[Samba] smbpasswd -w account
Widi Pradnyana
zelephoeck at inf.its-sby.edu
Wed Jan 7 15:54:00 GMT 2004
Hi,
I've set up Samba NT based networks with an OpenLDAP database.
But for Samba's operations to work when fetching data from LDAP, it should have
an account on LDAP that is able to write some objects, such as passwords
(when changing passwd) or object creation (when registering or joining the
directory). The scope of this account is strong enough for any containers
on the directory, such as Admins, Groups, Users, and Computers. I think this
account is as powerful as the default admin of the LDAP.
The problems are:
1. the password string given after 'smbpasswd -w xxx' is visible with a
simple read of secrets.tdb
2. this account is dangerous enough to LDAP administration because of its
power over some wide objects (able to change other attributes)
3. so how to make this LDAP secure (with access lists in slapd.conf? or in
the samba conf?)
Below are parts of my confs. Are they secure enough?
.....
passdb backend = ldapsam:ldap://10.126.13.88:389/
ldap suffix = dc=ta,dc=its-sby,dc=edu
ldap machine suffix = ou=AJK-ITS,ou=Computers
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldap admin dn = "cn=common,dc=ta,dc=its-sby,dc=edu"
ldap passwd sync = yes
ldap delete dn = yes
ldap filter = (&(uid=%u)(objectclass=sambaSamAccount))
...
access lists:
access to dn.subtree="ou=AJK-ITS,ou=Computers,dc=ta,dc=its-sby,dc=edu"
    by dn="cn=common,dc=ta,dc=its-sby,dc=edu" write
    by dn="uid=domainadminajkits,ou=Admins,dc=ta,dc=its-sby,dc=edu" write
    by dn="cn=admin,dc=ta,dc=its-sby,dc=edu" write
    by * none
access to dn.subtree="ou=AJK-WIN,ou=Computers,dc=ta,dc=its-sby,dc=edu"
    by dn="cn=common,dc=ta,dc=its-sby,dc=edu" write
    by dn="uid=domainadminajkwin,ou=Admins,dc=ta,dc=its-sby,dc=edu" write
    by dn="cn=admin,dc=ta,dc=its-sby,dc=edu" write
    by * none
access to dn.subtree="ou=Users,dc=ta,dc=its-sby,dc=edu"
    attrs=userPassword,sambaNTPassword,sambaAcctFlags,sambaLMPassword,sambaPwdLastSet,sambaPwdCanChange,entryCSN,modifiersName,modifyTimestamp
    by dn="cn=admin,dc=ta,dc=its-sby,dc=edu" write
    by dn="cn=common,dc=ta,dc=its-sby,dc=edu" write
    by anonymous auth
    by self write
    by * none
access to dn.subtree="ou=Computers,dc=ta,dc=its-sby,dc=edu"
    attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdCanChange,entryCSN,modifiersName,modifyTimestamp
    by dn="cn=admin,dc=ta,dc=its-sby,dc=edu" write
    by dn="cn=common,dc=ta,dc=its-sby,dc=edu" write
    by anonymous auth
    by self write
    by * none
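An added example (not from the post or from Samba/OpenLDAP): a small Python model of how slapd evaluates these access lists (first matching "access to" clause wins, then the first matching "by" clause within it), so the effective rights of the ldap admin dn and of ordinary users can be checked against the ACLs above. It assumes case-insensitive DN comparison, models only dn.subtree targets, attrs= lists and dn=/self/anonymous/* who-clauses, and assumes slapd's default of "access to * by * read" when nothing matches.

```python
import re

# slapd access levels in order; a "by" clause grants its level and everything below it.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# Constructed input: two of the ACLs from the post (AJK-ITS machines, and the
# password attributes under ou=Users) in slapd.conf syntax.
SLAPD_ACLS = '''
access to dn.subtree="ou=AJK-ITS,ou=Computers,dc=ta,dc=its-sby,dc=edu"
    by dn="cn=common,dc=ta,dc=its-sby,dc=edu" write
    by dn="uid=domainadminajkits,ou=Admins,dc=ta,dc=its-sby,dc=edu" write
    by * none
access to dn.subtree="ou=Users,dc=ta,dc=its-sby,dc=edu" attrs=userPassword,sambaNTPassword,sambaLMPassword
    by dn="cn=common,dc=ta,dc=its-sby,dc=edu" write
    by anonymous auth
    by self write
    by * none
'''

def parse_acls(text):
    """Return [(subtree_dn, attrs_or_None, [(who, level), ...])] in file order."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("access to"):
            subtree = re.search(r'dn\.subtree="([^"]+)"', line).group(1).lower()
            m = re.search(r"attrs=(\S+)", line)
            attrs = {a.lower() for a in m.group(1).split(",")} if m else None
            rules.append((subtree, attrs, []))   # no attrs= means every attribute
        elif line.startswith("by "):
            who, level = line[3:].rsplit(" ", 1)
            rules[-1][2].append((who, level))
    return rules

def allowed(rules, requester, entry_dn, attr, wanted):
    """Does requester (bind DN, or None for anonymous) get `wanted` access to
    attr of entry_dn? First matching target decides; no matching "by" = deny."""
    entry_dn, req = entry_dn.lower(), (requester or "").lower()
    for subtree, attrs, whos in rules:
        if not (entry_dn == subtree or entry_dn.endswith("," + subtree)):
            continue
        if attrs is not None and attr.lower() not in attrs:
            continue
        for who, level in whos:
            if (who == "*" or (who == "anonymous" and requester is None)
                    or (who == "self" and requester is not None and req == entry_dn)
                    or (who.startswith('dn="') and req == who[4:-1].lower())):
                return LEVELS.index(level) >= LEVELS.index(wanted)
        return False
    # Assumption: nothing matched, so slapd's built-in default "access to * by * read".
    return LEVELS.index("read") >= LEVELS.index(wanted)

RULES = parse_acls(SLAPD_ACLS)
```

With these two rules the samba admin dn can write the listed password attributes of a user but not, for example, a user's mail attribute (the default read applies), and one user cannot read another's sambaNTPassword.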