Fwd: [Samba] Changing LDAP password from Windows XP
Asier Baranguán
abaranguan at elpagestion.com
Tue Mar 6 08:30:39 GMT 2007
Daniel Müller escribió:
Oops! Fat fingers strike again! The ACLs were wrong (specifically the 2nd and 3rd ACLs).
These are the correct ACLs (I don't use the 'smbldap-tools' user):
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
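# Password material. sambaNTPassword and sambaLMPassword are password-equivalent
# hashes, so they are protected exactly like userPassword.
# 'shadowLastChange' was added to avoid some warnings with libpam-unix2.
# slapd applies the first 'by' clause that matches: the two service DNs and the
# owner of the entry may write, anonymous clients may only use the value to
# authenticate a bind ('auth'), and everyone else gets nothing.
# Layout: each 'by' clause is a continuation of 'access to' and must begin with
# whitespace; the attribute list must stay on one line with no spaces in it.
# NOTE(review): 'by self write' also covers sambaPwdLastSet, sambaPwdMustChange
# and shadowLastChange, so users can alter their own password-age fields;
# confirm that is acceptable if password expiry is enforced from them.
# NOTE(review): confirm cn=nssldap really needs write here; a bind DN that is
# only used for name-service lookups normally does not.
access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange,shadowLastChange
        by dn="cn=samba,ou=DSA,dc=example,dc=org" write
        by dn="cn=nssldap,ou=DSA,dc=example,dc=org" write
        by self write
        by anonymous auth
        by * none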
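# Some attributes need to be readable anonymously so that 'id user' can answer
# correctly. 'entry' is the pseudo-attribute that stands for the entry itself.
# The Samba DN may write these attributes; every other client, authenticated or
# not, may read them.
# NOTE(review): 'by * read' lets unauthenticated clients list accounts, numeric
# IDs, home directories and group membership. Confirm the directory is only
# reachable from hosts where that is acceptable.
access to attrs=objectClass,entry,homeDirectory,uid,uidNumber,gidNumber,memberUid
        by dn="cn=samba,ou=DSA,dc=example,dc=org" write
        by * read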
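# Users can change some attributes of their own profile. Other authenticated
# users may read them; anonymous clients get nothing.
# NOTE(review): loginShell is in the self-writable list, so a user can replace
# the shell an administrator assigned. Confirm no account depends on a
# restricted loginShell before keeping it here.
access to attrs=description,telephoneNumber,roomNumber,homePhone,loginShell,gecos,cn,sn,givenname,mail
        by dn="cn=samba,ou=DSA,dc=example,dc=org" write
        by self write
        by users read
        by * none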
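# Some attributes need to be writable for Samba: the Samba DN may write them,
# the owner of the entry may read them, and everyone else gets nothing.
# 'cn' and 'description' are also named in the self-service profile rule earlier
# in this file. slapd stops at the first 'access to' that matches, so for those
# two attributes the earlier rule decides and this one is never consulted.
access to attrs=cn,sambaLogonTime,sambaLogoffTime,sambaKickoffTime,sambaPwdCanChange,sambaAcctFlags,displayName,sambaHomePath,sambaHomeDrive,sambaLogonScript,sambaProfilePath,description,sambaUserWorkstations,sambaPrimaryGroupSID,sambaDomainName,sambaMungedDial,sambaBadPasswordCount,sambaBadPasswordTime,sambaPasswordHistory,sambaLogonHours,sambaSID,sambaSIDList,sambaTrustFlags,sambaGroupType,sambaNextRid,sambaNextGroupRid,sambaNextUserRid,sambaAlgorithmicRidBase,sambaShareName,sambaOptionName,sambaBoolOption,sambaIntegerOption,sambaStringOption,sambaStringListoption
        by dn="cn=samba,ou=DSA,dc=example,dc=org" write
        by self read
        by * none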
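# samba manages:
#   -> domain accounts
#   -> new users
#   -> new groups
#   -> machines in the domain
# Write access on a container entry includes its 'children' pseudo-attribute,
# which is what permits adding and deleting entries beneath it. Attributes
# already matched by an earlier attrs= rule are decided there, not here.
# NOTE(review): only the first rule states its DN style (dn.base). The other
# three rely on the default style of the slapd version in use; slapd.access(5)
# recommends always giving the style explicitly. Confirm they match only the
# container entry, as intended.
access to dn.base="dc=example,dc=org"
        by dn="cn=samba,ou=DSA,dc=example,dc=org" write
        by * none
access to dn="ou=Users,dc=example,dc=org"
        by dn="cn=samba,ou=DSA,dc=example,dc=org" write
        by * none
access to dn="ou=Groups,dc=example,dc=org"
        by dn="cn=samba,ou=DSA,dc=example,dc=org" write
        by * none
access to dn="ou=Computers,dc=example,dc=org"
        by dn="cn=samba,ou=DSA,dc=example,dc=org" write
        by * none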
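# Catch-all: anything not matched by an earlier rule is readable by every
# client, anonymous ones included, and writable by nobody.
# NOTE(review): any sensitive attribute that is not named in a rule above ends
# up here. If anonymous read is not required, 'by users read' followed by
# 'by * none' is the narrower choice. The Samba DN also gets only read for
# attributes that reach this rule; confirm it never needs to write one.
access to *
        by * read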
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -