On Sunday 25 April 2004 12:18, Petter Reinholdtsen wrote:
>
> I'm told that samba needs to register new machines into the "domain"
> before they are given access. I believe it is best to store such
> machine info in LDAP, as we want to handle several samba servers in a
> school. It should be enough to register the machine once in the
> school, and it should then get access to all samba servers.
>
> But I do not want the samba servers to have write access to the LDAP server
> "on their own", i.e. without an administrator providing his LDAP admin
> password to approve the LDAP update. This means that the LDAP access
> password should not be part of the samba configuration stored on disk,
> but it should be provided by an LDAP admin every time a new machine is
> to be added to the "domain".

I think this will be difficult due to the way Samba works. The way I understand it is that Samba requires someone with administrator privileges to add a machine to a domain. This will keep "everyone" from having indirect access to LDAP. However, it means that Samba will need to have full write access to the LDAP tree it uses.

> The reason for this is that it should be
> possible to outsource the administration of the LDAP server, and I
> believe it is unlikely that a third party administrating the LDAP
> server will allow LDAP write access directly from machines outside
> their control.

They will have to, I think. There is some good news though:

- The LDAP account that Samba uses does not need overall write access to LDAP
- The machine accounts can be stored in a separate tree from e.g. users
- By using ACLs we can put fine-grained limits on what the Samba LDAP account can do, while allowing what he must be able to do

All this is only relevant for Samba 3 though, IIRC. In 2.2 a machine account is almost the same as a regular user account, so the second point in my list won't apply.

--
Eivind Trondsen          Tlf: +47 23 89 71 85
LinuxLabs AS             Mob: +47 928 40 009
------- http://www.linuxlabs.no -------
---- Operations - Monitoring - Consulting ----
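As an added illustration of the three points in the reply above (this is example configuration written for this page, not something posted in the thread or shipped by Samba or OpenLDAP), here is an OpenLDAP slapd.conf ACL fragment that confines the Samba 3 bind account to a separate machine-account subtree plus the handful of attributes it has to write. All DNs, the suffix, the domain name and the service-account name are assumed placeholders; the claim that the RID/ID allocation counters live on the sambaDomain entry is also an assumption and should be checked against the schema in use.

```conf
# Added example (not from this thread): slapd.conf ACLs limiting the
# account named in Samba's "ldap admin dn" to what it must be able to do.
# Assumed placeholder DNs:
#   dc=example,dc=org                          directory suffix
#   ou=Machines,dc=example,dc=org              machine (workstation trust) accounts
#   ou=People,dc=example,dc=org                user accounts
#   cn=samba,ou=Services,dc=example,dc=org     the Samba service bind account
#   sambaDomainName=EXAMPLE,dc=example,dc=org  the sambaDomain entry
# OpenLDAP evaluates "access to" clauses in order; the first clause whose
# target matches decides, so the specific rules must precede "access to *".

# 1. Password hashes: only the Samba account may read or replace them,
#    nobody else may even see the attributes.
access to attrs=sambaLMPassword,sambaNTPassword
    by dn.exact="cn=samba,ou=Services,dc=example,dc=org" write
    by * none

# 2. Per-account bookkeeping Samba updates during logons and password
#    changes; readable by others, writable only by the Samba account.
access to attrs=sambaPwdLastSet,sambaPwdCanChange,sambaPwdMustChange,sambaBadPasswordCount,sambaBadPasswordTime,sambaLogonTime,sambaLogoffTime
    by dn.exact="cn=samba,ou=Services,dc=example,dc=org" write
    by * read

# 3. Machine accounts live in their own subtree (the reply's second
#    point). Full write here lets Samba add, modify and delete entries:
#    dn.subtree also covers the "entry" and "children" pseudo-attributes
#    that OpenLDAP requires for creating a child entry.
access to dn.subtree="ou=Machines,dc=example,dc=org"
    by dn.exact="cn=samba,ou=Services,dc=example,dc=org" write
    by * read

# 4. Assumption: the domain entry carries the next-RID / ID-pool counters
#    that Samba increments when it allocates a new account.
access to dn.exact="sambaDomainName=EXAMPLE,dc=example,dc=org"
    by dn.exact="cn=samba,ou=Services,dc=example,dc=org" write
    by * read

# 5. Users: Samba only needs to read them apart from the attributes
#    granted above; creating or deleting people stays with the human
#    administrator's own credentials, not with the service account.
access to dn.subtree="ou=People,dc=example,dc=org"
    by dn.exact="cn=samba,ou=Services,dc=example,dc=org" read
    by * read

# 6. Everything else in the tree: no write access for anybody through
#    this path, so the Samba account cannot reach outside its lanes.
access to *
    by * read
```

With this layout a compromise of the Samba host yields an account that can create machine entries and update logon bookkeeping, but cannot add users, change group membership, or touch anything outside the listed subtrees, which is the "fine-grained limits" point made above. Two practical checks: verify each grant with `ldapmodify` bound as the service account before rolling it out (a missing "children" grant on the parent shows up as "insufficient access" on the first machine join), and remember that Samba 3 keeps the bind password in secrets.tdb (set with `smbpasswd -w`) rather than in smb.conf, so the password is still stored on the Samba server's disk and the ACL scope, not the password's location, is what bounds the damage.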

