Samba experts,

Thanks to advice from this list, I am finally able to get smbpasswd to change ldap passwords for the Samba LM/NT passwords. However, I had to give write access to sambaPwdLastSet and sambaPwdCanChange attributes as well. Other Samba attributes don't seem to need write access. I have found plenty of examples with people assigning an ACL for sambaLMPassword and sambaNTPassword, but I haven't found examples that included other attributes such as sambaPwdLastSet and sambaPwdCanChange.

Can someone explain why these fields need write access while there is so little documentation suggesting it (if any)? I guess I am not surprised that they need write access as much as I am surprised there is so little documentation suggesting it.

Tim

Tim Tyler
Network Engineer - Beloit College
tyler@beloit.edu

On Wed, 2005-01-26 at 13:12 -0600, Tim Tyler wrote:
> Samba experts,
> Thanks to advice from this list, I am finally able to get smbpasswd to
> change ldap passwords for the Samba LM/NT passwords. However, I had to
> give write access to sambaPwdLastSet and sambaPwdCanChange attributes as
> well. Other Samba attributes don't seem to need write access. I have
> found plenty of examples with people assigning an ACL for sambaLMPassword
> and sambaNTPassword, but I haven't found examples that included other
> attributes such as sambaPwdLastSet and sambaPwdCanChange.
> Can someone explain why these fields need write access while there is so
> little documentation suggesting it (if any)? I guess I am not surprised
> that they need write access as much as I am surprised there is so little
> documentation suggesting it.
----
There's a lot of us 'in school' trying to use LDAP without fully understanding it and of course, there really isn't any standard way to do things.

ldap admin dn really needs full read/write access to all areas that dn is to manage and any restrictions are gonna cause trouble.

Generally, ACLs that restrict attributes such as sambaLMPassword and sambaNTPassword aren't for restricting activity by the ldap admin dn in smb.conf but to restrict all other access attempts.

I think the general consensus is that the samba developers have their hands full with samba and learning how to implement/secure/use LDAP is pretty much the end user responsibility.

Craig

On Wednesday 26 January 2005 12:12, Tim Tyler wrote:
> Samba experts,
> Thanks to advice from this list, I am finally able to get smbpasswd to
> change ldap passwords for the Samba LM/NT passwords. However, I had to
> give write access to sambaPwdLastSet and sambaPwdCanChange attributes as
> well. Other Samba attributes don't seem to need write access. I have
> found plenty of examples with people assigning an ACL for sambaLMPassword
> and sambaNTPassword, but I haven't found examples that included other
> attributes such as sambaPwdLastSet and sambaPwdCanChange.
> Can someone explain why these fields need write access while there is so
> little documentation suggesting it (if any)? I guess I am not surprised
> that they need write access as much as I am surprised there is so little
> documentation suggesting it.

When you have figured all of it out, your help in improving the documentation will be much appreciated. If you have patches or specific suggestions for addition to the documentation please submit them to me, or post a bug report on http://bugzilla.samba.org and post your patches or documentation updates there.

Thanks.

Cheers,
John T.

--
John H Terpstra
Samba-Team Member
Phone: +1 (650) 580-8668
Author:
The Official Samba-3 HOWTO & Reference Guide, ISBN: 0131453556
Samba-3 by Example, ISBN: 0131472216
Hardening Linux, ISBN: 0072254971
Other books in production.
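
The behaviour discussed in this thread, as an added example that is not part of the original messages or of Samba: a simplified first-match evaluator for slapd.conf `access to` directives, reporting which of the four attributes named above a bind DN cannot write. Assumptions: OpenLDAP slapd.conf syntax, only `*` and `attrs=` targets and `*`, `self` and `dn.exact=` subjects are handled, and the DN and both ACL fragments are constructed placeholders.

```python
import re

# Attributes the thread reports smbpasswd needing write access to.
NEEDED = ["sambaLMPassword", "sambaNTPassword", "sambaPwdLastSet", "sambaPwdCanChange"]
SAMBA_DN = "cn=samba,dc=example,dc=org"  # placeholder bind DN (assumption)
# Constructed fragments: the ACL most examples show, then the extended one.
COMMON = '''
access to attrs=sambaLMPassword,sambaNTPassword
    by dn.exact="cn=samba,dc=example,dc=org" write
    by * none
access to *
    by * read
'''
EXTENDED = COMMON.replace("sambaNTPassword", "sambaNTPassword,sambaPwdLastSet,sambaPwdCanChange")

def parse_acls(conf):
    """Return [(attr list, or None for '*', [(who, level), ...])] in file order."""
    joined = re.sub(r"\n[ \t]+", " ", conf)  # indented lines continue a directive
    acls = []
    for line in joined.splitlines():
        m = re.match(r"access\s+to\s+(\*|attrs=\S+)\s+(.*)", line.strip())
        if m:  # other target forms (dn=, filter=) are outside this example
            what, rest = m.groups()
            attrs = None if what == "*" else what[6:].lower().split(",")
            acls.append((attrs, re.findall(r"by\s+(\S+)\s+(\w+)", rest)))
    return acls

def who_matches(who, bind_dn, is_self):
    if who == "*":
        return True
    if who == "self":
        return is_self
    m = re.match(r'dn\.exact="?([^"]*)"?$', who)
    return bool(m) and m.group(1).lower() == bind_dn.lower()

def access_level(acls, attr, bind_dn, is_self=False):
    for attrs, by in acls:
        if attrs is not None and attr.lower() not in attrs:
            continue
        # The first rule whose target matches decides; later rules are never consulted.
        for who, level in by:
            if who_matches(who, bind_dn, is_self):
                return level
        return "none"  # implicit trailing "by * none"
    return "none"  # no rule matched: implicit "access to * by * none"

def missing_write(conf, bind_dn):
    acls = parse_acls(conf)
    return [a for a in NEEDED if access_level(acls, a, bind_dn) != "write"]
```

With the constructed `COMMON` fragment, `missing_write(COMMON, SAMBA_DN)` returns the two timestamp attributes, because they fall through to the catch-all rule where the DN only has read access; with `EXTENDED` it returns an empty list.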