[Samba] Re: SAMBA3 + LDAP

mallapadi niranjan niranjan.ashok at gmail.com
Wed Dec 21 13:56:37 GMT 2005


Hi paul

Thanks for guiding me.

I am creating a PDC and 2 BDC's with samba3 with LDAP,

Sorry if this is a silly question; since I am new, guide me.

1) What all default ACLs need to be written in slapd.conf, apart from
users changing passwords, with respect to the Samba 3 LDAP schema?
I have only these OUs, which come with the smbldap tools:
Domain Admins, Domain Groups, People, Groups, Computers, IDMAP.

2) I have a PDC and some other system as a file server, i.e. I want folders on
another system as the default home drive, which I want to write in the logon
script, so the user is redirected to his home drive on the other system. Should I
install Samba on that system also, or should I do an NFS mount?
And I have about 500 groups, and I want folders in the file systems on the file
server to be mapped as drives, which probably I will do with a logon script,
but the confusion is how do I go about it.

3) If I use NFS, I want the NFS mount to be with ACL support, so that I can use
setfacl and getfacl on the file server.

4) I want to create 2 BDCs; is it possible to synchronize PDC -> BDC
and BDC -> PDC, i.e. if I make any changes on the BDCs, will they get reflected on
the PDC also?

Kindly guide me.

Regards
Niranjan



On 12/20/05, paul kölle <paul at subsignal.org> wrote:
>
> mallapadi niranjan wrote:
> > Hi
> >
> > Thanks for replying to me. In the ACL below
> > #####################################################################
> > #access to dn.base="dc=msdpl,dc=com"
> >
> >>access to attrs=sambaLMPassword,sambaNTPassword
> >>>        by dn="uid=.*,ou=People,dc=msdpl,dc=com" write
> >>>        by dn="uid=.*,ou=Domain Admins,dc=msdpl,dc=com" read
> >>>        by * none
> >>>access to attr=userPassword
> >>>        by dn="uid=.*,ou=People,dc=msdpl,dc=com" write
> >>>        by self write
> >>>        by anonymous auth
> >>>        by * none
> >>>access to *
> >>>        by * read
> >
> >
> >
> > #######################################################################
> > In by dn="uid=.*,ou=Domain Admins,dc=msdpl,dc=com" read, if I keep
> > read/write it's not affecting.
> >
> > So I have changed my ACLs:
> >
> >
> #########################################################################
> > access to dn.base="dc=msdpl,dc=com"
> >  attrs=sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaPwdMustChange,
> >  objectClass,entry,homeDirectory,uid,uidNumber,gidNumber,memberUid,description,
> >  telephoneNumber,roomNumber,homePhone,loginShell,gecos,cn,sn,givenname
> >  by dn="uid=.*,ou=People,dc=msdpl,dc=com" write
> >  by dn="uid=.*,ou=Groups,dc=msdpl,dc=com" write
> >  by dn="uid=.*,ou=Domain Admins,dc=msdpl,dc=com" write
> >  by self write
> >  by anonymous auth
> >  by * none
> that is write access to samba password hashes to everyone in the
> ou=People container again. They are basically cleartext equivalent. ACLs
> are evaluated "in order", first match rules. So to protect passwords you
> could write something like (OTOH):
>
> access to attrs=sambaLMPassword,sambaNTPassword,userPassword
> by self write
> by dn.regex="uid=[^,]+,ou=Domain Admins,dc=msdpl,dc=com" write
> by anonymous auth
> by * none
>
> access to *
> by self write
> by dn.regex="uid=[^,]+,ou=Domain Admins,dc=msdpl,dc=com" write
> by * read
>
> Note that this is NOT suitable for your environment and only serves as
> an example as you probably want to prevent users from messing with
> attributes enforcing a particular policy (like pwdMustChange). As Craig
> noted, the uid=.*,ou=Domain Admins,... part doesn't make sense. If you
> want group based access control you need the <expand> syntax. Read the
> manpage for access control (man slapd.access).
>
> cheers
> Paul
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/listinfo/samba
>
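
To make Paul's first-match point concrete, here is a small Python model of
slapd-style access evaluation. It is added to this thread and is not code
from the original posts or from OpenLDAP: it only models the subset of
slapd.access(5) the reply relies on (clauses tried in file order, the first
clause covering the attribute is used, the first matching "by" inside it
decides the level). The user DNs, the treatment of the "by dn=" patterns as
regexes, and the reduced attribute lists are constructed assumptions; the
dn.base scoping on the original clause, stop/continue controls and the
<expand> group syntax are deliberately left out.

```python
"""Toy first-match evaluator for slapd-style access clauses (added example).

Models only: clauses in order, first clause whose <what> covers the
attribute is used, first <by> whose <who> matches the requester decides.
Not a substitute for slapd.access(5).
"""
import re

# Access levels in increasing order, as in slapd.access(5).
LEVELS = ["none", "auth", "compare", "search", "read", "write"]


def at_least(granted, wanted):
    """True if the granted level covers the wanted level."""
    return LEVELS.index(granted) >= LEVELS.index(wanted)


def who_matches(who, requester_dn, target_dn):
    """Match one <who> clause. requester_dn is None for an anonymous bind."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester_dn is None
    if who == "users":
        return requester_dn is not None
    if who == "self":
        return requester_dn is not None and requester_dn == target_dn
    if who.startswith("dn.regex="):
        pattern = who[len("dn.regex="):]
        # Anchored match is a simplification chosen for this toy model.
        return requester_dn is not None and re.fullmatch(pattern, requester_dn) is not None
    raise ValueError(f"unsupported <who>: {who}")


def evaluate(acl, requester_dn, target_dn, attr):
    """Return the access level the requester gets on attr of target_dn.

    acl is a list of (attrs, by_rules): attrs is a set of attribute names
    or "*", by_rules is a list of (who, level) in file order.
    """
    for attrs, by_rules in acl:
        if attrs != "*" and attr not in attrs:
            continue          # this clause does not cover the attribute
        for who, level in by_rules:
            if who_matches(who, requester_dn, target_dn):
                return level  # first matching <by> wins; later clauses are never consulted
        return "none"         # clause matched but no <by> did: implicit "by * none"
    return "none"             # nothing matched: slapd default


BASE = "dc=msdpl,dc=com"
PASSWORD_ATTRS = {"sambaLMPassword", "sambaNTPassword", "userPassword"}

# The ACL from the question, reduced to the rules that matter here (assumption:
# the "uid=.*,ou=People" pattern is read as matching everyone under ou=People).
ORIGINAL_ACL = [
    (PASSWORD_ATTRS | {"homeDirectory", "loginShell"}, [
        (f"dn.regex=uid=[^,]+,ou=People,{BASE}", "write"),
        ("self", "write"),
        ("anonymous", "auth"),
        ("*", "none"),
    ]),
    ("*", [("*", "read")]),
]

# The shape Paul proposes: password attributes first, self and admins only.
PROTECTED_ACL = [
    (PASSWORD_ATTRS, [
        ("self", "write"),
        (f"dn.regex=uid=[^,]+,ou=Domain Admins,{BASE}", "write"),
        ("anonymous", "auth"),
        ("*", "none"),
    ]),
    ("*", [
        ("self", "write"),
        (f"dn.regex=uid=[^,]+,ou=Domain Admins,{BASE}", "write"),
        ("*", "read"),
    ]),
]

# Constructed sample identities.
ALICE = f"uid=alice,ou=People,{BASE}"
BOB = f"uid=bob,ou=People,{BASE}"
ADMIN = f"uid=root,ou=Domain Admins,{BASE}"


def can_reset_other_users_hash(acl):
    """Can an ordinary user overwrite another user's NT hash?"""
    return at_least(evaluate(acl, ALICE, BOB, "sambaNTPassword"), "write")


def anonymous_can_read_hash(acl):
    """Can an unauthenticated bind read a stored hash (auth-only should say no)?"""
    return at_least(evaluate(acl, None, BOB, "sambaNTPassword"), "read")


if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL_ACL), ("protected", PROTECTED_ACL)):
        print(name,
              "alice->bob hash:", evaluate(acl, ALICE, BOB, "sambaNTPassword"),
              "| anon->bob hash:", evaluate(acl, None, BOB, "sambaNTPassword"),
              "| admin->bob hash:", evaluate(acl, ADMIN, BOB, "sambaNTPassword"),
              "| alice->bob cn:", evaluate(acl, ALICE, BOB, "cn"))
```

Running it shows the difference Paul is pointing at: under the original
ordering the "by dn=...ou=People... write" line matches before "by self",
so alice gets write on bob's hash; under the reordered ACL only self and
the admin pattern reach write, anonymous is limited to auth, and the
catch-all read clause is never reached for the password attributes because
the earlier clause already matched.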