Hi, I've set up Samba NT-based networks with an OpenLDAP database. But to make Samba's operations that fetch data from LDAP work, it needs an account on LDAP that is able to write some objects, such as passwords (when changing a password) or object creation (when registering or joining the directory). The scope of this account is strong enough to reach any container in the directory, such as Admins, Groups, Users, and Computers. I think this account is as powerful as the default admin of the LDAP.
The problems are:

1. The password string given after 'smbpasswd -w xxx' is visible by simply reading secrets.tdb.
2. This account is dangerous enough for LDAP administration because of its power over such wide objects (it is able to change other attributes).
3. So how do I make this LDAP secure (with access lists in slapd.conf? or in the Samba conf)?

Below are parts of my confs. Is it secure enough?

Samba conf:

    .....
    passdb backend = ldapsam:ldap://10.126.13.88:389/
    ldap suffix = dc=ta,dc=its-sby,dc=edu
    ldap machine suffix = ou=AJK-ITS,ou=Computers
    ldap user suffix = ou=Users
    ldap group suffix = ou=Groups
    ldap admin dn = "cn=common,dc=ta,dc=its-sby,dc=edu"
    ldap passwd sync = yes
    ldap delete dn = yes
    ldap filter = (&(uid=%u)(objectclass=sambaSamAccount))
    ...

access lists:

    access to dn.subtree="ou=AJK-ITS,ou=Computers,dc=ta,dc=its-sby,dc=edu"
        by dn="cn=common,dc=ta,dc=its-sby,dc=edu" write
        by dn="uid=domainadminajkits,ou=Admins,dc=ta,dc=its-sby,dc=edu" write
        by dn="cn=admin,dc=ta,dc=its-sby,dc=edu" write
        by * none

    access to dn.subtree="ou=AJK-WIN,ou=Computers,dc=ta,dc=its-sby,dc=edu"
        by dn="cn=common,dc=ta,dc=its-sby,dc=edu" write
        by dn="uid=domainadminajkwin,ou=Admins,dc=ta,dc=its-sby,dc=edu" write
        by dn="cn=admin,dc=ta,dc=its-sby,dc=edu" write
        by * none

    access to dn.subtree="ou=Users,dc=ta,dc=its-sby,dc=edu"
        attrs=userPassword,sambaNTPassword,sambaAcctFlags,sambaLMPassword,sambaPwdLastSet,sambaPwdCanChange,entryCSN,modifiersName,modifyTimestamp
        by dn="cn=admin,dc=ta,dc=its-sby,dc=edu" write
        by dn="cn=common,dc=ta,dc=its-sby,dc=edu" write
        by anonymous auth
        by self write
        by * none

    access to dn.subtree="ou=Computers,dc=ta,dc=its-sby,dc=edu"
        attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdCanChange,entryCSN,modifiersName,modifyTimestamp
        by dn="cn=admin,dc=ta,dc=its-sby,dc=edu" write
        by dn="cn=common,dc=ta,dc=its-sby,dc=edu" write
        by anonymous auth
        by self write
        by * none

--
To unsubscribe from this list go to the following URL and read the instructions:
http://lists.samba.org/mailman/listinfo/samba
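As an added audit helper (not from the post, Samba or OpenLDAP), this Python script parses slapd.conf access rules of the kind quoted in the post and evaluates which access level a given bind DN gets on a given entry and attribute under slapd's first-match rules, so the reach of the "ldap admin dn" account can be checked rule by rule. It assumes only the syntax subset the post uses (dn.subtree, optional attrs=, by dn=/anonymous/self/*); the embedded sample is two of the post's rules with the attribute list abbreviated.

```python
import re

# Constructed sample input: two access rules quoted in the post above (attrs list abbreviated).
ACL_TEXT = """
access to dn.subtree="ou=AJK-ITS,ou=Computers,dc=ta,dc=its-sby,dc=edu"
    by dn="cn=common,dc=ta,dc=its-sby,dc=edu" write
    by dn="cn=admin,dc=ta,dc=its-sby,dc=edu" write
    by * none
access to dn.subtree="ou=Computers,dc=ta,dc=its-sby,dc=edu"
    attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet
    by dn="cn=admin,dc=ta,dc=its-sby,dc=edu" write
    by dn="cn=common,dc=ta,dc=its-sby,dc=edu" write
    by anonymous auth
    by self write
    by * none
"""

RULE_RE = re.compile(
    r'access\s+to\s+dn\.subtree="([^"]+)"(?:\s+attrs=(\S+))?((?:\s+by\s+\S+\s+\S+)+)')
BY_RE = re.compile(r'by\s+(\S+)\s+(\S+)')

def parse_acl(text):
    """Parse the post's 'access to dn.subtree=... [attrs=...] by ...' rules into (base, attr_set|None, [(who, level)]) in file order."""
    rules = []
    for m in RULE_RE.finditer(" ".join(text.split())):
        base, attrs, bys = m.groups()
        attr_set = {a.lower() for a in attrs.split(",")} if attrs else None
        rules.append((base.lower(), attr_set, BY_RE.findall(bys)))
    return rules

def who_matches(who, bind_dn, target_dn):
    # <who> forms the post uses: '*', 'anonymous', 'self', dn="<exact dn>" (bind_dn "" = anonymous)
    if who.startswith('dn="'):
        return who[4:-1].lower() == bind_dn
    return who == "*" or (who == "anonymous" and not bind_dn) or (who == "self" and bind_dn == target_dn)

def effective_access(rules, bind_dn, target_dn, attr):
    """slapd first-match: the first rule covering the target (and attr, if attrs= is listed) decides;
    a matching rule with no matching 'by' clause denies ("none"). None = no rule covers it at all."""
    bind_dn, target_dn, attr = bind_dn.lower(), target_dn.lower(), attr.lower()
    for base, attr_set, bys in rules:
        if target_dn != base and not target_dn.endswith("," + base):
            continue
        if attr_set is not None and attr not in attr_set:
            continue
        for who, level in bys:
            if who_matches(who, bind_dn, target_dn):
                return level
        return "none"
    return None
```

Run against the sample, it reports that cn=common gets write on every attribute of entries under ou=AJK-ITS, because the first rule carries no attrs= limit and, matching first, prevents the attribute-limited ou=Computers rule from ever applying there. Keep in mind that the rootdn bypasses ACLs entirely and real slapd accepts more <what>/<who> forms than this subset.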
