
Re: RFT: samba-ldap



On Sunday 25 April 2004 12:18, Petter Reinholdtsen wrote:
>
> I'm told that Samba needs to register new machines into the "domain"
> before they are given access.  I believe it is best to store such
> machine info in LDAP, as we want to handle several samba servers in a
> school.  It should be enough to register the machine once in the
> school, and it should then get access to all samba servers.
>
> But I do not want the samba servers to have write access to the LDAP server
> "on their own", i.e. without an administrator providing his LDAP admin
> password to approve the LDAP update.  This means that the LDAP access
> password should not be part of the samba configuration stored on disk,
> but it should be provided by an LDAP admin every time a new machine is
> to be added to the "domain".

I think this will be difficult due to the way Samba works. The way I 
understand it is that Samba requires someone with administrator privileges to 
add a machine to a domain. This will keep "everyone" from having indirect 
access to LDAP. However, it means that Samba will need to have full write 
access to the LDAP tree it uses.

> The reason for this is that it should be
> possible to outsource the administration of the LDAP server, and I
> believe it is unlikely that a third party administrating the LDAP
> server will allow LDAP write access directly from machines outside
> their control.

They will have to, I think. There is some good news though:

- The LDAP account that Samba uses does not need overall write access to LDAP
- The machine accounts can be stored in a separate tree from e.g. users
- By using ACLs we can put fine-grained limits on what the Samba LDAP account
  can do, while allowing what it must be able to do

All this is only relevant for Samba 3 though, IIRC. In 2.2 a machine account is 
almost the same as a regular user account, so the second point in my list 
won't apply.

-- 
Eivind Trondsen        Tlf: +47 23 89 71 85
LinuxLabs AS           Mob: +47 928 40 009

-------   http://www.linuxlabs.no    -------
----  Operations - Monitoring - Consulting  ----
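One concrete shape for the ACL approach the reply describes (separate machine subtree, a Samba bind DN limited to what it must write), as an added example that is not from the thread or from the Samba project; the suffix dc=example,dc=org, the bind DN cn=samba,ou=DSA,..., the OU names and the SKOLE domain name are constructed assumptions:

```conf
# --- slapd.conf (OpenLDAP 2.x) on the LDAP server ---
# Clauses are evaluated in order: the first "access to" that matches an
# entry/attribute wins, so the attribute-level rule must come first.

# Password hashes: writable by the Samba DN (it rewrites them on machine and
# user password changes) and by the entry itself; not readable by anyone else.
access to attrs=userPassword,sambaNTPassword,sambaLMPassword
        by dn.exact="cn=samba,ou=DSA,dc=example,dc=org" write
        by self write
        by anonymous auth
        by * none

# Machine accounts live in their own subtree, so Samba can create entries
# there without write access to users or groups.
access to dn.subtree="ou=Computers,dc=example,dc=org"
        by dn.exact="cn=samba,ou=DSA,dc=example,dc=org" write
        by users read

# Samba 3 keeps its RID counter (sambaNextRid) in the sambaDomain entry and
# updates it when it allocates a new account, so that one entry is writable.
access to dn.exact="sambaDomainName=SKOLE,dc=example,dc=org"
        by dn.exact="cn=samba,ou=DSA,dc=example,dc=org" write
        by users read

# Everything else (ou=People, ou=Groups, ...): read only, for Samba too.
access to *
        by users read

# --- smb.conf [global] on each Samba 3 server (assumed values) ---
# passdb backend      = ldapsam:ldap://ldap.example.org
# ldap suffix         = dc=example,dc=org
# ldap admin dn       = cn=samba,ou=DSA,dc=example,dc=org
# ldap user suffix    = ou=People
# ldap machine suffix = ou=Computers
# workgroup           = SKOLE
# The bind password is stored with "smbpasswd -w", so it does sit on disk;
# the ACLs above are what bound the damage if that secret leaks.
```

With this layout a compromised Samba host can add or alter machine entries and password hashes, but cannot create, rename or delete user entries, which is the check to run against a test bind DN (ldapadd/ldapmodify as the Samba DN) before outsourcing the LDAP server.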
