220]: conn=1098 op=0 SRCH base="dc=my-domain,dc=com" scope=2 deref=2 filter="(&(objectClass=posixAccount)(uid=userlambda))"
Jun 28 08:59:53 openldap slapd[1220]: conn=1098 op=0 SEARCH RESULT tag=101 err=0 nentries=0 text=
Jun 28 08:59:53 openldap slapd[1220]: conn=1098 op=1 SRCH base="sambaDomainName=MYDOMAIN,dc=my-domain,dc=com" scope=0 deref=2 filter="(objectClass=sambaUnixIdPool)"
Jun 28 08:59:53 openldap slapd[1220]: conn=1098 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jun 28 08:59:53 openldap slapd[1220]: conn=1098 op=2 MOD dn="sambaDomainName=MYDOMAIN,dc=my-domain,dc=com"
Jun 28 08:59:53 openldap slapd[1220]: conn=1098 op=2 MOD attr=uidNumber
Jun 28 08:59:53 openldap slapd[1220]: conn=1098 op=2 RESULT tag=103 err=8 text=modifications require authentication
Jun 28 08:59:53 openldap slapd[1220]: conn=1098 fd=31 closed (connection lost)
Immediately we see it doesn't BIND (since it says "require authentication").
I tested with the user:
I'm no expert so please consider this as me thinking out loud. Do you
have an ACL in the slapd.conf that allows testwww to modify the tree? I
would have thought that you would have required a stanza for that if
you want testwww to modify other elements of the tree.
HTH,
Dermot.
When samba runs smbldap tools, I thought you had to provide the bind
credentials in either smb.conf or the actual smbldap scripts?
Your issue doesn't seem like an ACL issue only - if it doesn't bind or
authenticate it doesn't matter whether the user has the permissions in
LDAP or not.
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
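A defender-side check for the pattern visible in the slapd log above (a MOD issued on a connection that never performed a BIND, answered with err=8): this is an added example, not code from the thread or from smbldap-tools. The log sample is constructed to mirror the quoted excerpt, with a second connection that binds as a manager DN first so the two cases can be compared.

```python
import re

# Constructed sample modelled on the slapd excerpt in the thread (one record per
# line): conn=1098 never binds and its MOD fails with err=8; conn=1099 binds
# as a directory manager first and the same MOD succeeds.
SAMPLE_LOG = """\
Jun 28 08:59:53 openldap slapd[1220]: conn=1098 fd=31 ACCEPT from IP=10.1.5.90:24971 (IP=10.1.5.91:389)
Jun 28 08:59:53 openldap slapd[1220]: conn=1098 op=0 SRCH base="dc=my-domain,dc=com" scope=2 deref=2 filter="(&(objectClass=posixAccount)(uid=userlambda))"
Jun 28 08:59:53 openldap slapd[1220]: conn=1098 op=0 SEARCH RESULT tag=101 err=0 nentries=0 text=
Jun 28 08:59:53 openldap slapd[1220]: conn=1098 op=2 MOD dn="sambaDomainName=MYDOMAIN,dc=my-domain,dc=com"
Jun 28 08:59:53 openldap slapd[1220]: conn=1098 op=2 MOD attr=uidNumber
Jun 28 08:59:53 openldap slapd[1220]: conn=1098 op=2 RESULT tag=103 err=8 text=modifications require authentication
Jun 28 08:59:53 openldap slapd[1220]: conn=1098 fd=31 closed (connection lost)
Jun 28 09:01:10 openldap slapd[1220]: conn=1099 fd=32 ACCEPT from IP=10.1.5.90:24980 (IP=10.1.5.91:389)
Jun 28 09:01:10 openldap slapd[1220]: conn=1099 op=0 BIND dn="cn=Manager,dc=my-domain,dc=com" method=128
Jun 28 09:01:10 openldap slapd[1220]: conn=1099 op=0 RESULT tag=97 err=0 text=
Jun 28 09:01:10 openldap slapd[1220]: conn=1099 op=1 MOD dn="sambaDomainName=MYDOMAIN,dc=my-domain,dc=com"
Jun 28 09:01:10 openldap slapd[1220]: conn=1099 op=1 RESULT tag=103 err=0 text=
"""

OP_RE = re.compile(r'conn=(\d+) op=(\d+) ([A-Z]+)(.*)$')
DN_RE = re.compile(r'dn="([^"]*)"')
RESULT_RE = re.compile(r'tag=(\d+) err=(\d+)')
WRITE_OPS = {"ADD", "MOD", "MODRDN", "DEL"}

def find_unauthenticated_writes(log_text):
    """Return (conn, op, dn, err) for every write operation attempted on a
    connection that had no successful non-anonymous BIND before it."""
    bind_dn = {}       # conn -> dn offered in the most recent BIND request
    bound = set()      # conns whose BIND got RESULT tag=97 err=0 with a real dn
    pending = {}       # (conn, op) -> target dn of a write op awaiting RESULT
    findings = []
    for line in log_text.splitlines():
        m = OP_RE.search(line)
        if not m:
            continue                         # ACCEPT/closed lines carry no op
        conn, op, kind, tail = m.groups()
        if kind == "BIND" and "method=" in tail:
            bind_dn[conn] = DN_RE.search(tail).group(1)
        elif kind in WRITE_OPS and "dn=" in tail:  # skip "MOD attr=..." lines
            pending[(conn, op)] = DN_RE.search(tail).group(1)
        elif kind == "RESULT":
            tag, err = (int(x) for x in RESULT_RE.search(tail).groups())
            if tag == 97 and err == 0 and bind_dn.get(conn):
                bound.add(conn)              # authenticated (not anonymous) bind
            elif (conn, op) in pending and conn not in bound:
                findings.append((conn, op, pending.pop((conn, op)), err))
    return findings
```

Running `find_unauthenticated_writes(SAMPLE_LOG)` flags only conn=1098, which is exactly the signature of smbldap-tools running without access to its bind credentials; an anonymous bind (dn="") is treated the same as no bind.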