samba - Feb 2006 - smbldap_open: cannot access LDAP when not root

I'm using Samba 3.0.14a as a PDC with an LDAP backend.

I am having trouble using the Windows "User Manager for Domains" tool.

As an example, I shall be looking at the "Domain Users" group.
Whenever
I try modifying anybody's group membership, I get the error message:

  "The following error occurred changing the properties of the global 
group Domain Users:

The group name could not be found."

I am running User Manager as a user with Domain Admin privileges.  
Domain Admins have been granted every available right using the net rpc 
rights command.  Samba is definitely doing an LDAP search for the group 
and is getting sensible results (logs below).  The research I've done 
suggests this may be a known issue, but generally with older versions 
of Samba.

Samba logs show a point which I'll mention here:

[2006/02/01 11:33:46, 0] lib/smbldap.c:smbldap_open(882)
  smbldap_open: cannot access LDAP when not root..



The LDAP entry for the Domain Users group shows:

# Domain Users, Group, u4eatech.com
dn: cn=Domain Users,ou=Group,dc=u4eatech,dc=com
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 513
cn: Domain Users
description: Netbios Domain Users
sambaSID: S-1-5-21-2044582568-1589646193-1504741369-513
sambaGroupType: 2
displayName: Domain Users


Domain Admin privs:

elli ~ # net rpc -U jamesc rights list "U4EATECH\Domain Admins"
Password:
SeMachineAccountPrivilege
SePrintOperatorPrivilege
SeAddUsersPrivilege
SeRemoteShutdownPrivilege
SeDiskOperatorPrivilege


In the Samba logs, I see the following error:


  smbldap_open: cannot access LDAP when not root..
[2006/02/01 11:33:46, 0] lib/smbldap.c:smbldap_open(882)
  smbldap_open: cannot access LDAP when not root..
[2006/02/01 11:33:47, 0] lib/smbldap.c:smbldap_open(882)
  smbldap_open: cannot access LDAP when not root..
[2006/02/01 11:33:48, 0] lib/smbldap.c:smbldap_open(882)
  smbldap_open: cannot access LDAP when not root..
[2006/02/01 11:33:49, 0] lib/smbldap.c:smbldap_open(882)
  smbldap_open: cannot access LDAP when not root..
[2006/02/01 11:33:50, 0] lib/smbldap.c:smbldap_open(882)
  smbldap_open: cannot access LDAP when not root..
[2006/02/01 11:33:51, 0] lib/smbldap.c:smbldap_open(882)
  smbldap_open: cannot access LDAP when not root..
[2006/02/01 11:33:52, 0] lib/smbldap.c:smbldap_open(882)
  smbldap_open: cannot access LDAP when not root..
[2006/02/01 11:33:53, 0] lib/smbldap.c:smbldap_open(882)
  smbldap_open: cannot access LDAP when not root..
[2006/02/01 11:33:54, 0] lib/smbldap.c:smbldap_open(882)
  smbldap_open: cannot access LDAP when not root..
[2006/02/01 11:33:55, 0] lib/smbldap.c:smbldap_open(882)
  smbldap_open: cannot access LDAP when not root..
[2006/02/01 11:33:56, 0] lib/smbldap.c:smbldap_open(882)
  smbldap_open: cannot access LDAP when not root..
[2006/02/01 11:33:57, 0] lib/smbldap.c:smbldap_open(882)
  smbldap_open: cannot access LDAP when not root..
[2006/02/01 11:33:58, 0] lib/smbldap.c:smbldap_open(882)
  smbldap_open: cannot access LDAP when not root..
[2006/02/01 11:33:59, 0] lib/smbldap.c:smbldap_open(882)
  smbldap_open: cannot access LDAP when not root..
[2006/02/01 11:34:00, 0] lib/smbldap.c:smbldap_open(882)
  smbldap_open: cannot access LDAP when not root..
[2006/02/01 11:34:00, 0] passdb/pdb_ldap.c:ldapsam_search_one_group(1971)
  ldapsam_search_one_group: Problem during the LDAP search: LDAP error: 
  (Timed out)


LDAP Logs:


Feb  1 11:37:30 cygnus_new slapd[30055]: conn=310691 op=62 SRCH 
base="ou=Group,dc=u4eatech,dc=com" scope=2 deref=0 
filter="(&(objectClass=sambaGroupMapping)(|(displayName=domain 
users)(cn=domain users)))"
Feb  1 11:37:30 cygnus_new slapd[30055]: conn=310691 op=62 SRCH 
attr=gidNumber sambaSID sambaGroupType sambaSIDList description 
displayName cn objectClass
Feb  1 11:37:30 cygnus_new slapd[30055]: conn=310691 op=62 ENTRY 
dn="cn=Domain Users,ou=Group,dc=u4eatech,dc=com"
Feb  1 11:37:30 cygnus_new slapd[30055]: conn=310691 op=62 SEARCH 
RESULT tag=101 err=0 nentries=1 textFeb  1 11:37:30 cygnus_new slapd[8490]:
conn=310691 op=63 SRCH
base="ou=Group,dc=u4eatech,dc=com" scope=2 deref=0 
filter="(&(objectClass=sambaGroupMapping)(sambaSID=s-1-5-21-2044582568-1589646193-1504741369-513))"
Feb  1 11:37:30 cygnus_new slapd[8490]: conn=310691 op=63 SRCH 
attr=gidNumber sambaSID sambaGroupType sambaSIDList description 
displayName cn objectClass
Feb  1 11:37:30 cygnus_new slapd[8490]: conn=310691 op=63 ENTRY 
dn="cn=Domain Users,ou=Group,dc=u4eatech,dc=com"
Feb  1 11:37:30 cygnus_new slapd[8490]: conn=310691 op=63 SEARCH RESULT 
tag=101 err=0 nentries=1 textFeb  1 11:37:30 cygnus_new slapd[26454]:
conn=310772 op=2 UNBIND
Feb  1 11:37:30 cygnus_new slapd[26454]: conn=310772 fd=30 closed
Feb  1 11:37:30 cygnus_new slapd[12571]: conn=310793 fd=30 ACCEPT from 
IP=172.30.1.22:59861 (IP=0.0.0.0:389)
Feb  1 11:37:30 cygnus_new slapd[16367]: conn=310793 op=0 BIND 
dn="cn=manager,dc=u4eatech,dc=com" method=128
Feb  1 11:37:30 cygnus_new slapd[16367]: conn=310793 op=0 BIND 
dn="cn=manager,dc=u4eatech,dc=com" mech=SIMPLE ssf=0
Feb  1 11:37:30 cygnus_new slapd[16367]: conn=310793 op=0 RESULT tag=97 
err=0 textFeb  1 11:37:30 cygnus_new slapd[2070]: conn=310793 op=1 SRCH 
base="ou=Group,dc=u4eatech,dc=com" scope=1 deref=0 
filter="(&(objectClass=posixGroup)(gidNumber=513))"
Feb  1 11:37:30 cygnus_new slapd[2070]: conn=310793 op=1 SRCH attr=cn 
userPassword memberUid uniqueMember gidNumber
Feb  1 11:37:30 cygnus_new slapd[2070]: conn=310793 op=1 ENTRY 
dn="cn=Domain Users,ou=Group,dc=u4eatech,dc=com"
Feb  1 11:37:30 cygnus_new slapd[2070]: conn=310793 op=1 SEARCH RESULT 
tag=101 err=0 nentries=1 textFeb  1 11:37:30 cygnus_new slapd[2069]: conn=310691
op=64 SRCH
base="ou=Group,dc=u4eatech,dc=com" scope=2 deref=0 
filter="(&(objectClass=sambaGroupMapping)(sambaSID=s-1-5-21-2044582568-1589646193-1504741369-513))"
Feb  1 11:37:30 cygnus_new slapd[2069]: conn=310691 op=64 SRCH 
attr=gidNumber sambaSID sambaGroupType sambaSIDList description 
displayName cn objectClass
Feb  1 11:37:30 cygnus_new slapd[2069]: conn=310691 op=64 ENTRY 
dn="cn=Domain Users,ou=Group,dc=u4eatech,dc=com"
Feb  1 11:37:30 cygnus_new slapd[2069]: conn=310691 op=64 SEARCH RESULT 
tag=101 err=0 nentries=1 textFeb  1 11:37:30 cygnus_new slapd[12628]:
conn=310793 op=2 UNBIND

check the rights on 

libnss-ldap
libpam-ldap

set it to 644

Louis

 
>-----Oorspronkelijk bericht-----
>Van: samba-bounces+louis=van-belle.nl@lists.samba.org 
>[mailto:samba-bounces+louis=van-belle.nl@lists.samba.org] 
>Namens James Cort
>Verzonden: woensdag 1 februari 2006 13:07
>Aan: samba@lists.samba.org
>Onderwerp: [Samba] smbldap_open: cannot access LDAP when not root
>
>I'm using Samba 3.0.14a as a PDC with an LDAP backend.
>
>I am having trouble using the Windows "User Manager for Domains"
tool.
>
>As an example, I shall be looking at the "Domain Users" group. 
>Whenever 
>I try modifying anybody's group membership, I get the error message:
>
>  "The following error occurred changing the properties of the global 
>group Domain Users:
>
>The group name could not be found."
>
>I am running User Manager as a user with Domain Admin privileges.  
>Domain Admins have been granted every available right using 
>the net rpc 
>rights command.  Samba is definitely doing an LDAP search for 
>the group 
>and is getting sensible results (logs below).  The research I've done 
>suggests this may be a known issue, but generally with older versions 
>of Samba.
>
>Samba logs show a point which I'll mention here:
>
>[2006/02/01 11:33:46, 0] lib/smbldap.c:smbldap_open(882)
>  smbldap_open: cannot access LDAP when not root..
>
>
>
>The LDAP entry for the Domain Users group shows:
>
># Domain Users, Group, u4eatech.com
>dn: cn=Domain Users,ou=Group,dc=u4eatech,dc=com
>objectClass: posixGroup
>objectClass: sambaGroupMapping
>gidNumber: 513
>cn: Domain Users
>description: Netbios Domain Users
>sambaSID: S-1-5-21-2044582568-1589646193-1504741369-513
>sambaGroupType: 2
>displayName: Domain Users
>
>
>Domain Admin privs:
>
>elli ~ # net rpc -U jamesc rights list "U4EATECH\Domain Admins"
>Password:
>SeMachineAccountPrivilege
>SePrintOperatorPrivilege
>SeAddUsersPrivilege
>SeRemoteShutdownPrivilege
>SeDiskOperatorPrivilege
>
>
>In the Samba logs, I see the following error:
>
>
>  smbldap_open: cannot access LDAP when not root..
>[2006/02/01 11:33:46, 0] lib/smbldap.c:smbldap_open(882)
>  smbldap_open: cannot access LDAP when not root..
>[2006/02/01 11:33:47, 0] lib/smbldap.c:smbldap_open(882)
>  smbldap_open: cannot access LDAP when not root..
>[2006/02/01 11:33:48, 0] lib/smbldap.c:smbldap_open(882)
>  smbldap_open: cannot access LDAP when not root..
>[2006/02/01 11:33:49, 0] lib/smbldap.c:smbldap_open(882)
>  smbldap_open: cannot access LDAP when not root..
>[2006/02/01 11:33:50, 0] lib/smbldap.c:smbldap_open(882)
>  smbldap_open: cannot access LDAP when not root..
>[2006/02/01 11:33:51, 0] lib/smbldap.c:smbldap_open(882)
>  smbldap_open: cannot access LDAP when not root..
>[2006/02/01 11:33:52, 0] lib/smbldap.c:smbldap_open(882)
>  smbldap_open: cannot access LDAP when not root..
>[2006/02/01 11:33:53, 0] lib/smbldap.c:smbldap_open(882)
>  smbldap_open: cannot access LDAP when not root..
>[2006/02/01 11:33:54, 0] lib/smbldap.c:smbldap_open(882)
>  smbldap_open: cannot access LDAP when not root..
>[2006/02/01 11:33:55, 0] lib/smbldap.c:smbldap_open(882)
>  smbldap_open: cannot access LDAP when not root..
>[2006/02/01 11:33:56, 0] lib/smbldap.c:smbldap_open(882)
>  smbldap_open: cannot access LDAP when not root..
>[2006/02/01 11:33:57, 0] lib/smbldap.c:smbldap_open(882)
>  smbldap_open: cannot access LDAP when not root..
>[2006/02/01 11:33:58, 0] lib/smbldap.c:smbldap_open(882)
>  smbldap_open: cannot access LDAP when not root..
>[2006/02/01 11:33:59, 0] lib/smbldap.c:smbldap_open(882)
>  smbldap_open: cannot access LDAP when not root..
>[2006/02/01 11:34:00, 0] lib/smbldap.c:smbldap_open(882)
>  smbldap_open: cannot access LDAP when not root..
>[2006/02/01 11:34:00, 0] 
>passdb/pdb_ldap.c:ldapsam_search_one_group(1971)
>  ldapsam_search_one_group: Problem during the LDAP search: 
>LDAP error: 
>  (Timed out)
>
>
>LDAP Logs:
>
>
>Feb  1 11:37:30 cygnus_new slapd[30055]: conn=310691 op=62 SRCH 
>base="ou=Group,dc=u4eatech,dc=com" scope=2 deref=0 
>filter="(&(objectClass=sambaGroupMapping)(|(displayName=domain 
>users)(cn=domain users)))"
>Feb  1 11:37:30 cygnus_new slapd[30055]: conn=310691 op=62 SRCH 
>attr=gidNumber sambaSID sambaGroupType sambaSIDList description 
>displayName cn objectClass
>Feb  1 11:37:30 cygnus_new slapd[30055]: conn=310691 op=62 ENTRY 
>dn="cn=Domain Users,ou=Group,dc=u4eatech,dc=com"
>Feb  1 11:37:30 cygnus_new slapd[30055]: conn=310691 op=62 SEARCH 
>RESULT tag=101 err=0 nentries=1 text>Feb  1 11:37:30 cygnus_new
slapd[8490]: conn=310691 op=63 SRCH
>base="ou=Group,dc=u4eatech,dc=com" scope=2 deref=0 
>filter="(&(objectClass=sambaGroupMapping)(sambaSID=s-1-5-21-204
>4582568-1589646193-1504741369-513))"
>Feb  1 11:37:30 cygnus_new slapd[8490]: conn=310691 op=63 SRCH 
>attr=gidNumber sambaSID sambaGroupType sambaSIDList description 
>displayName cn objectClass
>Feb  1 11:37:30 cygnus_new slapd[8490]: conn=310691 op=63 ENTRY 
>dn="cn=Domain Users,ou=Group,dc=u4eatech,dc=com"
>Feb  1 11:37:30 cygnus_new slapd[8490]: conn=310691 op=63 
>SEARCH RESULT 
>tag=101 err=0 nentries=1 text>Feb  1 11:37:30 cygnus_new slapd[26454]:
conn=310772 op=2 UNBIND
>Feb  1 11:37:30 cygnus_new slapd[26454]: conn=310772 fd=30 closed
>Feb  1 11:37:30 cygnus_new slapd[12571]: conn=310793 fd=30 ACCEPT from 
>IP=172.30.1.22:59861 (IP=0.0.0.0:389)
>Feb  1 11:37:30 cygnus_new slapd[16367]: conn=310793 op=0 BIND 
>dn="cn=manager,dc=u4eatech,dc=com" method=128
>Feb  1 11:37:30 cygnus_new slapd[16367]: conn=310793 op=0 BIND 
>dn="cn=manager,dc=u4eatech,dc=com" mech=SIMPLE ssf=0
>Feb  1 11:37:30 cygnus_new slapd[16367]: conn=310793 op=0 
>RESULT tag=97 
>err=0 text>Feb  1 11:37:30 cygnus_new slapd[2070]: conn=310793 op=1 SRCH 
>base="ou=Group,dc=u4eatech,dc=com" scope=1 deref=0 
>filter="(&(objectClass=posixGroup)(gidNumber=513))"
>Feb  1 11:37:30 cygnus_new slapd[2070]: conn=310793 op=1 SRCH attr=cn 
>userPassword memberUid uniqueMember gidNumber
>Feb  1 11:37:30 cygnus_new slapd[2070]: conn=310793 op=1 ENTRY 
>dn="cn=Domain Users,ou=Group,dc=u4eatech,dc=com"
>Feb  1 11:37:30 cygnus_new slapd[2070]: conn=310793 op=1 SEARCH RESULT 
>tag=101 err=0 nentries=1 text>Feb  1 11:37:30 cygnus_new slapd[2069]:
conn=310691 op=64 SRCH
>base="ou=Group,dc=u4eatech,dc=com" scope=2 deref=0 
>filter="(&(objectClass=sambaGroupMapping)(sambaSID=s-1-5-21-204
>4582568-1589646193-1504741369-513))"
>Feb  1 11:37:30 cygnus_new slapd[2069]: conn=310691 op=64 SRCH 
>attr=gidNumber sambaSID sambaGroupType sambaSIDList description 
>displayName cn objectClass
>Feb  1 11:37:30 cygnus_new slapd[2069]: conn=310691 op=64 ENTRY 
>dn="cn=Domain Users,ou=Group,dc=u4eatech,dc=com"
>Feb  1 11:37:30 cygnus_new slapd[2069]: conn=310691 op=64 
>SEARCH RESULT 
>tag=101 err=0 nentries=1 text>Feb  1 11:37:30 cygnus_new slapd[12628]:
conn=310793 op=2 UNBIND
>
>
>
>
>-- 
>To unsubscribe from this list go to the following URL and read the
>instructions:  https://lists.samba.org/mailman/listinfo/samba
>

> check the rights on
>
> libnss-ldap
> libpam-ldap
> set it to 644
I've checked; they were already fine.


The problem I'm having seems to be the same as:

https://bugzilla.samba.org/show_bug.cgi?id=3047


I've upgraded the version of Samba to 3.0.20b and confirmed that the 
new version does indeed have the patch listed in the bug report 
applied, which it does.  Unfortunately the problem persists.

>> check the rights on
>>
>> libnss-ldap
>> libpam-ldap
>> set it to 644
>
> I've upgraded the version of Samba to 3.0.20b and confirmed that the 
> new version does indeed have the patch listed in the bug report 
> applied, which it does.  Unfortunately the problem persists.

My mistake -  While the problem does persist, the error message from 
User Manager is different.  It reads:


"The following error occurred changing the properties of the global 
group Domain Users:

The user name could not be found."

Level 10 log at:

http://www.u4eatech.com/samba_log.txt

hi!

my new samba server is running as pdc with samba3.0.21b and 
ldap.everythink worked well but one thing will not work. i would like to 
add a group or a user with the windowstool usermanager; if i try to add 
a new group, it tells me "access denied". the logfile show the
following:

[2006/02/02 12:56:20, 0] lib/smbldap.c:smbldap_open(922)
  smbldap_open: cannot access LDAP when not root..

i searched a while in the internet but didn't find a solution!

i hope someone can help me!

thanks in advance

andreas

Hi Andreas,

If you are wanting to use srvtools.exe you need to logon to the domain as 
user root; then you have the permissions to modify.

Adrian.

>From: Andreas Fladischer <andreas.fladischer@ecofinance.com>
>To: samba@lists.samba.org
>Subject: [Samba] smbldap_open: cannot access LDAP when not root
>Date: Thu, 02 Feb 2006 13:09:37 +0100
>hi!
>
>my new samba server is running as pdc with samba3.0.21b and ldap.everythink 
>worked well but one thing will not work. i would like to add a group or a 
>user with the windowstool usermanager; if i try to add a new group, it 
>tells me "access denied". the logfile show the following:
>
>[2006/02/02 12:56:20, 0] lib/smbldap.c:smbldap_open(922)
>  smbldap_open: cannot access LDAP when not root..
>
>i searched a while in the internet but didn't find a solution!
>
>i hope someone can help me!
>
>thanks in advance
>
>andreas
>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

adrian sender wrote:
> Hi Andreas,
> 
> If you are wanting to use srvtools.exe you need to logon to the domain
> as user root; then you have the permissions to modify.
Better to assign privileges.




cheers, jerry

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFD43OqIR7qMdg1EfYRAqHvAJ0fpNj4s8sN1GhhBFGfwPsG4fRtFQCfeCtY
spBKg7w73sWTeC87uTmOugo=cBuV
-----END PGP SIGNATURE-----