hi,

I set up a winbindd with a ldap backend, here is the relevant part of my smb.conf:

idmap backend = ldap:ldap://mail.rhel.homelinux.com
ldap admin dn = cn=winbind,dc=example,dc=com
ldap suffix = dc=example,dc=com
ldap idmap suffix = ou=idmap

On the ldap server I set up the ou=idmap and also permissions for cn=winbind to write into the ou=idmap:

access to dn="(.*),ou=idmap,dc=example,dc=com"
        by dn="cn=winbind,dc=example,dc=com"
        by * read

when trying a "getent passwd" on the client I get the following error messages on the ldap-server:

Oct 6 13:02:49 mail slapd[21955]: conn=2 op=22 SEARCH RESULT tag=101 err=0 text=
Oct 6 13:02:49 mail slapd[21955]: conn=2 op=23 MOD dn="cn=IdPool,ou=Idmap,dc=example,dc=com"
Oct 6 13:02:49 mail slapd[21955]: conn=2 op=23 RESULT tag=103 err=0 text=
Oct 6 13:02:49 mail slapd[21955]: conn=2 op=24 ADD dn="SAMBASID=S-1-5-32-546,OU=IDMAP,DC=EXAMPLE,DC=COM"
Oct 6 13:02:49 mail slapd[21955]: conn=2 op=24 RESULT tag=105 err=50 text=no write access to parent
Oct 6 13:02:49 mail slapd[21955]: conn=2 op=25 SRCH base="ou=idmap,dc=example,dc=com" scope=2 filter="(&(objectClass=sambaIdmapEntry)(sambaSID=S-1-5-32-547))"

so, seems that winbind has no write access on the PARENT! if I give him write access on dc=example,dc=com everything works just fine and the sid/uid/gid-mapping works wonderfully. but why is winbind needing access on the parent and not just on the ou-container where the id-mapping happens, ou=idmap? can anybody explain that to me?!

thanks and greetings,
thorsten

--
Thorsten Scherf <tscherf@redhat.com>
Thorsten Scherf wrote:
> On Wed, 06.10.2004 Igor Belyi wrote:
>
>> I think the difference is that you forgot to add '.regexp' to your
>> access statement. It should have been:
>> dn.regexp="(.*),ou=idmap,dc=example,dc=com"
>> otherwise it was matching dn as it is without applying regular
>> expression rules.
>>

I think I got it! :o) To add entries you need to have access to the root entry where children are created and that's what subtree does. In your example you have an extra comma which causes you the headache. Try to change it to the following:

dn="(.*)ou=idmap,dc=example,dc=com"

Hope it helps,
Igor
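To make the difference between the three ACL spellings in this thread visible without a running slapd, here is a small emulation (added example, not code from the thread or from OpenLDAP) that checks whether a `dn=` or `dn.regexp=` clause covers both the entry winbind tried to ADD and its parent. It assumes slapd compares the normalized DN case-insensitively and that the regex has to match the whole DN; the DNs are taken from the log above.

```python
import re

# Constructed from the thread: the entry winbind tried to ADD, and its parent.
ENTRY_DN = "sambaSID=S-1-5-32-546,ou=idmap,dc=example,dc=com"
PARENT_DN = "ou=idmap,dc=example,dc=com"


def parent_of(dn):
    """Parent DN = everything after the first RDN (naive split, no escaped commas)."""
    return dn.split(",", 1)[1]


def clause_matches(pattern, dn, regexp):
    """Model of slapd's 'dn=' (literal, case-insensitive) vs 'dn.regexp=' matching.

    Assumption (this is an emulation, not slapd's matcher): the regex must
    cover the whole normalized DN and is compared case-insensitively.
    """
    if regexp:
        return re.fullmatch(pattern, dn, re.IGNORECASE) is not None
    return pattern.lower() == dn.lower()


def add_allowed(pattern, regexp, entry_dn=ENTRY_DN):
    """An ADD needs the clause to cover the new entry AND its parent
    (that is what 'no write access to parent' in the log is about)."""
    entry_ok = clause_matches(pattern, entry_dn, regexp)
    parent_ok = clause_matches(pattern, parent_of(entry_dn), regexp)
    return {"entry": entry_ok, "parent": parent_ok, "add": entry_ok and parent_ok}


if __name__ == "__main__":
    cases = [
        # Thorsten's original: without .regexp the string is a literal DN, matches nothing.
        (r"(.*),ou=idmap,dc=example,dc=com", False),
        # With .regexp: the child matches, but the comma excludes the parent ou=idmap itself.
        (r"(.*),ou=idmap,dc=example,dc=com", True),
        # Igor's fix: no comma, so both the children and ou=idmap itself are covered.
        (r"(.*)ou=idmap,dc=example,dc=com", True),
    ]
    for pattern, regexp in cases:
        kind = "dn.regexp" if regexp else "dn"
        print(f'{kind}="{pattern}" -> {add_allowed(pattern, regexp)}')
```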