On 28/06/2011 17:14, Gaiseric Vandal wrote:
On 06/28/2011 09:43 AM, Dermot wrote:
On 28 June 2011 14:02, Nathan Mahu<[email protected]> wrote:
Hello,

The abstract is: how to run smbldap-useradd (and others) with a non-root user, knowing that giving Samba privileges to the user's account is enough.

Now the details:

My setup is FreeBSD-8, samba35, nss_ldap, smbldap-tools... and NO pam_ldap.

I am creating a webservice which must run smbldap-tools scripts. Everything is running on a FreeBSD-8, and running fine as root. However, my webservices won't have root access, so I logged in with a non-root user (#su - testwww) who is in the LDAP directory (added through smbldap-useradd -a) and tried the smbldap-tools scripts. Here is my issue:

# smbldap-useradd -a userLambda

fails with the following message:

"Error: modifications require authentication at /usr/local/lib/perl5/site_perl/5.12.3/smbldap_tools.pm line 1200."
OpenLDAP logs:

Jun 28 08:59:53 openldap slapd[1220]: conn=1098 fd=31 ACCEPT from IP=10.1.5.90:24971 (IP=10.1.5.91:389)
Jun 28 08:59:53 openldap slapd[1220]: conn=1098 op=0 SRCH base="dc=my-domain,dc=com" scope=2 deref=2 filter="(&(objectClass=posixAccount)(uid=userlambda))"
Jun 28 08:59:53 openldap slapd[1220]: conn=1098 op=0 SEARCH RESULT tag=101 err=0 nentries=0 text=
Jun 28 08:59:53 openldap slapd[1220]: conn=1098 op=1 SRCH base="sambaDomainName=MYDOMAIN,dc=my-domain,dc=com" scope=0 deref=2 filter="(objectClass=sambaUnixIdPool)"
Jun 28 08:59:53 openldap slapd[1220]: conn=1098 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jun 28 08:59:53 openldap slapd[1220]: conn=1098 op=2 MOD dn="sambaDomainName=MYDOMAIN,dc=my-domain,dc=com"
Jun 28 08:59:53 openldap slapd[1220]: conn=1098 op=2 MOD attr=uidNumber
Jun 28 08:59:53 openldap slapd[1220]: conn=1098 op=2 RESULT tag=103 err=8 text=modifications require authentication
Jun 28 08:59:53 openldap slapd[1220]: conn=1098 fd=31 closed (connection lost)

Immediately we see it doesn't BIND (since it says "require authentication").

I tested with the user:
I'm no expert, so please consider this as me thinking out loud. Do you have an ACL in the slapd.conf that allows testwww to modify the tree? I would have thought that you would have required a stanza for that if you want testwww to modify other elements of the tree.

HTH,
Dermot.
When samba runs the smbldap tools, I thought you had to provide the bind credentials in either smb.conf or the actual smbldap scripts?

Your issue doesn't seem like an ACL issue only: if it doesn't bind or authenticate, it doesn't matter whether the user has the permissions in LDAP or not.
Thank you guys for your help.

I've put my slapd.conf ACL to:

access to *
by * manage

in order to ensure it is not the problem...

smbldap bind is in 0600 mode so only root can use it. However, I've tried to put it in 0666; even in this case it doesn't bind, so I guess it is not read. Concerning samba, I've provided smb.conf with the following directive:

ldap admin dn = cn=Manager,dc=my-domain,dc=com

Finally, is smbldap-tools really intended to be used by non-root users...?
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
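The slapd log quoted in the thread shows a MOD on conn=1098 with no BIND at all on that connection, and slapd answers err=8 (strongerAuthRequired, "modifications require authentication"). slapd refuses update operations on an unauthenticated connection independently of the ACLs unless `allow update_anon` is configured, which is why opening the ACL to `by * manage` changed nothing. The script below is an added example for this thread, not code from smbldap-tools, Samba or OpenLDAP: it scans a slapd "stats" log, correlates lines by conn= id, tracks whether a successful non-anonymous BIND (tag=97, err=0, non-empty dn) happened on the connection, and reports every write op (MOD, ADD, DEL, MODRDN) issued without one. The sample log is constructed: conn=1098 is taken from the thread, while conn=1099 (a bind as cn=Manager that succeeds) and conn=1100 (an explicit anonymous bind with dn="" followed by an ADD) are made up to show the two contrasting cases. The function and constant names are the example's own.

```python
"""Flag LDAP write operations that slapd received on connections without a
successful, non-anonymous BIND. Added example; not smbldap-tools/OpenLDAP code."""
import re
import sys

# Write operations as slapd logs them at loglevel "stats".
WRITE_OPS = {"MOD", "ADD", "DEL", "MODRDN"}
BIND_RESPONSE_TAG = 97  # LDAP BindResponse; a MOD response is tag=103, ADD is 105

# conn=NNN [fd=NN] [op=NN] KIND rest-of-line
LINE_RE = re.compile(
    r"conn=(?P<conn>\d+)\s+(?:fd=\d+\s+)?(?:op=(?P<op>\d+)\s+)?(?P<kind>\S+)\s*(?P<rest>.*)$"
)
DN_RE = re.compile(r'dn="(?P<dn>[^"]*)"')
IP_RE = re.compile(r"from IP=(?P<ip>[\d.]+):\d+")
RESULT_RE = re.compile(r"\btag=(?P<tag>\d+)\s+err=(?P<err>\d+)")

# Constructed sample: conn=1098 is the connection from the thread (no BIND at all),
# conn=1099 is a made-up successful bind as the directory manager, conn=1100 a
# made-up explicit anonymous bind (dn="") followed by an ADD.
SAMPLE_LOG = """\
Jun 28 08:59:53 openldap slapd[1220]: conn=1098 fd=31 ACCEPT from IP=10.1.5.90:24971 (IP=10.1.5.91:389)
Jun 28 08:59:53 openldap slapd[1220]: conn=1098 op=0 SRCH base="dc=my-domain,dc=com" scope=2 deref=2 filter="(&(objectClass=posixAccount)(uid=userlambda))"
Jun 28 08:59:53 openldap slapd[1220]: conn=1098 op=0 SEARCH RESULT tag=101 err=0 nentries=0 text=
Jun 28 08:59:53 openldap slapd[1220]: conn=1098 op=2 MOD dn="sambaDomainName=MYDOMAIN,dc=my-domain,dc=com"
Jun 28 08:59:53 openldap slapd[1220]: conn=1098 op=2 MOD attr=uidNumber
Jun 28 08:59:53 openldap slapd[1220]: conn=1098 op=2 RESULT tag=103 err=8 text=modifications require authentication
Jun 28 08:59:53 openldap slapd[1220]: conn=1098 fd=31 closed (connection lost)
Jun 28 09:01:10 openldap slapd[1220]: conn=1099 fd=32 ACCEPT from IP=10.1.5.90:24980 (IP=10.1.5.91:389)
Jun 28 09:01:10 openldap slapd[1220]: conn=1099 op=0 BIND dn="cn=Manager,dc=my-domain,dc=com" method=128
Jun 28 09:01:10 openldap slapd[1220]: conn=1099 op=0 BIND dn="cn=Manager,dc=my-domain,dc=com" mech=SIMPLE ssf=0
Jun 28 09:01:10 openldap slapd[1220]: conn=1099 op=0 RESULT tag=97 err=0 text=
Jun 28 09:01:10 openldap slapd[1220]: conn=1099 op=1 MOD dn="sambaDomainName=MYDOMAIN,dc=my-domain,dc=com"
Jun 28 09:01:10 openldap slapd[1220]: conn=1099 op=1 MOD attr=uidNumber
Jun 28 09:01:10 openldap slapd[1220]: conn=1099 op=1 RESULT tag=103 err=0 text=
Jun 28 09:01:10 openldap slapd[1220]: conn=1099 op=2 UNBIND
Jun 28 09:01:10 openldap slapd[1220]: conn=1099 fd=32 closed
Jun 28 09:02:41 openldap slapd[1220]: conn=1100 fd=33 ACCEPT from IP=10.1.5.90:24991 (IP=10.1.5.91:389)
Jun 28 09:02:41 openldap slapd[1220]: conn=1100 op=0 BIND dn="" method=128
Jun 28 09:02:41 openldap slapd[1220]: conn=1100 op=0 RESULT tag=97 err=0 text=
Jun 28 09:02:41 openldap slapd[1220]: conn=1100 op=1 ADD dn="uid=userlambda,ou=Users,dc=my-domain,dc=com"
Jun 28 09:02:41 openldap slapd[1220]: conn=1100 op=1 RESULT tag=105 err=8 text=modifications require authentication
Jun 28 09:02:41 openldap slapd[1220]: conn=1100 fd=33 closed (connection lost)
"""


def find_unauthenticated_writes(log_text):
    """Return one finding per write op sent on a connection that had no
    successful, non-anonymous BIND before it."""
    peer = {}          # conn -> client IP from the ACCEPT line
    bound_dn = {}      # conn -> DN of the last successful non-anonymous bind
    pending_bind = {}  # conn -> (op, dn) of a BIND still waiting for its RESULT
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        conn, op, kind, rest = m.group("conn", "op", "kind", "rest")
        if kind == "ACCEPT":
            ip = IP_RE.search(rest)
            peer[conn] = ip.group("ip") if ip else "?"
            bound_dn.pop(conn, None)      # conn ids are reused after a slapd restart
            pending_bind.pop(conn, None)
        elif kind == "BIND":
            dn = DN_RE.search(rest)
            pending_bind[conn] = (op, dn.group("dn") if dn else "")
        elif kind == "RESULT":
            r = RESULT_RE.search(rest)
            pb = pending_bind.get(conn)
            if r and pb and int(r.group("tag")) == BIND_RESPONSE_TAG and pb[0] == op:
                del pending_bind[conn]
                # err=0 with an empty DN is an anonymous bind: still unauthenticated
                if int(r.group("err")) == 0 and pb[1]:
                    bound_dn[conn] = pb[1]
                else:
                    bound_dn.pop(conn, None)
        elif kind in ("UNBIND", "closed"):
            bound_dn.pop(conn, None)
        elif kind in WRITE_OPS and rest.startswith("dn="):
            # Only the first line of a MOD carries dn=; "MOD attr=..." lines are skipped.
            if conn not in bound_dn:
                dn = DN_RE.search(rest)
                findings.append({"conn": conn, "op": op, "kind": kind,
                                 "dn": dn.group("dn") if dn else "",
                                 "peer": peer.get(conn, "?")})
    return findings


def main(argv):
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_LOG
    for f in find_unauthenticated_writes(text):
        print(f"conn={f['conn']} op={f['op']} {f['kind']} on {f['dn']!r} "
              f"from {f['peer']} without an authenticated bind")


if __name__ == "__main__":
    main(sys.argv)
```

Run it with no arguments to see the two constructed unauthenticated writes (conn=1098 and conn=1100) reported and conn=1099 pass; pass the path of a real slapd log as the first argument to scan that instead. Binding as a DN is deliberately treated as the only thing that counts: a BIND with dn="" returns err=0 yet leaves the connection anonymous, so it must not be mistaken for authentication.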