[*update*] I've modified the sssd config to use Administrator as the default principal, and I've also done a "*kinit Administrator*"... and now I'm able to add and modify group and user attributes... seems like I need to either delegate this to a specific user or keep the "administrator does all" config
One question though: I _was_ able to create/delete users and groups and also add users to and delete them from a group... (with the DC computer account as default principal). Why then doesn't this work with the attribute stuff? (Last but not least: I *really* need to look into these things called "principals"... I honestly don't know what I'm playing with here, and I'm kinda ashamed to do so.. so next days I'll be reading up :)

Michael

2013/5/20 Michael De Groote <[email protected]>

> Hi all
>
> *Context:*
> I'm trying to use the s4bind scripts (
> http://linuxcostablanca.blogspot.com.es/p/s4bind.html)
>
> k5start is running
>
> So far, I've succeeded in
> * modifying (posixifying) the built-in "Domain Users"
> * adding a user to this group and I can login with this user (ssh), create
> files that are correctly owned, etc... The user also shows up correctly in
> ADUC.
> * retrieving user and group info (for user added in AD, and not existing
> locally) via getent
>
> *Problem:*
> I've added a new group
> *samba-tool group add Leerkrachten*
> Then I tried posixifying the group (as I did with the builtin group
> "Domain Users")
> *s4bind upgradegroup Leerkrachten 30000*
> This however gives me
>
> ERR: (insufficient access rights) "LDAP error 50
> LDAP_INSUFFICIENT_ACCESS_RIGHTS - <00002098: Object
> cn=Leerkrachten,cn=Users,DC=stp4,DC=stp,DC=internal has no write property
> access
> <>" on DN cn=Leerkrachten,cn=Users,DC=stp4,DC=stp,DC=internal at block
> before line 7
> Modify failed after processing 0 records
>
> It seems that there is no write access to "self" (I seem to remember
> something from my old openldap setup that is in place on the old samba3
> domain) that specified things about "access to blablable by self write". Is
> there something in the directory component of s4 like this too? And how to
> specify it? Is there a way to list ACLs on directory objects?
>
> *Extra info*
> The s4bind script does the following:
> 1. creates a file (*/tmp/group*) with the following content:
> *dn: cn=Leerkrachten,cn=Users,DC=stp4,DC=stp,DC=internal
> changetype: modify
> add: objectClass
> objectClass: posixGroup
> -
> add: gidNumber
> gidNumber: 30000*
>
> It then runs the following command
> *ldbmodify --url=ldap://samba4-3.stp4.stp.internal --kerberos=yes
> --krb5-ccache=FILE:/tmp/krb5cc_0 /tmp/group*
>
> klist shows the following:
>
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: [email protected]
>
> Valid starting     Expires            Service principal
> 05/20/13 09:34:48  05/20/13 19:34:48  krbtgt/[email protected]
> 05/20/13 10:37:42  05/20/13 19:34:48  ldap/[email protected]
>
> thanks in advance !
>
> --
> Michael De Groote
> ICT-coordinator Sint-Pietersschool Korbeek-Lo
> ICT-support Sancta Maria Basisschool Leuven

--
Michael De Groote
ICT-coordinator Sint-Pietersschool Korbeek-Lo
ICT-support Sancta Maria Basisschool Leuven
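The quoted message describes two pieces that a script like s4bind glues together: the LDIF "modify" record that adds `objectClass: posixGroup` and a `gidNumber` to the group, and an `ldbmodify` call that authenticates with whatever principal the Kerberos credential cache currently holds. The access error in the thread came from the credential cache holding the DC's computer-account principal, which had no write-property rights on the new group object. The Python below is an added example, not code from the thread or from the s4bind scripts: it builds that LDIF record, parses `klist` output for the default principal, and refuses to plan the modify unless the principal is one explicitly delegated for the job. The sample `klist` text, the machine-account principal name `SAMBA4-3$@STP4.STP.INTERNAL`, the realm, and the `allowed` set are constructed assumptions (the real principal is redacted in the mail).

```python
"""Added example (not part of the thread or of the s4bind scripts): build the
LDIF 'posixify group' change that s4bind writes, and check which Kerberos
principal the credential cache holds before running the privileged modify.

Assumptions: the klist output format is the one quoted in the mail; the
ldbmodify command line is the one s4bind runs; the machine-account principal,
the realm and the allowed set are constructed here, not taken from the mail."""

import re

# Constructed sample klist output, modelled on the one quoted in the thread.
SAMPLE_KLIST = """Ticket cache: FILE:/tmp/krb5cc_0
Default principal: SAMBA4-3$@STP4.STP.INTERNAL

Valid starting     Expires            Service principal
05/20/13 09:34:48  05/20/13 19:34:48  krbtgt/STP4.STP.INTERNAL@STP4.STP.INTERNAL
05/20/13 10:37:42  05/20/13 19:34:48  ldap/samba4-3.stp4.stp.internal@STP4.STP.INTERNAL
"""


def default_principal(klist_output: str) -> str:
    """Return the 'Default principal' value from klist output, or '' if absent."""
    m = re.search(r"^Default principal:\s*(\S+)", klist_output, re.MULTILINE)
    return m.group(1) if m else ""


def is_machine_account(principal: str) -> bool:
    """AD computer accounts are named with a trailing '$' (e.g. HOST$@REALM)."""
    user = principal.split("@", 1)[0]
    return user.endswith("$")


def posixify_group_ldif(dn: str, gid: int) -> str:
    """LDIF 'changetype: modify' record that adds objectClass posixGroup and a
    gidNumber: the same change s4bind upgradegroup writes to /tmp/group.
    Separate changes inside one modify record are delimited by a '-' line."""
    if gid <= 0:
        raise ValueError("gidNumber must be a positive integer")
    return (
        f"dn: {dn}\n"
        "changetype: modify\n"
        "add: objectClass\n"
        "objectClass: posixGroup\n"
        "-\n"
        "add: gidNumber\n"
        f"gidNumber: {gid}\n"
    )


def ldbmodify_argv(url: str, ccache: str, ldif_path: str) -> list:
    """argv for the ldbmodify invocation quoted in the thread (Kerberos auth
    from an explicit credential cache)."""
    return ["ldbmodify", f"--url={url}", "--kerberos=yes",
            f"--krb5-ccache={ccache}", ldif_path]


def plan_change(klist_output: str, dn: str, gid: int, allowed: set) -> dict:
    """Decide whether the modify should run. 'allowed' is the set of principals
    delegated write access to the group attributes (assumption: the thread
    suggests delegating to a specific user rather than running as Administrator).
    Refuses when the cache is empty or holds a principal outside that set, so
    the LDAP_INSUFFICIENT_ACCESS_RIGHTS failure is caught before any bind."""
    principal = default_principal(klist_output)
    ok = principal != "" and principal in allowed
    return {
        "principal": principal,
        "machine_account": is_machine_account(principal),
        "run": ok,
        "ldif": posixify_group_ldif(dn, gid) if ok else "",
    }


if __name__ == "__main__":
    group_dn = "cn=Leerkrachten,cn=Users,DC=stp4,DC=stp,DC=internal"
    # With the machine account in the cache and only a delegated user allowed,
    # the plan refuses to run, which is the situation reported in the thread.
    print(plan_change(SAMPLE_KLIST, group_dn, 30000,
                      {"posix-admin@STP4.STP.INTERNAL"}))
    print(ldbmodify_argv("ldap://samba4-3.stp4.stp.internal",
                         "FILE:/tmp/krb5cc_0", "/tmp/group"))
```

The point of `plan_change` is least privilege: rather than switching the whole SSSD/k5start setup to Administrator, keep a dedicated principal in the `allowed` set that has been delegated write access to the attributes in question, and let the tooling fail closed when some other identity (such as the DC's machine account) happens to be in the credential cache.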
