[Samba] Re: Authenticateing DC's on an ldap backend... nobody knows how?
> My bad - I forgot to add 'write':
>
> access to dn.subtree="dc=j9starr,dc=net"
>         by group/posixGroup/memberUid="cn=Domain Controllers,ou=Group,dc=j9starr,dc=net" write
>         by * read

Yes, I noticed but I had compensated. This should work according to OpenLDAP's faq-o-matic. Perhaps this is a genuine bug. Of course, it may be a doc bug rather than a software bug.

-- 
| I can be reached on the following Instant Messenger services: |
|---|
| MSN: [EMAIL PROTECTED]   AIM: WyteLi0n   ICQ: 123291844 |
|---|
| Y!: j_c_llings   Jabber: [EMAIL PROTECTED] |

-- 
To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
[Samba] Re: Authenticateing DC's on an ldap backend... nobody knows how?
Jim C. wrote:

>> access to dn.subtree="dc=j9starr,dc=net"
>>         by group/posixGroup/memberUid="cn=Domain Controllers,ou=Group,dc=j9starr,dc=net"
>>         by * read
>
> I pulled that info from faq-o-matic just a minute ago. No dice. See below.
>
> access to dn.subtree="dc=j9starr,dc=net"
>         by group/posixGroup/memberUid="cn=Domain Controllers,ou=Group,dc=j9starr,dc=net"
>         by * read
>
> # Do not enable referrals until AFTER you have a working directory
> # service AND an understanding of referrals.
> #referral       ldap://root.openldap.org
>
> pidfile         /var/run/ldap/slapd.pid
> argsfile        /var/run/ldap/slapd.args
> modulepath      /usr/lib/openldap
> "slapd.conf" 154L, 5397C written
> [EMAIL PROTECTED] 0 openldap]$ slapd -t
> /etc/openldap/slapd.conf: line 47: group "cn=Domain Controllers,ou=Group,dc=j9starr,dc=net": inappropriate syntax: 1.3.6.1.4.1.1466.115.121.1.26

My bad - I forgot to add 'write':

access to dn.subtree="dc=j9starr,dc=net"
        by group/posixGroup/memberUid="cn=Domain Controllers,ou=Group,dc=j9starr,dc=net" write
        by * read

Igor
[Samba] Re: Authenticateing DC's on an ldap backend... nobody knows how?
> access to dn.subtree="dc=j9starr,dc=net"
>         by group/posixGroup/memberUid="cn=Domain Controllers,ou=Group,dc=j9starr,dc=net"
>         by * read

I pulled that info from faq-o-matic just a minute ago. No dice. See below.

access to dn.subtree="dc=j9starr,dc=net"
        by group/posixGroup/memberUid="cn=Domain Controllers,ou=Group,dc=j9starr,dc=net"
        by * read

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral       ldap://root.openldap.org

pidfile         /var/run/ldap/slapd.pid
argsfile        /var/run/ldap/slapd.args
modulepath      /usr/lib/openldap
"slapd.conf" 154L, 5397C written
[EMAIL PROTECTED] 0 openldap]$ slapd -t
/etc/openldap/slapd.conf: line 47: group "cn=Domain Controllers,ou=Group,dc=j9starr,dc=net": inappropriate syntax: 1.3.6.1.4.1.1466.115.121.1.26

There has to be a way to do this. I just can't imagine OpenLDAP being so lame that it can't.

Jim C.
[Samba] Re: Authenticateing DC's on an ldap backend... nobody knows how?
Jim C. wrote:

> Mine:
>
> [EMAIL PROTECTED] 0 root]$ smbldap-groupshow 'Domain Controllers'
> dn: cn=Domain Controllers,ou=Group,dc=j9starr,dc=net
> objectClass: posixGroup,sambaGroupMapping
> cn: Domain Controllers
> sambaGroupType: 2
> sambaSID: S-1-5-21-2147030705-2499090161-3119200592-516
> gidNumber: 516
> displayName: Domain Controllers
> memberUid: cn=enigma,ou=Hosts,dc=j9starr,dc=net
>
> His:
>
> dn: cn=Domain Controllers,ou=Group,dc=ranger,dc=dnsalias,dc=com
> objectClass: groupOfNames
> objectClass: top
> cn: Domain Controllers
> member: cn=kiowa.ranger.dnsalias.com,ou=Hosts,dc=ranger,dc=dnsalias,dc=com
> member: cn=comanche.ranger.dnsalias.com,ou=Hosts,dc=ranger,dc=dnsalias,dc=com
>
> Now I don't know how slapd deals with groups but if it specifically needs groupOfNames, then I may have a problem. I'll see if I can manipulate the structure to include groupOfNames. Who knows, I might be able to do it without redundancy.

No, slapd doesn't know (by default) how to work with posixGroups. Note that memberUid of the posixGroup usually contains uids of the posixAccount objects. To let slapd work with just 'group=' it should be either a groupOfNames or a groupOfUniqueNames object.

You can however trick slapd into working with posixGroup (I don't know if this is the right move though)... There are additional parameters to the _who_ part of the access statement. Try something like that (just for the fun of it):

access to dn.subtree="dc=j9starr,dc=net"
        by group/posixGroup/memberUid="cn=Domain Controllers,ou=Group,dc=j9starr,dc=net"
        by * read

Good luck,
Igor
[Samba] Re: Authenticateing DC's on an ldap backend... nobody knows how?
>> Can you recommend appropriate log levels for slapd/smbd? I've always
...
> statement like:
>
> access to dn.subtree="dc=j9starr,dc=net"
>         by group="cnReplicator,ou=Group,dc=j9starr,dc=net"
>         by * read
>
> doesn't work, adding regexp to it won't help to resolve this problem. Did you check that it works without group with a simple 'by dn='?
>
> Ok, sorry... I've got in a lecture mood. It's just too confusing to see what exactly you do and what kind of problems you encounter.

Actually, I think I am on to something. Putting the ACLs under a microscope led to the revelation of some differences in group structure between what I am using and those previously recommended by Buchan Milne.

Mine:

[EMAIL PROTECTED] 0 root]$ smbldap-groupshow 'Domain Controllers'
dn: cn=Domain Controllers,ou=Group,dc=j9starr,dc=net
objectClass: posixGroup,sambaGroupMapping
cn: Domain Controllers
sambaGroupType: 2
sambaSID: S-1-5-21-2147030705-2499090161-3119200592-516
gidNumber: 516
displayName: Domain Controllers
memberUid: cn=enigma,ou=Hosts,dc=j9starr,dc=net

His:

dn: cn=Domain Controllers,ou=Group,dc=ranger,dc=dnsalias,dc=com
objectClass: groupOfNames
objectClass: top
cn: Domain Controllers
member: cn=kiowa.ranger.dnsalias.com,ou=Hosts,dc=ranger,dc=dnsalias,dc=com
member: cn=comanche.ranger.dnsalias.com,ou=Hosts,dc=ranger,dc=dnsalias,dc=com

Now I don't know how slapd deals with groups but if it specifically needs groupOfNames, then I may have a problem. I'll see if I can manipulate the structure to include groupOfNames. Who knows, I might be able to do it without redundancy.

Jim C.
[Samba] Re: Authenticateing DC's on an ldap backend... nobody knows how?
Jim C. wrote:

> Can you recommend appropriate log levels for slapd/smbd? I've always had trouble with them which may explain a lot.

The easiest way with the logs is to do it step by step, increasing the volume of information on each step until you can say: "That's enough!" With practice you'll get the feeling for what level to start with next time.

So, first, without any 'log level', check if there are any error messages in the log. Since you are not able to login there's definitely at least something there. Then, since you have trouble with calls to ldap, I would select 'log level=5' since this is the level smbldap_search prints its arguments at, but feel free to try anything between 1-4 too - maybe your intuition will guide you better with a lesser volume of extra information.

Commenting out things which you've added is also a good approach, but if you ask me - I prefer the gradual approach - first try something simple, see if it works and then move on to adding regular expressions all over the place. It's much easier to see the difference between your logic and the logic of LDAP/Samba/or any other program on some simple things. If a simple statement like:

access to dn.subtree="dc=j9starr,dc=net"
        by group="cnReplicator,ou=Group,dc=j9starr,dc=net"
        by * read

doesn't work, adding regexp to it won't help to resolve this problem. Did you check that it works without group with a simple 'by dn='?

Ok, sorry... I've got in a lecture mood. It's just too confusing to see what exactly you do and what kind of problems you encounter.

Cheers,
Igor
[Samba] Re: Authenticateing DC's on an ldap backend... nobody knows how?
> access to dn.regex="^([^,]*,)?ou=[^,]+,(dc=[^,]+(,dc=[^,]+)*)$"
>         attrs=lmPassword,ntPassword,sambaLMPassword,sambaNTPassword,userPassword
>         by self write
>         by dn.exact,expand="uid=Administrator,ou=People,$2" write
>         by group="cn=Domain\ Controllers,ou=Group,$2" write
>         by group="cn=Replicator,ou=Group,$2" write
>         by anonymous auth
>         by * none

Using commenting, I've narrowed it down to the first line above. I also turned off all ACLs to test and see if Samba would begin to function properly with group authentication. This did not work and would seem to indicate that there is another problem contained in Samba itself or the config. I prefer to address the ACL issue first. Unfortunately, I've not had much practice with regular expressions.

Jim C.
[Samba] Re: Authenticateing DC's on an ldap backend... nobody knows how?
Drat! Escaping the space in "Domain Controllers" doesn't seem to help after all.

> Whoops! Missed part of those acls that had scrolled off the top of my
...
>         by users read
>         by anonymous read

Jim C.
[Samba] Re: Authenticateing DC's on an ldap backend... nobody knows how?
Whoops! Missed part of those acls that had scrolled off the top of my screen. The full slapd.access.conf listing is as follows:

# This is a good place to put slapd access-control directives

# The Administrator DIT should be accessible to all clients
access to dn.exact=""
        by * read

# Generic ACLs
# These ACLs should work well for any domain-based (ie dc=,dc=) suffix,
# but need adjustment and testing for any other suffix
# Note that these ACLs allow anonymous read access to most non-password
# attributes, you may want to prevent leakage of this information by
# removing the "by anonymous read" lines

# Protect passwords, using a regex so we can have generic accounts with
# write access
# Openldap will not authenticate against non-userPassword attributes
# but we would have to duplicate most rules ...
access to dn.regex="^([^,]*,)?ou=[^,]+,(dc=[^,]+(,dc=[^,]+)*)$"
        attrs=lmPassword,ntPassword,sambaLMPassword,sambaNTPassword,userPassword
        by self write
        by dn.exact,expand="uid=Administrator,ou=People,$2" write
        by group="cn=Domain\ Controllers,ou=Group,$2" write
        by group="cn=Replicator,ou=Group,$2" write
        by anonymous auth
        by * none

# ACL allowing samba domain controllers to add user accounts
access to dn.regex="^([^,]+,)?ou=People,(dc=[^,]+(,dc=[^,]+)*)$"
        attrs=entry,children,posixAccount,sambaAccount,inetOrgperson,sambaSamAccount
        by dn.exact,expand="uid=Administrator,ou=People,$2" write
        by group="cn=Domain\ Controllers,ou=Group,$2" write
        by group="cn=Replicator,ou=Group,$2" write
        by users read
        by anonymous read

# allow users to modify their own "address book" entries:
access to dn.regex="([^,]+,)?ou=People,(dc=[^,]+(,dc=[^,]+)*)$"
        attrs=inetOrgPerson,mail
        by self write
        by dn.exact,expand="uid=Administrator,ou=People,$2" write
        by group="cn=Domain\ Controllers,ou=Group,$2" write
        by group="cn=Replicator,ou=Group,$2" write
        by users read

# Allow samba domain controllers to create groups and group mappings
access to dn.regex="^([^,]+,)?ou=Group,(dc=[^,]+(,dc=[^,]+)*)$"
        attrs=entry,children,posixGroup,sambaGroupMapping
        by dn.exact,expand="uid=Administrator,ou=People,$2" write
        by group="cn=Domain\ Controllers,ou=Group,$2" write
        by group="cn=Replicator,ou=Group,$2" write
        by users read
        by anonymous read

# Allow samba domain controllers to create machine accounts
access to dn.regex="^([^,]+,)?ou=Hosts,(dc=[^,]+(,dc=[^,]+)*)$"
        attrs=entry,children,posixAccount,inetOrgperson,sambaSamAccount
        by dn.exact,expand="uid=Administrator,ou=People,$2" write
        by group="cn=Domain\ Controllers,ou=Group,$2" write
        by group="cn=Replicator,ou=Group,$2" write
        by users read
        by anonymous read

# Allow samba to create idmap entries
access to dn.regex="^([^,]+,)?ou=Idmap,(dc=[^,]+(,dc=[^,]+)*)$"
        attrs=entry,children,sambaIdmapEntry
        by dn.exact,expand="uid=Administrator,ou=People,$2" write
        by group="cn=Domain\ Controllers,ou=Group,$2" write
        by group="cn=Replicator,ou=Group,$2" write
        by users read
        by anonymous read

# Allow users in the domain to add entries to the "global address book":
access to dn.regex="^([^,],)?ou=Contacts,(dc=[^,]+(,dc=[^,]+)*)$"
        attrs=children,entry,inetOrgPerson
        by dn="uid=[^,]+,ou=People,$2" write
        by group="cn=Replicator,ou=Group,$2" write
        by users read
        by anonymous read
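As an added example (not code from the thread, Samba or OpenLDAP), the Python script below models the two slapd behaviours this thread runs into: the parse-time rule behind the "inappropriate syntax" error that slapd -t gave for the group/posixGroup/memberUid clause (slapd requires a group's member attribute to have DistinguishedName or NameAndOptionalUID syntax, and memberUid is IA5String, OID 1.3.6.1.4.1.1466.115.121.1.26), and the $2 capture that the regex-based rules in the listing above rely on. The schema table, DNs and ACL strings are constructed from the forms posted here.

```python
"""Pre-flight checks for the slapd ACL forms discussed in this thread.

Hand-written example; not code from the thread, Samba or OpenLDAP.
It models two things slapd does with these ACLs so they can be checked
before restarting slapd:
  1. the parse-time check behind the 'slapd -t' error seen in the thread:
     a 'by group[/objectclass[/attr]]=' clause must name a member attribute
     with DistinguishedName or NameAndOptionalUID syntax, and memberUid
     (posixGroup) is IA5String, OID 1.3.6.1.4.1.1466.115.121.1.26;
  2. how a dn.regex target captures $2 for the ',expand' who-clauses.
ATTR_SYNTAX is a constructed subset of the standard schemas.
"""
import re

# Syntax OIDs (the standard ones) for the member-type attributes in the thread.
ATTR_SYNTAX = {
    "member":       "1.3.6.1.4.1.1466.115.121.1.12",  # DistinguishedName
    "uniqueMember": "1.3.6.1.4.1.1466.115.121.1.34",  # NameAndOptionalUID
    "memberUid":    "1.3.6.1.4.1.1466.115.121.1.26",  # IA5String
}
DN_SYNTAXES = {"1.3.6.1.4.1.1466.115.121.1.12", "1.3.6.1.4.1.1466.115.121.1.34"}

# 'by group=' alone means objectclass groupOfNames and attribute member.
GROUP_CLAUSE = re.compile(
    r'by\s+group(?:/(?P<oc>[\w-]+)(?:/(?P<attr>[\w-]+))?)?'
    r'(?:\.\w+)?="(?P<dn>[^"]*)"'
)


def check_group_clauses(acl_text):
    """Return (group_dn, member_attr, ok, message) for each 'by group' clause."""
    results = []
    for m in GROUP_CLAUSE.finditer(acl_text):
        attr = m.group("attr") or "member"
        syntax = ATTR_SYNTAX.get(attr)
        if syntax is None:
            results.append((m.group("dn"), attr, False, "unknown attribute"))
        elif syntax not in DN_SYNTAXES:
            # This is the condition slapd -t reports as "inappropriate syntax".
            results.append((m.group("dn"), attr, False,
                            "inappropriate syntax: " + syntax))
        else:
            results.append((m.group("dn"), attr, True, "ok"))
    return results


def expand_who(target_regex, entry_dn, who_template):
    """Match entry_dn against a dn.regex target and expand $1..$9 in who_template.

    Returns None when the target does not match, i.e. the ACL does not apply
    to that entry at all and evaluation falls through to the next one.
    """
    m = re.match(target_regex, entry_dn)
    if m is None:
        return None
    return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))) or "", who_template)


# Constructed samples taken from the forms posted in the thread.
POSIX_CLAUSE = ('access to dn.subtree="dc=j9starr,dc=net"\n'
                '  by group/posixGroup/memberUid='
                '"cn=Domain Controllers,ou=Group,dc=j9starr,dc=net" write\n'
                '  by * read\n')
GON_CLAUSE = ('access to dn.subtree="dc=j9starr,dc=net"\n'
              '  by group="cn=Domain Controllers,ou=Group,dc=j9starr,dc=net" write\n'
              '  by * read\n')
PEOPLE_REGEX = r"^([^,]+,)?ou=People,(dc=[^,]+(,dc=[^,]+)*)$"
# As posted: '[^,]' without '+', so only a one-character RDN can precede ou=Contacts.
CONTACTS_REGEX = r"^([^,],)?ou=Contacts,(dc=[^,]+(,dc=[^,]+)*)$"

if __name__ == "__main__":
    for text in (POSIX_CLAUSE, GON_CLAUSE):
        for dn, attr, ok, msg in check_group_clauses(text):
            print(f'group "{dn}" via {attr}: {msg}')
    print(expand_who(PEOPLE_REGEX, "uid=jim,ou=People,dc=j9starr,dc=net",
                     "uid=Administrator,ou=People,$2"))
    print(expand_who(CONTACTS_REGEX, "cn=Bob,ou=Contacts,dc=j9starr,dc=net", "$2"))
```

Run as a script it reports the memberUid clause as failing and the plain groupOfNames clause as passing, and shows that the Contacts rule as posted does not match an entry with a multi-character RDN such as cn=Bob.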
[Samba] Re: Authenticateing DC's on an ldap backend... nobody knows how?
> If I knew what it had to do with devfs, I would have been a lot farther
...
> Mandrake. In order to write a HOWTO for this, I need to have as similar a setup as possible.
>
> ...which goes back into me not yet having mentioned that which has already been tried. :-/ What was tried previously was adding
...
> appropriate log levels for slapd/smbd? I've always had trouble with them which may explain a lot.

OK, I've made some discoveries which may point to the LDAP ACLs I've been using.

1. smbldap scripts cannot create a user account when authenticating as host.
2. smbldap scripts cannot read password information unless the space in "Domain Controllers" is escaped.

Here are my ACLs. They are the new regex based ones provided by Mandrake. I could use some tips on testing them. What should I be looking for in the logs?

The entry in slapd.conf reads like this:

# Define global ACLs to disable default read access.
include /etc/openldap/slapd.access.conf

# Provide write access to replicators, and cover access to any other
# attributes (default anonymous read access may be undesirable)
access to dn.subtree="dc=j9starr,dc=net"
        by group="cn=Replicator,ou=Group,dc=j9starr,dc=net"
        by users read
        by anonymous read

Entries in slapd.access.conf look like this:

# Generic ACLs
# These ACLs should work well for any domain-based (ie dc=,dc=) suffix,
# but need adjustment and testing for any other suffix
# Note that these ACLs allow anonymous read access to most non-password
# attributes, you may want to prevent leakage of this information by
# removing the "by anonymous read" lines

# Protect passwords, using a regex so we can have generic accounts with
# write access
# Openldap will not authenticate against non-userPassword attributes
# but we would have to duplicate most rules ...
access to dn.regex="^([^,]*,)?ou=[^,]+,(dc=[^,]+(,dc=[^,]+)*)$"
        attrs=lmPassword,ntPassword,sambaLMPassword,sambaNTPassword,userPassword
        by self write
        by dn.exact,expand="uid=Administrator,ou=People,$2" write
        by group="cn=Domain\ Controllers,ou=Group,$2" write
        by group="cn=Replicator,ou=Group,$2" write
        by anonymous auth
        by * none

# ACL allowing samba domain controllers to add user accounts
access to dn.regex="^([^,]+,)?ou=People,(dc=[^,]+(,dc=[^,]+)*)$"
        attrs=entry,children,posixAccount,sambaAccount,inetOrgperson,sambaSamAccount
        by dn.exact,expand="uid=Administrator,ou=People,$2" write
        by group="cn=Domain\ Controllers,ou=Group,$2" write
        by group="cn=Replicator,ou=Group,$2" write
        by users read
        by anonymous read

# allow users to modify their own "address book" entries:
access to dn.regex="([^,]+,)?ou=People,(dc=[^,]+(,dc=[^,]+)*)$"
        attrs=inetOrgPerson,mail
        by self write
        by dn.exact,expand="uid=Administrator,ou=People,$2" write
        by group="cn=Domain\ Controllers,ou=Group,$2" write
        by group="cn=Replicator,ou=Group,$2" write
        by users read
        by anonymous read

# Allow samba domain controllers to create groups and group mappings
access to dn.regex="^([^,]+,)?ou=Group,(dc=[^,]+(,dc=[^,]+)*)$"
        attrs=entry,children,posixGroup,sambaGroupMapping
        by dn.exact,expand="uid=Administrator,ou=People,$2" write
        by group="cn=Domain\ Controllers,ou=Group,$2" write
        by group="cn=Replicator,ou=Group,$2" write
        by users read
        by anonymous read

# Allow samba domain controllers to create machine accounts
access to dn.regex="^([^,]+,)?ou=Hosts,(dc=[^,]+(,dc=[^,]+)*)$"
        attrs=entry,children,posixAccount,inetOrgperson,sambaSamAccount
        by dn.exact,expand="uid=Administrator,ou=People,$2" write
        by group="cn=Domain\ Controllers,ou=Group,$2" write
        by group="cn=Replicator,ou=Group,$2" write
        by users read
        by anonymous read

# Allow samba to create idmap entries
access to dn.regex="^([^,]+,)?ou=Idmap,(dc=[^,]+(,dc=[^,]+)*)$"
        attrs=entry,children,sambaIdmapEntry
        by dn.exact,expand="uid=Administrator,ou=People,$2" write
        by group="cn=Domain\ Controllers,ou=Group,$2" write
        by group="cn=Replicator,ou=Group,$2" write
        by users read
        by anonymous read

# Allow users in the domain to add entries to the "global address book":
access to dn.regex="^([^,],)?ou=Contacts,(dc=[^,]+(,dc=[^,]+)*)$"
        attrs=children,entry,inetOrgPerson
        by dn="uid=[^,]+,ou=People,$2" write
        by group="cn=Replicator,ou=Group,$2" write
        by users read
        by anonymous read
[Samba] Re: Authenticateing DC's on an ldap backend... nobody knows how?
>> Folks have been telling me that it is best for one's Domain Controller
...
>> know the security implications so I would rather avoid it.
>
> I still don't know what you have tried, and what it has to do with devfs (shouldn't you be moving away from it to udev?!) But here's what I would do:

If I knew what it had to do with devfs, I would have been a lot farther along by now. What I can tell you is that after making a few of the necessary changes, the initscript that starts devfs will no longer complete on startup. That is the only thing that is wrong that I can find, I just don't understand it. devfs is the system that is used by Mandrake. In order to write a HOWTO for this, I need to have as similar a setup as possible.

> # Create your hashed password:
> % slappasswd
...
> # It's that simple! ;o)
>
> Hope it helps,

Every little bit does. Thank you. :-)

...which goes back into me not yet having mentioned that which has already been tried. :-/ What was tried previously was adding simpleSecurityObject to the domain controller's host entry and then adding the dn of the host entry as a member attribute of the "Domain Controllers" group. This worked for the smbldap scripts but not for the controller itself. I could not log any users in. I'll try again and see if I can get you some errors from the logs.

Can you recommend appropriate log levels for slapd/smbd? I've always had trouble with them which may explain a lot.

Jim C.
[Samba] Re: Authenticateing DC's on an ldap backend... nobody knows how?
Jim C. wrote:

> Folks have been telling me that it is best for one's Domain Controller if it has its own dn for accessing the ldap server rather than using the ldap server's root dn. One of the issues is scalability. If you have several balancing domain controllers, how do you know which one has made changes to the database? They will all show up in the logs as the root dn unless you have it set up otherwise.
>
> What I've been hearing is that one does this by adding the simpleSecurityObject to a host record so that it now has a password. Then you include the dn of that host record as a member of the group 'Domain Controllers' and set up the LDAP ACLs so that this group has access.
>
> I can't get it to work to save my life. For one thing, when I set it up I frequently have problems with devfsd on startup. Basically it simply never completes so the startup process hangs. If I comment out the line below in /etc/devfsd.conf then devfsd will start but I don't know the security implications so I would rather avoid it.

I still don't know what you have tried, and what it has to do with devfs (shouldn't you be moving away from it to udev?!) But here's what I would do:

# Create your hashed password:
% slappasswd
New password:
Re-enter new password:
{SSHA}

# Create your Samba admin DN:
% ldapadd -W -D
Enter LDAP Password:
dn: cn=dadmin,dc=yourdomain,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: dadmin
userPassword: {SSHA}
^D

# Verify that you can login with it by looking at yourself:
% ldapsearch -W -D cn=dadmin,dc=yourdomain,dc=com -s base -b "cn=dadmin,dc=yourdomain,dc=com"
Enter LDAP Password:
dn: cn=dadmin,dc=yourdomain,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: dadmin
userPassword:

# Verify that you don't have access to password fields yet.
# Don't worry if you have - it's just a security breach.
# You'll fix it in the next steps.
% ldapsearch -W -D cn=dadmin,dc=yourdomain,dc=com -s base -b "uid=user,ou=People,dc=yourdomain,dc=com"
Enter LDAP Password:
dn: uid=user,ou=People,dc=yourdomain,dc=com
uid: user
cn: Simple User
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
objectClass: sambaSamAccount
shadowLastChange: 11740
shadowMax: 9
shadowWarning: 7
loginShell: /bin/zsh
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/user
gecos: Simple User,,,
sambaSID: -3000
sambaPrimaryGroupSID: -3001
displayName: Simple User,,,
sambaPasswordHistory:
sambaAcctFlags: [U          ]
sambaKickoffTime: 0
sambaLogonHours: FF
sambaPwdCanChange: 1095895480
sambaPwdMustChange: 1097709880
sambaPwdLastSet: 1095895480

# Add the following lines for your 'backend' in your slapd.conf
# Those are special lines for LM and NT password and restricted
# write access to trees written in your smb.conf as ldap suffixes.
# If you already have records for those fields you'll just need
# to add 'by dn="cn=dadmin,dc=yourdomain,dc=com" write' to them.
# read man slapd.access for details
access to attrs=SambaLMPassword,SambaNTPassword
        by dn="cn=dadmin,dc=yourdomain,dc=com" write
        by self write
        by * none
access to dn.subtree="ou=People,dc=yourdomain,dc=com"
        by dn="cn=dadmin,dc=yourdomain,dc=com" write
        by * read
access to dn.subtree="ou=Group,dc=yourdomain,dc=com"
        by dn="cn=dadmin,dc=yourdomain,dc=com" write
        by * read
access to dn.subtree="ou=Computers,dc=yourdomain,dc=com"
        by dn="cn=dadmin,dc=yourdomain,dc=com" write
        by * read

# Restart slapd and see if your "cn=dadmin,dc=yourdomain,dc=com"
# can now see the LM and NT password fields of
# "cn=user,ou=People,dc=yourdomain,dc=com" by repeating the last
# search
# You can also check that "cn=dadmin,dc=yourdomain,dc=com" has write
# access by changing something:
% ldapmodify -W -D "cn=dadmin,dc=yourdomain,dc=com"
Enter LDAP Password:
dn: cn=user,ou=People,dc=yourdomain,dc=com
changetype: modify
replace: gecos
gecos: Not that Simple User
^D

# Now edit your smb.conf to change 'ldap admin dn':
ldap admin dn = cn=dadmin,dc=yourdomain,dc=com

# Update the password Samba uses with this DN:
% smbpasswd -w

# Restart Samba and it will use this new non-root DN

# After that you can start playing with LDAP groups.
# But I'm not that familiar with them. I suspect that
# you will need to change your access line
# 'by dn="cn=dadmin,dc=yourdomain,dc=com" write'
# for all access statements to the following:
by group="cn=Domain Controllers,dc=yourdomain,dc=com" write

# Then add this group to LDAP with your Admin DN in its member field:
% ldapadd -W -D
Enter LDAP Password:
dn: cn=Domain Controllers,dc=yourdomain,dc=com
objectClass: groupOfNames
cn: Domain Controllers
member: cn=dadmin,dc=yourdomain,dc=com
^D

# Restart slapd and check that you still have access to
# LM and NT passwords and can change fi
[Samba] Re: Authenticateing DC's on an ldap backend... nobody knows how?
> I can answer most questions. There are no secrets, just some things that you could help to better document - if you feel so inclined.

Precisely what I intend.

> On the other hand, most of us are rather busy people and give our
...
> down.

Well, I've been bashing at this issue for quite some time. Several months off and on, actually. Now I'm unemployed again (my contract ended) and I would like to update the Mandrake Samba 3 HOWTO with a more proper dn for accessing the database. Due to my personal poverty though, I will not be hiring anyone.

Here is what I wrote to the other gentleman who responded. Somehow it did not get posted:

OK, let me take another shot.

Folks have been telling me that it is best for one's Domain Controller if it has its own dn for accessing the ldap server rather than using the ldap server's root dn. One of the issues is scalability. If you have several balancing domain controllers, how do you know which one has made changes to the database? They will all show up in the logs as the root dn unless you have it set up otherwise.

What I've been hearing is that one does this by adding the simpleSecurityObject to a host record so that it now has a password. Then you include the dn of that host record as a member of the group 'Domain Controllers' and set up the LDAP ACLs so that this group has access.

I can't get it to work to save my life. For one thing, when I set it up I frequently have problems with devfsd on startup. Basically it simply never completes so the startup process hangs. If I comment out the line below in /etc/devfsd.conf then devfsd will start but I don't know the security implications so I would rather avoid it.

Jim C.

P.S. As always, Mr. Terpstra, your personal attention is greatly appreciated. Really, I just can't express how much since learning things like Samba might someday be a way out of my own desperately poor personal circumstances. THANK YOU. :-)
[Samba] Re: Authenticateing DC's on an ldap backend... nobody knows how?
Paul Gienger wrote:

> Jim C. wrote:
>
>> Doesn't anyone here know how to authenticate hosts in the group 'Domain Controllers' such that you don't have to set 'ldap admin dn' to the ldap server's root dn? What's the big deal? Why is this such a secret? Every time I ask about it I get dead silence. It doesn't seem to matter what list I am on either.
>
> Well if that's the way you're asking the question it's probably because no one can understand what you're talking about and they are too busy answering well formed questions to ask for clarification.

I also do not understand what "authenticate hosts into the group 'Domain Controllers'" means. Answering this question will answer what fields you would need to update to do it, and then in its turn it will answer what 'access' string you need to add to your LDAP configuration for your non-root dn to have 'write' access to those fields.

Igor