Some more research for my howto at
http://mandrake.vmlinuz.ca/bin/view/Main/SambaThreeDomainController
Some folks have let me know that it is a bad thing to have your samba
server access the database as the root dn. All well and good but how do
I fix this? I have the default acls listed below which look pretty good
but don't I need a special user or something? It would help if I
understood these acls better but while using regular expressions is good
for compatibility it obfuscates (at least for me) the text quite a bit.
From what I see below, it seems as if all I have to do is join the
server box to the domain and then change the bind dn to controllername$
in various and sundry places. This doesn't seem right though because I
know that we need a userid and password stored in secrets.tdb. I can
store controllername$ but the password for machine accounts is generated
by the script and nobody knows what it is. I could change it using
smbldap-passwd but I'm not so sure this is a good idea.
I have seen examples of databases that had "hooks" i.e. accounts meant
for accessing parts of the directory. These accounts were located just
off the root though instead of in People as displayed below by the
uid=root setting.
Your thoughts? Links? A bone? Anything? ;-)
access to dn="(.+,)?,ou=.+,(dc=.+,?)+$$"
        attrs=lmPassword,ntPassword,sambaLMPassword,sambaNTPassword,userPassword
        by self write
        by dn="uid=root,ou=People,$2" write
        by group="cn=Domain Controllers,ou=Group,$2" write
        by anonymous auth
        by * none
# ACL allowing samba domain controllers to add user accounts
access to dn="^(.*,)?ou=People,(dc=.+,?)+$$"
        attrs=entry,children,posixAccount,sambaAccount,sambaSamAccount
        by dn="uid=root,ou=People,$2" write
        by group="cn=Domain Controllers,ou=Group,$2" write
        by * read
# allow users to modify their own "address book" entries:
access to dn="(.+,)+ou=People,(dc.+,?)+$$"
        attrs=inetOrgPerson,mail
        by self write
        by dn="uid=root,ou=People,$2" write
        by group="cn=Domain Controllers,ou=Group,$2" write
        by * read
# Allow samba domain controllers to create groups and group mappings
access to dn="^(.*,)?ou=Group,(dc=.+,?)+$$"
        attrs=entry,children,posixGroup,sambaGroupMapping
        by dn="uid=root,ou=People,$2" write
        by group="cn=Domain Controllers,ou=Group,$2" write
        by * read
# Allow samba to create idmap entries (not well tested)
access to dn="^(.*,)?ou=Idmap,(dc=.+,?)+$$"
        attrs=entry,children,sambaIdmapEntry
        by group="cn=Domain Controllers,ou=Group,$2" write
        by * read
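Added example, not part of the post: the ACL target regexes above evaluated with Python's re (which agrees with the POSIX regex slapd compiles them to), so you can see which rule selects a given entry and what "$2" expands to in the "by dn=...,$2" clauses. The dc=example,dc=com suffix, the sample DNs and the cn=samba bind DN are constructed for illustration.

```python
import re

# The post's ACL target patterns, in the order slapd would try them.
# slapd applies the first rule whose target matches both the entry DN and
# the attribute being accessed; this script checks only the DN half.
ACL_TARGETS = {
    "passwords": r"(.+,)?,ou=.+,(dc=.+,?)+$$",   # literal ",ou=": entries below an ou only
    "people":    r"^(.*,)?ou=People,(dc=.+,?)+$$",
    "addrbook":  r"(.+,)+ou=People,(dc.+,?)+$$",  # (.+,)+ excludes ou=People itself
    "group":     r"^(.*,)?ou=Group,(dc=.+,?)+$$",
    "idmap":     r"^(.*,)?ou=Idmap,(dc=.+,?)+$$",
}


def matching_rules(target_dn):
    """Names of the rules whose target DN regex selects target_dn.

    regexec() is unanchored unless the pattern starts with ^, hence search.
    """
    return [name for name, pat in ACL_TARGETS.items()
            if re.search(pat, target_dn)]


def expand_by_dn(rule, target_dn, by_template):
    """Expand $1/$2 in a 'by dn="..."' template (e.g. uid=root,ou=People,$2)
    from the groups captured by the rule's target regex.
    Returns None when the rule does not select target_dn."""
    m = re.search(ACL_TARGETS[rule], target_dn)
    if m is None:
        return None
    # $2 is the greedy (dc=.+,?)+ group, i.e. the whole directory suffix.
    return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))) or "", by_template)


if __name__ == "__main__":
    for dn in ("uid=jdoe,ou=People,dc=example,dc=com",
               "ou=People,dc=example,dc=com",
               "cn=Domain Admins,ou=Group,dc=example,dc=com"):
        print(dn, "->", matching_rules(dn))
    # A dedicated bind DN placed directly under the suffix (hypothetical
    # cn=samba) expands from $2 just as uid=root,ou=People,$2 does.
    print(expand_by_dn("people", "uid=jdoe,ou=People,dc=example,dc=com",
                       "cn=samba,$2"))
```

Note that the first rule's "ou=.+" also selects group and idmap entries; only its attrs list keeps it to password attributes.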
--
-----------------------------------------------------------------
| I can be reached on the following Instant Messenger services: |
|---------------------------------------------------------------|
| MSN: [EMAIL PROTECTED] AIM: WyteLi0n ICQ: 123291844 |
|---------------------------------------------------------------|
| Y!: j_c_llings Jabber: [EMAIL PROTECTED] |
-----------------------------------------------------------------