Arokux B.
2012-Jul-31 10:11 UTC
[Samba] Samba+LDAP: Minimal permissions for sambaLMPassword/sambaNTPassword attributes?
Hi,

what are the minimum permissions for the attributes sambaLMPassword/sambaNTPassword for the LDAP administrator account so that Samba is just enabled to use it for authentication with ldapsam backend?

It seems like auth is not enough, is this true?!

Thanks,
Arokux
Dave Ewart
2012-Jul-31 13:23 UTC
[Samba] Samba+LDAP: Minimal permissions for sambaLMPassword/sambaNTPassword attributes?
On Tuesday, 31.07.2012 at 12:11 +0200, Arokux B. wrote:

> what are the minimum permissions for the attributes
> sambaLMPassword/sambaNTPassword for the LDAP administrator account
> so that Samba is just enabled to use it for authentication with
> ldapsam backend?
>
> It seems like auth is not enough, is this true?!

Unlike a direct LDAP bind for a user when one can be sufficient with just detecting a successful bind, Samba needs to be able to compare the stored sambaLMPassword/sambaNTPassword hashes with the hash provided by the client. That requires 'read' access at a minimum.

(For password changes via this avenue, I believe you'd need 'write', although I'm less certain about that: might depend on the password change mechanism being used.)

Dave.

--
Dave Ewart
davee at ceu.ox.ac.uk
Computing Manager, Cancer Epidemiology Unit
University of Oxford / Cancer Research UK
N 51.7516, W 1.2152
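The access levels discussed in this thread, written out as an access rule. This is an added example, not part of the thread and not from the Samba project; it assumes the directory is OpenLDAP configured through slapd.conf, and the bind DN `cn=samba,dc=example,dc=org` is a hypothetical name for the account Samba's ldapsam backend binds as.

```conf
# Added example, assumptions: OpenLDAP slapd.conf syntax; the DN below is a
# hypothetical account used by Samba's ldapsam backend to bind.
#
# slapd evaluates "access to" rules in order and stops at the first rule
# whose target matches, so this rule must come before any broader rule
# such as "access to *".

# Insufficient (the case asked about in the thread): 'auth' only permits
# using an attribute to authenticate a bind; it does not let the account
# fetch the stored hash values.
#
# access to attrs=sambaLMPassword,sambaNTPassword
#     by dn.exact="cn=samba,dc=example,dc=org" auth
#     by * none

# Minimum for authentication per the reply: 'read', so the stored hashes
# can be retrieved and compared with what the client provides. Every other
# identity, including anonymous, gets no access to the hash attributes.
access to attrs=sambaLMPassword,sambaNTPassword
    by dn.exact="cn=samba,dc=example,dc=org" read
    by * none

# If password changes are to go through the same account, the reply
# suggests 'write' may be needed instead of 'read' (stated there as
# uncertain and dependent on the password change mechanism):
#
# access to attrs=sambaLMPassword,sambaNTPassword
#     by dn.exact="cn=samba,dc=example,dc=org" write
#     by * none
```

The `by * none` clause matters as much as the grant: these attributes hold password-equivalent hashes, so no identity other than the Samba bind account should be able to read them.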