samba - Jun 2011 - Needs to run smbldap-useradd as non-root user

Hello,

The abstract is :
How to run smbldap-useradd (and others) with a non-root user, knowing 
that giving Samba privileges to the user's account is enough.

Now are details :
My setup is FreeBSD-8, samba35, nss_ldap, smbldap-tools... And NO pam_ldap.
I am creating a webservice which must run smbldap-tools scripts. 
Everything is running on a FreeBSD-8, and running fine by root. However, 
my webservices won't have root access, so I logged in with a non-root 
user (#su - testwww) who is in the LDAP directory (added through 
smbldap-useradd -a) and tried smbldap-tools scripts. Here is my issue :

     # smbldap-useradd -a userLambda

fails with the following message :

     "Error: modifications require authentication at 
/usr/local/lib/perl5/site_perl/5.12.3/smbldap_tools.pm line 1200."

OpenLDAP logs :

     Jun 28 08:59:53 openldap slapd[1220]: conn=1098 fd=31 ACCEPT from 
IP=10.1.5.90:24971 (IP=10.1.5.91:389)
     Jun 28 08:59:53 openldap slapd[1220]: conn=1098 op=0 SRCH 
base="dc=my-domain,dc=com" scope=2 deref=2 
filter="(&(objectClass=posixAccount)(uid=userlambda))"
     Jun 28 08:59:53 openldap slapd[1220]: conn=1098 op=0 SEARCH RESULT 
tag=101 err=0 nentries=0 text     Jun 28 08:59:53 openldap slapd[1220]:
conn=1098 op=1 SRCH
base="sambaDomainName=MYDOMAIN,dc=my-domain,dc=com" scope=0 deref=2 
filter="(objectClass=sambaUnixIdPool)"
     Jun 28 08:59:53 openldap slapd[1220]: conn=1098 op=1 SEARCH RESULT 
tag=101 err=0 nentries=1 text     Jun 28 08:59:53 openldap slapd[1220]:
conn=1098 op=2 MOD
dn="sambaDomainName=MYDOMAIN,dc=my-domain,dc=com"
     Jun 28 08:59:53 openldap slapd[1220]: conn=1098 op=2 MOD attr=uidNumber
     Jun 28 08:59:53 openldap slapd[1220]: conn=1098 op=2 RESULT tag=103 
err=8 text=modifications require authentication
     Jun 28 08:59:53 openldap slapd[1220]: conn=1098 fd=31 closed 
(connection lost)

Immediately we see it doesn't BIND (since it says "require 
authentication"). I tested with the user :

     # smbldap-passwd

which works fine... and BIND with its name ("testwww") :

     Jun 28 11:49:29 openldap slapd[1220]: conn=1178 fd=18 ACCEPT from 
IP=10.1.5.90:21258 (IP=10.1.5.91:389)
     Jun 28 11:49:29 openldap slapd[1220]: conn=1178 op=0 BIND 
dn="uid=testwww,ou=Users,dc=my-domain,dc=com" method=128
     Jun 28 11:49:29 openldap slapd[1220]: conn=1178 op=0 BIND 
dn="uid=testwww,ou=Users,dc=my-domain,dc=com" mech=SIMPLE ssf=0
     Jun 28 11:49:29 openldap slapd[1220]: conn=1178 op=0 RESULT tag=97 
err=0 text     [...]

Then I thought I had to gives testwww samba rights to add users, so I 
added testwww my administrators group which has the following rights :

     BUILTIN\Administrators
     SeMachineAccountPrivilege
     SeTakeOwnershipPrivilege
     SeBackupPrivilege
     SeRestorePrivilege
     SeRemoteShutdownPrivilege
     SePrintOperatorPrivilege
     SeAddUsersPrivilege
     SeDiskOperatorPrivilege

Restarted samba, but no way, it still not BIND.

Finally, I started thinking I need pam_ldap, but since I can log in with 
LDAP users and they can BIND with smbldap-passwd, I really doubt it is 
what it misses. To prevent some questions : non-root user can see LDAP 
accounts & group (# getent passwd/group).

Thank you by advance for helping me !

Nathan

On 28 June 2011 14:02, Nathan Mahu <nmahu at cyanide-studio.com>
wrote:
> Hello,
>
> The abstract is :
> How to run smbldap-useradd (and others) with a non-root user, knowing that
> giving Samba privileges to the user's account is enough.
>
> Now are details :
> My setup is FreeBSD-8, samba35, nss_ldap, smbldap-tools... And NO pam_ldap.
> I am creating a webservice which must run smbldap-tools scripts. Everything
> is running on a FreeBSD-8, and running fine by root. However, my
webservices
> won't have root access, so I logged in with a non-root user (#su -
testwww)
> who is in the LDAP directory (added through smbldap-useradd -a) and tried
> smbldap-tools scripts. Here is my issue :
>
> ? ?# smbldap-useradd -a userLambda
>
> fails with the following message :
>
> ? ?"Error: modifications require authentication at
> /usr/local/lib/perl5/site_perl/5.12.3/smbldap_tools.pm line 1200."
>
> OpenLDAP logs :
>
> ? ?Jun 28 08:59:53 openldap slapd[1220]: conn=1098 fd=31 ACCEPT from
> IP=10.1.5.90:24971 (IP=10.1.5.91:389)
> ? ?Jun 28 08:59:53 openldap slapd[1220]: conn=1098 op=0 SRCH
> base="dc=my-domain,dc=com" scope=2 deref=2
> filter="(&(objectClass=posixAccount)(uid=userlambda))"
> ? ?Jun 28 08:59:53 openldap slapd[1220]: conn=1098 op=0 SEARCH RESULT
> tag=101 err=0 nentries=0 text> ? ?Jun 28 08:59:53 openldap slapd[1220]:
conn=1098 op=1 SRCH
> base="sambaDomainName=MYDOMAIN,dc=my-domain,dc=com" scope=0
deref=2
> filter="(objectClass=sambaUnixIdPool)"
> ? ?Jun 28 08:59:53 openldap slapd[1220]: conn=1098 op=1 SEARCH RESULT
> tag=101 err=0 nentries=1 text> ? ?Jun 28 08:59:53 openldap slapd[1220]:
conn=1098 op=2 MOD
> dn="sambaDomainName=MYDOMAIN,dc=my-domain,dc=com"
> ? ?Jun 28 08:59:53 openldap slapd[1220]: conn=1098 op=2 MOD attr=uidNumber
> ? ?Jun 28 08:59:53 openldap slapd[1220]: conn=1098 op=2 RESULT tag=103
err=8
> text=modifications require authentication
> ? ?Jun 28 08:59:53 openldap slapd[1220]: conn=1098 fd=31 closed (connection
> lost)
>
> Immediately we see it doesn't BIND (since it says "require
authentication").
> I tested with the user :
I'm no expert so please consider this as me thinking out loud. Do you
have a ACL in the slapd.conf that allows testwww to modify the tree? I
would have thought that you would have required a stanza for that if
you want testwww to modify other elements of the tree.

HTH,
Dermot.

Le 28/06/2011 23:32, Natxo Asenjo a ?crit :
> On Tue, Jun 28, 2011 at 5:29 PM, Nathan Mahu<nmahu at
cyanide-studio.com>  wrote:
>
>> Finally, is smbldap-tools really intended to be used by non-root
users...?
> you could use sudo ...
>
Well, I choosed this, it worked... Thank for your help.