I'm using Samba 3.0.14a as a PDC with an LDAP backend.

I am having trouble using the Windows "User Manager for Domains" tool.

As an example, I shall be looking at the "Domain Users" group. Whenever I try modifying anybody's group membership, I get the error message:

  "The following error occurred changing the properties of the global group Domain Users:

  The group name could not be found."

I am running User Manager as a user with Domain Admin privileges. Domain Admins have been granted every available right using the net rpc rights command. Samba is definitely doing an LDAP search for the group and is getting sensible results (logs below). The research I've done suggests this may be a known issue, but generally with older versions of Samba.

Samba logs show a point which I'll mention here:

[2006/02/01 11:33:46, 0] lib/smbldap.c:smbldap_open(882)
  smbldap_open: cannot access LDAP when not root..

The LDAP entry for the Domain Users group shows:

# Domain Users, Group, u4eatech.com
dn: cn=Domain Users,ou=Group,dc=u4eatech,dc=com
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 513
cn: Domain Users
description: Netbios Domain Users
sambaSID: S-1-5-21-2044582568-1589646193-1504741369-513
sambaGroupType: 2
displayName: Domain Users

Domain Admin privs:

elli ~ # net rpc -U jamesc rights list "U4EATECH\Domain Admins"
Password:
SeMachineAccountPrivilege
SePrintOperatorPrivilege
SeAddUsersPrivilege
SeRemoteShutdownPrivilege
SeDiskOperatorPrivilege

In the Samba logs, I see the following error:

  smbldap_open: cannot access LDAP when not root..
[2006/02/01 11:33:46, 0] lib/smbldap.c:smbldap_open(882)
  smbldap_open: cannot access LDAP when not root..
[2006/02/01 11:33:47, 0] lib/smbldap.c:smbldap_open(882)
  smbldap_open: cannot access LDAP when not root..
[2006/02/01 11:33:48, 0] lib/smbldap.c:smbldap_open(882)
  smbldap_open: cannot access LDAP when not root..
[2006/02/01 11:33:49, 0] lib/smbldap.c:smbldap_open(882)
  smbldap_open: cannot access LDAP when not root..
[2006/02/01 11:33:50, 0] lib/smbldap.c:smbldap_open(882)
  smbldap_open: cannot access LDAP when not root..
[2006/02/01 11:33:51, 0] lib/smbldap.c:smbldap_open(882)
  smbldap_open: cannot access LDAP when not root..
[2006/02/01 11:33:52, 0] lib/smbldap.c:smbldap_open(882)
  smbldap_open: cannot access LDAP when not root..
[2006/02/01 11:33:53, 0] lib/smbldap.c:smbldap_open(882)
  smbldap_open: cannot access LDAP when not root..
[2006/02/01 11:33:54, 0] lib/smbldap.c:smbldap_open(882)
  smbldap_open: cannot access LDAP when not root..
[2006/02/01 11:33:55, 0] lib/smbldap.c:smbldap_open(882)
  smbldap_open: cannot access LDAP when not root..
[2006/02/01 11:33:56, 0] lib/smbldap.c:smbldap_open(882)
  smbldap_open: cannot access LDAP when not root..
[2006/02/01 11:33:57, 0] lib/smbldap.c:smbldap_open(882)
  smbldap_open: cannot access LDAP when not root..
[2006/02/01 11:33:58, 0] lib/smbldap.c:smbldap_open(882)
  smbldap_open: cannot access LDAP when not root..
[2006/02/01 11:33:59, 0] lib/smbldap.c:smbldap_open(882)
  smbldap_open: cannot access LDAP when not root..
[2006/02/01 11:34:00, 0] lib/smbldap.c:smbldap_open(882)
  smbldap_open: cannot access LDAP when not root..
[2006/02/01 11:34:00, 0] passdb/pdb_ldap.c:ldapsam_search_one_group(1971)
  ldapsam_search_one_group: Problem during the LDAP search: LDAP error:
  (Timed out)

LDAP Logs:

Feb 1 11:37:30 cygnus_new slapd[30055]: conn=310691 op=62 SRCH base="ou=Group,dc=u4eatech,dc=com" scope=2 deref=0 filter="(&(objectClass=sambaGroupMapping)(|(displayName=domain users)(cn=domain users)))"
Feb 1 11:37:30 cygnus_new slapd[30055]: conn=310691 op=62 SRCH attr=gidNumber sambaSID sambaGroupType sambaSIDList description displayName cn objectClass
Feb 1 11:37:30 cygnus_new slapd[30055]: conn=310691 op=62 ENTRY dn="cn=Domain Users,ou=Group,dc=u4eatech,dc=com"
Feb 1 11:37:30 cygnus_new slapd[30055]: conn=310691 op=62 SEARCH RESULT tag=101 err=0 nentries=1 text=
Feb 1 11:37:30 cygnus_new slapd[8490]: conn=310691 op=63 SRCH base="ou=Group,dc=u4eatech,dc=com" scope=2 deref=0 filter="(&(objectClass=sambaGroupMapping)(sambaSID=s-1-5-21-2044582568-1589646193-1504741369-513))"
Feb 1 11:37:30 cygnus_new slapd[8490]: conn=310691 op=63 SRCH attr=gidNumber sambaSID sambaGroupType sambaSIDList description displayName cn objectClass
Feb 1 11:37:30 cygnus_new slapd[8490]: conn=310691 op=63 ENTRY dn="cn=Domain Users,ou=Group,dc=u4eatech,dc=com"
Feb 1 11:37:30 cygnus_new slapd[8490]: conn=310691 op=63 SEARCH RESULT tag=101 err=0 nentries=1 text=
Feb 1 11:37:30 cygnus_new slapd[26454]: conn=310772 op=2 UNBIND
Feb 1 11:37:30 cygnus_new slapd[26454]: conn=310772 fd=30 closed
Feb 1 11:37:30 cygnus_new slapd[12571]: conn=310793 fd=30 ACCEPT from IP=172.30.1.22:59861 (IP=0.0.0.0:389)
Feb 1 11:37:30 cygnus_new slapd[16367]: conn=310793 op=0 BIND dn="cn=manager,dc=u4eatech,dc=com" method=128
Feb 1 11:37:30 cygnus_new slapd[16367]: conn=310793 op=0 BIND dn="cn=manager,dc=u4eatech,dc=com" mech=SIMPLE ssf=0
Feb 1 11:37:30 cygnus_new slapd[16367]: conn=310793 op=0 RESULT tag=97 err=0 text=
Feb 1 11:37:30 cygnus_new slapd[2070]: conn=310793 op=1 SRCH base="ou=Group,dc=u4eatech,dc=com" scope=1 deref=0 filter="(&(objectClass=posixGroup)(gidNumber=513))"
Feb 1 11:37:30 cygnus_new slapd[2070]: conn=310793 op=1 SRCH attr=cn userPassword memberUid uniqueMember gidNumber
Feb 1 11:37:30 cygnus_new slapd[2070]: conn=310793 op=1 ENTRY dn="cn=Domain Users,ou=Group,dc=u4eatech,dc=com"
Feb 1 11:37:30 cygnus_new slapd[2070]: conn=310793 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Feb 1 11:37:30 cygnus_new slapd[2069]: conn=310691 op=64 SRCH base="ou=Group,dc=u4eatech,dc=com" scope=2 deref=0 filter="(&(objectClass=sambaGroupMapping)(sambaSID=s-1-5-21-2044582568-1589646193-1504741369-513))"
Feb 1 11:37:30 cygnus_new slapd[2069]: conn=310691 op=64 SRCH attr=gidNumber sambaSID sambaGroupType sambaSIDList description displayName cn objectClass
Feb 1 11:37:30 cygnus_new slapd[2069]: conn=310691 op=64 ENTRY dn="cn=Domain Users,ou=Group,dc=u4eatech,dc=com"
Feb 1 11:37:30 cygnus_new slapd[2069]: conn=310691 op=64 SEARCH RESULT tag=101 err=0 nentries=1 text=
Feb 1 11:37:30 cygnus_new slapd[12628]: conn=310793 op=2 UNBIND
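The repeated smbldap_open entries in the Samba log above, collapsed into bursts so the retry run and the timeout that ends it stand out. This is an added example, not part of the original post or of Samba; the sample log is constructed in the same layout, and the names parse_records and collapse_bursts are hypothetical.

```python
import re
from datetime import datetime

# Constructed sample in the Samba 3 log layout quoted in the post: a header
# line "[date time, level] file:function(line)" followed by indented text.
SAMPLE_LOG = """\
[2006/02/01 11:33:46, 0] lib/smbldap.c:smbldap_open(882)
  smbldap_open: cannot access LDAP when not root..
[2006/02/01 11:33:47, 0] lib/smbldap.c:smbldap_open(882)
  smbldap_open: cannot access LDAP when not root..
[2006/02/01 11:33:48, 0] lib/smbldap.c:smbldap_open(882)
  smbldap_open: cannot access LDAP when not root..
[2006/02/01 11:33:48, 0] passdb/pdb_ldap.c:ldapsam_search_one_group(1971)
  ldapsam_search_one_group: Problem during the LDAP search: LDAP error:
  (Timed out)
"""

HEADER = re.compile(
    r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), +(\d+)\] (\S+):(\w+)\((\d+)\)")


def parse_records(text):
    """Yield one dict per log record, joining indented continuation lines."""
    record = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            if record:
                yield record
            record = {"time": datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S"),
                      "level": int(m.group(2)), "func": m.group(4), "msg": ""}
        elif record is not None and line.strip():
            record["msg"] = (record["msg"] + " " + line.strip()).strip()
    if record:
        yield record


def collapse_bursts(records):
    """Merge consecutive records that share function and message text."""
    bursts = []
    for rec in records:
        last = bursts[-1] if bursts else None
        if last and (last["func"], last["msg"]) == (rec["func"], rec["msg"]):
            last["count"] += 1
            last["last"] = rec["time"]
        else:
            bursts.append({"func": rec["func"], "msg": rec["msg"], "count": 1,
                           "first": rec["time"], "last": rec["time"]})
    return bursts


if __name__ == "__main__":
    for b in collapse_bursts(parse_records(SAMPLE_LOG)):
        span = int((b["last"] - b["first"]).total_seconds())
        print(f'{b["count"]:>3}x over {span}s  {b["func"]}: {b["msg"]}')
```

The header pattern assumes whole-second timestamps as shown in the post; logs written with a different timestamp format need the pattern adjusted.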
Louis van Belle
2006-Feb-01 13:04 UTC
[Samba] smbldap_open: cannot access LDAP when not root
check the rights on
libnss-ldap
libpam-ldap
set it to 644

Louis

>-----Original message-----
>From: samba-bounces+louis=van-belle.nl@lists.samba.org
>[mailto:samba-bounces+louis=van-belle.nl@lists.samba.org]
>On behalf of James Cort
>Sent: Wednesday 1 February 2006 13:07
>To: samba@lists.samba.org
>Subject: [Samba] smbldap_open: cannot access LDAP when not root
>
>I'm using Samba 3.0.14a as a PDC with an LDAP backend.
>
>I am having trouble using the Windows "User Manager for Domains" tool.
>
>As an example, I shall be looking at the "Domain Users" group. Whenever
>I try modifying anybody's group membership, I get the error message:
>
> "The following error occurred changing the properties of the global
>group Domain Users:
>
>The group name could not be found."
>
>I am running User Manager as a user with Domain Admin privileges.
>Domain Admins have been granted every available right using the net rpc
>rights command. Samba is definitely doing an LDAP search for the group
>and is getting sensible results (logs below). The research I've done
>suggests this may be a known issue, but generally with older versions
>of Samba.
>
>Samba logs show a point which I'll mention here:
>
>[2006/02/01 11:33:46, 0] lib/smbldap.c:smbldap_open(882)
> smbldap_open: cannot access LDAP when not root..
> check the rights on
>
> libnss-ldap
> libpam-ldap
> set it to 644

I've checked; they were already fine.

The problem I'm having seems to be the same as: https://bugzilla.samba.org/show_bug.cgi?id=3047

I've upgraded the version of Samba to 3.0.20b and confirmed that the new version does indeed have the patch listed in the bug report applied, which it does. Unfortunately the problem persists.
>> check the rights on
>>
>> libnss-ldap
>> libpam-ldap
>> set it to 644
>
> I've upgraded the version of Samba to 3.0.20b and confirmed that the
> new version does indeed have the patch listed in the bug report
> applied, which it does. Unfortunately the problem persists.

My mistake - While the problem does persist, the error message from User Manager is different. It reads:

"The following error occurred changing the properties of the global group Domain Users:

The user name could not be found."

Level 10 log at: http://www.u4eatech.com/samba_log.txt
Andreas Fladischer
2006-Feb-02 12:34 UTC
[Samba] smbldap_open: cannot access LDAP when not root
hi!

my new samba server is running as pdc with samba3.0.21b and ldap. everything worked well but one thing will not work. i would like to add a group or a user with the windowstool usermanager; if i try to add a new group, it tells me "access denied". the logfile shows the following:

[2006/02/02 12:56:20, 0] lib/smbldap.c:smbldap_open(922)
  smbldap_open: cannot access LDAP when not root..

i searched a while in the internet but didn't find a solution!

i hope someone can help me!

thanks in advance

andreas
adrian sender
2006-Feb-03 14:09 UTC
[Samba] smbldap_open: cannot access LDAP when not root
Hi Andreas,

If you are wanting to use srvtools.exe you need to logon to the domain as user root; then you have the permissions to modify.

Adrian.

>From: Andreas Fladischer <andreas.fladischer@ecofinance.com>
>To: samba@lists.samba.org
>Subject: [Samba] smbldap_open: cannot access LDAP when not root
>Date: Thu, 02 Feb 2006 13:09:37 +0100
>
>hi!
>
>my new samba server is running as pdc with samba3.0.21b and ldap. everything
>worked well but one thing will not work. i would like to add a group or a
>user with the windowstool usermanager; if i try to add a new group, it
>tells me "access denied". the logfile shows the following:
>
>[2006/02/02 12:56:20, 0] lib/smbldap.c:smbldap_open(922)
> smbldap_open: cannot access LDAP when not root..
>
>i searched a while in the internet but didn't find a solution!
>
>i hope someone can help me!
>
>thanks in advance
>
>andreas
Gerald (Jerry) Carter
2006-Feb-03 15:15 UTC
[Samba] smbldap_open: cannot access LDAP when not root
adrian sender wrote:
> Hi Andreas,
>
> If you are wanting to use srvtools.exe you need to logon to the domain
> as user root; then you have the permissions to modify.

Better to assign privileges.

cheers, jerry