> > I am using Samba 3.0.10-1 on Fedora Core 3. Most everything seems to be
> > working as I expect it to except when I try to use the srvtools package to
> > administrate the users and groups in the domain.
> >
> > I want to check and see whether maybe I am just misunderstanding usage as
> > opposed to there being a configuration problem.
> >
> > If I log into my workstation as Administrator, either the local account
> > or into the domain, I can administrate the server using the srvtools.
> >
> > But if I login as a user who is in the Administrators group, Domain Admins
> > group and I even added the user to the root group and I try to run
> > srvtools, I can view all the settings but when I try to submit changes I
> > get the following error showing up in the smbd.log file:
> >
> > smbldap_open: cannot access LDAP when not root...
> >
> > Is this normal? I would think that Samba would check and see that I am a
> > part of the Domain Admins group and allow the changes I have submitted
> > but it doesn't want to allow anyone but root to access LDAP.
> >
> > Appreciate any insight on this.
>
> As which user (Unix) is slapd (presume this is OpenLDAP) running?
> Do you have an 'ldap admin dn' entry in smb.conf with rights to all LDAP
> ACLs?
>
> I.e., I don't have this problem with Samba 3.0.11/OL 2.2.17-23 and didn't
> with 3.0.7, either.

My smb.conf file does have the ldap admin dn entry. The relevant section of
my smb.conf file is as follows:

    [global]
    workgroup = SWRO
    netbios name = snoopy
    server string = Snoopy Samba-LDAP PDC Server
    domain logons = yes
    os level = 20
    preferred master = yes
    domain master = yes
    local master = yes
    encrypt passwords = yes
    wins support = yes
    username map = /etc/samba/smbusers

    ; SAMBA-LDAP declarations
    passdb backend = ldapsam:ldap://127.0.0.1/
    ldap admin dn = cn=Manager,dc=swro,dc=local
    ldap suffix = dc=swro,dc=local
    ldap group suffix = ou=Groups
    ldap user suffix = ou=Users
    ldap machine suffix = ou=Computers
    add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
    add user script = /usr/local/sbin/smbldap-useradd -m "%u"
    ldap delete dn = Yes
    add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
    add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
    delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" "%g"
    set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u"

Also, /etc/samba/smbusers is:

    # Unix_name = SMB_name1 SMB_name2 ...
    root = administrator admin
    nobody = guest pcguest smbguest

So I can join the domain without problem. I can even use the SRVTOOLS when
logged in as administrator, which because of the smbusers file is really just
an alias for root. But if I log in as user dcampbell who is in the Domain
Admins group, I can't use the SRVTOOLS. Is this what you say you have working
for you?

Also, I just noticed that Samba 3.0.11 came out with the ability to assign
privileges. This seems to indicate to me that previously, it may have not
been possible to do what I want to do. I went ahead and upgraded and made the
necessary changes and now I can log in as dcampbell who is in the Domain
Admins group and be able to use the SRVTOOLS package.

I am curious to know if you really are indeed logging in as a user that
isn't somehow aliased as root because I would like to make sure I understand
how Samba is supposed to handle this.

Thanks!

Doug Campbell
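
An added example (not part of the original message and not Samba's own code): a small Python audit that models the username map quoted in the message and reports which client names end up as the Unix root account, which is the difference between Administrator and dcampbell described above. The matching rules are a simplified assumption (case-insensitive names, `*` wildcard, `!` stop marker); `@group` entries are treated as literal names because resolving them needs NSS lookups.

```python
import re

# Constructed sample: the smbusers file as quoted in the message above.
SMBUSERS = """\
# Unix_name = SMB_name1 SMB_name2 ...
root = administrator admin
nobody = guest pcguest smbguest
"""

def parse_username_map(text):
    """Return (unix_name, [smb_names], stop_flag) for each mapping line."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        stop = line.startswith("!")  # '!' = stop processing once this line matches
        unix, _, names = line.lstrip("!").partition("=")
        # Double-quoted names may contain spaces; bare names end at whitespace.
        tokens = [q or w for q, w in re.findall(r'"([^"]*)"|(\S+)', names)]
        entries.append((unix.strip(), tokens, stop))
    return entries

def map_user(entries, client_name):
    """Unix account the client-supplied name is mapped to (simplified model)."""
    result = client_name
    for unix, names, stop in entries:
        # Assumption: case-insensitive match against the name the client sent.
        if any(n == "*" or n.lower() == client_name.lower() for n in names):
            result = unix
            if stop:
                break
    return result

def root_aliases(entries):
    """SMB names that act as root purely because of the map file."""
    return sorted({n for unix, names, _ in entries if unix == "root" for n in names})

if __name__ == "__main__":
    entries = parse_username_map(SMBUSERS)
    print("aliased to root:", root_aliases(entries))
    for name in ("Administrator", "dcampbell"):
        print(name, "->", map_user(entries, name))
```

Every name reported by `root_aliases` is a root-equivalent login, so the list is worth reviewing whenever the map file changes.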
