[Samba] Samba+LDAP: Minimal permissions for sambaLMPassword/sambaNTPassword attributes?
Dave Ewart
davee at ceu.ox.ac.uk
Tue Jul 31 07:23:41 MDT 2012
On Tuesday, 31.07.2012 at 12:11 +0200, Arokux B. wrote:
> what are the minimum permissions for the attributes
> sambaLMPassword/sambaNTPassword for the LDAP administrator account
> so that Samba is just enabled to use it for authentication with
> ldapsam backend.
>
> It seems like auth is not enough, is this true?!
Unlike a direct LDAP bind for a user when one can be sufficient with
just detecting a successful bind, Samba needs to be able to compare the
stored sambaLMPassword/sambaNTPassword hashes with the hash provided by
the client. That requires 'read' access at a minimum. (For password
changes via this avenue, I believe you'd need 'write', although I'm less
certain about that: might depend on the password change mechanism being
used.)
Dave.
--
Dave Ewart
davee at ceu.ox.ac.uk
Computing Manager, Cancer Epidemiology Unit
University of Oxford / Cancer Research UK
N 51.7516, W 1.2152
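
Added example, not part of the original post: an OpenLDAP ACL sketch of the point made in the reply, showing the insufficient 'auth' rule beside the 'read' rule. The bind DN cn=samba,dc=example,dc=com is a placeholder and slapd.conf syntax is assumed.

```conf
# Place these before any broader "access to *" rule: slapd applies the
# first "access to" clause that matches the attribute.

# Insufficient for ldapsam, as described in the reply: "auth" only lets
# slapd use a stored value to authenticate a bind. Samba cannot fetch the
# hash to compare it with what the client sent.
#access to attrs=sambaLMPassword,sambaNTPassword
#    by dn.exact="cn=samba,dc=example,dc=com" auth
#    by * none

# Minimum for authentication: Samba's bind DN may read the hashes,
# every other identity gets no access at all.
access to attrs=sambaLMPassword,sambaNTPassword
    by dn.exact="cn=samba,dc=example,dc=com" read
    by * none

# If password changes also go through Samba, the reply suggests "write"
# may be needed in place of "read" (this depends on the change mechanism).
```

Keeping "by * none" as the last clause matters because anyone who can read these hashes can use them as password equivalents.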