[Samba] Re: Authenticateing DC's on an ldap backend... nobody knows how?

Jim C. jcllings at javahop.com
Wed Sep 29 17:08:43 GMT 2004


> If I knew what it had to do with devfs, I would have been alot farther 
...
> Mandrake.  In order to write a HOWTO for this, I need to have as similar 
> a setup as possible.
> ...which goes back into me not yet having mentioned that which has 
> already been tried. :-/  What was tried previously was adding 
...
> appropriate log levels for slapd/smbd?  I've always had trouble with 
> them which may explain a lot.

OK, I've made some discoveries which may point to the LDAP acls I've 
been using.

1. smbldap scripts cannot create a user account when authenticateing as 
host.
2. smbldap scripts cannot read password information unless space in 
"Domain Controllers" is escaped.

Here are my acls.  They are the new regex based ones provided by 
Mandrake. I could use some tips on testing them.  What should I be 
looking for in the logs?

The entry in slapd.conf reads like this:
> # Define global ACLs to disable default read access.
> include         /etc/openldap/slapd.access.conf
> # Provide write access to replicators, and cover access to any other
> # attributes (default anonymous read access may be undesirable)
> access to dn.subtree="dc=j9starr,dc=net"
>         by group="cn=Replicator,ou=Group,dc=j9starr,dc=net"
>         by users read
>         by anonymous read

Entries in slapd.access.conf looks like this:

> # Generic ACLs
> # These ACLs should work well for any domain-based (ie dc=,dc=) suffix,
> # but need adjustment and testing for any other suffix
> # Note that these ACLs allow anonymouse read access to most non-password
> # attributes, you may want to prevent leakage of this information by
> # removing the "by anonymous read" lines
> 
> # Protect passwords, using a regex so we can have generic accounts with
> # write access
> # Openldap will not authenticate against non-userPassword attributes
> # but we would have to duplicate most rules ...
> access to dn.regex="^([^,]*,)?ou=[^,]+,(dc=[^,]+(,dc=[^,]+)*)$"
>         attrs=lmPassword,ntPassword,sambaLMPassword,sambaNTPassword,userPassword
>         by self write
>         by dn.exact,expand="uid=Administrator,ou=People,$2" write
>         by group="cn=Domain\ Controllers,ou=Group,$2" write
>         by group="cn=Replicator,ou=Group,$2" write
>         by anonymous auth
>         by * none
> 
> # ACL allowing samba domain controllers to add user accounts
> access to dn.regex="^([^,]+,)?ou=People,(dc=[^,]+(,dc=[^,]+)*)$"
>         attrs=entry,children,posixAccount,sambaAccount,inetOrgperson,sambaSamAccount
>         by dn.exact,expand="uid=Administrator,ou=People,$2" write
>         by group="cn=Domain\ Controllers,ou=Group,$2" write
>         by group="cn=Replicator,ou=Group,$2" write
>         by users read
>         by anonymous read
> 
> # allow users to modify their own "address book" entries:
> access to dn.regex="([^,]+,)?ou=People,(dc=[^,]+(,dc=[^,]+)*)$"
>         attrs=inetOrgPerson,mail
>         by self write
>         by dn.exact,expand="uid=Administrator,ou=People,$2" write
>         by group="cn=Domain\ Controllers,ou=Group,$2" write
>         by group="cn=Replicator,ou=Group,$2" write
>         by users read
>         by anonymous read
> 
> # Allow samba domain controllers to create groups and group mappings
> access to dn.regex="^([^,]+,)?ou=Group,(dc=[^,]+(,dc=[^,]+)*)$"
>         attrs=entry,children,posixGroup,sambaGroupMapping
>         by dn.exact,expand="uid=Administrator,ou=People,$2" write
>         by group="cn=Domain\ Controllers,ou=Group,$2" write
>         by group="cn=Replicator,ou=Group,$2" write
>         by users read
>         by anonymous read
> 
> # Allow samba domain controllers to create machine accounts
> access to dn.regex="^([^,]+,)?ou=Hosts,(dc=[^,]+(,dc=[^,]+)*)$"
>         attrs=entry,children,posixAccount,inetOrgperson,sambaSamAccount
>         by dn.exact,expand="uid=Administrator,ou=People,$2" write
>         by group="cn=Domain\ Controllers,ou=Group,$2" write
>         by group="cn=Replicator,ou=Group,$2" write
>         by users read
>         by anonymous read
> 
> # Allow samba to create idmap entries
> access to dn.regex="^([^,]+,)?ou=Idmap,(dc=[^,]+(,dc=[^,]+)*)$"
>         attrs=entry,children,sambaIdmapEntry
>         by dn.exact,expand="uid=Administrator,ou=People,$2" write
>         by group="cn=Domain\ Controllers,ou=Group,$2" write
>         by group="cn=Replicator,ou=Group,$2" write
>         by users read
>         by anonymous read
> 
> # Allow users in the domain to add entries to the "global address book":
> access to dn.regex="^([^,],)?ou=Contacts,(dc=[^,]+(,dc=[^,]+)*)$"
>        attrs=children,entry,inetOrgPerson
>         by dn="uid=[^,]+,ou=People,$2" write
>         by group="cn=Replicator,ou=Group,$2" write
>         by users read
>         by anonymous read


-- 

-----------------------------------------------------------------
| I can be reached on the following Instant Messenger services: |
|---------------------------------------------------------------|
| MSN: j_c_llings at hotmail.com  AIM: WyteLi0n  ICQ: 123291844 	|
|---------------------------------------------------------------|
| Y!: j_c_llings               Jabber: jcllings at njs.netlab.cz	|
-----------------------------------------------------------------



More information about the samba mailing list