[Samba] smbpasswd + ldap -- changing stuff it shouldn't
Brian Nelson
bnelson at cis.ysu.edu
Mon May 13 16:49:02 GMT 2002
Using samba with --enable-ldapsam...
When changing a user's password with smbpasswd 'username', I get this error:
failed to modify user with uid = bnelson with: Insufficient access
Insufficient 'write' privilege to the 'uid' attribute of entry
'uid=bnelson,ou=People [...]'.
Looking at a snoop of the network, it seems like smbpasswd is trying to modify
ALL of these attributes:
uid
pwdLastSet
logonTime
logoffTime
kickoffTime
pwdCanChange
pwdMustChange
displayName
cn
rid
primaryGroupID
lmPassword
ntPassword
acctFlags
Most of these I understand, but some (cn, uid, displayName, rid, and
primaryGroupID) should not be changed just to update the password.
I understand that smbpasswd can be used to add users to ldap, which is ok, and
that those attributes would be added/modified then, but I don't plan to do that,
and I only want the sambaadmin account to be able to modify the samba-related
stuff (not uid or cn, etc.).
My thought is this: those five attributes should be modified only in the -a
(add user) mode, and even then, ONLY if they do not already exist (i.e. a
completely new/blank user). Running a -a against an already existing posix user
(or otherwise) should only add the samba bits and the sambaAccount objectclass,
and still not touch uid or cn, as these are often authoritatively controlled
elsewhere.
Also, attribs that aren't different shouldn't really be re-modified, i.e. only
change them if the new value is different. It looks like smbpasswd pushes most
of this stuff unconditionally.
This seems to be the case with objectclass, as it only seems to attempt to add
the sambauser class if it is NOT already there.
This is just my opinion :) Please tell me if there is some reasoning I am
missing.
-Brian
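The behaviour argued for above, written out as an added example (this is not Samba's code and not part of the original post): build the LDAP modify list for a password change from only the attributes whose value actually differs, never rewrite uid/cn/displayName/rid/primaryGroupID on an existing entry, and check the result against the attributes the sambaadmin bind DN is assumed to be allowed to write. The entry, hashes and writable set below are constructed placeholders.

```python
# Added example, not Samba code. Attribute names follow the ldapsam schema
# listed in the post; the directory entry and hash values are constructed.

IDENTITY_ATTRS = {"uid", "cn", "displayName", "rid", "primaryGroupID"}
# Assumed ACL: what the sambaadmin DN may write (samba-related bits only)
SAMBA_WRITABLE = {"lmPassword", "ntPassword", "pwdLastSet", "pwdCanChange",
                  "pwdMustChange", "logonTime", "logoffTime", "kickoffTime",
                  "acctFlags", "objectClass"}
MOD_ADD, MOD_REPLACE = "add", "replace"


def build_modlist(current, desired, creating=False):
    """Return [(op, attr, value)] covering only attributes that really change.

    current  -- attr -> value as read back from the directory ({} if absent)
    desired  -- attr -> value smbpasswd wants stored
    creating -- True only when the entry does not exist yet (smbpasswd -a on a
                user who is not in the directory at all)
    """
    mods = []
    for attr, value in desired.items():
        if attr in IDENTITY_ATTRS and not creating:
            continue                      # uid/cn/... are owned elsewhere
        old = current.get(attr)
        if old == value:
            continue                      # unchanged: nothing to send
        mods.append((MOD_ADD if old is None else MOD_REPLACE, attr, value))
    # objectclass: add sambaAccount only when missing (as smbpasswd already does)
    if "sambaAccount" not in current.get("objectClass", []):
        mods.append((MOD_ADD, "objectClass", "sambaAccount"))
    return mods


def check_acl(mods, writable=SAMBA_WRITABLE):
    """Attributes the bind DN would get 'Insufficient access' on, sorted."""
    return sorted({attr for _, attr, _ in mods if attr not in writable})


# Constructed entry for uid=bnelson and the full set smbpasswd pushes
EXISTING = {"objectClass": ["posixAccount", "sambaAccount"], "uid": "bnelson",
            "cn": "Brian Nelson", "displayName": "Brian Nelson", "rid": "3000",
            "primaryGroupID": "513", "lmPassword": "OLDLMHASH",
            "ntPassword": "OLDNTHASH", "pwdLastSet": "1021200000",
            "acctFlags": "[U ]"}
PASSWORD_CHANGE = dict(EXISTING, lmPassword="NEWLMHASH", ntPassword="NEWNTHASH",
                       pwdLastSet="1021300000")
del PASSWORD_CHANGE["objectClass"]      # smbpasswd handles objectclass itself

if __name__ == "__main__":
    mods = build_modlist(EXISTING, PASSWORD_CHANGE)
    print(mods, check_acl(mods))        # three replaces, no ACL violations
```

Feeding the unconditional attribute set straight to check_acl reproduces the refusal on uid (and cn, displayName, rid, primaryGroupID) that the error message above shows.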