[Samba] samba + slave OpenLdap (read-only)

Andrew Bartlett abartlet at samba.org
Fri Jul 18 02:36:09 GMT 2008

On Thu, 2008-07-03 at 16:04 -0400, Charlie wrote:
> On Thu, Jul 3, 2008 at 2:54 PM, Charlie <medievalist at gmail.com> wrote:
> >
> > The most common problem I see with busted referrals is when someone
> > sets up a program (such as samba) to use the local replica's
> > rootdn/rootpw as defined in /etc/slapd.conf (which allows bypassing
> > ACLs and whatnot) but does not define that dn and password to have
> > appropriate access on the master server.  If the admindn that samba is
> > using does not have the ability to write the master slapd, it won't
> > matter if it has unrestricted access to the slave.
> Whoops, replying to myself here.  I have been privately warned that
> allowing multiple samba servers unlimited write access to one's LDAP
> database can cause creation of duplicate entries for single entities
> (such as machine trust accounts).  Which leads to the dreaded
> "multiple LDAP objects returned" error in the logs if you have samba
> BDCs.

If they do, then it is a bug in your configuration. 

> I do not recommend that any daemon have totally unrestricted write
> access to one's LDAP directory.  I do not recommend that any entity
> (other than a trusted human being) use the master slapd's
> rootdn/rootpw for anything.
> http://www.openldap.org/faq/index.cgi?_highlightWords=rootdn&file=761
> In my systems, the samba rootdn has the ability to write all
> samba-only LDAP attributes but does not have the ability to create
> POSIX accounts or anything else unrelated to samba.  Machine trust
> accounts have the ability to modify their own passwords, because I am
> not sure when they bind as the samba admindn and when they bind with
> their own credentials.

They never bind with their own credentials.  Clients in NT4-emulated
domains do not know about LDAP, so all access is via Samba, and all
access via Samba is with the Samba credentials. 

Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.
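Added configuration example, not from this thread or from the Samba project, showing the division of access the discussion describes: Samba's admin DN gets write access only to Samba-specific attributes on the master, the master rootdn is never handed to a daemon, and the read-only slave refers writes back to the master. The DNs, suffix and hostnames are assumptions.

```conf
# --- master slapd.conf (constructed example; DNs and suffix are assumptions) ---
include         /etc/openldap/schema/samba.schema

rootdn          "cn=Manager,dc=example,dc=com"
# rootpw is for interactive administration only; no daemon is configured with it.

# ACL clauses are evaluated in order; the first "access to" that matches wins.
# The Samba admin DN may write the Samba-specific attributes and nothing else:
# it cannot create POSIX accounts or touch unrelated attributes.
access to attrs=sambaLMPassword,sambaNTPassword,sambaPwdLastSet,
                sambaAcctFlags,sambaSID,sambaPrimaryGroupSID,
                sambaPwdCanChange,sambaPwdMustChange,sambaKickoffTime
    by dn.exact="cn=samba,ou=daemons,dc=example,dc=com" write
    by * none

# The replica identity and the Samba admin DN may read everything else;
# anonymous users may only bind.
access to *
    by dn.exact="cn=replica,ou=daemons,dc=example,dc=com" read
    by dn.exact="cn=samba,ou=daemons,dc=example,dc=com" read
    by * auth

# --- slave slapd.conf (read-only replica) ---
# A write sent to the slave is answered with a referral to the master instead
# of being applied locally, so the Samba admin DN needs the write ACL above on
# the master; granting it the slave's rootdn/rootpw changes nothing.
updateref       ldap://master.example.com/

# --- smb.conf on every Samba server (PDC and BDCs) ---
# All servers bind with the same restricted DN, never with a rootdn.
[global]
    passdb backend = ldapsam:"ldap://slave.example.com ldap://master.example.com"
    ldap admin dn  = cn=samba,ou=daemons,dc=example,dc=com
    ldap suffix    = dc=example,dc=com
```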