Forum Linux.général: OpenLDAP and SAMBA | Insufficient access at /usr/sbin/smbldap-passwd

Posted on 19 Oct. 2007
Hello everyone,

I am trying to configure a SAMBA server whose users are managed by an LDAP directory (in this case OpenLDAP).
I am using:
- openSuse 10.3
- OpenLDAP 2.3.37
- smbldap-tools 0.9.4-3
- nss_ldap 257.2-2
- pam_ldap 184-49

I first did a configuration in which I accessed the directory with the Root DN account. With that config, everything worked perfectly. For obvious security reasons I want to make another config in which I use an account cn=samba,ou=DSA,dc=effata,dc=ch for SAMBA's access to the directory, and another account cn=smbldap-tools,ou=DSA,dc=effata,dc=ch for the smbldap-tools scripts' access to the directory.

I run into a problem when I execute the smbldap-populate script, whose output is below:


smbldap-populate
Populating LDAP directory for domain EFFATA.CH (S-1-5-21-918170500-1583366388-3599232829)
(using builtin directory structure)

entry dc=effata,dc=ch already exist.
entry ou=Users,dc=effata,dc=ch already exist.
entry ou=Groups,dc=effata,dc=ch already exist.
entry ou=Computers,dc=effata,dc=ch already exist.
entry ou=Idmap,dc=effata,dc=ch already exist.
entry uid=root,ou=Users,dc=effata,dc=ch already exist.
entry uid=nobody,ou=Users,dc=effata,dc=ch already exist.
entry cn=Domain Admins,ou=Groups,dc=effata,dc=ch already exist.
entry cn=Domain Users,ou=Groups,dc=effata,dc=ch already exist.
entry cn=Domain Guests,ou=Groups,dc=effata,dc=ch already exist.
entry cn=Domain Computers,ou=Groups,dc=effata,dc=ch already exist.
entry cn=Administrators,ou=Groups,dc=effata,dc=ch already exist.
entry cn=Account Operators,ou=Groups,dc=effata,dc=ch already exist.
entry cn=Print Operators,ou=Groups,dc=effata,dc=ch already exist.
entry cn=Backup Operators,ou=Groups,dc=effata,dc=ch already exist.
entry cn=Replicators,ou=Groups,dc=effata,dc=ch already exist.
entry sambaDomainName=EFFATA.CH,dc=effata,dc=ch already exist. Updating it...

Please provide a password for the domain root:
Changing UNIX and samba passwords for root
New password:
Retype new password:
Failed to modify UNIX password: Insufficient access at /usr/sbin/smbldap-passwd line 285,


So it would seem that the user cn=smbldap-tools,ou=DSA,dc=effata,dc=ch cannot modify UNIX passwords.
I scrupulously followed the tutorial "The Linux Samba-OpenLDAP Howto (Revision: 20060710)". My slapd.conf configuration file is therefore the one below:


# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/yast.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba3.schema
# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org

pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args

# Load dynamic backend modules:
modulepath /usr/lib/openldap/modules
# moduleload back_ldap.la
# moduleload back_meta.la
# moduleload back_monitor.la
# moduleload back_perl.la

# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access to user password
# Allow anonymous users to authenticate
# Allow read access to everything else
# Directives needed to implement policy:

# any user can authenticate and change their own password
access to attrs=userPassword,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaPwdMustChange
by dn="cn=samba,ou=DSA,dc=effata,dc=ch" write
by dn="cn=smbldap-tools,ou=DSA,dc=effata,dc=ch" write
by dn="cn=nssldap,ou=DSA,dc=effata,dc=ch" write
by self write
by anonymous auth
by * none

# some attributes need to be readable anonymously so that "id user" can answer correctly
access to attrs=objectClass,entry,homeDirectory,uid,uidNumber,gidNumber,memberUid
by dn="cn=samba,ou=DSA,dc=effata,dc=ch" write
by dn="cn=smbldap-tools,ou=DSA,dc=effata,dc=ch" write
by * read

# some attributes can be writable by the users themselves
access to attrs=description,telephoneNumber,roomNumber,homePhone,loginShell,gecos,cn,sn,givenname
by dn="cn=samba,ou=DSA,dc=effata,dc=ch" write
by dn="cn=smbldap-tools,ou=DSA,dc=effata,dc=ch" write
by self write
by * read

# some attributes need to be writable for samba
access to attrs=cn,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaLogonTime,sambaLogoffTime,sambaKickoffTime,sambaPwdCanChange,sambaPwdMustChange,sambaAcctFlags,displayName,sambaHomePath,sambaHomeDrive,sambaLogonScript,sambaProfilePath,description,sambaUserWorkstations,sambaPrimaryGroupSID,sambaDomainName,sambaMungedDial,sambaBadPasswordCount,sambaBadPasswordTime,sambaPasswordHistory,sambaLogonHours,sambaSID,sambaSIDList,sambaTrustFlags,sambaGroupType,sambaNextRid,sambaNextGroupRid,sambaNextUserRid,sambaAlgorithmicRidBase,sambaShareName,sambaOptionName,sambaBoolOption,sambaIntegerOption,sambaStringOption,sambaStringListoption
by dn="cn=samba,ou=DSA,dc=effata,dc=ch" write
by dn="cn=smbldap-tools,ou=DSA,dc=effata,dc=ch" write
by self read
by * none

# samba need to be able to create the samba domain account
access to dn.base="dc=effata,dc=ch"
by dn="cn=samba,ou=DSA,dc=effata,dc=ch" write
by dn="cn=smbldap-tools,ou=DSA,dc=effata,dc=ch" write
by * none

# samba need to be able to create new users accounts
access to dn="ou=Users,dc=effata,dc=ch"
by dn="cn=samba,ou=DSA,dc=effata,dc=ch" write
by dn="cn=smbldap-tools,ou=DSA,dc=effata,dc=ch" write
by * none

# samba need to be able to create new groups accounts
access to dn="ou=Groups,dc=effata,dc=ch"
by dn="cn=samba,ou=DSA,dc=effata,dc=ch" write
by dn="cn=smbldap-tools,ou=DSA,dc=effata,dc=ch" write
by * none

# samba need to be able to create new computers accounts
access to dn="ou=Computers,dc=effata,dc=ch"
by dn="cn=samba,ou=DSA,dc=effata,dc=ch" write
by dn="cn=smbldap-tools,ou=DSA,dc=effata,dc=ch" write
by * none

# this can be omitted but we let it stay because there could be other
# branches in the directory
access to *
by self read
by * none

# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

#######################################################################
# BDB database definitions
#######################################################################

loglevel 4095
database bdb
suffix "dc=effata,dc=ch"
rootdn "cn=Manager,dc=effata,dc=ch"
rootpw "{ssha}********"
directory /var/lib/ldap/
checkpoint 1024 5
cachesize 10000
index objectClass,uidNumber,gidNumber eq
index member,mail eq,pres
index cn,displayname,uid,sn,givenname sub,eq,pres
index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq


As you can see, I enabled the LDAP server's logging in order to learn a bit more about the error. Here is an excerpt that seemed interesting to me:


conn=7 op=4 MOD dn="uid=root,ou=Users,dc=effata,dc=ch"
Oct 19 02:34:16 server slapd[18723]: conn=7 op=4 MOD attr=userPassword shadowLastChange shadowMax
Oct 19 02:34:16 server slapd[18723]: bdb_dn2entry("uid=root,ou=users,dc=effata,dc=ch")
Oct 19 02:34:16 server slapd[18723]: bdb_modify: uid=root,ou=Users,dc=effata,dc=ch
Oct 19 02:34:16 server slapd[18723]: bdb_dn2entry("uid=root,ou=users,dc=effata,dc=ch")
Oct 19 02:34:16 server slapd[18723]: bdb_modify_internal: 0x00000006: uid=root,ou=Users,dc=effata,dc=ch
Oct 19 02:34:16 server slapd[18723]: => access_allowed: delete access to "uid=root,ou=Users,dc=effata,dc=ch" "userPassword" requested
Oct 19 02:34:16 server slapd[18723]: => acl_get: [1] attr userPassword
Oct 19 02:34:16 server slapd[18723]: access_allowed: no res from state (userPassword)
Oct 19 02:34:16 server slapd[18723]: => acl_mask: access to entry "uid=root,ou=Users,dc=effata,dc=ch", attr "userPassword" requested
Oct 19 02:34:16 server slapd[18723]: => acl_mask: to all values by "cn=smbldap-tools,ou=dsa,dc=effata,dc=ch", (=0)
Oct 19 02:34:16 server slapd[18723]: <= check a_dn_pat: cn=samba,ou=dsa,dc=effata,dc=ch
Oct 19 02:34:16 server slapd[18723]: <= check a_dn_pat: cn=smbldap-tools,ou=dsa,dc=effata,dc=ch
Oct 19 02:34:16 server slapd[18723]: <= acl_mask: [2] applying write(=wrscxd) (stop)
Oct 19 02:34:16 server slapd[18723]: <= acl_mask: [2] mask: write(=wrscxd)
Oct 19 02:34:16 server slapd[18723]: => access_allowed: delete access granted by write(=wrscxd)
Oct 19 02:34:16 server slapd[18723]: => access_allowed: delete access to "uid=root,ou=Users,dc=effata,dc=ch" "shadowLastChange" requested
Oct 19 02:34:16 server slapd[18723]: => dn: [5] dc=effata,dc=ch
Oct 19 02:34:16 server slapd[18723]: => dn: [6] ou=users,dc=effata,dc=ch
Oct 19 02:34:16 server slapd[18723]: => dn: [7] ou=groups,dc=effata,dc=ch
Oct 19 02:34:16 server slapd[18723]: => dn: [8] ou=computers,dc=effata,dc=ch
Oct 19 02:34:16 server slapd[18723]: => acl_get: [9] attr shadowLastChange
Oct 19 02:34:16 server slapd[18723]: access_allowed: no res from state (shadowLastChange)
Oct 19 02:34:16 server slapd[18723]: => acl_mask: access to entry "uid=root,ou=Users,dc=effata,dc=ch", attr "shadowLastChange" requested
Oct 19 02:34:16 server slapd[18723]: => acl_mask: to all values by "cn=smbldap-tools,ou=dsa,dc=effata,dc=ch", (=0)
Oct 19 02:34:16 server slapd[18723]: <= check a_dn_pat: self
Oct 19 02:34:16 server slapd[18723]: <= check a_dn_pat: *
Oct 19 02:34:16 server slapd[18723]: <= acl_mask: [2] applying none(=0) (stop)
Oct 19 02:34:16 server slapd[18723]: <= acl_mask: [2] mask: none(=0)
Oct 19 02:34:16 server slapd[18723]: => access_allowed: delete access denied by none(=0)
Oct 19 02:34:16 server slapd[18723]: bdb_modify: modify failed (50)
Oct 19 02:34:16 server slapd[18723]: send_ldap_result: conn=7 op=4 p=3
Oct 19 02:34:16 server slapd[18723]: send_ldap_result: err=50 matched="" text=""
Oct 19 02:34:16 server slapd[18723]: send_ldap_response: msgid=5 tag=103 err=50
Oct 19 02:34:16 server slapd[18723]: conn=7 op=4 RESULT tag=103 err=50 text=
Oct 19 02:34:16 server slapd[18723]: daemon: activity on 1 descriptor
Oct 19 02:34:16 server slapd[18723]: daemon: activity on:
Oct 19 02:34:16 server slapd[18723]: 22r


"access_allowed: delete access denied by none(=0)": does this mean that the script did not authenticate as cn=smbldap-tools,ou=DSA,dc=effata,dc=ch?
I have some difficulty interpreting this log file... if someone can help me...

Thanks in advance!
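The log excerpt above records a MOD on uid=root that touches userPassword, shadowLastChange and shadowMax, and the denial comes from the catch-all "access to * ... by * none" clause (the "by" checks tried are only "self" and "*"), not from a failed bind. The Python below is an added example, not part of the original post, that replays the posted ACLs through a simplified model of slapd's first-match evaluation; the FIXED clause is an assumed candidate correction, not taken from the post or the howto.

```python
# Added example: a simplified model of slapd ACL evaluation, enough to replay
# the denied MOD from the log. Real slapd also matches on dn scope, filters and
# values; here the first clause covering the attribute decides, then the first
# matching "by" inside it. A clause is (attr set or None for "access to *", by).

def attr_set(spec):
    """'a,B,c' -> {'a', 'b', 'c'}; attribute names are case-insensitive."""
    return {a.strip().lower() for a in spec.split(",")}

def who_matches(who, bind_dn, entry_dn):
    """Match a 'by <who>' clause: self, anonymous, *, or an explicit DN."""
    if who == "self":
        return bind_dn.lower() == entry_dn.lower()
    if who == "anonymous":
        return bind_dn == ""
    return who == "*" or who.lower() == bind_dn.lower()  # slapd compares normalized DNs

def evaluate(acls, attr, bind_dn, entry_dn):
    """Return the access level bind_dn gets on attr of entry_dn."""
    for attrs, by_clauses in acls:
        if attrs is not None and attr.lower() not in attrs:
            continue
        for who, level in by_clauses:
            if who_matches(who, bind_dn, entry_dn):
                return level
        return "none"          # no 'by' matched: slapd's implicit 'by * none'
    return "none"              # no clause matched: the modification is denied

SMBLDAP = "cn=smbldap-tools,ou=DSA,dc=effata,dc=ch"
SAMBA = "cn=samba,ou=DSA,dc=effata,dc=ch"
NSS = "cn=nssldap,ou=DSA,dc=effata,dc=ch"
ROOT = "uid=root,ou=Users,dc=effata,dc=ch"
MOD = ["userPassword", "shadowLastChange", "shadowMax"]   # attrs in the logged MOD

# The password clause as posted plus the catch-all 'access to *'; the clauses
# in between are omitted because none of them names a shadow* attribute.
POSTED = [
    (attr_set("userPassword,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaPwdMustChange"),
     [(SAMBA, "write"), (SMBLDAP, "write"), (NSS, "write"),
      ("self", "write"), ("anonymous", "auth"), ("*", "none")]),
    (None, [("self", "read"), ("*", "none")]),
]
# Candidate fix (an assumption, not from the post): a clause for the shadow attributes
# smbldap-passwd also writes. Only the tool's DSA gets write; 'self write' on shadowMax
# would let users extend their own password expiry, so users only get read.
FIXED = [(attr_set("shadowLastChange,shadowMax"),
          [(SMBLDAP, "write"), ("self", "read"), ("*", "none")])] + POSTED

def can_modify(acls, bind_dn, entry_dn, wanted):
    """A MOD succeeds only if every attribute it touches is writable."""
    return all(evaluate(acls, a, bind_dn, entry_dn) == "write" for a in wanted)
```

With the posted ACLs, userPassword is writable by the smbldap-tools DN but shadowLastChange and shadowMax fall through to the catch-all, which is exactly the sequence of acl_mask lines in the log.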
