[Samba] samba + slave OpenLdap (read-only) - Samba



Thread: [Samba] samba + slave OpenLdap (read-only)

  1. [Samba] samba + slave OpenLdap (read-only)

    Hello,

    I'm trying to configure samba to use an openldap replica (slave) base.

    Everything is working, except when I try to join a machine to a domain.

    Samba tries to write some attributes in openldap, but this database (slave) is
    read-only, so this operation fails.

    Openldap can return a REFERRAL when a client (samba) tries to do a
    modification on a slave database, and this is already happening.

    But samba can't understand this referral returned by the slave openldap.

    I saw in the man page that this is possible and samba should understand this by
    default.

    Is this correct? Or should I change something in smb.conf?

    I'm using samba 3.0.24 (Debian Etch).

    Regards,

    João Alfredo
    --
    To unsubscribe from this list go to the following URL and read the
    instructions: https://lists.samba.org/mailman/listinfo/samba


  2. RE: [Samba] samba + slave OpenLdap (read-only)

    I suggest setting up LDAP syncrepl;
    if needed you can use it in multi-master mode.

    (I'm also running Etch, with a PDC and BDC + 1 LDAP master and 4 slaves.)

    Louis




  3. Re: [Samba] samba + slave OpenLdap (read-only)

    On Wed, Jul 02, 2008 at 10:08:19AM -0300, jakjr wrote:
    > Hello,
    >
    > I'm trying to config samba to use a openldap replica (slave) base.
    >
    > Every thing is working, except when I try to join a machine to a domain.
    >
    > Samba try to write some attributes in openldap, but this database (slave) is
    > read-only, so this operation fails.
    >
    > Openldap can return a REFERRAL when a client (samba) try to do a
    > modification on a slave database and this already is happening.
    >
    > But samba can't understand this referral return by the slave openldap.


    Hmmm. I've got this running in many customer installations.
    The fact that we do referrals is one reason why the "ldap
    replication sleep" parameter exists at all. What is the exact
    failure you're seeing?

    Volker



  4. Re: [Samba] samba + slave OpenLdap (read-only)

    Hey,

    When I try to join a new machine to a domain, it simply fails.

    I already set "ldap replication sleep" to a higher value, but this does
    not work.

    I'm using syncrepl on ldap (refreshAndPersist) and this is working, including
    the referral returned by the updateref config in slapd.conf.

    Thanks



  5. Re: [Samba] samba + slave OpenLdap (read-only)

    jakjr schrieb:
    > Hey,
    >
    > When I try to join a new machine on a domain, it's simple fail.
    >
    > I already set the "ldap replication sleep" to a higher value, but this do
    > not work.
    >
    > I'm using synrepl on ldap (refreshAndPersist) and this is working. Including
    > the referral return if the updateref config on slapd.conf.


    What do you use to add new accounts?

    smbldap-tools can be configured to use different LDAP servers (master
    and slave).


    --
    Tomasz Chmielewski
    http://wpkg.org


  6. Re: [Samba] samba + slave OpenLdap (read-only)

    I'm using third-party software to create the accounts in the ldap.

    But the problem is when I try to include this machine (the entry for this
    machine already exists in ldap) in my samba domain using an ldap replica
    (read-only).

    Samba tries to modify some attributes in the slave (read-only), the slave
    returns a referral and samba is not following the referral to the master ldap
    (where samba has the right to modify these attributes).

    Thanks.



  7. Re: [Samba] samba + slave OpenLdap (read-only)

    jakjr schrieb:
    > I'm using a thitd-party software to create the accounts in the ldap.
    >
    > But the problem is when I try to include this machine (the entry of this
    > machine already exist in ldap) in my samab domain using a ldap-replica
    > (read-only).
    >
    > Samba try to modify some atributes in the slave (read-only), the slave
    > return a referral and samba is not following the referral to the master ldap
    > (when the samba has right to modify this atributes).


    Is it Samba that really creates the accounts?

    Can you paste your smb.conf?


    --
    Tomasz Chmielewski
    http://wpkg.org



  8. Re: [Samba] samba + slave OpenLdap (read-only)

    No. Samba does not create any account in ldap (users or machines).

    These accounts are created by other software, like phpSambaAdmin.

    smb.conf:
    [global]
    workgroup = caresl
    netbios name = scaresmb03
    ldap admin dn = uid=smb--admin,dc******
    ldap suffix = ou=test,dc=*****
    ldap passwd sync = No
    passdb backend = ldapsam:ldap://10.1*****
    dns proxy = No
    name resolve order = wins bcast
    server string =
    unix charset = iso8859-1
    ldap timeout = 45
    enable privileges = Yes
    admin users = @smb-administrators
    veto files = /.Trash-%U/
    oplocks = No
    level 2 oplocks = No
    time server = Yes
    kernel oplocks = No
    preferred master = Yes
    local master = Yes
    domain master = Yes
    os level = 65
    ldap replication sleep = 5000

    domain logons = Yes
    wins support = Yes
    logon drive = u
    logon path =
    logon home = \\\%U$
    logon script = %U.bat

    #### Debugging/Accounting ####

    log level = 10


    Log from ldap when trying to include a machine in the domain:
    Jul 2 11:44:18 starget slapd[19617]: conn=10 op=30 ENTRY
    dn="uid=vmtest11201$,ou=test,********"
    Jul 2 11:44:18 starget slapd[19617]: conn=10 op=30 SEARCH RESULT tag=101
    err=0 nentries=1 text=
    Jul 2 11:44:18 starget slapd[19617]: conn=10 op=31 MOD
    dn="uid=vmtest11201$,ou=*****"
    Jul 2 11:44:18 starget slapd[19617]: conn=10 op=31 MOD
    attr=sambaPwdCanChange sambaPwdCanChange sambaNTPassword sambaNTPassword
    sambaPwdLastSet sambaPwdLastSet
    Jul 2 11:44:18 starget slapd[19617]: conn=10 op=31 RESULT tag=103 err=10 text=

    This error code from ldap means that ldap returned a referral to samba.

    Samba should follow this referral to the master ldap.

    Many thanks.

    João Alfredo

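A way to spot exactly this failure in the slapd log, as an added example that is not code from the thread or from Samba/OpenLDAP: it correlates slapd "loglevel stats" request and RESULT lines by conn/op and reports every write that the replica answered with LDAP result code 10 (referral) instead of performing it. The sample lines are constructed after the format pasted above; host names and DNs are placeholders.

```python
"""Detect replica writes that slapd answered with a referral.

Added example, not code from the thread: correlates slapd access-log
(loglevel stats) request and RESULT lines by conn/op and reports each
write that ended in LDAP result code 10 (referral). Sample lines are
constructed after the format pasted in the thread; host names and DNs
are placeholders.
"""
import re

LDAP_SUCCESS = 0
LDAP_REFERRAL = 10  # RFC 4511 result code "referral"

# BER tags of the response PDUs as slapd prints them in "RESULT tag=..."
TAG_NAMES = {101: "SearchResultDone", 103: "ModifyResponse",
             105: "AddResponse", 107: "DelResponse", 109: "ModifyDNResponse"}

LINE_RE = re.compile(r"slapd\[\d+\]: conn=(\d+) op=(\d+) (.*)$")
REQ_RE = re.compile(r'^(MOD|ADD|DEL|MODRDN) dn="([^"]*)"')
ATTR_RE = re.compile(r"^MOD attr=(.*)$")
RESULT_RE = re.compile(r"^RESULT tag=(\d+) err=(\d+)")

# Constructed sample: a machine-account password change sent to the
# read-only consumer (conn=10), then the same change sent to the
# provider (conn=11), where it succeeds.
SAMPLE_LOG = """\
Jul  2 11:44:18 replica slapd[19617]: conn=10 op=30 SRCH base="ou=test,dc=example,dc=test" scope=2 deref=0 filter="(uid=vmtest01$)"
Jul  2 11:44:18 replica slapd[19617]: conn=10 op=30 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul  2 11:44:18 replica slapd[19617]: conn=10 op=31 MOD dn="uid=vmtest01$,ou=test,dc=example,dc=test"
Jul  2 11:44:18 replica slapd[19617]: conn=10 op=31 MOD attr=sambaPwdCanChange sambaPwdCanChange sambaNTPassword sambaNTPassword sambaPwdLastSet sambaPwdLastSet
Jul  2 11:44:18 replica slapd[19617]: conn=10 op=31 RESULT tag=103 err=10 text=
Jul  2 11:44:19 provider slapd[2044]: conn=11 op=5 MOD dn="uid=vmtest01$,ou=test,dc=example,dc=test"
Jul  2 11:44:19 provider slapd[2044]: conn=11 op=5 MOD attr=sambaNTPassword sambaNTPassword
Jul  2 11:44:19 provider slapd[2044]: conn=11 op=5 RESULT tag=103 err=0 text=
""".splitlines()


def find_referred_writes(lines):
    """Return one dict per write op whose RESULT line carried err=10."""
    pending = {}   # (conn, op) -> request info, kept until its RESULT arrives
    referred = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        key = (int(m.group(1)), int(m.group(2)))
        rest = m.group(3)
        req = REQ_RE.match(rest)
        if req:
            pending[key] = {"conn": key[0], "op": key[1], "kind": req.group(1),
                            "dn": req.group(2), "attrs": []}
            continue
        attr = ATTR_RE.match(rest)
        if attr and key in pending:
            # slapd names an attribute once per modification, so a
            # delete+add of the same attribute lists it twice; de-duplicate
            for name in attr.group(1).split():
                if name not in pending[key]["attrs"]:
                    pending[key]["attrs"].append(name)
            continue
        res = RESULT_RE.match(rest)
        if res and key in pending:
            info = pending.pop(key)
            info["tag"] = TAG_NAMES.get(int(res.group(1)), "tag=" + res.group(1))
            info["err"] = int(res.group(2))
            if info["err"] == LDAP_REFERRAL:
                referred.append(info)
    return referred


def summarize(lines):
    """One human-readable line per referred write."""
    return ["conn=%d op=%d %s on %s (%s) referred; attrs: %s"
            % (r["conn"], r["op"], r["kind"], r["dn"], r["tag"],
               ", ".join(r["attrs"]))
            for r in find_referred_writes(lines)]


if __name__ == "__main__":
    for line in summarize(SAMPLE_LOG):
        print(line)
```

Run against a real consumer's log, every line this reports is a write that the replica refused; if the same DN is not followed by a successful MOD on the provider shortly afterwards, the client did not chase the referral.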


  9. Re: [Samba] samba + slave OpenLdap (read-only)

    Hey,

    Here is another log:

    Samba tries to change some attributes, like sambaNTPassword (green),
    and ldap returns an error (red) and a referral to the master ldap. But samba
    does not follow this referral.

    Why does samba try to change these attributes?

    Thanks.

    [2008/07/02 16:36:32, 10] lib/smbldap.c:smbldap_make_mod(520)
    smbldap_make_mod: deleting attribute |sambaNTPassword| values
    |4619D0EB563CB8FAE84FF83A11AB50A4|
    [2008/07/02 16:36:32, 10] lib/smbldap.c:smbldap_make_mod(529)
    smbldap_make_mod: adding attribute |sambaNTPassword| value
    |3F320F8E58CD749B1A6A9333A9E77E02|
    [2008/07/02 16:36:32, 11] passdb/pdb_get_set.c:pdb_get_init_flags(217)
    element 34: SET
    [2008/07/02 16:36:32, 11] passdb/pdb_get_set.c:pdb_get_init_flags(217)
    element 21: SET
    [2008/07/02 16:36:32, 11] passdb/pdb_get_set.c:pdb_get_init_flags(222)
    element 21: CHANGED
    [2008/07/02 16:36:32, 10] lib/smbldap.c:smbldap_make_mod(520)
    smbldap_make_mod: deleting attribute |sambaPwdLastSet| values |2147483647|
    [2008/07/02 16:36:32, 10] lib/smbldap.c:smbldap_make_mod(529)
    smbldap_make_mod: adding attribute |sambaPwdLastSet| value |1215027392|
    [2008/07/02 16:36:32, 11] passdb/pdb_get_set.c:pdb_get_init_flags(217)
    element 27: SET
    [2008/07/02 16:36:32, 11] passdb/pdb_get_set.c:pdb_get_init_flags(217)
    element 20: SET
    [2008/07/02 16:36:32, 11] passdb/pdb_get_set.c:pdb_get_init_flags(217)
    element 29: SET
    [2008/07/02 16:36:32, 5] lib/smbldap.c:smbldap_modify(1363)
    smbldap_modify: dn => [uid=vmcelepar11201$,ou=TEST,dc********]
    [2008/07/02 16:36:32, 11] lib/smbldap.c:smbldap_open(1043)
    smbldap_open: already connected to the LDAP server
    [2008/07/02 16:36:32, 10] lib/smbldap.c:smbldap_modify(1377)
    Failed to modify dn: uid=vmcelepar11201$,ou=TEST,dc=**********, error:
    Referral ()
    [2008/07/02 16:36:32, 11] passdb/pdb_get_set.c:pdb_set_init_flags(425)
    element 35 -> now CHANGED




  10. Re: [Samba] samba + slave OpenLdap (read-only)

    On Wed, Jul 02, 2008 at 04:47:42PM -0300, jakjr wrote:
    > Hey,
    >
    > Here another log:
    >
    > Samba try to change some atributes, like sambaNTPassword (gree)
    > and ldap return an error (red) and a referral for the mastes ldap. But samba
    > do not follow this referral.
    >
    > Why samba try to change this atributes ??


    Because the machine vmcelepar11201 tried to change its
    password. A sniff of the LDAP traffic might help a bit
    towards finding the failure to follow the referral. But
    please beware that this traffic contains password
    equivalents or even passwords.

    Volker



  11. Re: [Samba] samba + slave OpenLdap (read-only)

    I looked at samba code and I found this:


    /* excerpt from lib/smbldap.c, smbldap_modify() */
    while (another_ldap_try(ldap_state, &rc, &attempts, endtime)) {
        rc = ldap_modify_s(ldap_state->ldap_struct, utf8_dn, attrs);
        if (rc != LDAP_SUCCESS) {
            char *ld_error = NULL;
            int ld_errno;

            ldap_get_option(ldap_state->ldap_struct,
                            LDAP_OPT_ERROR_NUMBER, &ld_errno);

            ldap_get_option(ldap_state->ldap_struct,
                            LDAP_OPT_ERROR_STRING, &ld_error);

            DEBUG(10, ("Failed to modify dn: %s, error: %d (%s) "
                       "(%s)\n", dn, ld_errno,
                       ldap_err2string(rc),
                       ld_error ? ld_error : "unknown"));
            SAFE_FREE(ld_error);

            /* only a dead server causes a reconnect; any other error,
               a referral included, is just logged and the loop retries
               the same server */
            if (ld_errno == LDAP_SERVER_DOWN) {
                ldap_unbind(ldap_state->ldap_struct);
                ldap_state->ldap_struct = NULL;
            }
        }
    }

    Samba does NOT follow the referral returned by the openldap server. At least in
    this situation (joining machines).

    Samba will only try another server if the first one is DOWN.

    In my opinion, it should try another server if any error occurs during any
    ldap operation.

    So many thanks.

    João Alfredo



  12. Re: [Samba] samba + slave OpenLdap (read-only)

    On Thu, Jul 03, 2008 at 10:05:07AM -0300, jakjr wrote:
    > I looked at samba code and I found this:


    Can you send sample code showing how this should be done? AFAIK the
    LDAP libs should take care of this. That's the whole point
    of having the rebind_proc stuff around.

    Volker



  13. Re: [Samba] samba + slave OpenLdap (read-only)

    Yes! rebind_proc should be called if the error returned by openldap was
    "Referral".

    I'm not a developer and can't help much with this. Sorry.

    João Alfredo



  14. Re: [Samba] samba + slave OpenLdap (read-only)

    On Thu, Jul 03, 2008 at 10:18:58AM -0300, jakjr wrote:
    > Yes! rebind_proc should be call if the error return by openldap was
    > "Referral".


    Then if you don't provide the sniff I have asked for, the
    developers can not be of much help.

    Please also check your /etc/ldap.conf (or so) for the
    setting of REFERRAL. It must be set to yes which is the
    default.

    Volker



  15. Re: [Samba] samba + slave OpenLdap (read-only)

    On Thu, Jul 3, 2008 at 9:12 AM, Volker Lendecke
    wrote:
    >
    > Can you send sample code how this should be done. AFAIK the
    > LDAP libs should take care of this. That's the whole point
    > of having the rebind_proc stuff around.


    I believe that the OpenLDAP libraries have been able to chase
    referrals and failovers and deal with heavily paged search results for
    many years now. In the case of searching, programmers must use the
    API correctly (in other words, don't just ignore it when the libs
    return a "more results pending" flag), but in the case of referrals
    LDAP_OPT_REFERRALS is by default set to LDAP_OPT_ON, so it should be
    reasonably transparent to the programmer. Authoritative information
    should be easily available from the OpenLDAP.org site, so don't take
    my word for it!

    The most common problem I see with busted referrals is when someone
    sets up a program (such as samba) to use the local replica's
    rootdn/rootpw as defined in /etc/slapd.conf (which allows bypassing
    ACLs and whatnot) but does not define that dn and password to have
    appropriate access on the master server. If the admindn that samba is
    using does not have the ability to write the master slapd, it won't
    matter if it has unrestricted access to the slave.

    --Charlie


  16. Re: [Samba] samba + slave OpenLdap (read-only)

    On Thu, Jul 3, 2008 at 2:54 PM, Charlie wrote:
    >
    > The most common problem I see with busted referrals is when someone
    > sets up a program (such as samba) to use the local replica's
    > rootdn/rootpw as defined in /etc/slapd.conf (which allows bypassing
    > ACLs and whatnot) but does not define that dn and password to have
    > appropriate access on the master server. If the admindn that samba is
    > using does not have the ability to write the master slapd, it won't
    > matter if it has unrestricted access to the slave.


    Whoops, replying to myself here. I have been privately warned that
    allowing multiple samba servers unlimited write access to one's LDAP
    database can cause creation of duplicate entries for single entities
    (such as machine trust accounts). Which leads to the dreaded
    "multiple LDAP objects returned" error in the logs if you have samba
    BDCs.

    I do not recommend that any daemon have totally unrestricted write
    access to one's LDAP directory. I do not recommend that any entity
    (other than a trusted human being) use the master slapd's
    rootdn/rootpw for anything.

    http://www.openldap.org/faq/index.cg...ootdn&file=761

    In my systems, the samba rootdn has the ability to write all
    samba-only LDAP attributes but does not have the ability to create
    POSIX accounts or anything else unrelated to samba. Machine trust
    accounts have the ability to modify their own passwords, because I am
    not sure when they bind as the samba admindn and when they bind with
    their own credentials.

    I use samba to integrate proprietary desktops into standards-based
    networks, and sometimes I forget that other people are doing the
    opposite. Our POSIX accounts, including machine trusts, are created
    and deleted by human beings in accordance with the US federal
    regulations that apply to my employer. I hope no-one misinterpreted
    my previous post.

    --Charlie
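The mechanism argued about from post 11 onwards (a referral is only useful if the client rebinds on the master with the same credentials, which is what rebind_proc exists for), together with Charlie's point that the rebind identity also needs write ACLs on the master, as an added example that is neither Samba nor OpenLDAP code: in-memory fake servers stand in for python-ldap so it runs offline, and every host name, DN and password is constructed.

```python
"""Referral chasing and the rebind identity's rights on the master.

Added example, neither Samba nor OpenLDAP code: in-memory fake servers
stand in for python-ldap so it runs offline. Host names, DNs and
passwords are constructed.
"""
from urllib.parse import urlparse, unquote

LDAP_SUCCESS = 0
LDAP_REFERRAL = 10
LDAP_INVALID_CREDENTIALS = 49
LDAP_INSUFFICIENT_ACCESS = 50
MAX_HOPS = 5  # stop chasing after this many referrals (loop protection)

MASTER = "ldap-master.example.test"
SLAVE = "ldap-slave.example.test"
ADMIN_DN = "uid=smb-admin,dc=example,dc=test"          # known on both, writer on master
REPLICA_WRITER_DN = "uid=smb-operator,dc=example,dc=test"  # known on both, writer on slave only
LOCAL_ROOT_DN = "cn=local-root,dc=example,dc=test"      # replica's own rootdn, unknown to master
MACHINE_DN = "uid=vmtest01$,ou=test,dc=example,dc=test"


def parse_ldap_url(url):
    """RFC 4516 'ldap://host[:port]/dn[?attrs?scope?filter]' -> (host, dn)."""
    u = urlparse(url)
    if u.scheme not in ("ldap", "ldaps") or not u.hostname:
        raise ValueError("not an LDAP URL: %r" % url)
    return u.hostname, unquote(u.path.lstrip("/"))


class FakeSlapd:
    """Minimal stand-in for slapd: bind, then modify with updateref/ACL semantics."""

    def __init__(self, creds, writers, updateref=None):
        self.creds = creds          # bind DN -> password
        self.writers = writers      # bind DNs whose writes the ACLs allow
        self.updateref = updateref  # set on a read-only consumer
        self.entries = {}           # dn -> attributes written so far

    def bind(self, dn, password):
        return LDAP_SUCCESS if self.creds.get(dn) == password else LDAP_INVALID_CREDENTIALS

    def modify(self, bound_dn, dn, changes):
        if self.updateref:
            # consumer: refuse the write and point at the provider (result 10)
            return LDAP_REFERRAL, ["%s/%s" % (self.updateref, dn)]
        if bound_dn not in self.writers:
            return LDAP_INSUFFICIENT_ACCESS, []
        self.entries.setdefault(dn, {}).update(changes)
        return LDAP_SUCCESS, []


def modify_chasing_referrals(directory, host, bind_dn, password, dn, changes, chase=True):
    """Like ldap_modify_s with LDAP_OPT_REFERRALS on (chase=True) or off.

    Returns (result code, host that produced it, referral hops taken).
    On each hop the client re-binds with the same credentials, the job
    libldap delegates to the rebind_proc callback.
    """
    hops = 0
    while True:
        server = directory[host]
        rc = server.bind(bind_dn, password)
        if rc != LDAP_SUCCESS:
            return rc, host, hops
        rc, refs = server.modify(bind_dn, dn, changes)
        if rc != LDAP_REFERRAL or not chase or hops >= MAX_HOPS:
            return rc, host, hops
        host, _ = parse_ldap_url(refs[0])
        hops += 1


def build_directory():
    shared = {ADMIN_DN: "admin-secret", REPLICA_WRITER_DN: "operator-secret"}
    master = FakeSlapd(shared, writers={ADMIN_DN})
    slave = FakeSlapd(dict(shared, **{LOCAL_ROOT_DN: "local-secret"}),
                      writers={ADMIN_DN, REPLICA_WRITER_DN, LOCAL_ROOT_DN},
                      updateref="ldap://" + MASTER)
    return {MASTER: master, SLAVE: slave}


def run_scenarios():
    """The outcomes the thread talks about, keyed by name."""
    d = build_directory()
    change = {"sambaNTPassword": "<new hash>"}
    run = lambda dn, pw, **kw: modify_chasing_referrals(d, SLAVE, dn, pw, MACHINE_DN, change, **kw)
    return {
        "no_chase": run(ADMIN_DN, "admin-secret", chase=False),   # referral logged, not followed
        "chase_admin": run(ADMIN_DN, "admin-secret"),             # rebind identity may write on master
        "chase_no_master_acl": run(REPLICA_WRITER_DN, "operator-secret"),  # master ACL refuses
        "chase_local_rootdn": run(LOCAL_ROOT_DN, "local-secret"),          # DN unknown on master
    }


if __name__ == "__main__":
    for name, (rc, host, hops) in run_scenarios().items():
        print("%-20s rc=%2d from %s after %d hop(s)" % (name, rc, host, hops))
```

The "no_chase" row reproduces what the logs in this thread show (result 10 from the replica, nothing else); the last two rows are the failures Charlie describes, which look like "referral not working" from the client side but are really bind or ACL problems on the master.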

