[Samba] Samba+LDAP: Minimal permissions for sambaLMPassword/sambaNTPassword attributes?

Dave Ewart davee at ceu.ox.ac.uk
Tue Jul 31 07:23:41 MDT 2012

On Tuesday, 31.07.2012 at 12:11 +0200, Arokux B. wrote:

> what are the minimum permissions for the attributes
> sambaLMPassword/sambaNTPassword for the the LDAP administrator account
> so that Samba is just enabled to use it for authentication with
> ldapsam backend.
> It seems like auth is not enough, is this true?!

Unlike a direct LDAP bind for a user when one can be sufficient with
just detecting a successful bind, Samba needs to be able to compare the
stored sambaLMPassword/sambaNTPassword hashes with the hash provided by
the client.  That requires 'read' access at a minimum.  (For password
changes via this avenue, I believe you'd need 'write', although I'm less
certain about that: might depend on the password change mechanism being


Dave Ewart
davee at ceu.ox.ac.uk
Computing Manager, Cancer Epidemiology Unit
University of Oxford / Cancer Research UK
N 51.7516, W 1.2152
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 190 bytes
Desc: Digital signature
URL: <http://lists.samba.org/pipermail/samba/attachments/20120731/5d8dc417/attachment.pgp>

More information about the samba mailing list