Hi,
I've set up Samba NT-based networks with an OpenLDAP database.
But for Samba's operations to work, fetching data from LDAP, it needs
an account on LDAP that is able to write some objects, such as passwords
(when changing passwd) or object creation (when registering or joining the
directory). The scope of this account is strong enough for any container
in the directory, such as Admins, Groups, Users, and Computers. I think this
account is as powerful as the default admin of the LDAP.
The problems are:
1. the password string after 'smbpasswd -w xxx' is visible by simply
reading secrets.tdb
2. this account is dangerous enough for LDAP administration because of its
power over some wide objects (able to change other attributes)
3. so how do I make this LDAP secure (with access lists in slapd.conf, or in
the samba conf)?
Below are parts of my confs. Is it secure enough?
.....
    passdb backend = ldapsam:ldap://10.126.13.88:389/
    ldap suffix = dc=ta,dc=its-sby,dc=edu
    ldap machine suffix = ou=AJK-ITS,ou=Computers
    ldap user suffix = ou=Users
    ldap group suffix = ou=Groups
    ldap admin dn = "cn=common,dc=ta,dc=its-sby,dc=edu"
    ldap passwd sync = yes
    ldap delete dn = yes
    ldap filter = (&(uid=%u)(objectclass=sambaSamAccount))
...
access lists:
access to dn.subtree="ou=AJK-ITS,ou=Computers,dc=ta,dc=its-sby,dc=edu"
        by dn="cn=common,dc=ta,dc=its-sby,dc=edu" write
        by dn="uid=domainadminajkits,ou=Admins,dc=ta,dc=its-sby,dc=edu" write
        by dn="cn=admin,dc=ta,dc=its-sby,dc=edu" write
        by * none
access to dn.subtree="ou=AJK-WIN,ou=Computers,dc=ta,dc=its-sby,dc=edu"
        by dn="cn=common,dc=ta,dc=its-sby,dc=edu" write
        by dn="uid=domainadminajkwin,ou=Admins,dc=ta,dc=its-sby,dc=edu" write
        by dn="cn=admin,dc=ta,dc=its-sby,dc=edu" write
        by * none
access to dn.subtree="ou=Users,dc=ta,dc=its-sby,dc=edu"
        attrs=userPassword,sambaNTPassword,sambaAcctFlags,sambaLMPassword,sambaPwdLastSet,sambaPwdCanChange,entryCSN,modifiersName,modifyTimestamp
        by dn="cn=admin,dc=ta,dc=its-sby,dc=edu" write
        by dn="cn=common,dc=ta,dc=its-sby,dc=edu" write
        by anonymous auth
        by self write
        by * none
access to dn.subtree="ou=Computers,dc=ta,dc=its-sby,dc=edu"
        attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdCanChange,entryCSN,modifiersName,modifyTimestamp
        by dn="cn=admin,dc=ta,dc=its-sby,dc=edu" write
        by dn="cn=common,dc=ta,dc=its-sby,dc=edu" write
        by anonymous auth
        by self write
        by * none
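The access lists above can be checked mechanically rather than by eye. The script below is an added example (it is not code from the original post, nor from Samba or OpenLDAP): it re-implements slapd's evaluation order for `access to` directives, feeds it the directives quoted in the post as constructed sample input (the AJK-WIN directive, identical in shape to the AJK-ITS one, is left out), and reports which identities end up with write access to the password attributes. The entry DNs `uid=bob,...` and `uid=lab01$,...` are made-up sample entries; the bind DNs are the ones from the post.

```python
"""Evaluate slapd.conf 'access to' directives the way slapd does: first directive whose
<what> matches wins, first matching <by> clause in it decides. Added example, not the poster's code."""
import re

# Constructed sample: the access lists quoted in the post, with the wrapped 'by dn='
# lines rejoined and continuation lines indented as slapd.conf requires (AJK-WIN omitted).
SLAPD_ACL = '''
access to dn.subtree="ou=AJK-ITS,ou=Computers,dc=ta,dc=its-sby,dc=edu"
        by dn="cn=common,dc=ta,dc=its-sby,dc=edu" write
        by dn="uid=domainadminajkits,ou=Admins,dc=ta,dc=its-sby,dc=edu" write
        by dn="cn=admin,dc=ta,dc=its-sby,dc=edu" write
        by * none
access to dn.subtree="ou=Users,dc=ta,dc=its-sby,dc=edu"
        attrs=userPassword,sambaNTPassword,sambaAcctFlags,sambaLMPassword,sambaPwdLastSet,sambaPwdCanChange,entryCSN,modifiersName,modifyTimestamp
        by dn="cn=admin,dc=ta,dc=its-sby,dc=edu" write
        by dn="cn=common,dc=ta,dc=its-sby,dc=edu" write
        by anonymous auth
        by self write
        by * none
access to dn.subtree="ou=Computers,dc=ta,dc=its-sby,dc=edu"
        attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdCanChange,entryCSN,modifiersName,modifyTimestamp
        by dn="cn=admin,dc=ta,dc=its-sby,dc=edu" write
        by dn="cn=common,dc=ta,dc=its-sby,dc=edu" write
        by anonymous auth
        by self write
        by * none
'''
# Made-up sample entries (not from the post); ADMIN_DN is the post's 'ldap admin dn'.
USER = "uid=bob,ou=Users,dc=ta,dc=its-sby,dc=edu"
MACHINE = "uid=lab01$,ou=AJK-ITS,ou=Computers,dc=ta,dc=its-sby,dc=edu"
ADMIN_DN = "cn=common,dc=ta,dc=its-sby,dc=edu"
IDENTITIES = [ADMIN_DN, "cn=admin,dc=ta,dc=its-sby,dc=edu", USER, MACHINE, None]  # None = anonymous

def norm_dn(dn):
    """Case- and whitespace-insensitive comparison form of a DN."""
    return ",".join(p.strip() for p in dn.lower().split(","))

def parse_acls(text):
    """Return [(what, [(who, level), ...])]; 'what' maps e.g. 'dn.subtree'/'attrs' to values."""
    stmts = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and stmts:      # continuation line of the previous directive
            stmts[-1] += " " + line.strip()
        else:
            stmts.append(line.strip())
    acls = []
    for stmt in stmts:
        if not stmt.startswith("access to "):
            continue
        what_part, *by_parts = re.split(r"\s+by\s+", stmt[len("access to "):])
        what = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
                for m in re.finditer(r'([\w.]+)=(?:"([^"]*)"|(\S+))', what_part)}
        clauses = []
        for part in by_parts:
            who, level = (part.split(None, 1) + ["none"])[:2]
            clauses.append((who, level.split()[0]))   # drop controls such as 'stop'
        acls.append((what, clauses))
    return acls

def who_matches(who, identity, entry_dn):
    """identity is the bind DN, or None for an anonymous connection."""
    if who == "*":
        return True
    if who == "anonymous":
        return identity is None
    if who == "self":
        return identity is not None and norm_dn(identity) == norm_dn(entry_dn)
    m = re.fullmatch(r'dn(?:\.exact)?="([^"]*)"', who)
    if m:
        return identity is not None and norm_dn(identity) == norm_dn(m.group(1))
    return False   # dn.regex, group, set, users, ... are not modelled in this example

def what_matches(what, entry_dn, attr):
    if "dn.subtree" in what:
        base, e = norm_dn(what["dn.subtree"]), norm_dn(entry_dn)
        if not (e == base or e.endswith("," + base)):
            return False
    if "attrs" in what and attr.lower() not in {a.strip().lower() for a in what["attrs"].split(",")}:
        return False
    return True

def effective_access(acls, entry_dn, attr, identity):
    """Access level slapd grants 'identity' on 'attr' of 'entry_dn' under these directives."""
    for what, clauses in acls:
        if not what_matches(what, entry_dn, attr):
            continue
        for who, level in clauses:
            if who_matches(who, identity, entry_dn):
                return level
        return "none"    # directive matched but no <by> clause did: implicit 'by * none'
    return "none"        # nothing matched: slapd's implicit final 'access to * by * none'

def password_writers(acls, entry_dn, identities, attr="sambaNTPassword"):
    """Sorted names of the identities (None = anonymous) that may write attr on entry_dn."""
    return sorted(i or "anonymous" for i in identities
                  if effective_access(acls, entry_dn, attr, i) == "write")

if __name__ == "__main__":
    for entry in (USER, MACHINE):
        print(entry, "->", password_writers(parse_acls(SLAPD_ACL), entry, IDENTITIES))
```

Run as-is it prints the writers of `sambaNTPassword` for each sample entry. Two things it makes visible: the `ldap admin dn` (`cn=common`) legitimately has write on every password attribute, which is why root-only permissions on secrets.tdb matter as much as the ACL itself; and because slapd uses the first directive whose target matches, the `ou=AJK-ITS` (and `ou=AJK-WIN`) directive, which has no `attrs=` restriction, takes precedence over the later `ou=Computers` directive for machines stored in that subtree, so the `self write` and `anonymous auth` clauses there never apply to them. The model only understands the `<who>` forms used in the excerpt (`dn=`, `self`, `anonymous`, `*`), and the excerpt is partial, so unmatched targets show `none` here even if other directives in the full slapd.conf cover them.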
Hi friends,

I'm running a Samba 3.0.0 in a production server with Redhat. I'm trying to
migrate my users and machine accounts to LDAP, I used pdbedit but it imports
only the sambaSamAccount attributes and I want to import the posixAccount
attributes too.
How can I do that?

Thanks

Bruno Pereti.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Tried the migration scripts in /usr/share/samba3/scripts ?

smbldap-migrate-accounts.pl
smbldap-migrate-groups.pl

Bruno Gimenes Pereti wrote:
| Hi friends,
|
| I'm running a Samba 3.0.0 in a production server with Redhat. I'm trying to
| migrate my users and machine accounts to LDAP, I used pdbedit but it imports
| only the sambaSamAccount attributes and I want to import the posixAccount
| attributes too.
| How can I do that?
|
| Thanks
|
| Bruno Pereti.

- --
- -----------------------------------------------------------------
| I can be reached on the following messenger services:           |
|---------------------------------------------------------------|
| MSN: j_c_llings@hotmail.com  AIM: WyteLi0n  ICQ: 123291844     |
|---------------------------------------------------------------|
| Y!: j_c_llings  Jabber: jcllings@nureality.com                 |
- -----------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3-nr1 (Windows XP)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFADeBX57L0B7uXm9oRAnYNAJ9DnUIfuliuZdm2aIcj6dXADXqnzQCfaFpR
kYGOCtU4DgJb0ycvQ/OOpec=
=Kxqh
-----END PGP SIGNATURE-----
Hi Jim,
Thank you for the answer.
I spent my afternoon yesterday trying to make it work but I couldn't find
what I must do. My first problem is that I don't know what should be the
input to the script. The script expects the input in a format I don't know:
while (<>) {
  my ($login, $rid, $lmpwd, $ntpwd, $gecos, $homedir, $b) = split(/:/, $_);
I know the input should be the output of pwdump, but I can't use it. I read
on the net that it's the same format as smbpasswd, but my smbpasswd is not
like this. Should I create a new file mixing smbpasswd and /etc/passwd? What
is the best way?
The other problem is that I pass a lot of information to smbldap-useradd.pl
script when creating a user:
smbldap-useradd.pl -a -d /home/alunos/<username> -s /bin/false -c "<Name>" \
    -m -k /home/alunos/template -B 1 -C "\\\\toshiba\\<username>" -D "U:" \
    -E "alunos.bat" -F "\\\\toshiba\\profiles\\template" <username> -P
How can I pass this information to smbldap-migrate-account.pl?
Thanks again.
Bruno Pereti.
>
> Tried the migration scripts in /usr/share/samba3/scripts ?
>
> smbldap-migrate-accounts.pl
> smbldap-migrate-groups.pl
>
> Bruno Gimenes Pereti wrote:
> | Hi friends,
> |
> | I'm running a Samba 3.0.0 in a production server with Redhat. I'm trying to
> | migrate my users and machine accounts to LDAP, I used pdbedit but it imports
> | only the sambaSamAccount attributes and I want to import the posixAccount
> | attributes too.
> | How can I do that?
> |
> | Thanks
> |
> | Bruno Pereti.