[Samba] password sync and ldap acls
Thierry Lacoste
lacoste at univ-paris12.fr
Thu Jun 1 21:23:26 GMT 2006
I'm using samba 3.0.14a + openldap .2.27 on FreeBSD 6.0-RELEASE.
I followed the "Linux Samba-OpenLDAP Howto" from IDEALX.
My slapd.conf rootdn is cn=ldapmgr,ou=Managers,o=miage
My smb.conf ldap admin dn is cn=sambamgr,ou=Managers,o=miage
With the ACLs from section 5 (Security considerations) of the Howto
when I change a user password from windows XP the userPassword
attribute is not modified so my Unix and Windows passwords are
not in sync.
I found that adding the following ACL to my slapd.conf resolves the issue.
access to *
by dn="cn=sambamgr,ou=Managers,o=miage" read
I did several tests but can't figure out which attributes sambamgr
needs to read in order to update the userPassword attribute.
Any help would be appreciated.
Thierry.
Here's my smb.conf
# smb.conf as posted (Samba 3.0.14a, ldapsam backend). Lines starting with "#"
# are review comments; the settings themselves are unchanged.
[global]
workgroup = MIAGE
netbios name = CARIOCA
# Accounts live in LDAP; the directory is reached over plain ldap:// on loopback.
passdb backend = ldapsam:ldap://localhost
# %u is the machine account name being created; smbldap-useradd -w makes a
# workstation (computer) account for it.
add machine script = /usr/local/sbin/smbldap-useradd -w '%u'
# PDC role: domain logons plus the browser-master / WINS settings below.
domain logons = Yes
os level = 35
preferred master = Yes
domain master = Yes
wins support = Yes
# The three container suffixes are relative to "ldap suffix"
# (e.g. ou=Users,ou=Accounts,o=miage).
ldap suffix = o=miage
ldap machine suffix = ou=Computers,ou=Accounts
ldap user suffix = ou=Users,ou=Accounts
ldap group suffix = ou=Groups
# Identity Samba binds as. It is NOT the slapd rootdn (cn=ldapmgr), so every
# read and write Samba performs must be explicitly granted to this dn in the
# slapd ACLs; the rootdn would bypass them, this dn does not.
ldap admin dn = cn=sambamgr,ou=Managers,o=miage
# No TLS on the admin bind: the admin dn password crosses the connection in
# clear. Acceptable only while slapd listens on the loopback interface alone
# — NOTE(review): confirm slapd is not also bound to an external address.
ldap ssl = no
# Also update userPassword when the NT/LM hashes change. This is why the
# admin dn needs write access to userPassword in the slapd ACLs.
ldap passwd sync = Yes
# Lets rights (e.g. the privilege to join machines) be assigned via net rpc rights.
enable privileges = yes
# Logon script is served from [netlogon]; profiles come from [Profiles].
# %L = this server's NetBIOS name, %U = the user logging on.
logon script = scripts\logon.bat
logon path = \\%L\Profiles\%U
logon drive = H:
logon home = \\%L\%U
log level = 2
# Per-user home share. %S is the share name, which for [homes] is the user name,
# so only the owner may connect.
[homes]
comment = Home Directories
valid users = %S
read only = No
browseable = No
# Logon scripts that clients execute at logon. "read only" is not set, so the
# Samba default (read-only) applies — keep it that way, since anything placed
# here runs on every client. "admin users" act as root on this share; keep the
# list minimal.
[netlogon]
comment = Network Logon Service
path = /samba/netlogon
admin users = root
guest ok = Yes
browseable = No
# For profiles to work, create a user directory under the path
# shown. i.e., mkdir -p /samba/profiles/maryo
[Profiles]
comment = Roaming Profile Share
path = /samba/profiles
read only = No
profile acls = Yes
Here's my slapd.conf
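# slapd.conf as posted (OpenLDAP 2.2 on FreeBSD 6.0, backing a Samba 3.0.14a
# ldapsam PDC). Continuation lines of an "access" directive are indented, as
# slapd requires; "#" lines are comments.
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/samba.schema

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

#######################################################################
# BDB database definitions
#######################################################################
database bdb
suffix "o=miage"
# The rootdn is exempt from every ACL below. Samba binds as the separate
# cn=sambamgr identity (smb.conf "ldap admin dn"), which is NOT exempt, so
# the ACLs must grant it everything the ldapsam backend reads and writes.
rootdn "cn=ldapmgr,ou=Managers,o=miage"
# NOTE(review): this hash was included in a public mailing-list post. Treat the
# password as disclosed and generate a new one (slappasswd) before relying on it.
rootpw {SSHA}IcqxO1Pi3TelluIAf8Gh3hIV3c7HxXhY

# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/db/openldap-data

# Indices to maintain: equality on the attributes Samba and nss_ldap filter on,
# substring on the common naming attributes.
index objectClass eq
index cn pres,sub,eq
index sn pres,sub,eq
index uid pres,sub,eq
index displayName pres,sub,eq
index uidNumber eq
index gidNumber eq
index memberUid eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub

# ACL evaluation order matters: the FIRST "access to" whose target matches the
# entry/attribute is the one used, and within it the first matching "by" clause
# decides. If no "by" clause matches, access is denied (implicit "by * none").
# A later directive never applies to anything an earlier one already matched.

# Password material: only the Samba admin dn may read or write it. Everyone
# else may only authenticate against it (bind); nobody else can read the hashes.
access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange,sambaPasswordHistory,sambaPwdCanChange
    by dn="cn=sambamgr,ou=Managers,o=miage" write
    by anonymous auth
    by * none

# Identity and POSIX account data, world-readable. "entry" and the filter
# attributes (objectClass, uid, ...) must be readable for searches to find
# an entry at all.
access to attrs=objectClass,entry,gecos,homeDirectory,uid,uidNumber,gidNumber,cn,memberUid
    by dn="cn=sambamgr,ou=Managers,o=miage" write
    by * read

# Contact details the user may maintain themselves.
access to attrs=description,telephoneNumber
    by dn="cn=sambamgr,ou=Managers,o=miage" write
    by self write
    by * read

# Samba account attributes: admin dn writes, the owner may read, nobody else.
# NOTE(review): sambaPwdCanChange, cn and description are already matched by
# the rules above (first match wins), so the "by self read" grant here never
# applies to them; listing them twice is harmless but misleading.
access to attrs=cn,sambaLogonTime,sambaLogoffTime,sambaKickoffTime,sambaPwdCanChange,sambaAcctFlags,displayName,sambaHomePath,sambaHomeDrive,sambaLogonScript,sambaProfilePath,description,sambaUserWorkstations,sambaPrimaryGroupSID,sambaDomainName,sambaSID,sambaGroupType,sambaNextRid,sambaNextGroupRid,sambaNextUserRid,sambaAlgorithmicRidBase
    by dn="cn=sambamgr,ou=Managers,o=miage" write
    by self read
    by * none

# Container entries: the admin dn may create/modify them, nobody else sees them.
# NOTE(review): "dn=" without an explicit style is interpreted differently across
# OpenLDAP releases (regex vs. exact); write dn.exact= or dn.subtree= so the
# intended scope (the container only, or everything beneath it) is unambiguous.
access to dn.base="o=miage"
    by dn="cn=sambamgr,ou=Managers,o=miage" write
    by * none
access to dn="ou=Users,ou=Accounts,o=miage"
    by dn="cn=sambamgr,ou=Managers,o=miage" write
    by * none
access to dn="ou=Groups,o=miage"
    by dn="cn=sambamgr,ou=Managers,o=miage" write
    by * none
access to dn="ou=Computers,ou=Accounts,o=miage"
    by dn="cn=sambamgr,ou=Managers,o=miage" write
    by * none

# I tried this ACL following the output of slapd but it does not work
# NOTE(review): because no other "by" clause is listed, this rule also denies
# these attributes to everyone else — including a user's own sn and loginShell —
# and, being matched first, the catch-all below cannot restore them. To see
# exactly which attribute access slapd refuses the admin dn, log ACL
# processing ("loglevel 128") while a password change is attempted.
access to attrs=sn,loginShell,structuralObjectClass,entryUUID,creatorsName,createTimestamp,entryCSN,modifiersName,modifyTimestamp
    by dn="cn=sambamgr,ou=Managers,o=miage" read

# Catch-all for everything not matched above. The posted file had TWO
# consecutive "access to *" directives; the second one (self write, users/
# anonymous auth) could never be reached, because the first matches every
# entry and attribute and ends evaluation, implicitly denying everyone except
# the admin dn. They are merged here so the intended grants take effect.
# Granting the admin dn read on "*" is what made password sync work (see the
# message); it is broader than necessary — once the exact attributes Samba
# needs are identified, list them explicitly instead of "*".
access to *
    by dn="cn=sambamgr,ou=Managers,o=miage" read
    by self write
    by users auth
    by anonymous auth
    by * none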