[Samba] samba + slave OpenLdap (read-only)
Andrew Bartlett
abartlet at samba.org
Fri Jul 18 02:36:09 GMT 2008
On Thu, 2008-07-03 at 16:04 -0400, Charlie wrote:
> On Thu, Jul 3, 2008 at 2:54 PM, Charlie <medievalist at gmail.com> wrote:
> >
> > The most common problem I see with busted referrals is when someone
> > sets up a program (such as samba) to use the local replica's
> > rootdn/rootpw as defined in /etc/slapd.conf (which allows bypassing
> > ACLs and whatnot) but does not define that dn and password to have
> > appropriate access on the master server. If the admindn that samba is
> > using does not have the ability to write the master slapd, it won't
> > matter if it has unrestricted access to the slave.
>
> Whoops, replying to myself here. I have been privately warned that
> allowing multiple samba servers unlimited write access to one's LDAP
> database can cause creation of duplicate entries for single entities
> (such as machine trust accounts). Which leads to the dreaded
> "multiple LDAP objects returned" error in the logs if you have samba
> BDCs.
If they do, then it is a bug in your configuration.
> I do not recommend that any daemon have totally unrestricted write
> access to one's LDAP directory. I do not recommend that any entity
> (other than a trusted human being) use the master slapd's
> rootdn/rootpw for anything.
>
> http://www.openldap.org/faq/index.cgi?_highlightWords=rootdn&file=761
>
> In my systems, the samba rootdn has the ability to write all
> samba-only LDAP attributes but does not have the ability to create
> POSIX accounts or anything else unrelated to samba. Machine trust
> accounts have the ability to modify their own passwords, because I am
> not sure when they bind as the samba admindn and when they bind with
> their own credentials.
They never bind with their own credentials. Clients in NT4-emulated
domains do not know about LDAP, so all access is via Samba, and all
access via Samba is with the Samba credentials.
Andrew Bartlett
--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc.
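A worked configuration, added here as an editor's example and not taken from the thread, contrasting the rootdn shortcut with the restricted service DN Charlie describes and the referral setup behind the first quoted paragraph; the suffix, DNs and hostnames are assumptions, and the attribute list should be trimmed to the Samba features actually in use:

```conf
# ---- Weak: smb.conf binds Samba as the replica's rootdn ----
# rootdn bypasses every slapd ACL on the slave, and unless the same DN and
# password are also defined with rights on the master, the referred writes
# fail there (the "busted referral" case from the thread).
[global]
    passdb backend = ldapsam:ldap://slave.example.com
    ldap admin dn = cn=Manager,dc=example,dc=com

# ---- Hardened: one dedicated service DN, confined by ACLs on the master ----
# smb.conf, identical on the PDC and every BDC, so all writers share one DN:
[global]
    passdb backend = ldapsam:ldap://slave.example.com
    ldap admin dn = cn=samba-admin,ou=services,dc=example,dc=com
    ldap ssl = start tls

# slapd.conf on the read-only slave: writes are referred to the master,
# so the service DN's rights must be granted there, not here.
updatedn  cn=replicator,ou=services,dc=example,dc=com
updateref ldap://master.example.com

# slapd.conf on the master (first matching clause wins, so order matters).
# Hashes: Samba writes and reads them (write implies read); nobody else sees them.
access to attrs=userPassword,sambaLMPassword,sambaNTPassword,sambaPasswordHistory
    by dn.exact="cn=samba-admin,ou=services,dc=example,dc=com" write
    by anonymous auth
    by * none

# Samba-only account and group attributes, plus objectClass so Samba can add
# sambaSamAccount to an existing posixAccount. No clause grants write on the
# entry/children pseudo-attributes, so Samba cannot create or delete entries;
# POSIX accounts stay with whatever tooling owns them.
access to attrs=objectClass,sambaSID,sambaPrimaryGroupSID,sambaAcctFlags,sambaPwdLastSet,sambaBadPasswordCount,sambaBadPasswordTime,sambaLogonTime,sambaLogoffTime,sambaKickoffTime,sambaHomePath,sambaHomeDrive,sambaLogonScript,sambaProfilePath,sambaUserWorkstations,sambaDomainName,sambaGroupType,sambaMungedDial
    by dn.exact="cn=samba-admin,ou=services,dc=example,dc=com" write
    by * read

# Domain entry: Samba keeps RID allocation and password policy here.
access to dn.exact="sambaDomainName=EXAMPLE,dc=example,dc=com"
    by dn.exact="cn=samba-admin,ou=services,dc=example,dc=com" write
    by * read

# Everything else (uid, uidNumber, homeDirectory, ...) is read-only for Samba.
access to *
    by * read
```

Machine trust accounts get no self-write clause, in line with Andrew's reply: NT4-style clients never bind to LDAP themselves, so every write arrives through the service DN.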