Hello,
The abstract is :
How to run smbldap-useradd (and others) with a non-root user, knowing
that giving Samba privileges to the user's account is enough.
Now are details :
My setup is FreeBSD-8, samba35, nss_ldap, smbldap-tools... And NO pam_ldap.
I am creating a webservice which must run smbldap-tools scripts.
Everything is running on a FreeBSD-8, and running fine by root. However,
my webservices won't have root access, so I logged in with a non-root
user (#su - testwww) who is in the LDAP directory (added through
smbldap-useradd -a) and tried smbldap-tools scripts. Here is my issue :
# smbldap-useradd -a userLambda
fails with the following message :
"Error: modifications require authentication at
/usr/local/lib/perl5/site_perl/5.12.3/smbldap_tools.pm line 1200."
OpenLDAP logs :
Jun 28 08:59:53 openldap slapd[1220]: conn=1098 fd=31 ACCEPT from
IP=10.1.5.90:24971 (IP=10.1.5.91:389)
Jun 28 08:59:53 openldap slapd[1220]: conn=1098 op=0 SRCH
base="dc=my-domain,dc=com" scope=2 deref=2
filter="(&(objectClass=posixAccount)(uid=userlambda))"
Jun 28 08:59:53 openldap slapd[1220]: conn=1098 op=0 SEARCH RESULT
tag=101 err=0 nentries=0 text Jun 28 08:59:53 openldap slapd[1220]:
conn=1098 op=1 SRCH
base="sambaDomainName=MYDOMAIN,dc=my-domain,dc=com" scope=0 deref=2
filter="(objectClass=sambaUnixIdPool)"
Jun 28 08:59:53 openldap slapd[1220]: conn=1098 op=1 SEARCH RESULT
tag=101 err=0 nentries=1 text Jun 28 08:59:53 openldap slapd[1220]:
conn=1098 op=2 MOD
dn="sambaDomainName=MYDOMAIN,dc=my-domain,dc=com"
Jun 28 08:59:53 openldap slapd[1220]: conn=1098 op=2 MOD attr=uidNumber
Jun 28 08:59:53 openldap slapd[1220]: conn=1098 op=2 RESULT tag=103
err=8 text=modifications require authentication
Jun 28 08:59:53 openldap slapd[1220]: conn=1098 fd=31 closed
(connection lost)
Immediately we see it doesn't BIND (since it says "require
authentication"). I tested with the user :
# smbldap-passwd
which works fine... and BIND with its name ("testwww") :
Jun 28 11:49:29 openldap slapd[1220]: conn=1178 fd=18 ACCEPT from
IP=10.1.5.90:21258 (IP=10.1.5.91:389)
Jun 28 11:49:29 openldap slapd[1220]: conn=1178 op=0 BIND
dn="uid=testwww,ou=Users,dc=my-domain,dc=com" method=128
Jun 28 11:49:29 openldap slapd[1220]: conn=1178 op=0 BIND
dn="uid=testwww,ou=Users,dc=my-domain,dc=com" mech=SIMPLE ssf=0
Jun 28 11:49:29 openldap slapd[1220]: conn=1178 op=0 RESULT tag=97
err=0 text [...]
Then I thought I had to gives testwww samba rights to add users, so I
added testwww my administrators group which has the following rights :
BUILTIN\Administrators
SeMachineAccountPrivilege
SeTakeOwnershipPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeRemoteShutdownPrivilege
SePrintOperatorPrivilege
SeAddUsersPrivilege
SeDiskOperatorPrivilege
Restarted samba, but no way, it still not BIND.
Finally, I started thinking I need pam_ldap, but since I can log in with
LDAP users and they can BIND with smbldap-passwd, I really doubt it is
what it misses. To prevent some questions : non-root user can see LDAP
accounts & group (# getent passwd/group).
Thank you by advance for helping me !
Nathan