[Samba] Re: OpenLDAP and SAMBA

paul kölle paul at subsignal.org
Tue Nov 15 11:44:09 GMT 2005


Miguel Lopez wrote:
> access to *
> by self write
> by dn="cn=Administrador,dc=NT,dc=DPT,dc=ES" write
> by * read
> 
> 
> access to attr=sambaLMPassword,sambaNTPassword
> by dn="cn=Administrador,dc=BECARIOS,dc=DPT,dc=ES" write
> by * none
> 
> access to attr=userpassword
> by self write
> by * read
> 
You need to fix those ACLs; they are evaluated "in order". The first
match wins. Your first rule gives read access to everyone to all
attributes, including sambaLMPassword, sambaNTPassword and userPassword.
Put the password restrictions on top of your ACL list.

cheers
 Paul

BTW: WRT the logon problem, you can narrow things down by viewing samba
and ldap log files to see if the correct object is looked up in the
directory and if the correct attributes are returned. "loglevel 128"
will give you logs of ACL evaluation for ldap (yes, they are confusing
at first).
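As an added illustration of the first-match evaluation described above (example code written for this page, not from the original thread or from OpenLDAP itself), the following Python model parses the quoted slapd.conf ACL stanzas and reports what access an anonymous client, the entry's own DN and the administrator DN obtain, first with the original ordering and then with the password rules moved to the top. The entry DN `uid=jdoe,dc=NT,dc=DPT,dc=ES` is constructed; the administrator DNs are the ones from the quoted configuration. The evaluator is a deliberately simplified model of slapd's semantics (the first `access to` rule whose target covers the attribute is the only one consulted, the first matching `by` clause decides, and a rule with no matching clause behaves as `by * none`); it does not handle filters, regexes, `dn.subtree` or other selector forms.

```python
"""Simplified model of OpenLDAP slapd.conf ACL evaluation: first match wins.

Constructed example for this thread, not code from the original post or from
OpenLDAP. Supported subset: targets `*` and `attr=<list>` (or `attrs=`),
subjects `self`, `dn="<dn>"` and `*`, access levels none..write.
"""
import re
import shlex

# OpenLDAP access levels, weakest to strongest; a higher level implies the lower ones.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

# The ACLs exactly as quoted in the thread.
ORIGINAL_ACLS = """
access to *
 by self write
 by dn="cn=Administrador,dc=NT,dc=DPT,dc=ES" write
 by * read

access to attr=sambaLMPassword,sambaNTPassword
 by dn="cn=Administrador,dc=BECARIOS,dc=DPT,dc=ES" write
 by * none

access to attr=userpassword
 by self write
 by * read
"""

# Same rules, reordered as Paul suggests: attribute-specific rules first, catch-all last.
REORDERED_ACLS = """
access to attr=sambaLMPassword,sambaNTPassword
 by dn="cn=Administrador,dc=BECARIOS,dc=DPT,dc=ES" write
 by * none

access to attr=userpassword
 by self write
 by * read

access to *
 by self write
 by dn="cn=Administrador,dc=NT,dc=DPT,dc=ES" write
 by * read
"""

ENTRY = "uid=jdoe,dc=NT,dc=DPT,dc=ES"                      # constructed user entry
ADMIN_NT = "cn=Administrador,dc=NT,dc=DPT,dc=ES"            # from the quoted config
ADMIN_BECARIOS = "cn=Administrador,dc=BECARIOS,dc=DPT,dc=ES"  # from the quoted config


def parse_acls(text):
    """Parse `access to ...` / `by <who> <level>` lines into rules.

    Returns a list of (attrs, clauses): attrs is None for `to *`, otherwise a
    set of lower-cased attribute names; clauses is a list of (who, level).
    """
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("access to "):
            target = line[len("access to "):].strip()
            if target == "*":
                attrs = None
            else:
                m = re.match(r"attrs?=(\S+)$", target)
                if not m:
                    raise ValueError("unsupported target: %s" % target)
                attrs = {a.lower() for a in m.group(1).split(",")}
            rules.append((attrs, []))
        elif line.startswith("by "):
            parts = shlex.split(line)  # shlex strips the quotes around dn="..."
            who, level = parts[1], parts[2]
            if level not in LEVELS:
                raise ValueError("unknown access level: %s" % level)
            rules[-1][1].append((who.lower(), level))
        else:
            raise ValueError("unsupported line: %s" % line)
    return rules


def access_for(rules, entry_dn, attr, requestor_dn):
    """Access level `requestor_dn` (None = anonymous) gets to `attr` of `entry_dn`."""
    attr = attr.lower()
    req = requestor_dn.lower() if requestor_dn else None
    for attrs, clauses in rules:
        if attrs is not None and attr not in attrs:
            continue  # this rule does not cover the attribute; keep looking
        for who, level in clauses:  # first matching `by` clause decides
            if who == "*":
                return level
            if who == "self" and req is not None and req == entry_dn.lower():
                return level
            if who.startswith("dn=") and req == who[len("dn="):]:
                return level
        return "none"  # rule matched the target but no `by` clause matched
    return "none"      # simplification: no rule covers the attribute


def allows(rules, entry_dn, attr, requestor_dn, wanted):
    """True if the granted level is at least `wanted` (e.g. 'read')."""
    return LEVELS.index(access_for(rules, entry_dn, attr, requestor_dn)) >= LEVELS.index(wanted)


if __name__ == "__main__":
    for name, text in (("original", ORIGINAL_ACLS), ("reordered", REORDERED_ACLS)):
        rules = parse_acls(text)
        print("== %s ordering ==" % name)
        for label, who in (("anonymous", None), ("self", ENTRY), ("admin NT", ADMIN_NT)):
            for attr in ("cn", "sambaNTPassword", "userPassword"):
                print("%-10s %-16s %s" % (label, attr, access_for(rules, ENTRY, attr, who)))
```

Running the model makes the ordering problem concrete: with the original order the catch-all rule is consulted first for every attribute, so an anonymous client gets `read` on sambaNTPassword and the later `by * none` clause is never reached. With the password rules on top, sambaNTPassword drops to `none` for anyone but the listed administrator DN. The model also shows what reordering alone does not change: the userPassword rule still ends in `by * read`, so that attribute remains readable by everyone under its own rule.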



