[Samba] ACL's for smbpasswd to work?

Craig White craigwhite at azapple.com
Thu Jan 27 07:20:20 GMT 2005

On Wed, 2005-01-26 at 13:12 -0600, Tim Tyler wrote:
>    Samba experts,
>      Thanks to advice from this list, I am finally able to get smbpasswd to 
> change ldap passwords for the Samba LM/NT passwords.   However, I had to 
> give write access to sambaPwdLastSet and sambaPwdCanChange attributes as 
> well.  Other Samba attributes don't seem to need write access.  I have 
> found plenty of examples with people assigning an ACL for sambaLMPassword 
> and sambaNTPassword, but I haven't found examples that included other 
> attributes such as sambaPwdLastSet and sambaPwdCanChange.
>    Can someone explain why these fields need write access while there is so 
> little documentation suggesting it (if any)?  I guess I am not surprised 
> that they need write access as much as I am surprised there is so little 
> documentation suggesting it.

There's a lot of us 'in school' trying to use LDAP without fully
understanding it and of course, there really isn't any standard way to
do things.

The ldap admin dn really needs full read/write access to all areas that dn
is to manage, and any restrictions are gonna cause trouble.

Generally, ACLs that restrict attributes such as sambaLMPassword and
sambaNTPassword aren't for restricting activity by the ldap admin dn in
smb.conf but to restrict all other access attempts.

I think the general consensus is that the samba developers have their
hands full with samba and learning how to implement/secure/use LDAP is
pretty much the end user's responsibility.
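
The two ACL approaches discussed in this thread, as an added example that is not part of the original post or of the Samba documentation. It assumes OpenLDAP slapd.conf syntax (2.2 or later), and the DN cn=samba-admin,dc=example,dc=com is a placeholder for whatever "ldap admin dn" is set to in smb.conf.

```conf
# Added example: slapd.conf ACLs (OpenLDAP 2.2+ syntax assumed).
# cn=samba-admin,dc=example,dc=com is a placeholder for the
# "ldap admin dn" configured in smb.conf.
#
# slapd uses the first "access to" clause that matches the target and,
# inside it, the first "by" clause that matches the requester. Order matters.

# --- Approach from the question (shown commented out) -------------------
# The Samba DN is granted write on named attributes only, so every
# attribute smbpasswd modifies must be listed. Listing only the two hash
# attributes is what made the password change fail until sambaPwdLastSet
# and sambaPwdCanChange were added.
#
#access to attrs=sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaPwdCanChange
#    by dn.exact="cn=samba-admin,dc=example,dc=com" write
#    by * none

# --- Approach from the reply ---------------------------------------------
# 1. Password material: the Samba DN writes it, nobody else can read it.
#    userPassword is included here as an assumption (it is not mentioned
#    in the thread) so that simple binds still work via "anonymous auth".
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
    by dn.exact="cn=samba-admin,dc=example,dc=com" write
    by anonymous auth
    by * none

# 2. Everything else: the Samba DN has full read/write over the entries
#    it manages, so attributes such as sambaPwdLastSet and
#    sambaPwdCanChange need no separate rule. Other authenticated
#    clients get read access only.
access to *
    by dn.exact="cn=samba-admin,dc=example,dc=com" write
    by users read
    by * none
```

Rule 1 has to come before rule 2: if the catch-all clause were listed first, it would match the hash attributes as well and expose them to every authenticated client.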


