Re: RFT: samba-ldap
On Sunday 25 April 2004 12:18, Petter Reinholdtsen wrote:
>
> I'm told that samba needs to register new machines into the "domain"
> before they are given access. I believe it is best to store such
> machine info in LDAP, as we want to handle several samba servers in a
> school. It should be enough to register the machine once in the
> school, and it should then get access to all samba servers.
>
> But I do not want the samba servers to have write access to the LDAP server
> "on their own", i.e. without an administrator providing his LDAP admin
> password to approve the LDAP update. This means that the LDAP access
> password should not be part of the samba configuration stored on disk,
> but it should be provided by an LDAP admin every time a new machine is
> to be added to the "domain".
I think this will be difficult due to the way Samba works. The way I
understand it is that Samba requires someone with administrator privileges to
add a machine to a domain. This will keep "everyone" from having indirect
access to LDAP. However, it means that Samba will need to have full write
access to the LDAP tree it uses.
> The reason for this is that it should be
> possible to outsource the administration of the LDAP server, and I
> believe it is unlikely that a third party administrating the LDAP
> server will allow LDAP write access directly from machines outside
> their control.
They will have to, I think. There is some good news, though:
- The LDAP account that Samba uses does not need overall write access to LDAP
- The machine accounts can be stored in a separate tree from, e.g., users
- By using ACLs we can put fine-grained limits on what the Samba LDAP account
can do, while allowing what it must be able to do
All this is only relevant for Samba 3 though, IIRC. In 2.2 a machine account is
almost the same as a regular user account, so the second point in my list
won't apply.
--
Eivind Trondsen Tel: +47 23 89 71 85
LinuxLabs AS Mob: +47 928 40 009
------- http://www.linuxlabs.no -------
---- Operations - Monitoring - Consulting ----
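The access-control split Eivind describes above (machine accounts in their own subtree, and ACLs that limit what Samba's own bind DN may do) looks like this in OpenLDAP slapd.conf syntax. This is an added example, not configuration from the thread, from Samba or from LinuxLabs; the base DN dc=example,dc=org, the containers ou=People, ou=Computers and ou=Domains, and the bind DN cn=samba,ou=DSA,dc=example,dc=org are assumed names. The password-hash attribute names are from the Samba 3 LDAP schema.

```conf
# Added example, not from the thread. Assumed names:
#   base DN            dc=example,dc=org
#   containers         ou=People, ou=Computers, ou=Domains
#   Samba's bind DN    cn=samba,ou=DSA,dc=example,dc=org  ("ldap admin dn" in smb.conf)
# slapd evaluates "access to" clauses in order and stops at the first one
# whose target matches, so the attribute-level rule must come first.

# Password hashes (Samba 3 schema attributes): only Samba's DN and the entry
# owner may write them; everyone else may only use them to authenticate.
access to attrs=userPassword,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaPwdMustChange
        by dn.exact="cn=samba,ou=DSA,dc=example,dc=org" write
        by self write
        by anonymous auth
        by * none

# Machine accounts live in their own subtree, and Samba's DN is its only
# writer: the "add machine script" creates entries here and nowhere else.
access to dn.subtree="ou=Computers,dc=example,dc=org"
        by dn.exact="cn=samba,ou=DSA,dc=example,dc=org" write
        by users read
        by * none

# The sambaDomain object holds the RID counters Samba updates on each join,
# so Samba also needs write access to that small subtree.
access to dn.subtree="ou=Domains,dc=example,dc=org"
        by dn.exact="cn=samba,ou=DSA,dc=example,dc=org" write
        by users read
        by * none

# User accounts: Samba only reads them (password attributes were handled
# above), so a compromised Samba host cannot create or delete users.
access to dn.subtree="ou=People,dc=example,dc=org"
        by dn.exact="cn=samba,ou=DSA,dc=example,dc=org" read
        by users read
        by * none

# Everything else (the base entry, other OUs) is read-only for any bound DN.
access to *
        by users read
        by * none
```

The list of attributes Samba must be able to modify on user entries is an assumption here and depends on the Samba version (a PDC may also update logon counters and account flags); the safe way to tune it is to run slapd with ACL logging enabled for a while and add only the attributes whose modifications are actually denied. Verify the policy the same way: bind as the Samba DN with ldapmodify and confirm that an add under ou=Computers succeeds while an add under ou=People is refused with "Insufficient access".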