I'm using samba 3.0.14a + openldap .2.27 on FreeBSD 6.0-RELEASE. I followed the "Linux Samba-OpenLDAP Howto" from IDEALX.

My slapd.conf rootdn is cn=ldapmgr,ou=Managers,o=miage
My smb.conf ldap admin dn is cn=sambamgr,ou=Managers,o=miage

With the ACLs from section 5 (Security considerations) of the Howto, when I change a user password from Windows XP the userPassword attribute is not modified, so my Unix and Windows passwords are not in sync. I found that adding the following ACL to my slapd.conf resolves the issue:

    access to *
        by dn="cn=sambamgr,ou=Managers,o=miage" read

I did several tests but can't figure out which attributes sambamgr needs to read in order to update the userPassword attribute. Any help would be appreciated.

Thierry.

Here's my smb.conf:

    [global]
        workgroup = MIAGE
        netbios name = CARIOCA
        passdb backend = ldapsam:ldap://localhost
        add machine script = /usr/local/sbin/smbldap-useradd -w '%u'
        domain logons = Yes
        os level = 35
        preferred master = Yes
        domain master = Yes
        wins support = Yes
        ldap suffix = o=miage
        ldap machine suffix = ou=Computers,ou=Accounts
        ldap user suffix = ou=Users,ou=Accounts
        ldap group suffix = ou=Groups
        ldap admin dn = cn=sambamgr,ou=Managers,o=miage
        ldap ssl = no
        ldap passwd sync = Yes
        enable privileges = yes
        logon script = scripts\logon.bat
        logon path = \\%L\Profiles\%U
        logon drive = H:
        logon home = \\%L\%U
        log level = 2

    [homes]
        comment = Home Directories
        valid users = %S
        read only = No
        browseable = No

    [netlogon]
        comment = Network Logon Service
        path = /samba/netlogon
        admin users = root
        guest ok = Yes
        browseable = No

    # For profiles to work, create a user directory under the path
    # shown.  i.e., mkdir -p /samba/profiles/maryo
    [Profiles]
        comment = Roaming Profile Share
        path = /samba/profiles
        read only = No
        profile acls = Yes

Here's my slapd.conf:

    include         /usr/local/etc/openldap/schema/core.schema
    include         /usr/local/etc/openldap/schema/cosine.schema
    include         /usr/local/etc/openldap/schema/inetorgperson.schema
    include         /usr/local/etc/openldap/schema/nis.schema
    include         /usr/local/etc/openldap/schema/samba.schema

    pidfile         /var/run/openldap/slapd.pid
    argsfile        /var/run/openldap/slapd.args

    #######################################################################
    # BDB database definitions
    #######################################################################

    database        bdb
    suffix          "o=miage"
    rootdn          "cn=ldapmgr,ou=Managers,o=miage"
    rootpw          {SSHA}IcqxO1Pi3TelluIAf8Gh3hIV3c7HxXhY
    # The database directory MUST exist prior to running slapd AND
    # should only be accessible by the slapd and slap tools.
    # Mode 700 recommended.
    directory       /var/db/openldap-data
    # Indices to maintain
    index objectClass            eq
    index cn                     pres,sub,eq
    index sn                     pres,sub,eq
    index uid                    pres,sub,eq
    index displayName            pres,sub,eq
    index uidNumber              eq
    index gidNumber              eq
    index memberUid              eq
    index sambaSID               eq
    index sambaPrimaryGroupSID   eq
    index sambaDomainName        eq
    index default                sub

    access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange,sambaPasswordHistory,sambaPwdCanChange
        by dn="cn=sambamgr,ou=Managers,o=miage" write
        by anonymous auth
        by * none

    access to attrs=objectClass,entry,gecos,homeDirectory,uid,uidNumber,gidNumber,cn,memberUid
        by dn="cn=sambamgr,ou=Managers,o=miage" write
        by * read

    access to attrs=description,telephoneNumber
        by dn="cn=sambamgr,ou=Managers,o=miage" write
        by self write
        by * read

    access to attrs=cn,sambaLogonTime,sambaLogoffTime,sambaKickoffTime,sambaPwdCanChange,sambaAcctFlags,displayName,sambaHomePath,sambaHomeDrive,sambaLogonScript,sambaProfilePath,description,sambaUserWorkstations,sambaPrimaryGroupSID,sambaDomainName,sambaSID,sambaGroupType,sambaNextRid,sambaNextGroupRid,sambaNextUserRid,sambaAlgorithmicRidBase
        by dn="cn=sambamgr,ou=Managers,o=miage" write
        by self read
        by * none

    access to dn.base="o=miage"
        by dn="cn=sambamgr,ou=Managers,o=miage" write
        by * none

    access to dn="ou=Users,ou=Accounts,o=miage"
        by dn="cn=sambamgr,ou=Managers,o=miage" write
        by * none

    access to dn="ou=Groups,o=miage"
        by dn="cn=sambamgr,ou=Managers,o=miage" write
        by * none

    access to dn="ou=Computers,ou=Accounts,o=miage"
        by dn="cn=sambamgr,ou=Managers,o=miage" write
        by * none

    # I tried this ACL following the output of slapd but it does not work
    access to attrs=sn,loginShell,structuralObjectClass,entryUUID,creatorsName,createTimestamp,entryCSN,modifiersName,modifyTimestamp
        by dn="cn=sambamgr,ou=Managers,o=miage" read

    access to *
        by dn="cn=sambamgr,ou=Managers,o=miage" read

    access to *
        by self write
        by users auth
        by anonymous auth
        by * none
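The following is an added example and is not part of the post above nor of the IDEALX Howto. It is a small Python model of how slapd evaluates `access to` directives (the documented first-match rules from slapd.access(5)), loaded with the section-5 ACLs exactly as they appear in the poster's slapd.conf, so you can see which attributes of a user entry the `ldap admin dn` can actually read before and after the extra `access to * by dn="cn=sambamgr,..." read` directive. The user entry `uid=maryo,...` and its attribute list are constructed for the example; the `dn="..."` targets are treated like `dn.base` and DNs are compared as lower-cased strings, both simplifications assumed here rather than taken from the page.

```python
# Added example, not part of the post: a small model of how slapd evaluates
# "access to" directives, applied to the ACLs from the slapd.conf above.
# Rules modelled (from slapd.access(5)): directives are tried in file order
# and the FIRST whose <what> matches the entry/attribute decides; inside it
# the FIRST matching <who> clause gives the privilege; a matching directive
# with no matching <who> grants "none". Assumptions made here: dn="..."
# is treated like dn.base (the one entry only), and DNs are compared as
# lower-cased strings instead of being properly normalised.

LEVELS = ["none", "auth", "compare", "search", "read", "write"]
SAMBAMGR = "cn=sambamgr,ou=Managers,o=miage"


def attrs(names):
    """<what> = attrs=a,b,c : those attributes, in any entry."""
    return ("attrs", frozenset(n.strip().lower() for n in names.split(",")))


def dn_base(dn):
    """<what> = dn.base="..." : every attribute of exactly that entry."""
    return ("dn", dn.lower())


ANY = ("*", None)


def acl(what, by):
    """One 'access to <what> by <who> <level> ...' directive."""
    return {"to": what, "by": list(by)}


def what_matches(what, entry_dn, attr):
    kind, value = what
    if kind == "*":
        return True
    if kind == "attrs":
        return attr.lower() in value
    return entry_dn.lower() == value          # kind == "dn"


def who_matches(who, bound_dn, entry_dn):
    if who == "*":
        return True
    if who == "anonymous":
        return bound_dn is None
    if who == "users":
        return bound_dn is not None
    if who == "self":
        return bound_dn is not None and bound_dn.lower() == entry_dn.lower()
    if who.startswith("dn="):
        return bound_dn is not None and bound_dn.lower() == who[3:].lower()
    raise ValueError("unknown <who>: " + who)


def access_level(acls, bound_dn, entry_dn, attr, default="none"):
    """Privilege that bound_dn (None = anonymous) gets on attr of entry_dn."""
    for directive in acls:
        if what_matches(directive["to"], entry_dn, attr):
            for who, level in directive["by"]:
                if who_matches(who, bound_dn, entry_dn):
                    return level
            return "none"      # implicit trailing "by * none"
    return default             # no directive matched (deny assumed here)


def attrs_below(acls, bound_dn, entry_dn, attr_names, needed="read"):
    """Attributes of entry_dn on which bound_dn falls short of `needed`."""
    return [a for a in attr_names
            if LEVELS.index(access_level(acls, bound_dn, entry_dn, a)) < LEVELS.index(needed)]


MGR_W = ("dn=" + SAMBAMGR, "write")
HOWTO_ACLS = [  # section-5 style ACLs, in the order they appear in the post
    acl(attrs("userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,"
              "sambaPwdMustChange,sambaPasswordHistory,sambaPwdCanChange"),
        [MGR_W, ("anonymous", "auth"), ("*", "none")]),
    acl(attrs("objectClass,entry,gecos,homeDirectory,uid,uidNumber,gidNumber,cn,memberUid"),
        [MGR_W, ("*", "read")]),
    acl(attrs("description,telephoneNumber"), [MGR_W, ("self", "write"), ("*", "read")]),
    acl(attrs("cn,sambaLogonTime,sambaLogoffTime,sambaKickoffTime,sambaPwdCanChange,"
              "sambaAcctFlags,displayName,sambaHomePath,sambaHomeDrive,sambaLogonScript,"
              "sambaProfilePath,description,sambaUserWorkstations,sambaPrimaryGroupSID,"
              "sambaDomainName,sambaSID,sambaGroupType,sambaNextRid,sambaNextGroupRid,"
              "sambaNextUserRid,sambaAlgorithmicRidBase"),
        [MGR_W, ("self", "read"), ("*", "none")]),
    acl(dn_base("o=miage"), [MGR_W, ("*", "none")]),
    acl(dn_base("ou=Users,ou=Accounts,o=miage"), [MGR_W, ("*", "none")]),
    acl(dn_base("ou=Groups,o=miage"), [MGR_W, ("*", "none")]),
    acl(dn_base("ou=Computers,ou=Accounts,o=miage"), [MGR_W, ("*", "none")]),
    acl(ANY, [("self", "write"), ("users", "auth"), ("anonymous", "auth"), ("*", "none")]),
]
# The same list with the poster's extra directive inserted before the catch-all.
WITH_FIX = HOWTO_ACLS[:-1] + [acl(ANY, [("dn=" + SAMBAMGR, "read")])] + HOWTO_ACLS[-1:]

# Constructed sample user entry (a typical posixAccount + sambaSamAccount).
USER_DN = "uid=maryo,ou=Users,ou=Accounts,o=miage"
USER_ATTRS = ["objectClass", "uid", "cn", "sn", "uidNumber", "gidNumber", "homeDirectory",
              "loginShell", "gecos", "userPassword", "sambaSID", "sambaAcctFlags",
              "sambaNTPassword", "sambaLMPassword", "sambaPwdLastSet", "displayName"]

if __name__ == "__main__":
    for label, acls in (("Howto ACLs", HOWTO_ACLS), ("with extra 'access to *' read", WITH_FIX)):
        short = attrs_below(acls, SAMBAMGR, USER_DN, USER_ATTRS)
        print(f"{label}: sambamgr lacks read on {short or 'nothing'}")
```

Run as a script it reports that, with only the Howto ACLs, sambamgr reaches no more than `auth` on `sn` and `loginShell` of the user entry: neither attribute is named in any `attrs=` directive, so they fall through to the final `access to *`, whose first matching clause for a bound non-self DN is `by users auth`. The extra `access to * by dn=... read` sits before that catch-all and lifts them to `read`, which is why it "fixes" things even though it is broader than needed; the narrow alternative is to name the missing attributes explicitly in a directive placed before the catch-all. The model also shows how ordering, not specificity, decides: anonymous gets `read` on `objectClass` of `o=miage` because the second `attrs=` directive matches first, even though the later `dn.base="o=miage"` directive says `by * none`. On a live server the same question is answered by `ldapsearch -x -D "cn=sambamgr,ou=Managers,o=miage" -W -b "ou=Users,ou=Accounts,o=miage"` (attributes the bind DN cannot read are simply absent from the result), or by running slapd with debug level 128 (`-d 128`), which logs each ACL decision as it is made.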