[Samba] password sync and ldap acls

Thierry Lacoste lacoste at univ-paris12.fr
Thu Jun 1 21:23:26 GMT 2006


I'm using samba 3.0.14a + openldap .2.27 on FreeBSD 6.0-RELEASE.

I followed the "Linux Samba-OpenLDAP Howto" from IDEALX.
My slapd.conf rootdn is cn=ldapmgr,ou=Managers,o=miage
My smb.conf ldap admin dn is cn=sambamgr,ou=Managers,o=miage

With the ACLs from section 5 (Security considerations) of the Howto,
when I change a user's password from Windows XP the userPassword
attribute is not modified, so my Unix and Windows passwords are
not kept in sync.

I found that adding the following ACL to my slapd.conf resolves the issue.

access to *
      by dn="cn=sambamgr,ou=Managers,o=miage" read

I did several tests but can't figure out which attributes
sambamgr needs to read in order to update the userPassword attribute.

Any help would be appreciated.

Thierry.

Here's my smb.conf
[global]
# Identity and domain role: this host is the PDC and WINS server for MIAGE.
workgroup = MIAGE
netbios name = CARIOCA
domain logons = yes
domain master = yes
preferred master = yes
os level = 35
wins support = yes

# Account store: ldapsam on the local slapd, bound as a dedicated admin dn
# (deliberately not the slapd rootdn, which bypasses every ACL).
# ldap ssl = no means the admin dn's bind credential crosses the wire in
# the clear; that is tolerable here only because the URL is loopback.
passdb backend = ldapsam:ldap://localhost
ldap admin dn = cn=sambamgr,ou=Managers,o=miage
ldap ssl = no
ldap suffix = o=miage
ldap user suffix = ou=Users,ou=Accounts
ldap group suffix = ou=Groups
ldap machine suffix = ou=Computers,ou=Accounts
# Also update userPassword when a Windows password change comes in, so the
# Unix and Windows credentials stay in sync (requires the ACLs in slapd.conf
# to let the admin dn write the password attributes).
ldap passwd sync = yes

# Runs as root on every domain join to create the machine account in LDAP;
# '%u' is the machine account name.
add machine script = /usr/local/sbin/smbldap-useradd -w '%u'
enable privileges = yes

# Roaming profiles and logon scripts, served from the shares below.
logon script = scripts\logon.bat
logon path = \\%L\Profiles\%U
logon drive = H:
logon home = \\%L\%U

log level = 2

[homes]
# Per-user home share; %S is the share (= user) name, so each user only
# sees their own directory. Hidden from share browsing.
comment = Home Directories
browseable = no
valid users = %S
read only = no
[netlogon]
# Logon scripts (scripts\logon.bat). Readable by guests so that clients can
# fetch the script before a full authenticated session exists; the share
# stays read-only except for root, who is listed as admin user so logon
# scripts can be maintained in place. Keep this list minimal: admin users
# act with root privileges on this share.
comment = Network Logon Service
path = /samba/netlogon
browseable = no
guest ok = yes
admin users = root
[Profiles]
# Roaming profile store referenced by logon path. Writable for every user;
# the per-user directory under path must exist beforehand, e.g.
# mkdir -p /samba/profiles/maryo for user maryo.
comment = Roaming Profile Share
path = /samba/profiles
profile acls = yes
read only = no

Here's my slapd.conf
# Schema files; order matters, since a schema may only reference attribute
# and object class definitions that earlier includes have already loaded.
include         /usr/local/etc/openldap/schema/core.schema

include         /usr/local/etc/openldap/schema/cosine.schema
include         /usr/local/etc/openldap/schema/inetorgperson.schema
include         /usr/local/etc/openldap/schema/nis.schema
# Samba account/group/domain attributes (sambaSamAccount etc.)
include         /usr/local/etc/openldap/schema/samba.schema

pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

#######################################################################
# BDB database definitions
#######################################################################

database        bdb
suffix          "o=miage"
# The rootdn bypasses every ACL below; keep it for slapadd / emergency use
# only. Samba binds as the separate ldap admin dn (sambamgr), so this
# credential never needs to be given to any client.
rootdn          "cn=ldapmgr,ou=Managers,o=miage"
# NOTE(review): this hash has been posted to a public list; treat the
# credential as exposed and regenerate it with slappasswd.
rootpw          {SSHA}IcqxO1Pi3TelluIAf8Gh3hIV3c7HxXhY

# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory       /var/db/openldap-data
# Indices to maintain
index   objectClass     eq

# Lookup keys used by nss_ldap and by Samba's ldapsam searches.
index cn                      pres,sub,eq
index sn                      pres,sub,eq
index uid                     pres,sub,eq
index displayName             pres,sub,eq
index uidNumber               eq
index gidNumber               eq
index memberUid               eq
index   sambaSID              eq
index   sambaPrimaryGroupSID  eq
index   sambaDomainName       eq
index   default               sub

# ACL evaluation: slapd stops at the FIRST "access to" clause whose target
# matches the entry/attribute being checked, then at the first matching
# "by" inside it; a clause with no matching "by" denies (implicit
# "by * none"). The order below is therefore semantic, not cosmetic.
#
# NOTE(review): as pasted, each "attrs=" line starts in column 0. slapd.conf
# only treats a line as a continuation when it begins with whitespace, so
# this is presumably mail wrapping; the real file must indent those lines.

# Credential attributes: only the Samba admin dn may write (and hence read)
# them; anonymous may use them solely to bind. There is no "by self" term,
# so users cannot rewrite their own hashes over LDAP directly -- only via
# Samba (as sambamgr) or the rootdn, which bypasses ACLs altogether.
access to 
attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange,sambaPasswordHistory,sambaPwdCanChange
      by dn="cn=sambamgr,ou=Managers,o=miage" write
      by anonymous auth
      by * none

# POSIX account attributes consumed by nss_ldap. "by * read" includes
# anonymous, which suits unauthenticated NSS lookups but also lets any
# client that can reach slapd enumerate uid/uidNumber/gidNumber/homeDirectory
# /memberUid; narrow with "by users read" or a peername term if anonymous
# lookups are not required.
access to 
attrs=objectClass,entry,gecos,homeDirectory,uid,uidNumber,gidNumber,cn,memberUid
      by dn="cn=sambamgr,ou=Managers,o=miage" write
      by * read

# Self-service attributes. Note that "description" is listed again in the
# next clause; this earlier match is the one that takes effect for it.
access to attrs=description,telephoneNumber
      by dn="cn=sambamgr,ou=Managers,o=miage" write
      by self write
      by * read

# Samba account/domain attributes: admin dn writes, the owner may read.
# cn, description and sambaPwdCanChange appear here but were already
# matched by earlier clauses, so their entries in this list never apply.
access to 
attrs=cn,sambaLogonTime,sambaLogoffTime,sambaKickoffTime,sambaPwdCanChange,sambaAcctFlags,displayName,sambaHomePath,sambaHomeDrive,sambaLogonScript,sambaProfilePath,description,sambaUserWorkstations,sambaPrimaryGroupSID,sambaDomainName,sambaSID,sambaGroupType,sambaNextRid,sambaNextGroupRid,sambaNextUserRid,sambaAlgorithmicRidBase
      by dn="cn=sambamgr,ou=Managers,o=miage" write
      by self read
      by * none

# Container entries: write for the admin dn here covers the "children"
# pseudo-attribute, which is what lets smbldap-tools add users, groups and
# machines underneath them. Everyone else gets nothing on these entries
# beyond what the attrs clauses above already granted.
access to dn.base="o=miage"
      by dn="cn=sambamgr,ou=Managers,o=miage" write
      by * none

access to dn="ou=Users,ou=Accounts,o=miage"
      by dn="cn=sambamgr,ou=Managers,o=miage" write
      by * none

access to dn="ou=Groups,o=miage"
      by dn="cn=sambamgr,ou=Managers,o=miage" write
      by * none

access to dn="ou=Computers,ou=Accounts,o=miage"
      by dn="cn=sambamgr,ou=Managers,o=miage" write
      by * none

# I tried this ACL following the output of slapd but it does not work
# Side effect: because this clause now matches sn and loginShell first and
# has no "by self" term, users lose the "by self write" on those two
# attributes that the final catch-all used to provide.
access to 
attrs=sn,loginShell,structuralObjectClass,entryUUID,creatorsName,createTimestamp,entryCSN,modifiersName,modifyTimestamp
      by dn="cn=sambamgr,ou=Managers,o=miage" read

# Workaround that makes password sync succeed. It matches every remaining
# entry/attribute for EVERY requester, so the clause after it is never
# evaluated: "by self write", "by users auth" and "by anonymous auth" below
# are dead. Equivalent without that loss: delete this clause and add
#   by dn="cn=sambamgr,ou=Managers,o=miage" read
# as the first "by" of the final clause. To find the exact attributes
# sambamgr needs (and then narrow this to them), run slapd with the acl
# debug level and look for the denied access_allowed check during a
# password change.
access to *
      by dn="cn=sambamgr,ou=Managers,o=miage" read

access to *
        by self write
        by users auth
        by anonymous auth
        by * none

