I have a user that is a member of the Administrator group and the Domain Admin group in the LDAP. I use this user to join the domain from a win2k or samba client, but my attempt fails. I found this in my logs:

  [2004/07/30 20:15:24, 5] lib/smbldap.c:smbldap_search(932)
    smbldap_search: base => [o=Lauder,c=hu], filter => [(&(sambaSID=XXXXXX-103242) (objectclass=sambaSamAccount))], scope => [2]
  [2004/07/30 20:15:24, 0] lib/smbldap.c:smbldap_open(820)
    smbldap_open: cannot access LDAP when not root..
  [2004/07/30 20:15:24, 1] lib/smbldap.c:smbldap_retry_open(909)
    Connection to LDAP Server failed for the 1 try!
  [2004/07/30 20:15:24, 0] lib/smbldap.c:smbldap_search_suffix(1126)
    smbldap_search_suffix: Problem during the LDAP search: (Insufficient access)
  [2004/07/30 20:15:24, 5] rpc_parse/parse_prs.c:prs_debug(82)
    000000 samr_io_r_set_userinfo
  [2004/07/30 20:15:24, 5] rpc_parse/parse_prs.c:prs_ntstatus(665)
    0000 status: NT_STATUS_ACCESS_DENIED

I think it is caused by the following code in lib/smbldap.c:

  static int smbldap_open(struct smbldap_state *ldap_state)
  {
      int rc;
      SMB_ASSERT(ldap_state);

  #ifndef NO_LDAP_SECURITY
      /* refuses the LDAP connection unless the process is effectively root */
      if (geteuid() != 0) {
          DEBUG(0, ("smbldap_open: cannot access LDAP when not root..\n"));
          return LDAP_INSUFFICIENT_ACCESS;
      }
  #endif

This is what changed since 2.2. We definitely need some check here, but I am not sure about the right way of doing it. On the other hand I can also see that at some point in the file rpc_server/srv_samr_nt.c some of the pdb_* calls are between become_root()/unbecome_root() calls.
I followed the code path and patched samba to be able to join my domain with a normal (non-root) user, so I added some (un)become_root() calls in the set_user_info_pw() function:

  static BOOL set_user_info_pw(char *pass, DOM_SID *sid)
  {
      SAM_ACCOUNT *pwd = NULL;
      uint32 len;
      pstring plaintext_buf;
      uint16 acct_ctrl;
      BOOL ret;

      pdb_init_sam(&pwd);

      /* look the account up as root so smbldap_open() lets us in */
      become_root();
      ret = pdb_getsampwsid(pwd, sid);
      unbecome_root();

and at the end of the function:

      /* update the SAMBA password */
      become_root();
      ret = pdb_update_sam_account(pwd);
      unbecome_root();

      pdb_free_sam(&pwd);

      return ret;
  }

Now it works, but I am not sure that the pdb_update_sam_account call should be done with this trick. I think a more general solution would be required on the smbldap_open call to check if the user is a member of the DomainAdmin group. I can find the same LDAP insufficient access problem in the _samr_set_userinfo2 code path as well. So adding become_root/unbecome_root to all of the pdb_* calls does not seem to be a nice solution to me. I am not sure if I can rely on the fact that samba runs as root or not. I think especially for large installations using root as the only domain admin does not make sense. I hope my understanding is correct.
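The following is an added, constructed model of the privilege-bracketing pattern discussed in the two comments above; it is not Samba's code and nothing in it runs as root. The `model_*` names, the numeric uids, the single-variable "effective uid", the fixed-size context stack and the `model_token` fields are all assumptions made for the example. Samba's real become_root()/unbecome_root() push and pop a security context and change the process uids; the model keeps only the part that matters for the report: the backend open refuses unless the effective uid is 0, a non-root caller therefore gets ACCESS_DENIED, and bracketing the backend call fixes it only if every become_root() is paired with an unbecome_root(). The third variant models the direction of the 3.0.11 fix mentioned later in the thread (decide on the caller's token, then do the backend work as root); its privilege flag is constructed, not Samba's privilege name.

```c
#include <stdio.h>

/* Added example, not Samba's code: a constructed model of the
 * become_root()/unbecome_root() bracketing around pdb_* calls. */

#define CTX_STACK_MAX 8
#define MODEL_LDAP_SUCCESS 0
/* assumption: stands in for the real LDAP_INSUFFICIENT_ACCESS return code */
#define MODEL_LDAP_INSUFFICIENT_ACCESS 50

/* Constructed state: the smbd child impersonates the connected user, so it
 * normally runs with that user's uid (1000 here), not with root's. */
static unsigned model_euid = 1000;
static unsigned ctx_stack[CTX_STACK_MAX];
static int ctx_depth = 0;

/* Constructed caller token as the RPC layer would see it. */
struct model_token {
    const char *name;
    int is_domain_admin;     /* member of Domain Admins in LDAP */
    int has_user_privilege;  /* constructed stand-in for a granted privilege */
};

const struct model_token MODEL_ADMIN_TOKEN = { "admin", 1, 0 };
const struct model_token MODEL_PLAIN_TOKEN = { "bob", 0, 0 };

void model_reset(unsigned euid) {
    model_euid = euid;
    ctx_depth = 0;
}

/* Save the current euid on the context stack and become root. */
int model_become_root(void) {
    if (ctx_depth >= CTX_STACK_MAX) return -1;   /* runaway nesting */
    ctx_stack[ctx_depth++] = model_euid;
    model_euid = 0;
    return 0;
}

/* Restore the euid saved by the matching model_become_root(). */
int model_unbecome_root(void) {
    if (ctx_depth == 0) return -1;               /* pop without a push */
    model_euid = ctx_stack[--ctx_depth];
    return 0;
}

/* The guard quoted from lib/smbldap.c: it checks the process euid only,
 * never who the RPC caller actually is. */
int model_smbldap_open(void) {
    if (model_euid != 0) return MODEL_LDAP_INSUFFICIENT_ACCESS;
    return MODEL_LDAP_SUCCESS;
}

/* Stand-in for pdb_update_sam_account(): 1 (True) if the backend opened. */
int model_pdb_update_sam_account(void) {
    return model_smbldap_open() == MODEL_LDAP_SUCCESS;
}

/* Unbracketed path: a Domain Admin who is not Unix root is refused by the
 * backend, which is what the NT_STATUS_ACCESS_DENIED in the log reflects. */
int set_user_info_pw_unbracketed(const struct model_token *caller) {
    (void)caller;  /* this path never consults the caller's token */
    return model_pdb_update_sam_account();
}

/* The reporter's patch: raise to root only around the backend call. */
int set_user_info_pw_bracketed(const struct model_token *caller) {
    int ret;
    (void)caller;
    if (model_become_root() != 0) return 0;
    ret = model_pdb_update_sam_account();
    model_unbecome_root();
    return ret;
}

/* Direction of the later privilege-based fix (constructed): authorise on the
 * caller's token first, then do the backend work as root. */
int set_user_info_pw_privileged(const struct model_token *caller) {
    int ret;
    if (!caller->is_domain_admin && !caller->has_user_privilege) return 0;
    if (model_become_root() != 0) return 0;
    ret = model_pdb_update_sam_account();
    model_unbecome_root();
    return ret;
}

/* 1 if a code path returned while still root or with an unbalanced stack,
 * i.e. an unbecome_root() was forgotten somewhere. */
int model_root_leaked(void) {
    return model_euid == 0 || ctx_depth != 0;
}

int main(void) {
    model_reset(1000);
    printf("unbracketed: %d\n", set_user_info_pw_unbracketed(&MODEL_ADMIN_TOKEN));
    printf("bracketed:   %d  (root leaked afterwards: %d)\n",
           set_user_info_pw_bracketed(&MODEL_ADMIN_TOKEN), model_root_leaked());
    printf("privileged, plain user: %d\n",
           set_user_info_pw_privileged(&MODEL_PLAIN_TOKEN));
    return 0;
}
```

Running the model with the euid set to 1000 shows the unbracketed call failing and the bracketed one succeeding with the context restored afterwards; the `model_root_leaked()` check is the thing worth carrying over to real code review, since a bracketed call that returns early between become_root() and unbecome_root() leaves the child running as root for the rest of the request.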
Fixed in 3.0.11 with the implementation of privileges. See http://samba.org/~jerry/Samba-Rights-HOWTO
Sorry for the same, cleaning up the database to prevent unnecessary reopens of bugs.