On Thu, 2008-07-03 at 16:04 -0400, Charlie wrote:
> On Thu, Jul 3, 2008 at 2:54 PM, Charlie <[EMAIL PROTECTED]> wrote:
> >
> > The most common problem I see with busted referrals is when someone
> > sets up a program (such as samba) to use the local replica's
> > rootdn/rootpw as defined in /etc/slapd.conf (which allows bypassing
> > ACLs and whatnot) but does not define that dn and password to have
> > appropriate access on the master server. If the admindn that samba is
> > using does not have the ability to write the master slapd, it won't
> > matter if it has unrestricted access to the slave.
>
> Whoops, replying to myself here. I have been privately warned that
> allowing multiple samba servers unlimited write access to one's LDAP
> database can cause creation of duplicate entries for single entities
> (such as machine trust accounts). Which leads to the dreaded
> "multiple LDAP objects returned" error in the logs if you have samba
> BDCs.

If they do, then it is a bug in your configuration.

> I do not recommend that any daemon have totally unrestricted write
> access to one's LDAP directory. I do not recommend that any entity
> (other than a trusted human being) use the master slapd's
> rootdn/rootpw for anything.
>
> http://www.openldap.org/faq/index.cgi?_highlightWords=rootdn&file=761
>
> In my systems, the samba rootdn has the ability to write all
> samba-only LDAP attributes but does not have the ability to create
> POSIX accounts or anything else unrelated to samba. Machine trust
> accounts have the ability to modify their own passwords, because I am
> not sure when they bind as the samba admindn and when they bind with
> their own credentials.

They never bind with their own credentials. Clients in NT4-emulated domains do not know about LDAP, so all access is via Samba, and all access via Samba is with the Samba credentials.

Andrew Bartlett

--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc.
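As an added illustration of the scoped Samba admin DN Charlie describes and Andrew's point that machine accounts only ever bind through Samba (this is example configuration, not anything posted in the thread): an OpenLDAP slapd.conf ACL excerpt on the master, with the matching smb.conf lines. The suffix dc=example,dc=com, the DN cn=samba,ou=Services and the OU names are assumed.

```conf
# slapd.conf excerpt on the master (added example; suffix, DNs and OUs are assumed).
# The rootdn stays reserved for human administration and is never given to a daemon.
rootdn  "cn=Manager,dc=example,dc=com"

# ACLs are evaluated in order; the first "access to" clause that matches wins,
# so attribute-specific rules must come before the catch-all at the end.

# Samba's identity is an ordinary entry, not the rootdn. It may write the Samba
# password attributes of existing entries. No "by self write" for machine trust
# accounts: per the thread, they never bind with their own credentials.
access to attrs=sambaLMPassword,sambaNTPassword,sambaPwdLastSet,
              sambaPwdMustChange,sambaPwdCanChange
    by dn.exact="cn=samba,ou=Services,dc=example,dc=com" write
    by * none

# Remaining Samba-only attributes: writable by Samba, readable by everyone.
access to attrs=sambaAcctFlags,sambaSID,sambaPrimaryGroupSID,sambaKickoffTime,
              sambaLogonTime,sambaLogoffTime,sambaHomePath,sambaHomeDrive,
              sambaLogonScript,sambaProfilePath,sambaUserWorkstations
    by dn.exact="cn=samba,ou=Services,dc=example,dc=com" write
    by * read

# Joining a workstation creates a machine trust account. That needs write on the
# "children" pseudo-attribute of ou=Computers and on the new entry itself, and
# nowhere else, so Samba cannot create POSIX users or groups under other OUs.
access to dn.exact="ou=Computers,dc=example,dc=com" attrs=children
    by dn.exact="cn=samba,ou=Services,dc=example,dc=com" write
    by * read
access to dn.one="ou=Computers,dc=example,dc=com"
    by dn.exact="cn=samba,ou=Services,dc=example,dc=com" write
    by * read

# Everything else (POSIX accounts, groups, the domain object) is read-only to
# Samba; creation and deletion there remain a human administrator's job.
access to *
    by dn.exact="cn=samba,ou=Services,dc=example,dc=com" read
    by * read

# smb.conf excerpt on each PDC/BDC. Weak setting, which bypasses every ACL above:
#     ldap admin dn = cn=Manager,dc=example,dc=com
# Corrected: bind as the scoped DN, against the master, so writes never depend
# on a referral from a replica whose rootdn is meaningless on the master.
[global]
    passdb backend      = ldapsam:ldap://ldap-master.example.com
    ldap admin dn       = cn=samba,ou=Services,dc=example,dc=com
    ldap suffix         = dc=example,dc=com
    ldap user suffix    = ou=People
    ldap machine suffix = ou=Computers
    # the bind password for "ldap admin dn" is stored with: smbpasswd -w <secret>
```

With this split, a Samba host that is compromised or misconfigured can at most corrupt Samba attributes and ou=Computers, and a missing grant shows up as an LDAP "insufficient access" error in log.smbd rather than as silent success on a replica.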
