Michael De Groote
2013-May-20 09:36 UTC
[Samba] [Samba4] modifying attributes: no write access to self
Hi all

Context:
I'm trying to use the s4bind scripts (http://linuxcostablanca.blogspot.com.es/p/s4bind.html). k5start is running.

So far, I've succeeded in
* modifying (posixifying) the built-in "Domain Users"
* adding a user to this group, and I can log in with this user (ssh), create files that are correctly owned, etc... The user also shows up correctly in ADUC.
* retrieving user and group info (for a user added in AD and not existing locally) via getent

Problem:
I added a new group:

    samba-tool group add Leerkrachten

Then I tried posixifying the group (as I did with the built-in group "Domain Users"):

    s4bind upgradegroup Leerkrachten 30000

This however gives me:

    ERR: (insufficient access rights) "LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS - <00002098: Object cn=Leerkrachten,cn=Users,DC=stp4,DC=stp,DC=internal has no write property access> <>" on DN cn=Leerkrachten,cn=Users,DC=stp4,DC=stp,DC=internal at block before line 7
    Modify failed after processing 0 records

It seems that there is no write access to "self" (I seem to remember something from my old openldap setup, which is in place on the old samba3 domain, that specified things about "access to blablable by self write"). Is there something in the directory component of s4 like this too? And how to specify it? Is there a way to list acls on directory objects?

Extra info
The s4bind script does the following:
1. creates a file (/tmp/group) with the following content:

    dn: cn=Leerkrachten,cn=Users,DC=stp4,DC=stp,DC=internal
    changetype: modify
    add: objectClass
    objectClass: posixGroup
    -
    add: gidNumber
    gidNumber: 30000

It then runs the following command:

    ldbmodify --url=ldap://samba4-3.stp4.stp.internal --kerberos=yes --krb5-ccache=FILE:/tmp/krb5cc_0 /tmp/group

klist shows the following:

    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: SAMBA4-3$@STP4.STP.INTERNAL

    Valid starting       Expires              Service principal
    05/20/13 09:34:48    05/20/13 19:34:48    krbtgt/STP4.STP.INTERNAL@STP4.STP.INTERNAL
    05/20/13 10:37:42    05/20/13 19:34:48    ldap/samba4-3.stp4.stp.internal@STP4.STP.INTERNAL

Thanks in advance!

-- 
Michael De Groote
ICT-coordinator Sint-Pietersschool Korbeek-Lo
ICT-support Sancta Maria Basisschool Leuven
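As an added example (not code from s4bind, Samba or the poster), the helpers below reproduce the two pieces of the procedure in the post that a practitioner would want to check before retrying: the `changetype: modify` LDIF record that s4bind writes to `/tmp/group`, and a classifier for the ldbmodify error text that tells an ACL failure (LDAP result 50, NT status 00002098 in the quoted output) apart from a malformed change. A third helper reads the `klist` output and reports whether the credential cache holds a computer account (name ending in `$`), which is the identity the directory's ACL check is made against. The sample error and klist text are constructed here from the output quoted above; the accepted gidNumber range is an assumed policy, not a Samba rule.

```python
"""LDIF builder and ldbmodify error classifier for the s4bind 'upgradegroup' step.
Added example; not part of s4bind or Samba."""
import re
from typing import Optional

# Constructed sample, same shape as the error quoted in the post.
SAMPLE_ERROR = (
    'ERR: (insufficient access rights) "LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS'
    ' - <00002098: Object cn=Leerkrachten,cn=Users,DC=stp4,DC=stp,DC=internal'
    ' has no write property access> <>" on DN'
    ' cn=Leerkrachten,cn=Users,DC=stp4,DC=stp,DC=internal at block before line 7\n'
    'Modify failed after processing 0 records\n'
)

# Constructed sample, same shape as the klist output in the post.
SAMPLE_KLIST = (
    "Ticket cache: FILE:/tmp/krb5cc_0\n"
    "Default principal: SAMBA4-3$@STP4.STP.INTERNAL\n"
)


def build_posix_group_ldif(group_dn: str, gid: int) -> str:
    """Return the 'changetype: modify' record that adds posixGroup and gidNumber.

    Layout matches /tmp/group in the post: one change list per attribute,
    separated by a line holding a single '-'.
    """
    if not group_dn.lower().startswith("cn="):
        raise ValueError("group DN must start with cn=")
    # Assumed policy range for delegated POSIX groups: keep clear of the
    # local system/reserved range and of the 32-bit wrap (not a Samba rule).
    if not 1000 <= gid < 2**31:
        raise ValueError(f"gidNumber {gid} outside the accepted range")
    return "\n".join([
        f"dn: {group_dn}",
        "changetype: modify",
        "add: objectClass",
        "objectClass: posixGroup",
        "-",
        "add: gidNumber",
        f"gidNumber: {gid}",
        "",
    ])


# Shape of the ldb error line: result code, result name, NT status, target DN
# and the right the bound principal lacks.
_LDB_ERR = re.compile(
    r"LDAP error (?P<code>\d+) (?P<name>\w+) - <(?P<nt>[0-9A-Fa-f]{8}): "
    r"Object (?P<dn>.+?) has no (?P<missing>.+?)>"
)

# Result codes meaning "the bound principal lacks rights" rather than
# "the change itself is wrong": 50 = insufficientAccessRights (RFC 4511).
_ACL_CODES = {50}


def classify_ldb_error(text: str) -> Optional[dict]:
    """Extract code, NT status, target DN and missing right from ldbmodify output.

    Returns None when the text carries no ldb error line (e.g. a success message).
    """
    m = _LDB_ERR.search(text)
    if m is None:
        return None
    info = m.groupdict()
    info["code"] = int(info["code"])
    info["is_acl_problem"] = info["code"] in _ACL_CODES
    return info


def principal_is_machine_account(klist_output: str) -> Optional[bool]:
    """True when the cache's default principal is a computer account (ends in '$')."""
    m = re.search(r"^Default principal:\s*(\S+)$", klist_output, re.M)
    if m is None:
        return None
    name = m.group(1).split("@", 1)[0]
    return name.endswith("$")


if __name__ == "__main__":
    dn = "cn=Leerkrachten,cn=Users,DC=stp4,DC=stp,DC=internal"
    print(build_posix_group_ldif(dn, 30000))
    print(classify_ldb_error(SAMPLE_ERROR))
    print("machine account in ccache:", principal_is_machine_account(SAMPLE_KLIST))
```

When `classify_ldb_error` reports `is_acl_problem`, the LDIF is not the thing to fix; the identity in the credential cache is. For the poster's question about listing ACLs on directory objects, `samba-tool dsacl get --objectdn=<DN>` prints the security descriptor of an object as SDDL, which shows which principals hold write-property rights on the group before deciding whether to delegate to a dedicated account rather than binding as Administrator.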
Michael De Groote
2013-May-20 20:32 UTC
[Samba] [Samba4] modifying attributes: no write access to self
[update]
I've modified the sssd config to use Administrator as the default principal, and I've also done a "kinit Administrator"... and now I'm able to add and modify group and user attributes... Seems like I need to either delegate this to a specific user or keep the "administrator does all" config.

One question though: I _was_ able to create/delete users and groups and also add users to and delete them from a group... (with the DC computer account as default principal). Why then doesn't this work with the attribute stuff?

(Last but not least: I really need to look into these things called "principals"... I honestly don't know what I'm playing with here, and I'm kinda ashamed to do so... so next days I'll be reading up :)

Michael

-- 
Michael De Groote
ICT-coordinator Sint-Pietersschool Korbeek-Lo
ICT-support Sancta Maria Basisschool Leuven