samba - Jul 2004 - Researching Improved safety 4 Samba/LDAP

Some more research for my howto at
http://mandrake.vmlinuz.ca/bin/view/Main/SambaThreeDomainController

Some folks have let me know that it is a bad thing to have your samba
server access the database as the root dn. All well and good but how do
I fix this?  I have the default acls listed below which look pretty good
but don't I need a special user or something?  It would help if I
understood these acls better but while using regular expressions is good
for compatibility it obfuscates (at least for me) the text quite a bit.

 From what I see below, it seems as if all I have to do is join the
server box to the domain and then change the bind dn to controllername$
in various and sundry places.  This doesn't seem right though because I
know that we need a userid and password stored in secrets.tdb. I can
store controllername$ but the password for machine accounts is generated
by the script and nobody knows what it is. I could change it using
smbldap-passwd but I'm not so sure this is a good idea.

I have seen examples of databases that had "hooks" i.e. accounts meant
for accessing parts of the directory.  These accounts were located just
off the root though instead of in People as displayed below by the
uid=root setting.

Your thoughts? Links? A bone? Anything? ;-)
> access to dn="(.+,)?,ou=.+,(dc=.+,?)+$$"
> 
attrs=lmPassword,ntPassword,sambaLMPassword,sambaNTPassword,userPassword
>         by self write
>         by dn="uid=root,ou=People,$2" write
>         by group="cn=Domain Controllers,ou=Group,$2" write
>         by anonymous auth
>         by * none
>
> # ACL allowing samba domain controllers to add user accounts
> access to dn="^(.*,)?ou=People,(dc=.+,?)+$$"
>         attrs=entry,children,posixAccount,sambaAccount,sambaSamAccount
>         by dn="uid=root,ou=People,$2" write
>         by group="cn=Domain Controllers,ou=Group,$2" write
>         by * read
>
> # allow users to modify their own "address book" entries:
> access to dn="(.+,)+ou=People,(dc.+,?)+$$"
>         attrs=inetOrgPerson,mail
>         by self write
>         by dn="uid=root,ou=People,$2" write
>         by group="cn=Domain Controllers,ou=Group,$2" write
>         by * read
>
> # Allow samba domain controllers to create groups and group mappings
> access to dn="^(.*,)?ou=Group,(dc=.+,?)+$$"
>         attrs=entry,children,posixGroup,sambaGroupMapping
>         by dn="uid=root,ou=People,$2" write
>         by group="cn=Domain Controllers,ou=Group,$2" write
>         by * read
>
  > # Allow samba to create idmap entries (not well
tested)
> access to dn="^(.*,)?ou=Idmap,(dc=.+,?)+$$"
>         attrs=entry,children,sambaIdmapEntry
>         by group="cn=Domain Controllers,ou=Group,$2" write
>         by * read
-- 

-----------------------------------------------------------------
| I can be reached on the following Instant Messenger services: |
|---------------------------------------------------------------|
| MSN: j_c_llings@hotmail.com  AIM: WyteLi0n  ICQ: 123291844 	|
|---------------------------------------------------------------|
| Y!: j_c_llings               Jabber: jcllings@njs.netlab.cz	|
-----------------------------------------------------------------