Fwd: [Samba] Changing LDAP password from Windows XP

Asier Baranguán abaranguan at elpagestion.com
Tue Mar 6 08:30:39 GMT 2007


Daniel Müller wrote:


Oops! Fat fingers come again! The ACLs were bad (exactly the 2nd and 3rd ACL)

These are the correct ACLs (I don't use the 'smbldap-tools' user)

  > - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Added 'shadowLastChange' to avoid some warnings with libpam-unix2
access to
attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange,shadowLastChange
        by dn="cn=samba,ou=DSA,dc=example,dc=org" write
        by dn="cn=nssldap,ou=DSA,dc=example,dc=org" write
        by self write
        by anonymous auth
        by * none

# some attributes need to be readable anonymously so that 'id user' can answer correctly
access to attrs=objectClass,entry,homeDirectory,uid,uidNumber,gidNumber,memberUid
      by dn="cn=samba,ou=DSA,dc=example,dc=org" write
      by * read

# Users can change some attributes of their profile
access to
attrs=description,telephoneNumber,roomNumber,homePhone,loginShell,gecos,cn,sn,givenname,mail
        by dn="cn=samba,ou=DSA,dc=example,dc=org" write
        by self write
        by users read
        by * none

# some attributes need to be writable for samba
access to
attrs=cn,sambaLogonTime,sambaLogoffTime,sambaKickoffTime,sambaPwdCanChange,sambaAcctFlags,displayName,sambaHomePath,sambaHomeDrive,sambaLogonScript,sambaProfilePath,description,sambaUserWorkstations,sambaPrimaryGroupSID,sambaDomainName,sambaMungedDial,sambaBadPasswordCount,sambaBadPasswordTime,sambaPasswordHistory,sambaLogonHours,sambaSID,sambaSIDList,sambaTrustFlags,sambaGroupType,sambaNextRid,sambaNextGroupRid,sambaNextUserRid,sambaAlgorithmicRidBase,sambaShareName,sambaOptionName,sambaBoolOption,sambaIntegerOption,sambaStringOption,sambaStringListoption
        by dn="cn=samba,ou=DSA,dc=example,dc=org" write
        by self read
        by * none

# samba manages:
#     -> Domain accounts
#     -> New users
#     -> New groups
#     -> Machines in the domain
access to dn.base="dc=example,dc=org"
        by dn="cn=samba,ou=DSA,dc=example,dc=org" write
        by * none
access to dn="ou=Users,dc=example,dc=org"
        by dn="cn=samba,ou=DSA,dc=example,dc=org" write
        by * none
access to dn="ou=Groups,dc=example,dc=org"
        by dn="cn=samba,ou=DSA,dc=example,dc=org" write
        by * none
access to dn="ou=Computers,dc=example,dc=org"
        by dn="cn=samba,ou=DSA,dc=example,dc=org" write
        by * none

access to *
        by * read
 > - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -


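Added example, not from the mail above or from Samba/OpenLDAP: a small Python model of slapd's first-match ACL evaluation, with the attrs= clauses of the posted configuration transcribed in order, used to check what an anonymous bind, another user, the user themselves and the cn=samba DSA end up with on the password attributes and on attributes such as cn and description that appear in two clauses. It assumes a requester of None for anonymous and otherwise a bound DN, and it does not model the dn="ou=..." entry clauses or slapd's extended privilege syntax.

```python
SAMBA_DN = "cn=samba,ou=DSA,dc=example,dc=org"
NSS_DN = "cn=nssldap,ou=DSA,dc=example,dc=org"
# Transcription of the attrs= clauses from the mail, in posted order; None stands
# for the closing "access to *". The dn="ou=..." entry clauses are not modelled.
ACLS = [
    (set("userPassword sambaNTPassword sambaLMPassword sambaPwdLastSet "
         "sambaPwdMustChange shadowLastChange".split()),
     [("dn:" + SAMBA_DN, "write"), ("dn:" + NSS_DN, "write"),
      ("self", "write"), ("anonymous", "auth"), ("*", "none")]),
    (set("objectClass entry homeDirectory uid uidNumber gidNumber memberUid".split()),
     [("dn:" + SAMBA_DN, "write"), ("*", "read")]),
    (set("description telephoneNumber roomNumber homePhone loginShell gecos cn sn "
         "givenname mail".split()),
     [("dn:" + SAMBA_DN, "write"), ("self", "write"), ("users", "read"), ("*", "none")]),
    (set("cn sambaLogonTime sambaLogoffTime sambaKickoffTime sambaPwdCanChange "
         "sambaAcctFlags displayName sambaHomePath sambaHomeDrive sambaLogonScript "
         "sambaProfilePath description sambaUserWorkstations sambaPrimaryGroupSID "
         "sambaDomainName sambaMungedDial sambaBadPasswordCount sambaBadPasswordTime "
         "sambaPasswordHistory sambaLogonHours sambaSID sambaSIDList sambaTrustFlags "
         "sambaGroupType sambaNextRid sambaNextGroupRid sambaNextUserRid "
         "sambaAlgorithmicRidBase sambaShareName sambaOptionName sambaBoolOption "
         "sambaIntegerOption sambaStringOption sambaStringListoption".split()),
     [("dn:" + SAMBA_DN, "write"), ("self", "read"), ("*", "none")]),
    (None, [("*", "read")]),
]

def who_matches(selector, requester, target_dn):
    """requester is None for an anonymous bind, otherwise the bound DN."""
    return (selector == "*" or (selector == "anonymous" and requester is None)
            or (selector == "users" and requester is not None)
            or (selector == "self" and requester == target_dn)
            or (selector.startswith("dn:") and requester == selector[3:]))

def effective_access(attr, requester, target_dn):
    # First clause covering attr wins; within it the first matching "by" wins. A clause
    # that covers attr but matches no selector denies (slapd's implicit "by * none").
    for covered, by_list in ACLS:
        if covered is not None and attr not in covered:
            continue
        for selector, level in by_list:
            if who_matches(selector, requester, target_dn):
                return level
        return "none"
    return "none"

def readable_secrets(requester, target_dn):
    """Credential attributes (first clause) the requester can read or write on target."""
    return sorted(a for a in ACLS[0][0]
                  if effective_access(a, requester, target_dn) in ("read", "write"))
```

Because the cn and description clause that grants ordinary users read access comes before the Samba-only clause, it is the one that applies to those two attributes; reordering the clauses would silently change that.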