Why would the add machine script fail? Here's a quick overview of my setup:

All Kerberos authenticated admin users (user/admin) have write to the entire directory.
The Samba admin user has write to the relevant samba branches.
All Kerberos authenticated non-admin users have read access to non-sensitive portions of the directory.

There are three users that could be involved in this process:

leggett: A normal user (inetOrgPerson, posizUser, sambaSamAccount) who is a Domain Admin. Does not have write access to the directory. Password stored in Kerberos, sambaNTPassword stored in LDAP.

samba_server: An LDAP user (person, uidObject) who has write access to the directory. Password stored in LDAP. sambaNTPassword not in LDAP as user isn't a sambaSamAccount.

root: A local unix user who has an entry in LDAP (person, sambaSamAccount). Does not have write access to the directory. Password is kept locally, sambaNTPassword kept in LDAP. Password and sambaNTPassword are not the same.

So let me make sure I have all this straight on how it all works. leggett, a Domain Admin, uses the SeMachineAccountPrivilege to add the machine to the Samba domain. In this process smbd queries LDAP as samba_server to see if the machine account is already created. If it's not, smbd changes to root and calls the script in the "add machine script" directive. That script should be responsible for changing to a user or gaining Kerberos credentials to write to the directory. Is that about right?

On Mon, 2005-05-30 at 21:05 -0500, Gerald (Jerry) Carter wrote:
> Ti Leggett wrote:
>
> > So, here's my new question (I'm full of em): Are LDAP actions
> > done as the Samba ldap admin dn or the user doing the
> > action? It appears the latter is the case.
>
> All LDAP actions from smbd are done as the ldap admin dn, but
> the add machine script should be called under root if the user
> has the SeMachineAccountPrivilege.
>
> cheers, jerry
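As an added example that is not part of this thread, here is the kind of add machine script the question describes: one that is started as root by smbd, obtains its own Kerberos credentials for a directory-writer identity, and creates the machine's POSIX entry itself, leaving the sambaSamAccount attributes to smbd's ldap admin dn. Every hostname, path, OU and principal in it is an assumption, not taken from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: an "add machine script" that creates the
# machine's POSIX entry in LDAP under its own Kerberos identity rather than
# smbd's ldap admin dn. Every host, path, OU and principal below is assumed.
set -eu

LDAP_URI="ldap://ldap.example.org"                 # assumption
BASE_DN="ou=Computers,dc=example,dc=org"           # assumption
KEYTAB="/etc/samba/addmachine.keytab"              # assumption: keytab of the writer identity
PRINCIPAL="samba_server@EXAMPLE.ORG"               # assumption: directory-writer principal
MACHINES_GID=515                                   # conventional 'machines' group gid
MIN_UID=10000

# LDIF for a machine account: a posixAccount whose uid is the NetBIOS name plus
# a trailing '$'. smbd adds the sambaSamAccount attributes afterwards.
gen_machine_ldif() {
    name=$1 uidnum=$2 gidnum=$3 base=$4
    case $name in
        *\$) ;;                       # already carries the trailing $
        *)   name="${name}\$" ;;
    esac
    printf 'dn: uid=%s,%s\n' "$name" "$base"
    printf 'objectClass: top\nobjectClass: account\nobjectClass: posixAccount\n'
    printf 'uid: %s\ncn: %s\n' "$name" "$name"
    printf 'uidNumber: %s\ngidNumber: %s\n' "$uidnum" "$gidnum"
    printf 'homeDirectory: /dev/null\nloginShell: /bin/false\n'
}

# Next free uidNumber below the OU (needs a valid Kerberos ticket in KRB5CCNAME).
next_uidnumber() {
    max=$(ldapsearch -LLL -Q -Y GSSAPI -H "$LDAP_URI" -b "$BASE_DN" \
              '(objectClass=posixAccount)' uidNumber |
          awk '/^uidNumber:/ && $2 > m { m = $2 } END { print m + 0 }')
    if [ "$max" -lt "$MIN_UID" ]; then echo "$MIN_UID"; else echo $((max + 1)); fi
}

main() {
    # Private credential cache: kinit as the writer identity, never with root's
    # own tickets, and destroy it when the script exits.
    KRB5CCNAME="FILE:$(mktemp /tmp/krb5cc_addmachine.XXXXXX)"; export KRB5CCNAME
    trap 'kdestroy >/dev/null 2>&1 || true' EXIT
    kinit -k -t "$KEYTAB" "$PRINCIPAL"
    gen_machine_ldif "$1" "$(next_uidnumber)" "$MACHINES_GID" "$BASE_DN" |
        ldapadd -Q -Y GSSAPI -H "$LDAP_URI"
}

# smbd invokes it as:  add machine script = /usr/local/sbin/add-machine.sh %u
if [ $# -ge 1 ]; then main "$1"; fi
```

The keytab is the only secret the script depends on, so it should be readable by root alone; the ticket lives in a throwaway cache that is destroyed on exit.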
