Hi Paul,

Thanks for guiding me.

I am creating a PDC and 2 BDCs with Samba 3 with LDAP. Sorry if this is a silly question, since I am new; guide me:

1) What default ACLs need to be written in slapd.conf apart from users changing passwords? With respect to the Samba 3 LDAP schema, I have only these OUs which come with the smbldap tools: Domain Admins, Domain Groups, People, Groups, Computers, IDMAP.

2) I have a PDC and some other system as file server, i.e. I want folders on another system as the default home drive, which I want to write in the logon script so the user is redirected to his home drive on another system. Should I install Samba on that system also, or should I do an NFS mount? And I have about 500 groups and I want folders in the file system on the file server to be mapped as drives, for which I will probably write a logon script, but the confusion is how I go about it.

3) If I use NFS, I want the NFS mount to be with ACL support so that I can use setfacl and getfacl on the file server.

4) I want to create 2 BDCs. Is it possible to synchronize PDC -> BDC and BDC -> PDC, i.e. if I make any changes on the BDCs, will they get reflected in the PDC also?

Kindly guide me.

Regards
Niranjan

On 12/20/05, paul kölle <[EMAIL PROTECTED]> wrote:
> mallapadi niranjan wrote:
> > Hi
> >
> > Thanks for replying me.
> > In the ACL below
> > #####################################################################
> > #access to dn.base="dc=msdpl,dc=com"
> >
> >> access to attrs=sambaLMPassword,sambaNTPassword
> >>
> >>>  by dn="uid=.*,ou=People,dc=msdpl,dc=com" write
> >>>  by dn="uid=.*,ou=Domain Admins,dc=msdpl,dc=com" read
> >>>  by * none
> >>> access to attr=userPassword
> >>>  by dn="uid=.*,ou=People,dc=msdpl,dc=com" write
> >>>  by self write
> >>>  by anonymous auth
> >>>  by * none
> >>> access to *
> >>>  by * read
> >
> > #######################################################################
> > in by dn="uid=.*,ou=Domain Admins,dc=msdpl,dc=com" read, if I keep
> > read/write it has no effect
> >
> > so I have changed my ACLs
> > #########################################################################
> > access to dn.base="dc=msdpl,dc=com"
> >   attrs=sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaPwdMustChange,
> >   objectClass,entry,homeDirectory,uid,uidNumber,gidNumber,memberUid,description,
> >   telephoneNumber,roomNumber,homePhone,loginShell,gecos,cn,sn,givenname
> >  by dn="uid=.*,ou=People,dc=msdpl,dc=com" write
> >  by dn="uid=.*,ou=Groups,dc=msdpl,dc=com" write
> >  by dn="uid=.*,ou=Domain Admins,dc=msdpl,dc=com" write
> >  by self write
> >  by anonymous auth
> >  by * none
> that is write access to samba password hashes to everyone in the
> ou=People container again. They are basically cleartext equivalent. ACLs
> are evaluated "in order", first match rules. So to protect passwords you
> could write something like (OTOH):
>
> access to attrs=sambaLMPassword,sambaNTPassword,userPassword
>   by self write
>   by dn.regex="uid=[^,]+,ou=Domain Admins,dc=msdpl,dc=com" write
>   by anonymous auth
>   by * none
>
> access to *
>   by self write
>   by dn.regex="uid=[^,]+,ou=Domain Admins,dc=msdpl,dc=com" write
>   by * read
>
> Note that this is NOT suitable for your environment and only serves as
> an example as you probably want to prevent users from messing with
> attributes enforcing a particular policy (like pwdMustChange). As Craig
> noted, the uid=.*,ou=Domain Admins,... part doesn't make sense. If you
> want group based access control you need the <expand> syntax. Read the
> manpage for access control (man slapd.access).
>
> cheers
> Paul
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/listinfo/samba
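The point Paul makes about first-match ordering is easy to get wrong by eye, so here is an added example (editor's code, not from anyone in this thread and not an OpenLDAP implementation) that models slapd's evaluation of the two rulesets above and shows the difference. It models only the attrs= part of each directive's <what> (the dn.base target scoping in the posted ruleset is left out, as Paul's reading of it does) and the <who> forms the thread uses; the bare dn=<pattern> form is treated as the deprecated spelling of dn.regex=, i.e. an unanchored regex over the bound DN. The DNs uid=alice, uid=bob and uid=root are constructed sample identities.

```python
"""Simplified first-match model of slapd.conf 'access to' directives.

Models only what the thread's ACLs use: an optional attrs= filter in <what>,
and self / anonymous / users / * / dn(.regex)= in <who>. Not a slapd
implementation; use slapacl(8) against a real config for the real answer.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Privilege levels in increasing order (slapd.access(5), OpenLDAP 2.4).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


@dataclass
class By:
    who: str       # "self", "anonymous", "users", "*", "dn=<re>" or "dn.regex=<re>"
    level: str


@dataclass
class Access:
    attrs: frozenset[str] | None    # None models "access to *"
    by: list[By] = field(default_factory=list)


def who_matches(who: str, bind_dn: str | None, target_dn: str) -> bool:
    """Does a <who> clause match the bound DN acting on target_dn?"""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    if who == "self":
        return bind_dn is not None and bind_dn.lower() == target_dn.lower()
    if who.startswith(("dn=", "dn.regex=")):
        # Assumption: the bare dn=<pattern> form used in the thread is the
        # deprecated spelling of dn.regex=; both are modelled as an
        # unanchored, case-insensitive regex over the bound DN.
        pattern = who.split("=", 1)[1]
        return bind_dn is not None and re.search(pattern, bind_dn, re.I) is not None
    raise ValueError(f"unsupported <who> clause: {who}")


def granted_level(acls: list[Access], bind_dn: str | None, target_dn: str, attr: str) -> str:
    """Level granted by the FIRST directive whose <what> covers attr.

    Inside that directive the first matching <by> clause wins. If none of
    its <by> clauses match, slapd stops and denies (an implicit 'by * none');
    later directives are never consulted, so ordering is everything.
    """
    for acl in acls:
        if acl.attrs is not None and attr.lower() not in acl.attrs:
            continue
        for clause in acl.by:
            if who_matches(clause.who, bind_dn, target_dn):
                return clause.level
        return "none"
    return "none"


def allows(acls: list[Access], bind_dn: str | None, target_dn: str, attr: str, needed: str) -> bool:
    return LEVELS.index(granted_level(acls, bind_dn, target_dn, attr)) >= LEVELS.index(needed)


HASHES = frozenset({"sambalmpassword", "sambantpassword"})
PEOPLE_RE = r"uid=.*,ou=People,dc=msdpl,dc=com"
ADMINS_RE = r"uid=[^,]+,ou=Domain Admins,dc=msdpl,dc=com"

# The ruleset Niranjan posted (attrs= list abbreviated to the hashes plus two
# policy attributes). Any DN under ou=People matches the first 'by' clause,
# so it gets write on everyone's hashes before 'by self' is even reached.
POSTED = [
    Access(HASHES | {"sambapwdlastset", "sambapwdmustchange"}, [
        By(f"dn={PEOPLE_RE}", "write"),
        By(r"dn=uid=.*,ou=Groups,dc=msdpl,dc=com", "write"),
        By(r"dn=uid=.*,ou=Domain Admins,dc=msdpl,dc=com", "write"),
        By("self", "write"),
        By("anonymous", "auth"),
        By("*", "none"),
    ]),
]

# Paul's sketch: the hash attributes first and most restrictive, then a catch-all.
HARDENED = [
    Access(HASHES | {"userpassword"}, [
        By("self", "write"),
        By(f"dn.regex={ADMINS_RE}", "write"),
        By("anonymous", "auth"),
        By("*", "none"),
    ]),
    Access(None, [
        By("self", "write"),
        By(f"dn.regex={ADMINS_RE}", "write"),
        By("*", "read"),
    ]),
]


def demo() -> dict[str, bool]:
    alice = "uid=alice,ou=People,dc=msdpl,dc=com"   # constructed sample DNs
    bob = "uid=bob,ou=People,dc=msdpl,dc=com"
    admin = "uid=root,ou=Domain Admins,dc=msdpl,dc=com"
    return {
        # the problem Paul points out: an ordinary user rewrites a colleague's NT hash
        "posted: bob writes alice's sambaNTPassword": allows(POSTED, bob, alice, "sambaNTPassword", "write"),
        "hardened: bob writes alice's sambaNTPassword": allows(HARDENED, bob, alice, "sambaNTPassword", "write"),
        "hardened: bob reads alice's sambaNTPassword": allows(HARDENED, bob, alice, "sambaNTPassword", "read"),
        "hardened: alice changes her own hash": allows(HARDENED, alice, alice, "sambaNTPassword", "write"),
        "hardened: admin resets alice's hash": allows(HARDENED, admin, alice, "sambaNTPassword", "write"),
        "hardened: anonymous may bind with userPassword": allows(HARDENED, None, alice, "userPassword", "auth"),
        "hardened: bob reads alice's cn": allows(HARDENED, bob, alice, "cn", "read"),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{'ALLOW' if ok else 'deny '}  {check}")
```

Against the real slapd.conf the authoritative check is slapacl(8), which evaluates the loaded ACLs for a given bind DN, target entry and attribute/level, for example `slapacl -f slapd.conf -D "uid=bob,ou=People,dc=msdpl,dc=com" -b "uid=alice,ou=People,dc=msdpl,dc=com" sambaNTPassword/write` (paths and DNs are assumptions for illustration), and reports whether that access is allowed or denied; run it for an ordinary People account, an admin, and anonymous before putting any ruleset in production.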
