[Samba] Samba4 LDAP ACLs - access to POSIX attributes from a non-admin account

Rob McCorkell xenopathic at gmail.com
Fri Dec 14 11:03:36 MST 2012


In our current testing environment, we are using nslcd to get user and 
group information from the Samba4 LDAP server, using the last part of 
objectSid as uidNumber. The configuration is designed to pull down 
unixHomeDirectory and loginShell if they exist, but they default to 
standard values if they do not. nslcd on each machine binds to LDAP 
using a dedicated user account, nslcd-service, and the entire setup 
works pretty well.

But now we have run into a problem - although both POSIX attributes 
exist on a particular user (ismith in this case) they cannot be read by 
the machine using nslcd-service to bind to the LDAP directory. After 
further testing, we found that binding as Administrator makes the 
attributes show up - in fact adding nslcd-service to 'Domain Admins' 
group also lets it see those attributes. Unfortunately both of these 
options are a huge security risk - any server that becomes compromised 
can effectively take control of the Samba4 domain and server, and in 
turn take out the rest of the network.

It seems strange that all normal attributes are perfectly readable by 
any user, while the manually added POSIX attributes are not. I do not 
know enough about AD configuration to figure out where the ACLs are 
stored for this, and documentation has been scarce to say the least. 
Thus I have come to this mailing list for guidance.

An alternative strategy would be to enable anonymous binding on the LDAP 
server, but the (slightly less scarce) documentation shows that to do 
that requires each entry be specifically set to allow this, which seems 
to be more hassle than it is worth. Any help on this would also be 
greatly appreciated.

Thanks,
Rob
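The mapping the post describes (uidNumber taken from the last sub-authority of objectSid, with unixHomeDirectory and loginShell used when present and standard defaults otherwise) can be reproduced stand-alone, which is useful for checking what the nslcd-service bind actually sees versus what Administrator sees. The script below is an added example for this thread, not code from the original post, from nss-pam-ldapd or from the Samba project. The sample SID, the user entry and the defaults `/home/<name>` and `/bin/bash` are constructed assumptions (the post only says "standard values"); the `primaryGroupID` fallback of 513 is the well-known Domain Users RID.

```python
import struct
from typing import Any, Dict, List

# Assumed defaults for users that carry no POSIX attributes in AD.
DEFAULT_SHELL = "/bin/bash"
HOME_BASE = "/home"
POSIX_ATTRS = ("uidNumber", "gidNumber", "unixHomeDirectory", "loginShell")


def parse_sid(raw: bytes) -> str:
    """Decode a binary objectSid (as AD/Samba return it over LDAP) into S-1-5-21-... form.

    Layout: byte 0 revision, byte 1 sub-authority count, bytes 2-7 identifier
    authority (48-bit big-endian), then count x 4-byte little-endian sub-authorities.
    """
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, sub_count = raw[0], raw[1]
    if revision != 1:
        raise ValueError("unsupported SID revision %d" % revision)
    if len(raw) != 8 + 4 * sub_count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % sub_count, raw[8:])
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def sid_to_bytes(sid: str) -> bytes:
    """Inverse of parse_sid; used here only to construct sample data."""
    parts = sid.split("-")
    if parts[0] != "S":
        raise ValueError("not a SID string")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)])
            + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def rid_from_sid(raw: bytes) -> int:
    """The last sub-authority (RID) is what the post uses as uidNumber."""
    return int(parse_sid(raw).rsplit("-", 1)[1])


def passwd_entry(entry: Dict[str, Any]) -> Dict[str, Any]:
    """Map an LDAP user entry to passwd fields the way the post's nslcd setup does.

    `entry` holds decoded attribute values; objectSid is raw bytes. Missing
    unixHomeDirectory/loginShell fall back to the assumed defaults above.
    """
    name = entry["sAMAccountName"]
    return {
        "name": name,
        "uid": rid_from_sid(entry["objectSid"]),
        # primaryGroupID is already a RID, so it maps to gidNumber directly.
        "gid": int(entry.get("primaryGroupID", 513)),
        "home": entry.get("unixHomeDirectory") or "%s/%s" % (HOME_BASE, name),
        "shell": entry.get("loginShell") or DEFAULT_SHELL,
    }


def attributes_hidden_from(unprivileged: Dict[str, Any], privileged: Dict[str, Any]) -> List[str]:
    """Given the same object as read by two binds, list POSIX attributes that only
    the privileged bind received. A non-empty result is the ACL symptom the post
    describes (a read right missing for the service account), not a schema problem.
    """
    return sorted(a for a in POSIX_ATTRS if a in privileged and a not in unprivileged)


# Constructed sample: the domain SID and RID 1105 are made up for this example.
SAMPLE_SID = sid_to_bytes("S-1-5-21-1111-2222-3333-1105")

# What Administrator sees (POSIX attributes present) ...
ISMITH_AS_ADMIN = {
    "sAMAccountName": "ismith",
    "objectSid": SAMPLE_SID,
    "primaryGroupID": 513,
    "unixHomeDirectory": "/export/home/ismith",
    "loginShell": "/bin/zsh",
}
# ... and what the service account sees when the ACL denies them.
ISMITH_AS_SERVICE = {k: v for k, v in ISMITH_AS_ADMIN.items()
                     if k not in ("unixHomeDirectory", "loginShell")}

if __name__ == "__main__":
    print(parse_sid(SAMPLE_SID))
    print(passwd_entry(ISMITH_AS_ADMIN))
    print(passwd_entry(ISMITH_AS_SERVICE))
    print("hidden from service bind:", attributes_hidden_from(ISMITH_AS_SERVICE, ISMITH_AS_ADMIN))
```

Feeding the two dictionaries with real search results (one search bound as the service account, one as Administrator) turns `attributes_hidden_from` into a quick way to show that the attributes exist and that the difference is purely access control on the user object.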
