RE: [Samba] Srvtools causes smbldap_open: cannot access LDAP when not root - SOLUTION

2005-03-01 Thread Doug Campbell
Thanks to those of you who responded.  Andrew Bartlett came through with the
answer I needed to hear, which was that I was trying to do something that
wasn't supported.

 I have spent two weeks trying to get the PDC running with samba + LDAP and so
 far have only migraines. I would like to know what the problem is; it is
 described in my logs below.

 What user are you trying to use to join the domain?  It must either be
 root (Samba < 3.0.11) or a user with the SeMachineAccount privilege
 (Samba >= 3.0.11).

 Andrew Bartlett

 Is it also true in Samba < 3.0.11 that only root can add users/groups
 and make modifications using the SRVTOOLS package?

Correct.

Thanks Andrew for the answer!

Doug

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of Tony
 Earnshaw
 Sent: Monday, February 28, 2005 9:41 PM
 To: samba@lists.samba.org
 Subject: RE: [Samba] Srvtools causes smbldap_open: cannot access LDAP
 when not root



 Doug Campbell:

 [...]

  smbldap_open: cannot access LDAP when not root...

 [...]

  As which user (Unix) is slapd (presume this is OpenLDAP) running?
  Do you have an 'ldap admin dn' entry in smb.conf with rights
 to all LDAP
   ACLs?
 
 
  I.e., I don't have this problem with Samba 3.0.11/OL 2.2.17-23 and
  didn't with 3.0.7, either.
 
  My smb.conf file does have the ldap admin dn entry.  The
 relevant section
  of my smb.conf file is as follows:

 [...]

 Again, as which Unix user is slapd running? Who is the owner of your DB
 files, config files, etc.? What are the permissions on them? Have you
 certificates (i.e. the CA cert) or anything that smbd has to try to read
 that can only be read by root? Is cn=Manager,dc=swro,dc=local a proxy
 user in your DIT, or the rootdn user in slapd.conf (it's better to make a
 proxy user in the DIT and comment out the rootdn). Can a normal user run
 ldapsearch, for example, without being root? Etc. ;)


 --Tonni

 --
 mail: [EMAIL PROTECTED]
 http://www.billy.demon.nl

 --
 To unsubscribe from this list go to the following URL and read the
 instructions:  https://lists.samba.org/mailman/listinfo/samba

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


Re: [Samba] Srvtools causes smbldap_open: cannot access LDAP when not root

2005-03-01 Thread Tony Earnshaw

Sergey Loskutov:

[...]

 samba have next code in smbldap.c:

 #ifndef NO_LDAP_SECURITY
 /* only a process whose effective uid is 0 may open the LDAP connection */
 if (geteuid() != 0) {
 	DEBUG(0, ("smbldap_open: cannot access LDAP when not root..\n"));
 	return LDAP_INSUFFICIENT_ACCESS;
 }
 #endif


 If your user account does not have uid=0, you sometimes get the problem
 described above.


This would be it, yes. This is covered in the Samba (3.0) docs.

--Tonni

-- 
mail: [EMAIL PROTECTED]
http://www.billy.demon.nl



RE: [Samba] Srvtools causes smbldap_open: cannot access LDAP when not root

2005-03-01 Thread Tony Earnshaw

Doug Campbell:

[...]

 Sorry, I forgot to put some of these answers in last time :(


 slapd appears to be running as user ldap when I run  ps aux

 I enabled it to start automatically on boot up using the chkconfig
 utility in FC3.

 All config files are owned by root and have root as their group with the
 one exception of slapd.conf which has ldap as its group


 The DB files are owned by ldap and the group is ldap.

O.k.

 I don't have any certificates to deal with as I am not using SSL/TLS.  I
 actually tried to do this as a learning exercise but couldn't get it to
 work based on the documentation I read.

Try http://www.openldap.org/pub/ksoper/OpenLDAP_TLS_howto.html

 cn=Manager,dc=swro,dc=local is the rootdn user in slapd.conf


 I wanted to have a proxy user but again when I tried using the example
 slapd.conf files for ACLs they never worked even though I followed the
 examples as given.

You *have* to get ACLs working. You can't possibly use OpenLDAP (in
production, at least) without some quite complex ACLs.

 if I just type ldapsearch at the console, it will prompt me for a
 password. I don't know what password it is asking though.  I tried all
 that I have used and there is still no luck.  The error I get is user not
 found: no
 secret in database.  If instead I type ldapsearch -x.  It displays
 information from my ldap store.  If I now switch users to a non-root user
  and execute the same two commands, I also get the same two results.

'man ldapsearch'. ldapsearch without -x assumes that you are asking for
SASL support that you have configured in slapd.conf, and you haven't. The
fact that you get the same results for root or a non-root user doesn't
have anything to do with the Unix user that you are logged in as; slapd
doesn't care about the Unix (posix) user. It only cares about users in DNs
that you feed it.

 Does that give a better idea of what might be wrong in my setup?

Yes. I have to agree with Craig White here (I usually do ;) LDAP for me is
the be-all and end-all. i use it for across-platform authentication in
production for *everything* It is the corner stone to all services that my
users may use. If an application doesn't work with it, then that
application is useless to me. Examples of apps that use a single login and
password at one site I administer (runs 3 servers under RHAS3 using the
same LDAP DSA) are postfix smtp, Courier IMAP, Linux Terminal Server
Project, Pykota print quota admin, ssh and a Samba PDC. To be able to
master the LDAP part thoroughly, I chose to use source code and subscribe
to the 4-5 mailing lists dealing with this. Craig does the same.

Get samba working without LDAP first, then make sure you master every
possible aspect of openldap and are completely confident with it. Then you
can adapt what you've done to Samba.

Best,

--Tonni

--
mail: [EMAIL PROTECTED]
http://www.billy.demon.nl



RE: [Samba] Srvtools causes smbldap_open: cannot access LDAP when not root

2005-03-01 Thread Doug Campbell
  I don't have any certificates to deal with as I am not using SSL/TLS.  I
  actually tried to do this as a learning exercise but couldn't get it to
  work based on the documentation I read.

 Try http://www.openldap.org/pub/ksoper/OpenLDAP_TLS_howto.html

I will check that out.

[snip]

 'man ldapsearch'. ldapsearch without -x assumes that you are asking for
 SASL support that you have configured in slapd.conf, and you haven't. The
 fact that you get the same results for root or a non-root user doesn't
 have anything to do with the Unix user that you are logged in as; slapd
 doesn't care about the Unix (posix) user. It only cares about users in DNs
 that you feed it.

That makes sense to me and I think gives me a clue on some of the problems I
was having with the LDAP ACLs.

  Does that give a better idea of what might be wrong in my setup?

 Yes. I have to agree with Craig White here (I usually do ;) LDAP for me is
 the be-all and end-all. i use it for across-platform authentication in
 production for *everything* It is the corner stone to all services that my
 users may use. If an application doesn't work with it, then that
 application is useless to me. Examples of apps that use a single login and
 password at one site I administer (runs 3 servers under RHAS3 using the
 same LDAP DSA) are postfix smtp, Courier IMAP, Linux Terminal Server
 Project, Pykota print quota admin, ssh and a Samba PDC. To be able to
 master the LDAP part thoroughly, I chose to use source code and subscribe
 to the 4-5 mailing lists dealing with this. Craig does the same.

 Get samba working without LDAP first, then make sure you master every
 possible aspect of openldap and are completely confident with it. Then you
 can adapt what you've done to Samba.

I will do that.  Thanks for your time in patiently helping me through this.

Doug



RE: [Samba] Srvtools causes smbldap_open: cannot access LDAP when not root

2005-03-01 Thread Craig White
On Wed, 2005-03-02 at 10:40 +0800, Doug Campbell wrote:

 
  Yes. I have to agree with Craig White here (I usually do ;) LDAP for me is
  the be-all and end-all. i use it for across-platform authentication in
  production for *everything* It is the corner stone to all services that my
  users may use. If an application doesn't work with it, then that
  application is useless to me. Examples of apps that use a single login and
  password at one site I administer (runs 3 servers under RHAS3 using the
  same LDAP DSA) are postfix smtp, Courier IMAP, Linux Terminal Server
  Project, Pykota print quota admin, ssh and a Samba PDC. To be able to
  master the LDAP part thoroughly, I chose to use source code and subscribe
  to the 4-5 mailing lists dealing with this. Craig does the same.
 
  Get samba working without LDAP first, then make sure you master every
  possible aspect of openldap and are completely confident with it. Then you
  can adapt what you've done to Samba.
 
 I will do that.  Thanks for your time in patiently helping me through this.

I will say the unpopular thing that people don't want to hear.

Learning LDAP through samba is probably one of the most obtuse angles
that one can take and it seems certain to confound, confuse and
frustrate those who try. I know this because I spent 2 or 3 days trying
and said to myself - self, this isn't teaching me what I need to know
about LDAP

So I put Samba on the side - bought Gerry Carter's LDAP System
Administration book (great book by the way - perhaps a bit dated but
definitely tells you the things you NEED to know). Set up LDAP on the
base server, added some users, tested it out with various packages like
ssh, imap etc. By this time, I was comfortable with
ldapadd/ldapmodify/ldapsearch etc. I was working. I then began working
on LDAP ACL's. This took time but by then, I was getting the picture.
All in all, this probably took me a week to get a 'basic' understanding
of LDAP and I was able to add in Samba stuff.

You need to understand LDAP to the point of troubleshooting connections,
errors etc. Without this ability, and putting total reliance upon
something like the IDEALX tools to populate and maintain LDAP, at the
first problem you don't know where to look for causes, you don't know
how to solve these problems and you are begging lists for help and you
can't even accurately describe the problems you are having except in the
most general ways.

I understand what people are saying when they say, it seems to be
working fine except for...I've been there. It means that they don't know
what they are doing and have gotten lucky to a point. Samba/IDEALX is
not a turnkey system to create the LDAP backend that works out of the
box. In a way, I fear the day that some distribution packages it up with
that claim since it will engender a lot of 'Administrators' that don't
have a clue what they're doing...Point and click know not the
ramification administration is not a Windows patented technology I
think.

I see all of the people like Steve Zeng - without a clue why things
aren't working. When I say, you really need to learn LDAP first - I get
a message back - why don't you give me some constructive feedback and I
think to myself, damn, I thought I just gave them the most constructive
advice that they could get - in case you haven't figured it out yet,
this is why I didn't respond to your personal email to me. (Doug - not
Steve)

I have this saved in my 'subscriptions' file...
Thu, 14 Jun 2001 01:14:45 GMT  (Wed, 18:14 MST)

Welcome to the openldap-software mailing list!
I 'monitored' the list for nearly 2 1/2 years before I actually
implemented my first DSA. (I admit that I had used LDAP for a year and
didn't know what DSA meant - but had the humility to ask what it meant a
few weeks ago). I observed. I am on several other lists - I observe. I
am not that smart and it probably takes me longer than most but I know
that I am not willing to trust the most powerful system on my network to
work without doing everything that I can to understand how it works.
Knowledge is the power to take responsibility for what I do.

Lastly, if LDAP provides core authentication for users on the system,
are you gonna feel comfortable relying upon it when you can't operate
it, troubleshoot it, articulate how it is structured and/or define the
security methods you are using to protect it?

Craig



RE: [Samba] Srvtools causes smbldap_open: cannot access LDAP when not root

2005-02-28 Thread Tony Earnshaw

Doug Campbell:

[...]

 smbldap_open: cannot access LDAP when not root...

[...]

 As which user (Unix) is slapd (presume this is OpenLDAP) running?
 Do you have an 'ldap admin dn' entry in smb.conf with rights to all LDAP
  ACLs?


 I.e., I don't have this problem with Samba 3.0.11/OL 2.2.17-23 and
 didn't with 3.0.7, either.

 My smb.conf file does have the ldap admin dn entry.  The relevant section
 of my smb.conf file is as follows:

[...]

Again, as which Unix user is slapd running? Who is the owner of your DB
files, config files, etc.? What are the permissions on them? Have you
certificates (i.e. the CA cert) or anything that smbd has to try to read
that can only be read by root? Is cn=Manager,dc=swro,dc=local a proxy
user in your DIT, or the rootdn user in slapd.conf (it's better to make a
proxy user in the DIT and comment out the rootdn). Can a normal user run
ldapsearch, for example, without being root? Etc. ;)


--Tonni

--
mail: [EMAIL PROTECTED]
http://www.billy.demon.nl



Re: [Samba] Srvtools causes smbldap_open: cannot access LDAP when not root

2005-02-28 Thread Sergey Loskutov
Tony Earnshaw:
Doug Campbell:
[...]

smbldap_open: cannot access LDAP when not root...

[...]

As which user (Unix) is slapd (presume this is OpenLDAP) running?
Do you have an 'ldap admin dn' entry in smb.conf with rights to all LDAP
ACLs?
I.e., I don't have this problem with Samba 3.0.11/OL 2.2.17-23 and
didn't with 3.0.7, either.
My smb.conf file does have the ldap admin dn entry.  The relevant section
of my smb.conf file is as follows:

[...]
Again, as which Unix user is slapd running? Who is the owner of your DB
files, config files, etc.? What are the permissions on them? Have you
certificates (i.e. the CA cert) or anything that smbd has to try to read
that can only be read by root? Is cn=Manager,dc=swro,dc=local a proxy
user in your DIT, or the rootdn user in slapd.conf (it's better to make a
proxy user in the DIT and comment out the rootdn). Can a normal user run
ldapsearch, for example, without being root? Etc. ;)
--Tonni
--
mail: [EMAIL PROTECTED]
http://www.billy.demon.nl
Hello!
samba have next code in smbldap.c:
#ifndef NO_LDAP_SECURITY
/* only a process whose effective uid is 0 may open the LDAP connection */
if (geteuid() != 0) {
	DEBUG(0, ("smbldap_open: cannot access LDAP when not root..\n"));
	return LDAP_INSUFFICIENT_ACCESS;
}
#endif
If your user account does not have uid=0, you sometimes get the problem
described above.

If you have the following lines in smb.conf and the user has the privileges
listed below, this code affects you:

---
smb.conf:
[global]
 map to guest = Bad User
 enable privileges = Yes
---
User account:
SeMachineAccountPrivilege:  if you join the domain as guest
SeAddUsersPrivilege:  if you try to create a group or change users' group membership
not tested:
SePrintOperatorPrivilege
SeRemoteShutdownPrivilege
SeDiskOperatorPrivilege
Better ask what uid :)
Who will write to  bug-report ? ;)
Best regards,
Loskutov Sergey


RE: [Samba] Srvtools causes smbldap_open: cannot access LDAP when not root

2005-02-28 Thread Doug Campbell
 Doug Campbell:

 [...]

  smbldap_open: cannot access LDAP when not root...

 [...]

  As which user (Unix) is slapd (presume this is OpenLDAP) running?
  Do you have an 'ldap admin dn' entry in smb.conf with rights
 to all LDAP
   ACLs?
 
 
  I.e., I don't have this problem with Samba 3.0.11/OL 2.2.17-23 and
  didn't with 3.0.7, either.
 
  My smb.conf file does have the ldap admin dn entry.  The
 relevant section
  of my smb.conf file is as follows:

 [...]

 Again, as which Unix user is slapd running? Who is the owner of your DB
 files, config files, etc.? What are the permissions on them? Have you
 certificates (i.e. the CA cert) or anything that smbd has to try to read
 that can only be read by root? Is cn=Manager,dc=swro,dc=local a proxy
 user in your DIT, or the rootdn user in slapd.conf (it's better to make a
 proxy user in the DIT and comment out the rootdn). Can a normal user run
 ldapsearch, for example, without being root? Etc. ;)

Sorry, I forgot to put some of these answers in last time :(

slapd appears to be running as user ldap when I run  ps aux

I enabled it to start automatically on boot up using the chkconfig utility
in FC3.

All config files are owned by root and have root as their group with the one
exception of slapd.conf which has ldap as its group

The DB files are owned by ldap and the group is ldap.

I don't have any certificates to deal with as I am not using SSL/TLS.  I
actually tried to do this as a learning exercise but couldn't get it to work
based on the documentation I read.

cn=Manager,dc=swro,dc=local is the rootdn user in slapd.conf

I wanted to have a proxy user but again when I tried using the example
slapd.conf files for ACLs they never worked even though I followed the
examples as given.

if I just type ldapsearch at the console, it will prompt me for a password.
I don't know what password it is asking though.  I tried all that I have
used and there is still no luck.  The error I get is user not found: no
secret in database.  If instead I type ldapsearch -x.  It displays
information from my ldap store.  If I now switch users to a non-root user
and execute the same two commands, I also get the same two results.

Does that give a better idea of what might be wrong in my setup?

Thanks!

Doug



 --Tonni

 --
 mail: [EMAIL PROTECTED]
 http://www.billy.demon.nl




RE: [Samba] Srvtools causes smbldap_open: cannot access LDAP when not root

2005-02-28 Thread Craig White
On Tue, 2005-03-01 at 09:01 +0800, Doug Campbell wrote:
  Doug Campbell:
 
  [...]
 
   smbldap_open: cannot access LDAP when not root...
 
  [...]
 
   As which user (Unix) is slapd (presume this is OpenLDAP) running?
   Do you have an 'ldap admin dn' entry in smb.conf with rights
  to all LDAP
ACLs?
  
  
   I.e., I don't have this problem with Samba 3.0.11/OL 2.2.17-23 and
   didn't with 3.0.7, either.
  
   My smb.conf file does have the ldap admin dn entry.  The
  relevant section
   of my smb.conf file is as follows:
 
  [...]
 
  Again, as which Unix user is slapd running? Who is the owner of your DB
  files, config files, etc.? What are the permissions on them? Have you
  certificates (i.e. the CA cert) or anything that smbd has to try to read
  that can only be read by root? Is cn=Manager,dc=swro,dc=local a proxy
  user in your DIT, or the rootdn user in slapd.conf (it's better to make a
  proxy user in the DIT and comment out the rootdn). Can a normal user run
  ldapsearch, for example, without being root? Etc. ;)
 
 Sorry, I forgot to put some of these answers in last time :(
 
 slapd appears to be running as user ldap when I run  ps aux
 
 I enabled it to start automatically on boot up using the chkconfig utility
 in FC3.
 
 All config files are owned by root and have root as their group with the one
 exception of slapd.conf which has ldap as its group
 
 The DB files are owned by ldap and the group is ldap.
 
 I don't have any certificates to deal with as I am not using SSL/TLS.  I
 actually tried to do this as a learning exercise but couldn't get it to work
 based on the documentation I read.
 
 cn=Manager,dc=swro,dc=local is the rootdn user in slapd.conf
 
 I wanted to have a proxy user but again when I tried using the example
 slapd.conf files for ACLs they never worked even though I followed the
 examples as given.
 
 if I just type ldapsearch at the console, it will prompt me for a password.
 I don't know what password it is asking though.  I tried all that I have
 used and there is still no luck.  The error I get is user not found: no
 secret in database.  If instead I type ldapsearch -x.  It displays
 information from my ldap store.  If I now switch users to a non-root user
 and execute the same two commands, I also get the same two results.
 
 Does that give a better idea of what might be wrong in my setup?

LDAP is probably a mistake if user cannot comprehend basic ldap usage.

You need to get a mastery on ldapadd/ldapmodify/ldapsearch functions
before you commit your user db for the system - how in the world do you
expect to troubleshoot?

ldapsearch -x -h localhost -W -D 'cn=Manager,dc=swro,dc=local' '(uid=*)'

enter the password you used when you created your slapd.conf

don't know what password you used to when you created slapd.conf?

I definitely wouldn't/shouldn't/couldn't know that

when you figure that out...

smbpasswd -w PASSWD_THAT_YOU_USED_IN_SLAPD.CONF

probably shouldn't be using root-bind-dn user/password for samba but
since that would entail understanding what LDAP ACL's and general
security are about - it's your call.

Craig

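Tony and Craig both say the same thing: do not let Samba bind as the rootdn
(which bypasses every ACL), make a proxy entry in the DIT and give it exactly
the rights the Samba backend needs. The fragment below is an added example of
that setup in OpenLDAP 2.2 slapd.conf syntax; it is not configuration from
anyone in this thread. It keeps the thread's suffix dc=swro,dc=local and the
ou=Users / ou=Groups / ou=Computers containers from Doug's smb.conf, and
assumes a proxy entry cn=samba,ou=DSA,dc=swro,dc=local that you create
yourself; the password hash is a placeholder.

```conf
# slapd.conf ACL section (added example, OpenLDAP 2.2 syntax).
# Assumed DNs: cn=samba,ou=DSA,dc=swro,dc=local is the proxy the Samba
# backend binds as; dc=swro,dc=local is the suffix used in this thread.

# rootdn/rootpw are only needed to bootstrap the proxy entry. Once it exists,
# comment both out so that nothing on the network can bind with an identity
# that ignores the ACLs.
#rootdn  "cn=Manager,dc=swro,dc=local"
#rootpw  {SSHA}PLACEHOLDER_HASH_FROM_slappasswd

# "access to" clauses are evaluated in order and the first one whose target
# matches wins, so the password rule must come before the subtree rules.
# Password hashes: the proxy may write them (that is what smbldap-useradd and
# a Windows password change need), anyone may use them to bind, an entry may
# change its own, and nobody else may read them at all.
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
    by dn.exact="cn=samba,ou=DSA,dc=swro,dc=local" write
    by anonymous auth
    by self write
    by * none

# Accounts, groups and machine accounts: the proxy manages them, everyone
# else gets read-only access, which is what nss_ldap and an anonymous
# "ldapsearch -x" rely on.
access to dn.subtree="ou=Users,dc=swro,dc=local"
    by dn.exact="cn=samba,ou=DSA,dc=swro,dc=local" write
    by * read
access to dn.subtree="ou=Groups,dc=swro,dc=local"
    by dn.exact="cn=samba,ou=DSA,dc=swro,dc=local" write
    by * read
access to dn.subtree="ou=Computers,dc=swro,dc=local"
    by dn.exact="cn=samba,ou=DSA,dc=swro,dc=local" write
    by * read

# Everything else under the suffix, including the sambaDomain entry whose
# SID and next-RID counters smbd updates: proxy writes, the rest reads.
access to dn.subtree="dc=swro,dc=local"
    by dn.exact="cn=samba,ou=DSA,dc=swro,dc=local" write
    by * read
```

To use it: while rootdn is still active, ldapadd an entry for
cn=samba,ou=DSA,dc=swro,dc=local with objectClass organizationalRole plus
simpleSecurityObject and a userPassword hash produced by slappasswd, then
comment rootdn/rootpw out and restart slapd. On the Samba side set
ldap admin dn = cn=samba,ou=DSA,dc=swro,dc=local in smb.conf, store its
password with smbpasswd -w, and point the smbldap-tools' own bind settings
(smbldap_bind.conf) at the same DN so the add/delete scripts in smb.conf use
it too. Craig's ldapsearch -x -W -D check, run with the proxy DN instead of
cn=Manager, is the quickest way to confirm the bind and the ACLs work before
touching Samba.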


RE: [Samba] Srvtools causes smbldap_open: cannot access LDAP when not root

2005-02-27 Thread Doug Campbell
  I am using Samba 3.0.10-1 on Fedora Core 3.  Most everything seems to be
  working as I expect it to except when I try to use the srvtools
 package to
   administrate the users and groups in the domain.
 
  I want to check and see whether maybe I am just
 misunderstanding usage as
   opposed to their being a configuration problem.
 
  If I log into my workstation as Administrator, either the local account
  or into the domain.  I can administrate the server using the srvtools.
 
  But if I login as a user who is in the Administrators group, Domain
  Admins
  group and I even added the user to the root group and I try to run
  srvtools. I can view all the settings but when I try to submit changes I
  get the following error showing up in the smbd.log file:
 
  smbldap_open: cannot access LDAP when not root...
 
 
  Is this normal?  I would think that Samba would check and see
 that I am a
   part of the Domain Admins group and allow the changes I have submitted
  but it doesn't want to allow anyone but root to access LDAP.
 
  Appreciate any insight on this.

 As which user (Unix) is slapd (presume this is OpenLDAP) running?
 Do you have an 'ldap admin dn' entry in smb.conf with rights to all LDAP
 ACLs?

 I.e., I don't have this problem with Samba 3.0.11/OL 2.2.17-23 and didn't
 with 3.0.7, either.

My smb.conf file does have the ldap admin dn entry.  The relevant section of
my smb.conf file is as follows:

[global]
   workgroup = SWRO
   netbios name = snoopy
   server string = Snoopy Samba-LDAP PDC Server
   domain logons = yes
   os level = 20
   preferred master = yes
   domain master = yes
   local master = yes
   encrypt passwords = yes
   wins support =yes
   username map = /etc/samba/smbusers

   ; SAMBA-LDAP declarations
   passdb backend = ldapsam:ldap://127.0.0.1/
   ldap admin dn = cn=Manager,dc=swro,dc=local
   ldap suffix = dc=swro,dc=local
   ldap group suffix = ou=Groups
   ldap user suffix = ou=Users
   ldap machine suffix = ou=Computers

   add machine script = /usr/local/sbin/smbldap-useradd -w %u
   add user script = /usr/local/sbin/smbldap-useradd -m %u
   ldap delete dn = Yes
   add group script = /usr/local/sbin/smbldap-groupadd -p %g
   add user to group script = /usr/local/sbin/smbldap-groupmod -m %u %g
   delete user from group script = /usr/local/sbin/smbldap-groupmod -x %u %g
   set primary group script = /usr/local/sbin/smbldap-usermod -g %g %u

Also, /etc/samba/smbusers is:

# Unix_name = SMB_name1 SMB_name2 ...
root = administrator admin
nobody = guest pcguest smbguest

So I can join the domain without problem.  I can even use the SRVTOOLS when
logged in as administrator which because of smbusers file is really just an
alias for root. But if I log in as user dcampbell who is in the Domain
Admins group, I can't use the SRVTOOLS.

Is this what you say you have working for you?

Also, I just noticed that Samba 3.0.11 came out with the ability to assign
privileges.  This seems to indicate to me the previously, it may have not
been possible to do what I want to do.

I went ahead and upgraded and made the necessary changes and now I can log
in as dcampbell who is in the Domain Admins group and be able to use the
SRVTOOLS package.

I am curious to know if you really are indeed logging in as a user that
isn't some how aliased as root because I would like to make sure I
understand how Samba is supposed to handle this.

Thanks!

Doug Campbell



Re: [Samba] Srvtools causes smbldap_open: cannot access LDAP when not root

2005-02-26 Thread Tony Earnshaw

Doug Campbell:

 I am using Samba 3.0.10-1 on Fedora Core 3.  Most everything seems to be
 working as I expect it to except when I try to use the srvtools package to
  administrate the users and groups in the domain.

 I want to check and see whether maybe I am just misunderstanding usage as
  opposed to their being a configuration problem.

 If I log into my workstation as Administrator, either the local account
 or into the domain.  I can administrate the server using the srvtools.

 But if I login as a user who is in the Administrators group, Domain
 Admins
 group and I even added the user to the root group and I try to run
 srvtools. I can view all the settings but when I try to submit changes I
 get the following error showing up in the smbd.log file:

 smbldap_open: cannot access LDAP when not root...


 Is this normal?  I would think that Samba would check and see that I am a
  part of the Domain Admins group and allow the changes I have submitted
 but it doesn't want to allow anyone but root to access LDAP.

 Appreciate any insight on this.

As which user (Unix) is slapd (presume this is OpenLDAP) running?
Do you have an 'ldap admin dn' entry in smb.conf with rights to all LDAP
ACLs?

I.e., I don't have this problem with Samba 3.0.11/OL 2.2.17-23 and didn't
with 3.0.7, either.

--Tonni

--
mail: [EMAIL PROTECTED]
http://www.billy.demon.nl



[Samba] Srvtools causes smbldap_open: cannot access LDAP when not root

2005-02-25 Thread Doug Campbell
I am using Samba 3.0.10-1 on Fedora Core 3.  Most everything seems to be
working as I expect it to except when I try to use the srvtools package to
administrate the users and groups in the domain.

I want to check and see whether maybe I am just misunderstanding usage as
opposed to their being a configuration problem.

If I log into my workstation as Administrator, either the local account or
into the domain.  I can administrate the server using the srvtools.

But if I login as a user who is in the Administrators group, Domain Admins
group and I even added the user to the root group and I try to run srvtools.
I can view all the settings but when I try to submit changes I get the
following error showing up in the smbd.log file:

smbldap_open: cannot access LDAP when not root...

Is this normal?  I would think that Samba would check and see that I am a
part of the Domain Admins group and allow the changes I have submitted but
it doesn't want to allow anyone but root to access LDAP.

Appreciate any insight on this.

Thanks!
