Further to my previous message: I've gone over section 8.1 of
http://samba.idealx.org/smbldap-tools.en.html, which shows some working
.conf files, and put back a few things the way I'd previously had them.
The example files use Manager while I use admin is the main thing. I've
kept samba in smb.conf however. Because there is now a samba user in the
LDAP database, this seems to work now.

However, I still can't do smbpasswd -a root. I'm still getting:

semper:/etc/ldap# smbpasswd -a root
New SMB password:
Retype new SMB password:
ldapsam_modify_entry: Failed to add user dn=
uid=root,ou=Users,dc=rahim-dale,dc=org with: Insufficient access
no write access to parent
ldapsam_add_sam_account: failed to modify/add user with uid = root (dn =
uid=root,ou=Users,dc=rahim-dale,dc=org)
Failed to add entry for user root.
Failed to modify password entry for user root

I have a samba-access.conf file that is included in slapd.conf that
combines the 8.2 samba uid stuff with a shorter list from the original
howto I was following. I've attached it in case it helps.


An ldap search gives the following results:
semper:/etc/ldap# ldapsearch -D cn=admin,dc=rahim-dale,dc=org -b
dc=rahim-dale,dc=org -h 127.0.0.1 -x -W ""
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base with scope sub
# filter: (objectclass=*)
# requesting:
#

# rahim-dale.org
dn: dc=rahim-dale,dc=org

# admin, rahim-dale.org
dn: cn=admin,dc=rahim-dale,dc=org

# Users, rahim-dale.org
dn: ou=Users,dc=rahim-dale,dc=org

# Groups, rahim-dale.org
dn: ou=Groups,dc=rahim-dale,dc=org

# Computers, rahim-dale.org
dn: ou=Computers,dc=rahim-dale,dc=org

# Idmap, rahim-dale.org
dn: ou=Idmap,dc=rahim-dale,dc=org

# rahim-dale, rahim-dale.org
dn: sambaDomainName=rahim-dale,dc=rahim-dale,dc=org

# Administrator, Users, rahim-dale.org
dn: uid=Administrator,ou=Users,dc=rahim-dale,dc=org

# nobody, Users, rahim-dale.org
dn: uid=nobody,ou=Users,dc=rahim-dale,dc=org

# Domain Admins, Groups, rahim-dale.org
dn: cn=Domain Admins,ou=Groups,dc=rahim-dale,dc=org

# Domain Users, Groups, rahim-dale.org
dn: cn=Domain Users,ou=Groups,dc=rahim-dale,dc=org

# Domain Guests, Groups, rahim-dale.org
dn: cn=Domain Guests,ou=Groups,dc=rahim-dale,dc=org

# Domain Computers, Groups, rahim-dale.org
dn: cn=Domain Computers,ou=Groups,dc=rahim-dale,dc=org

# Administrators, Groups, rahim-dale.org
dn: cn=Administrators,ou=Groups,dc=rahim-dale,dc=org

# Print Operators, Groups, rahim-dale.org
dn: cn=Print Operators,ou=Groups,dc=rahim-dale,dc=org

# Backup Operators, Groups, rahim-dale.org
dn: cn=Backup Operators,ou=Groups,dc=rahim-dale,dc=org

# Replicators, Groups, rahim-dale.org
dn: cn=Replicators,ou=Groups,dc=rahim-dale,dc=org

# samba, Users, rahim-dale.org
dn: uid=samba,ou=Users,dc=rahim-dale,dc=org

# search result
search: 2
result: 0 Success

# numResponses: 19
# numEntries: 18


Attachment: samba-access.conf

# users can authenticate and change their password
access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange
    by dn="uid=samba,ou=Users,dc=rahim-dale,dc=org" write
    by self write
    by anonymous auth
    by * none
# some attributes need to be readable anonymously so that 'id user' can answer correctly
access to attrs=objectClass,entry,gecos,homeDirectory,uid,uidNumber,gidNumber,cn,memberUid
    by dn="uid=samba,ou=Users,dc=rahim-dale,dc=org" write
    by * read
# some attributes can be writable by users themselves
access to attrs=description,telephoneNumber
    by dn="uid=samba,ou=Users,dc=rahim-dale,dc=org" write
    by self write
    by * read
# some attributes need to be writable for samba
access to attrs=cn,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaLogonTime,sambaLogoffTime,sambaKickoffTime,sambaPwdCanChange,sambaPwdMustChange,sambaAcctFlags,displayName,sambaHomePath,sambaHomeDrive,sambaLogonScript,sambaProfilePath,description,sambaUserWorkstations,sambaPrimaryGroupSID,sambaDomainName,sambaSID,sambaGroupType,sambaNextRid,sambaNextGroupRid,sambaNextUserRid,sambaAlgorithmicRidBase
    by dn="uid=samba,ou=Users,dc=rahim-dale,dc=org" write
    by self read
    by * none
# samba needs to be able to create the samba domain account
access to dn.base="dc=rahim-dale,dc=org"
    by dn="uid=samba,ou=Users,dc=rahim-dale,dc=org" write
    by * none
# samba needs to be able to create new user accounts
access to dn="ou=Users,dc=rahim-dale,dc=org"
    by dn="uid=samba,ou=Users,dc=rahim-dale,dc=org" write
    by * none
# samba needs to be able to create new group accounts
access to dn="ou=Groups,dc=rahim-dale,dc=org"
    by dn="uid=samba,ou=Users,dc=rahim-dale,dc=org" write
    by * none
# samba needs to be able to create new computer accounts
access to dn="ou=Computers,dc=rahim-dale,dc=org"
    by dn="uid=samba,ou=Users,dc=rahim-dale,dc=org" write
    by * none
# this can be omitted but we leave it: there could be other branches
# in the directory
access to *
    by self read
    by * none

access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPWDMustChange
    by dn="cn=admin,dc=rahim-dale,dc=org" write
    by anonymous auth
    by self write
    by * none

access to attrs=loginShell
    by dn="cn=admin,dc=rahim-dale,dc=org" write
    by * none

access to attrs=description,telephoneNumber,roomNumber,homePhone,gecos,cn,sn,givenname
    by dn="cn=admin,dc=rahim-dale,dc=org" write
    by self write
    by * read
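
Added example, not part of the original message or its attachment: slapd applies the first `access to` clause whose target matches, so the order of clauses in an included ACL file decides which rules can ever take effect. This Python sketch lints a condensed, constructed copy of the attached file's clause order and flags clauses shadowed by earlier ones; the names `SAMPLE`, `parse_what` and `shadowed` are illustrative assumptions.

```python
import re

# Constructed sample: condensed copy of the attachment's clause order (DNs from the message).
SAMPLE = '''\
access to attrs=userPassword,sambaNTPassword,sambaLMPassword
    by dn="uid=samba,ou=Users,dc=rahim-dale,dc=org" write
    by * none
access to attrs=cn,sambaLMPassword,sambaNTPassword,sambaSID
    by dn="uid=samba,ou=Users,dc=rahim-dale,dc=org" write
    by * none
access to dn="ou=Users,dc=rahim-dale,dc=org"
    by dn="uid=samba,ou=Users,dc=rahim-dale,dc=org" write
    by * none
access to *
    by self read
    by * none
access to attrs=loginShell
    by dn="cn=admin,dc=rahim-dale,dc=org" write
    by * none
'''

def parse_what(text):
    """Return (what, attrs) per 'access to' directive, in file order."""
    rules = []
    for line in text.splitlines():
        m = re.match(r'access\s+to\s+(.*\S)', line)  # indented 'by' lines never match
        if m:
            a = re.search(r'attrs=(\S+)', m.group(1))
            rules.append((m.group(1), {x.lower() for x in a.group(1).split(',')} if a else None))
    return rules

def shadowed(rules):
    """First matching <what> wins, so a clause is dead for any attribute that an
    earlier clause without a dn/filter scope (or an earlier '*') already covers."""
    report, seen, catch_all = [], set(), False
    for what, attrs in rules:
        if catch_all or (attrs and attrs <= seen):
            status = 'unreachable'
        elif attrs and attrs & seen:
            status = 'partly shadowed: ' + ','.join(sorted(attrs & seen))
        else:
            status = 'reachable'
        report.append((what, status))
        catch_all = catch_all or what == '*'
        if attrs and not re.sub(r'attrs=\S+', '', what).strip():
            seen |= attrs  # unscoped attrs= clause applies to every entry
    return report

print('\n'.join(f'{s:50} access to {w}' for w, s in shadowed(parse_what(SAMPLE))))
```

Run over the full attached file, the same pass marks the three clauses that follow `access to *` as unreachable.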

