[Samba] Re: OpenLDAP and SAMBA

paul kölle paul at subsignal.org
Tue Nov 15 11:44:09 GMT 2005

Miguel Lopez wrote:
> access to *
>         by self write
>         by dn="cn=Administrador,dc=NT,dc=DPT,dc=ES" write
>         by * read
> access to attr=sambaLMPassword,sambaNTPassword
>         by dn="cn=Administrador,dc=BECARIOS,dc=DPT,dc=ES" write
>         by * none
> access to attr=userpassword
>         by self write
>         by * read
You need to fix those ACLs; they are evaluated "in order", and the first
match wins. Your first rule gives read access to everyone to all
attributes, including sambaLMPassword, sambaNTPassword and userPassword.
Put the password restrictions on top of your ACL list.


BTW: WRT the logon problem, you can narrow things down by viewing samba
and ldap log files to see if the correct object is looked up in the
directory and if the correct attributes are returned. "loglevel 128"
will give you logs of ACL evaluation for ldap (yes, they are confusing
at first).
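An added example, not the poster's or the replier's own configuration: the same three rules from the quoted post reordered as the reply suggests, in slapd.conf syntax. The DNs are the ones that appear in the post; the `by anonymous auth` line on userPassword is an addition that keeps simple binds working once the hash is no longer readable, and `by * none` replaces the original `by * read` on userPassword so the hash is not handed to every client.

```conf
# Added example (not the original poster's config): the same rules with the
# password restrictions moved to the top. OpenLDAP stops at the first
# "access to" clause whose target matches, so the catch-all "by * read"
# rule at the end is no longer reached for password attributes.
# DNs are copied from the quoted post; adjust them to your own suffix.

# 1. Samba hashes: only the Samba admin DN may read or write them.
#    Everyone else gets no access at all (no read, no search, no compare).
access to attrs=sambaLMPassword,sambaNTPassword
        by dn="cn=Administrador,dc=BECARIOS,dc=DPT,dc=ES" write
        by * none

# 2. userPassword: the owner may change it, the admin may set it,
#    anonymous clients may use it only to authenticate (simple bind),
#    and nobody may read the hash back.
access to attrs=userPassword
        by self write
        by dn="cn=Administrador,dc=NT,dc=DPT,dc=ES" write
        by anonymous auth
        by * none

# 3. Everything else: the original catch-all, now evaluated only for
#    attributes that were not matched by the two rules above.
access to *
        by self write
        by dn="cn=Administrador,dc=NT,dc=DPT,dc=ES" write
        by * read
```

To check the result without restarting anything, slapacl(8) evaluates the ACLs in a slapd.conf offline: running it with `-f /path/to/slapd.conf`, no `-D` (so the request is anonymous), `-b` set to a real user entry (for example `uid=someone,dc=NT,dc=DPT,dc=ES`, a placeholder here) and the argument `sambaNTPassword/read` should report that read access is denied, while the same command with `-D` set to the Samba admin DN should report it granted. Note that rule 3 still lets every user write any non-password attribute of their own entry (uidNumber, gidNumber and so on), which the reordering does not change and which is worth tightening separately.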
