This is a discussion on Re: [Samba] PDC + LDAP, cannot access LDAP when not root (SOLVED) within the Samba forums, part of the Networking and Network Related category.
On Tue, 2005-09-27 at 16:34 -0400, David Clymer wrote:

> I'm using Debian Sarge, Samba (3.1.14a) with the ldapsam backend, and
> OpenLDAP (2.2.23).
>
> When attempting to join a Windows XP+SP2 computer (BILLGATES) to my
> domain (WORKGROUP), using the Administrator account, I am told by
> windows: 'Access denied.'
>
> The logs (attached) seem to indicate that the user Administrator is
> being authenticated (which would have to use LDAP), but when it goes to
> add the computer to the domain, it fails. Apparently because samba is
> unable to access LDAP:
>
>     smbldap_open: cannot access LDAP when not root..
>
> nobody and Administrator are the only users on the domain.
>
> An interesting phenomenon that I've observed (perhaps it is related?):
>
>     testbox:/etc/samba# pdbedit -L
>     Administrator:998:Administrator
>     nobody:65534:nobody
>     testbox:/etc/samba# net -U Administrator rpc group members 'Domain Computers'
>     Password:
>     WORKGROUP\BILLGATES$
>     testbox:/etc/samba# net -U Administrator rpc group members 'Domain Admins'
>     Password:
>     WORKGROUP\Administrator
>     testbox:/etc/samba# net -U Administrator rpc group members 'Administrators'
>     Password:
>     [2005/09/27 16:05:11, 0] rpc_client/cli_pipe.c:rpc_api_pipe(435)
>       cli_pipe: return critical error. Error was Call timed out: server did not respond after 10000 milliseconds
>     Couldn't list alias members
>
> I don't understand why Administrators group listing fails, while the
> others don't.
>
> Google searches yielded a bunch of similar problems for early versions
> of samba 3.0, related to modification of user groups. However that bug
> was supposedly fixed, and I've seen no reports of it occurring in later
> versions. There are no open bugs, that I could find, related to this on
> bugzilla.samba.org.
>
> Is there any type of (mis)configuration that could result in the same
> sort of symptom?
>
> attached is my smb.conf, smbldap.conf, and my samba log output (debug
> level=4)
>
> I would be very grateful for any ideas, FMs to R, magic wands, etc. that
> anyone might have to offer.

The FM to (re)R was the smb.conf man page ;o)

The solution: add this to smb.conf:

    enable privileges = yes

This allows you to grant special privileges to users (see man smb.conf for more detail).

Reload the samba config:

    $ smbcontrol smbd reload-config

and grant the necessary rights to Administrator:

    $ net -U Administrator rpc rights list
    SeMachineAccountPrivilege  Add machines to domain
    SePrintOperatorPrivilege   Manage printers
    SeAddUsersPrivilege        Add users and groups to the domain
    SeRemoteShutdownPrivilege  Force shutdown from a remote system
    SeDiskOperatorPrivilege    Manage disk shares
    $ net -U Administrator rpc rights list Administrator
    $ net -U Administrator rpc rights grant Administrator SeMachineAccountPrivilege
    Successfully granted rights.

Now one can add machines to the domain. Better yet, the administrator account does _not_ have to have a uid of 0!

-davidc

--
Under-Achievers Anonymous has an 11-step program.

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
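A small audit helper for the fix described in the post above, added here as an example (it is not code from the thread or from Samba): it checks whether "enable privileges" is switched on in the [global] section of an smb.conf, and reads the per-account output of "net rpc rights list <account>" to decide whether SeMachineAccountPrivilege still has to be granted, so the grant step can be re-run without side effects. The smb.conf fragments are constructed, and the rights-list format (one privilege name per line, empty when none) is an assumption based on the empty listing shown in the post.

```shell
#!/bin/sh
# Two constructed smb.conf fragments (not the poster's files): one with the
# privilege model switched on, one with it left at the default (off).
SAMPLE_CONF=$(mktemp); NOPRIV_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF" "$NOPRIV_CONF"' EXIT
cat >"$SAMPLE_CONF" <<'EOF'
[global]
   workgroup = WORKGROUP
   passdb backend = ldapsam:ldap://127.0.0.1/
   Enable Privileges = Yes
[homes]
   read only = no
EOF
cat >"$NOPRIV_CONF" <<'EOF'
[global]
   workgroup = WORKGROUP
   # enable privileges = yes   (commented out, so still disabled)
EOF
# Exit 0 when "enable privileges" is yes/true/1 inside [global].
# Key and value are matched case-insensitively; ';' and '#' comment lines are skipped.
privileges_enabled() {
    awk '
        /^[ \t]*[;#]/ { next }
        /^[ \t]*\[/   { in_global = (tolower($0) ~ /^[ \t]*\[global\]/); next }
        in_global && tolower($0) ~ /^[ \t]*enable[ \t]*privileges[ \t]*=[ \t]*(yes|true|1)[ \t]*$/ { found = 1 }
        END { exit (found ? 0 : 1) }' "$1"
}

# Read `net rpc rights list <account>` output on stdin (assumed format: one
# privilege name per line, nothing at all when none) and exit 0 if $1 is listed.
has_privilege() {
    grep -qx "$1"
}

# Idempotent helper: with the current rights list on stdin, print the grant
# command only if account $2 still lacks privilege $3 ($1 is the admin for -U).
grant_if_missing() {
    if has_privilege "$3"; then
        echo "already granted: $2 $3"
    else
        echo "net -U $1 rpc rights grant '$2' $3"
    fi
}

# Stand-alone demo on the constructed data.
privileges_enabled "$SAMPLE_CONF" && echo "sample conf: privileges enabled"
privileges_enabled "$NOPRIV_CONF" || echo "noprivs conf: privileges disabled"
printf '' | grant_if_missing Administrator Administrator SeMachineAccountPrivilege
```

The helper prints the grant command instead of executing it, so the result can be reviewed before anything touches the domain.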