[Samba] samba + slave OpenLdap (read-only)

Andrew Bartlett abartlet at samba.org
Fri Jul 18 02:36:09 GMT 2008


On Thu, 2008-07-03 at 16:04 -0400, Charlie wrote:
> On Thu, Jul 3, 2008 at 2:54 PM, Charlie <medievalist at gmail.com> wrote:
> >
> > The most common problem I see with busted referrals is when someone
> > sets up a program (such as samba) to use the local replica's
> > rootdn/rootpw as defined in /etc/slapd.conf (which allows bypassing
> > ACLs and whatnot) but does not define that dn and password to have
> > appropriate access on the master server.  If the admindn that samba is
> > using does not have the ability to write the master slapd, it won't
> > matter if it has unrestricted access to the slave.
> 
> Whoops, replying to myself here.  I have been privately warned that
> allowing multiple samba servers unlimited write access to one's LDAP
> database can cause creation of duplicate entries for single entities
> (such as machine trust accounts).  Which leads to the dreaded
> "multiple LDAP objects returned" error in the logs if you have samba
> BDCs.

If they do, then it is a bug in your configuration. 

> I do not recommend that any daemon have totally unrestricted write
> access to one's LDAP directory.  I do not recommend that any entity
> (other than a trusted human being) use the master slapd's
> rootdn/rootpw for anything.
> 
> http://www.openldap.org/faq/index.cgi?_highlightWords=rootdn&file=761
> 
> In my systems, the samba rootdn has the ability to write all
> samba-only LDAP attributes but does not have the ability to create
> POSIX accounts or anything else unrelated to samba.  Machine trust
> accounts have the ability to modify their own passwords, because I am
> not sure when they bind as the samba admindn and when they bind with
> their own credentials.

They never bind with their own credentials.  Clients in NT4-emulated
domains do not know about LDAP, so all access is via Samba, and all
access via Samba is with the Samba credentials. 

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.
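The restricted-access pattern Charlie describes above (a dedicated samba bind DN that can write Samba's own attributes and machine trust accounts, but nothing else), combined with Andrew's point that every write arrives under Samba's credentials and must therefore be permitted on the master rather than the read-only slave, as an added example. This is not code from the thread or from the Samba or OpenLDAP projects; the suffix dc=example,dc=com, the bind DN cn=samba,ou=DSA,dc=example,dc=com, the ou=Computers subtree and the domain name EXAMPLE are assumptions.

```conf
# /etc/openldap/slapd.conf on the MASTER (hypothetical suffix dc=example,dc=com).
# OpenLDAP evaluates "access to" clauses in order and uses the first one whose
# target matches, so the narrow, attribute-specific rules come before the
# subtree rules and the catch-all.  The slave gets the same ACLs plus an
# "updateref ldap://master.example.com/" so writes sent to the replica are
# referred to the master instead of failing outright.

# NT/LM hashes and password-policy timestamps: only the samba DN may touch
# them; nobody else, not even the owning user, may read them.
access to attrs=sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaPwdCanChange,sambaPwdMustChange,sambaAcctFlags
    by dn.exact="cn=samba,ou=DSA,dc=example,dc=com" write
    by * none

# POSIX password.  Samba needs write here ONLY if smb.conf sets
# "ldap passwd sync = yes"; otherwise drop the samba line.
access to attrs=userPassword
    by dn.exact="cn=samba,ou=DSA,dc=example,dc=com" write
    by self write
    by anonymous auth
    by * none

# Remaining Samba-only account attributes: samba writes, everyone reads.
# (An explicit list is used rather than attrs=@sambaSamAccount, because the
# objectclass selector would also cover uid, cn, description and displayName.)
access to attrs=sambaSID,sambaPrimaryGroupSID,sambaDomainName,sambaHomePath,sambaHomeDrive,sambaLogonScript,sambaProfilePath,sambaUserWorkstations,sambaLogonTime,sambaLogoffTime,sambaKickoffTime,sambaBadPasswordCount,sambaBadPasswordTime,sambaPasswordHistory,sambaMungedDial
    by dn.exact="cn=samba,ou=DSA,dc=example,dc=com" write
    by * read

# Machine trust accounts live under ou=Computers.  Creating a child needs
# write on the parent's "children" pseudo-attribute and on the child itself,
# so the samba DN may add/modify entries there and nowhere else.
access to dn.exact="ou=Computers,dc=example,dc=com" attrs=children
    by dn.exact="cn=samba,ou=DSA,dc=example,dc=com" write
    by * read
access to dn.children="ou=Computers,dc=example,dc=com"
    by dn.exact="cn=samba,ou=DSA,dc=example,dc=com" write
    by * read

# The sambaDomain entry (sambaNextRid and the domain password policy) is
# updated by Samba; it is assumed to have been created by the administrator.
access to dn.exact="sambaDomainName=EXAMPLE,dc=example,dc=com"
    by dn.exact="cn=samba,ou=DSA,dc=example,dc=com" write
    by * read

# Everything else (posixAccount/posixGroup data, people, other OUs): the
# samba DN is read-only, so it cannot create POSIX accounts or alter
# uidNumber/gidNumber outside the machine subtree.
access to *
    by dn.exact="cn=samba,ou=DSA,dc=example,dc=com" read
    by * read
```

On the Samba side the matching smb.conf settings are `ldap admin dn = cn=samba,ou=DSA,dc=example,dc=com` and a `passdb backend = ldapsam:"ldap://slave.example.com/ ldap://master.example.com/"` list, with the bind password stored once with `smbpasswd -w`. The useful check after deploying the ACLs is to bind as the samba DN with `ldapmodify` against the master and confirm that adding an entry under ou=Computers succeeds while adding a posixAccount under ou=People is refused with "Insufficient access"; if the same test against the slave returns a referral rather than a write, the `updateref` is doing its job and Samba will follow it to the master.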