Hi,

The Problem:

I have a samba domain using LDAP as the backend, complete with the IdealX LDAP scripts.

Most of my Unix boxes (certainly anything which does any Samba stuff) authenticate against the same LDAP backend, using it for groups and users.

I need to grant some people sufficient privileges to add workstations to the domain, but I don't want to give them the root password in LDAP, as doing so will also give them root access to the Unix boxes.

I would therefore like to configure the system such that users who are a member of a specific group (Domain Admins springs immediately to mind) are able to add workstations to the domain.

I have already added myself to the "Domain Admins" group:

    # Domain Admins, Group, u4eatech.com
    dn: cn=Domain Admins,ou=Group,dc=u4eatech,dc=com
    objectClass: posixGroup
    objectClass: sambaGroupMapping
    gidNumber: 512
    cn: Domain Admins
    memberUid: Administrator
    memberUid: jamesc
    description: Netbios Domain Administrators
    sambaSID: S-1-5-21-2044582568-1589646193-1504741369-512
    sambaGroupType: 2
    displayName: Domain Admins

And I've chown/chmod'ed the smbldap config files so members of the Domain Admins group can read them:

    elli sbin # ls -ail /etc/smbldap-tools/
    total 27
    238406 drwxr-xr-x  2 root root           192 Jan 11 16:16 .
      9120 drwxr-xr-x 42 root root          3160 Jan 12 09:31 ..
    238451 -rw-r--r--  1 root root          7634 Jan 11 16:06 smbldap.conf
     30283 -rw-r--r--  1 root root          7728 Jan 10 13:44 smbldap.conf.old
    238421 -rw-r-----  1 root Domain Admins  438 Jan 11 08:52 smbldap_bind.conf

However, I can't add users using the smbldap-useradd script:

    jamesc@elli ~ $ /usr/sbin/smbldap-useradd -w "phobos$"
    Could not find base dn, to get next uidNumber at /usr/sbin//smbldap_tools.pm line 995.

Looking at the OpenLDAP logs, it seems that smbldap-useradd is performing the search without first authenticating with the LDAP server:

    Jan 16 09:24:19 cygnus_new slapd[12571]: conn=67383 fd=52 ACCEPT from IP=172.30.1.22:60342 (IP=0.0.0.0:389)
    Jan 16 09:24:19 cygnus_new slapd[26453]: conn=67383 op=1 SRCH base="dc=u4eatech,dc=com" scope=2 deref=2 filter="(&(objectClass=posixAccount)(uid=phobos$))"
    Jan 16 09:24:19 cygnus_new slapd[26453]: conn=67383 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text
    Jan 16 09:24:19 cygnus_new slapd[16367]: conn=67383 op=2 SRCH base="sambaDomainName=U4EATECH,dc=u4eatech,dc=com" scope=0 deref=2 filter="(objectClass=sambaUnixIdPool)"
    Jan 16 09:24:19 cygnus_new slapd[16367]: conn=67383 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text
    Jan 16 09:24:19 cygnus_new slapd[12571]: conn=67383 fd=52 closed
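As an added example (not part of the original post), a check over slapd stats-level logs like the ones above: it flags every connection that ran a search without first binding with a non-empty DN, which is the pattern the post describes. The sample lines are constructed from the post's own entries plus two made-up connections (a proper bind and an anonymous bind) to show the difference.

```shell
#!/bin/sh
# Constructed sample log: conn=67383 is taken from the post (search, no
# BIND); conn=67384 binds with a DN; conn=67385 binds anonymously (dn="").
sample_log() {
    cat <<'EOF'
Jan 16 09:24:19 cygnus_new slapd[12571]: conn=67383 fd=52 ACCEPT from IP=172.30.1.22:60342 (IP=0.0.0.0:389)
Jan 16 09:24:19 cygnus_new slapd[26453]: conn=67383 op=1 SRCH base="dc=u4eatech,dc=com" scope=2 deref=2 filter="(&(objectClass=posixAccount)(uid=phobos$))"
Jan 16 09:24:19 cygnus_new slapd[26453]: conn=67383 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
Jan 16 09:24:19 cygnus_new slapd[12571]: conn=67383 fd=52 closed
Jan 16 09:25:02 cygnus_new slapd[12571]: conn=67384 fd=53 ACCEPT from IP=172.30.1.22:60350 (IP=0.0.0.0:389)
Jan 16 09:25:02 cygnus_new slapd[26453]: conn=67384 op=0 BIND dn="cn=Manager,dc=u4eatech,dc=com" method=128
Jan 16 09:25:02 cygnus_new slapd[26453]: conn=67384 op=0 RESULT tag=97 err=0 text=
Jan 16 09:25:02 cygnus_new slapd[26453]: conn=67384 op=1 SRCH base="sambaDomainName=U4EATECH,dc=u4eatech,dc=com" scope=0 deref=2 filter="(objectClass=sambaUnixIdPool)"
Jan 16 09:25:02 cygnus_new slapd[12571]: conn=67384 fd=53 closed
Jan 16 09:26:40 cygnus_new slapd[12571]: conn=67385 fd=54 ACCEPT from IP=172.30.1.40:41002 (IP=0.0.0.0:389)
Jan 16 09:26:40 cygnus_new slapd[26453]: conn=67385 op=0 BIND dn="" method=128
Jan 16 09:26:40 cygnus_new slapd[26453]: conn=67385 op=1 SRCH base="dc=u4eatech,dc=com" scope=2 deref=2 filter="(objectClass=posixAccount)"
Jan 16 09:26:40 cygnus_new slapd[12571]: conn=67385 fd=54 closed
EOF
}

# Reads slapd log lines on stdin; prints "conn=N src=IP:port" for every
# connection that searched without a bind carrying a DN (anonymous search).
anonymous_searches() {
    awk '
        !match($0, /conn=[0-9]+/) { next }          # not a connection line
        { conn = substr($0, RSTART, RLENGTH) }
        / ACCEPT from IP=/ {
            if (match($0, /from IP=[^ ]+/)) src[conn] = substr($0, RSTART + 8, RLENGTH - 8)
        }
        / BIND dn=/ {                               # dn="" means anonymous bind
            dn = $0; sub(/.* BIND dn=/, "", dn); sub(/ method=.*/, "", dn)
            if (length(dn) > 2) bound[conn] = 1     # more than the two quotes
        }
        / SRCH base=/ { searched[conn] = 1 }
        / closed$/ {
            if (searched[conn] && !bound[conn]) print conn, "src=" src[conn]
            delete bound[conn]; delete searched[conn]; delete src[conn]
        }
    '
}

sample_log | anonymous_searches     # on a real server: anonymous_searches < /var/log/slapd.log
```

Prints the two connections that searched anonymously; a client that is supposed to bind with the credentials in smbldap_bind.conf should never show up here.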
stephane.purnelle@corman.be
2006-Jan-16 10:04 UTC
RE [Samba] Adding workstations to domain as non-root
In your log I see two problems or comments:

- Have you configured the idealx-tools (smbldap.conf & smbldap_bind.conf)?
- Have you added in your LDAP tree the objectclass sambaUnixIdPool to the entry sambaDomainName="xxxxxxx"? (It's the preference entry from the idealx-howto.)

-----------------------------------
Stéphane PURNELLE          stephane.purnelle@corman.be
Service Informatique       Corman S.A.
Tel : 00 32 087/342467

samba-bounces+stephane.purnelle=corman.be@lists.samba.org wrote on 16/01/2006 10:41:55:
On Mon, 2006-01-16 at 09:41 +0000, James Cort wrote:

> I need to grant some people sufficient privileges to add workstations
> to the domain, but I don't want to give them the root password in LDAP
> as doing so will also give them root access to the Unix boxes.

Set "enable privileges = yes" in smb.conf.

Create a specific group for the users that you want to be able to add workstations to the domain.

Map the group with net groupmap.

When done, use net rights grant to grant this group the SeMachineAccount privilege.

No need to chown the scripts, samba will take care of everything.

Simo.

-- 
Simo Sorce
Samba Team
email: idra@samba.org
http://samba.org/~idra
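The four steps Simo lists, as an added shell example (not code from the thread or from the Samba project). It assumes Samba 3.x with the LDAP backend from the thread; the group names, the use of smbldap-groupadd for the POSIX group and of -U root for the grant are assumptions, and the privilege is spelled out in full as SeMachineAccountPrivilege.

```shell
#!/bin/sh
# Delegate machine-account creation to one group through Samba's privilege
# system, so nobody needs the LDAP root password. Names below are constructed.
DOMAIN=U4EATECH                 # NetBIOS domain name from the thread
UNIX_GROUP=wsjoin               # constructed: POSIX group to create in LDAP
NT_GROUP="Workstation Joiners"  # constructed: NT group name it is mapped to

# Step 1: smb.conf needs "enable privileges = yes" (not the default in the
# Samba 3.0 releases of the time). Returns 0 when the setting is present.
has_enable_privileges() {
    grep -iqE '^[[:space:]]*enable[[:space:]]+privileges[[:space:]]*=[[:space:]]*(yes|true|on|1)[[:space:]]*$' "$1"
}

# Steps 2-4: create the group, map it to an NT group, grant the privilege.
# NET and GROUPADD can be overridden (e.g. NET=echo GROUPADD=echo) to print
# the commands instead of running them.
delegate_machine_join() {
    net=${NET:-net}
    groupadd=${GROUPADD:-smbldap-groupadd}
    "$groupadd" "$UNIX_GROUP"
    "$net" groupmap add ntgroup="$NT_GROUP" unixgroup="$UNIX_GROUP" type=domain
    # -U root prompts once for the Samba root password (assumption: root is
    # the domain administrator account, as in the thread's setup)
    "$net" -S localhost -U root rights grant "$DOMAIN\\$NT_GROUP" SeMachineAccountPrivilege
    "$net" -S localhost -U root rights list accounts   # confirm the grant
}

# Run as root on the PDC with --apply to make the changes for real.
if [ "${1:-}" = "--apply" ]; then
    has_enable_privileges /etc/samba/smb.conf ||
        { echo "set 'enable privileges = yes' in smb.conf first" >&2; exit 1; }
    delegate_machine_join
fi
```

Once the privilege is granted, a member of the group joins the workstation from Windows and Samba runs its own machine-account creation as root, so smbldap_bind.conf can stay readable by root only.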