This setup uses three machines on the 192.168.1.0/24 lab network:
1) DNS server (RHEL 5, BIND 9.3 in the bind-chroot layout)
2) Samba + OpenLDAP server (RHEL 5) — the NT4-style domain controller and its account store
3) Windows XP client (domain member)
Note that RHEL 5 and Windows XP are both long out of vendor support; treat this as a lab walkthrough, not a production recipe.
[root@dns
~]# yum install bind* -y
[root@dns
~]# vim /var/named/chroot/etc/named.conf
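//
// named.conf for the lab DNS server (BIND 9.3, bind-chroot layout:
// this file lives at /var/named/chroot/etc/named.conf and all paths
// below are relative to the chroot).
//
// Based on the sample named.conf shipped with the Red Hat BIND
// distribution.  See the BIND Administrator's Reference Manual (ARM)
// for details, in:
//   file:///usr/share/doc/bind-*/arm/Bv9ARM.html
// Also see the BIND Configuration GUI : /usr/bin/system-config-bind and
// its manual.
//

// Hosts allowed to use this server: itself and the lab subnet (the same
// /24 the reverse zone below covers).
acl "trusted" {
        127.0.0.1;
        192.168.1.0/24;
};

options
{
        // Those options should be used carefully because they disable port
        // randomization
        // query-source    port 53;
        // query-source-v6 port 53;

        // Put files that named is allowed to write in the data/ directory:
        directory "/var/named"; // the default
        dump-file               "data/cache_dump.db";
        statistics-file         "data/named_stats.txt";
        memstatistics-file      "data/named_mem_stats.txt";

        // This server is authoritative for aiamibd.com AND (because the root
        // hints are included below) a recursive resolver.  Without these
        // limits it answers recursive queries from anyone who can reach
        // port 53 -- an open resolver, usable for cache-poisoning attempts
        // and DNS amplification.  The sample config sets none of them.
        allow-query     { trusted; };
        allow-recursion { trusted; };

        // There is no secondary in this setup, so refuse AXFR/IXFR rather
        // than hand the whole host list to anyone who asks.
        allow-transfer  { none; };
};

logging
{
        /* If you want to enable debugging, eg. using the 'rndc trace' command,
         * named will try to write the 'named.run' file in the $directory (/var/named).
         * By default, SELinux policy does not allow named to modify the /var/named
         * directory, so put the default debug log file in data/ :
         */
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

//
// All BIND 9 zones are in a "view", which allow different zones to be served
// to different types of client addresses, and for options to be set for groups
// of zones.
//
// By default, if named.conf contains no "view" clauses, all zones are in the
// "default" view, which matches all clients.
//
// If named.conf contains any "view" clause, then all zones MUST be in a view;
// so it is recommended to start off using views to avoid having to restructure
// your configuration files in the future.
//
// This file uses no views: every zone below is in the default view and the
// "trusted" ACL above is what limits who can see them.
//

// localhost / 127.in-addr.arpa / broadcast zones.
include "/etc/named.rfc1912.zones";

// all views must contain the root hints zone:
include "/etc/named.root.hints";

// These are the "authoritative" internal zones for the lab.  Zone files are
// looked up relative to "directory" above, i.e. inside the chroot under
// /var/named/chroot/var/named/.
zone "aiamibd.com" IN {
        type master;
        file "aiamibd.com.fz";
};

zone "1.168.192.in-addr.arpa" IN {
        type master;
        file "aiamibd.com.rz";
};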
[root@dns
~]# cd /var/named/chroot/var/named
[root@dns
named]# cp /usr/share/doc/bind-9.3.6/sample/var/named/localdomain.zone ./aiamibd.com.fz
[root@dns
named]# cp /usr/share/doc/bind-9.3.6/sample/var/named/named.local ./aiamibd.com.rz
[root@dns named]# chown root:named aiamibd*
(The `user.group` form with a dot is a deprecated GNU chown spelling and breaks on user names containing a dot; use the colon.)
[root@dns
named]# vim aiamibd.com.fz
; aiamibd.com.fz -- forward zone for the lab network (192.168.1.0/24).
;
; The serial must be increased on every edit; it is how a secondary would
; notice a change.  NOTE(review): 2111201101 looks like DDMMYYYYnn; if this
; is later switched to the usual YYYYMMDDnn (2011112101) the number goes
; DOWN and a secondary would ignore the update.  Harmless while this is
; the only server, but worth settling on one convention now.
$TTL    86400
$ORIGIN aiamibd.com.

@       IN      SOA     dns.aiamibd.com. dnsadmin.aiamibd.com. (
                        2111201101      ; serial (d. adams)
                        3H              ; refresh
                        15M             ; retry
                        1W              ; expiry
                        1D )            ; minimum

; Name server for the zone.
@       IN      NS      dns.aiamibd.com.

; Hosts.
dns             IN      A       192.168.1.1
sambaldap       IN      A       192.168.1.2
winxp           IN      A       192.168.1.3
www             IN      CNAME   dns

; Service-locator records pointing clients at the LDAP server (port 389,
; plain LDAP -- see the slapd TLS notes).
; NOTE(review): the Samba 3 domain in this setup is NT4-style, which XP
; locates through NetBIOS name resolution rather than _msdcs SRV records;
; these records do no harm but are presumably informational here -- confirm
; against the Samba configuration.
_ldap._tcp.aiamibd.com.                 IN      SRV     0 0 389 sambaldap.aiamibd.com.
_ldap._tcp.dc._msdcs.aiamibd.com.       IN      SRV     0 0 389 sambaldap.aiamibd.com.
[root@dns named]# vim aiamibd.com.rz
(This is the reverse zone file named in named.conf as "aiamibd.com.rz"; the forward file aiamibd.com.fz was already written above.)
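; aiamibd.com.rz -- reverse zone for 192.168.1.0/24 (1.168.192.in-addr.arpa).
;
; Increase the serial on every edit.
$TTL    86400

@       IN      SOA     dns.aiamibd.com. dnsadmin.aiamibd.com. (
                        2111201101      ; serial (d. adams)
                        3H              ; refresh
                        15M             ; retry
                        1W              ; expiry
                        1D )            ; minimum

; Name server for the zone (owner given explicitly rather than inherited
; from the SOA line).
@       IN      NS      dns.aiamibd.com.

; PTR targets must be fully qualified, WITH the trailing dot.  A bare
; "winxp" has the zone origin appended, so a lookup of 192.168.1.3 answered
; "winxp.1.168.192.in-addr.arpa." instead of "winxp.aiamibd.com." -- which
; is exactly what the nslookup output further down shows.
1       IN      PTR     dns.aiamibd.com.
2       IN      PTR     sambaldap.aiamibd.com.
3       IN      PTR     winxp.aiamibd.com.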
[root@dns named]# named-checkconf -t /var/named/chroot /etc/named.conf
[root@dns named]# named-checkzone aiamibd.com aiamibd.com.fz
[root@dns named]# named-checkzone 1.168.192.in-addr.arpa aiamibd.com.rz
[root@dns named]# service named start
(Run the two checkers first: a syntax error in named.conf or a zone file otherwise only shows up as a failed start, or worse, as a zone that silently fails to load while the server keeps running.)
[root@dns
named]# chkconfig named on
[root@dns
~]# nslookup dns.aiamibd.com
Server:
192.168.1.1
Address:
192.168.1.1#53
Name:
dns.aiamibd.com
Address:
192.168.1.1
[root@dns
~]# nslookup
>
192.168.1.3
Server:
192.168.1.1
Address:
192.168.1.1#53
3.1.168.192.in-addr.arpa
name = winxp.1.168.192.in-addr.arpa.
(This answer is wrong: the PTR data in aiamibd.com.rz was written as a bare `winxp`, so named appended the zone origin. The PTR targets need to be fully qualified with a trailing dot — `winxp.aiamibd.com.` — after which this lookup returns winxp.aiamibd.com.)
>
sambaldap.aiamibd.com
Server:
192.168.1.1
Address:
192.168.1.1#53
Name:
sambaldap.aiamibd.com
Address:
192.168.1.2
>
www.aiamibd.com
Server:
192.168.1.1
Address:
192.168.1.1#53
www.aiamibd.com
canonical name = dns.aiamibd.com.
Name:
dns.aiamibd.com
Address:
192.168.1.1
>
exit
[root@sambaldap
~]# yum install openldap* compat-db python-ldap php-ldap ldapjdk nss_ldap samba
samba-common samba-client perl-Crypt-SmbHash perl-Digest-SHA1 perl-Jcode
perl-Unicode-Map perl-Unicode-Map8 perl-Unicode-MapUTF8 perl-Unicode-String
smbldap-tools -y
[root@sambaldap
~]# vim /etc/openldap/schema/samba.schema
#######################################################################
##                 Attributes used by Samba 3.0 schema                ##
#######################################################################
##
## NOTE(review): this is the stock Samba 3 schema.  Rather than typing it
## in, copy the one shipped with the installed samba package (look under
## /usr/share/doc/samba-*/LDAP/ for samba.schema) so the OIDs and syntaxes
## match the Samba build in use exactly.
##
## Password hashes
##
## Neither value is salted (sambaNTPassword is a plain MD4 of the password,
## per its DESC).  NOTE(review): for NTLM the NT hash is itself the
## credential -- anyone who can read it can authenticate as the user
## without knowing the password -- so slapd's ACLs must allow only "auth"
## on both attributes, and directory dumps/backups must be handled as
## password material.  The LM hash is the legacy, known-weak LanManager
## form; if no pre-NT clients need it, prefer not to store it at all
## (Samba: "lanman auth = no").
##
attributetype ( 1.3.6.1.4.1.7165.2.1.24 NAME 'sambaLMPassword'
    DESC 'LanManager Password'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.25 NAME 'sambaNTPassword'
    DESC 'MD4 hash of the unicode password'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE )

##
## Account flags in string format ([UWDX ])
## (U=user, W=workstation, D=disabled, X=no expiry -- Samba's pdbedit
## conventions; the string itself is opaque to slapd.)
##
attributetype ( 1.3.6.1.4.1.7165.2.1.26 NAME 'sambaAcctFlags'
    DESC 'Account Flags'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{16} SINGLE-VALUE )

##
## Password timestamps & policies
## (integers; per Samba these are Unix epoch seconds)
##
attributetype ( 1.3.6.1.4.1.7165.2.1.27 NAME 'sambaPwdLastSet'
    DESC 'Timestamp of the last password update'
    EQUALITY integerMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.28 NAME 'sambaPwdCanChange'
    DESC 'Timestamp of when the user is allowed to update the password'
    EQUALITY integerMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.29 NAME 'sambaPwdMustChange'
    DESC 'Timestamp of when the password will expire'
    EQUALITY integerMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.30 NAME 'sambaLogonTime'
    DESC 'Timestamp of last logon'
    EQUALITY integerMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.31 NAME 'sambaLogoffTime'
    DESC 'Timestamp of last logoff'
    EQUALITY integerMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.32 NAME 'sambaKickoffTime'
    DESC 'Timestamp of when the user will be logged off automatically'
    EQUALITY integerMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

## Lockout bookkeeping: Samba writes these on failed logons, which is why
## the ACL for the samba DSA must grant write on them.
attributetype ( 1.3.6.1.4.1.7165.2.1.48 NAME 'sambaBadPasswordCount'
    DESC 'Bad password attempt count'
    EQUALITY integerMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.49 NAME 'sambaBadPasswordTime'
    DESC 'Time of the last bad password attempt'
    EQUALITY integerMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.55 NAME 'sambaLogonHours'
    DESC 'Logon Hours'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{42} SINGLE-VALUE )

##
## string settings
##
attributetype ( 1.3.6.1.4.1.7165.2.1.33 NAME 'sambaHomeDrive'
    DESC 'Driver letter of home directory mapping'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{4} SINGLE-VALUE )

## Logon script and profile path are executed / loaded by the client at
## logon; whoever can write these attributes can run code on every
## workstation that user logs on to.  Keep them writable only by the DSAs
## (see the slapd ACLs), never by "self".
attributetype ( 1.3.6.1.4.1.7165.2.1.34 NAME 'sambaLogonScript'
    DESC 'Logon script path'
    EQUALITY caseIgnoreMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.35 NAME 'sambaProfilePath'
    DESC 'Roaming profile path'
    EQUALITY caseIgnoreMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.36 NAME 'sambaUserWorkstations'
    DESC 'List of user workstations the user is allowed to logon to'
    EQUALITY caseIgnoreMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.37 NAME 'sambaHomePath'
    DESC 'Home directory UNC path'
    EQUALITY caseIgnoreMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )

attributetype ( 1.3.6.1.4.1.7165.2.1.38 NAME 'sambaDomainName'
    DESC 'Windows NT domain to which the user belongs'
    EQUALITY caseIgnoreMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )

attributetype ( 1.3.6.1.4.1.7165.2.1.47 NAME 'sambaMungedDial'
    DESC 'Base64 encoded user parameter string'
    EQUALITY caseExactMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1050} )

## Previous password hashes kept for the history check
## (sambaPwdHistoryLength below); treat with the same care as the live
## hashes.
attributetype ( 1.3.6.1.4.1.7165.2.1.54 NAME 'sambaPasswordHistory'
    DESC 'Concatenated MD5 hashes of the salted NT passwords used on this account'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} )

##
## SID, of any type
##
attributetype ( 1.3.6.1.4.1.7165.2.1.20 NAME 'sambaSID'
    DESC 'Security ID'
    EQUALITY caseIgnoreIA5Match
    SUBSTR caseExactIA5SubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE )

##
## Primary group SID, compatible with ntSid
##
attributetype ( 1.3.6.1.4.1.7165.2.1.23 NAME 'sambaPrimaryGroupSID'
    DESC 'Primary Group Security ID'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.51 NAME 'sambaSIDList'
    DESC 'Security ID List'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} )

##
## group mapping attributes
##
attributetype ( 1.3.6.1.4.1.7165.2.1.19 NAME 'sambaGroupType'
    DESC 'NT Group Type'
    EQUALITY integerMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

##
## Store info on the domain
##
attributetype ( 1.3.6.1.4.1.7165.2.1.21 NAME 'sambaNextUserRid'
    DESC 'Next NT rid to give our for users'
    EQUALITY integerMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.22 NAME 'sambaNextGroupRid'
    DESC 'Next NT rid to give out for groups'
    EQUALITY integerMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.39 NAME 'sambaNextRid'
    DESC 'Next NT rid to give out for anything'
    EQUALITY integerMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.40 NAME 'sambaAlgorithmicRidBase'
    DESC 'Base at which the samba RID generation algorithm should operate'
    EQUALITY integerMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

## Share/option attributes for storing smb.conf sections in LDAP
## (sambaShare / sambaConfigOption object classes below).
attributetype ( 1.3.6.1.4.1.7165.2.1.41 NAME 'sambaShareName'
    DESC 'Share Name'
    EQUALITY caseIgnoreMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.42 NAME 'sambaOptionName'
    DESC 'Option Name'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )

attributetype ( 1.3.6.1.4.1.7165.2.1.43 NAME 'sambaBoolOption'
    DESC 'A boolean option'
    EQUALITY booleanMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.44 NAME 'sambaIntegerOption'
    DESC 'An integer option'
    EQUALITY integerMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.45 NAME 'sambaStringOption'
    DESC 'A string option'
    EQUALITY caseExactIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.46 NAME 'sambaStringListOption'
    DESC 'A string list option'
    EQUALITY caseIgnoreMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

## The two privilege attributes are commented out in the stock schema and
## must stay commented: every line of each definition starts with "##".
## (In a line-wrapped copy of this file it is easy to end up with the
## "( 1.3.6...." part on an uncommented line, which slapd rejects.)
##attributetype ( 1.3.6.1.4.1.7165.2.1.50 NAME 'sambaPrivName'
##    SUP name )

##attributetype ( 1.3.6.1.4.1.7165.2.1.52 NAME 'sambaPrivilegeList'
##    DESC 'Privileges List'
##    EQUALITY caseIgnoreIA5Match
##    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} )

attributetype ( 1.3.6.1.4.1.7165.2.1.53 NAME 'sambaTrustFlags'
    DESC 'Trust Password Flags'
    EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

##
## Domain-wide password policy.  These live on the sambaDomain entry and
## the defaults quoted in each DESC are what applies until something is
## set (e.g. lockout off, passwords never expire, minimum length 5).
## NOTE(review): set them once the domain entry exists -- Samba's
## "pdbedit -P <policy> -C <value>" is the usual way -- rather than
## leaving the defaults.
##

# "min password length"
attributetype ( 1.3.6.1.4.1.7165.2.1.58 NAME 'sambaMinPwdLength'
    DESC 'Minimal password length (default: 5)'
    EQUALITY integerMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

# "password history"
attributetype ( 1.3.6.1.4.1.7165.2.1.59 NAME 'sambaPwdHistoryLength'
    DESC 'Length of Password History Entries (default: 0 => off)'
    EQUALITY integerMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

# "user must logon to change password"
attributetype ( 1.3.6.1.4.1.7165.2.1.60 NAME 'sambaLogonToChgPwd'
    DESC 'Force Users to logon for password change (default: 0 => off, 2 => on)'
    EQUALITY integerMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

# "maximum password age"
attributetype ( 1.3.6.1.4.1.7165.2.1.61 NAME 'sambaMaxPwdAge'
    DESC 'Maximum password age, in seconds (default: -1 => never expire passwords)'
    EQUALITY integerMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

# "minimum password age"
attributetype ( 1.3.6.1.4.1.7165.2.1.62 NAME 'sambaMinPwdAge'
    DESC 'Minimum password age, in seconds (default: 0 => allow immediate password change)'
    EQUALITY integerMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

# "lockout duration"
attributetype ( 1.3.6.1.4.1.7165.2.1.63 NAME 'sambaLockoutDuration'
    DESC 'Lockout duration in minutes (default: 30, -1 => forever)'
    EQUALITY integerMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

# "reset count minutes"
attributetype ( 1.3.6.1.4.1.7165.2.1.64 NAME 'sambaLockoutObservationWindow'
    DESC 'Reset time after lockout in minutes (default: 30)'
    EQUALITY integerMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

# "bad lockout attempt"
attributetype ( 1.3.6.1.4.1.7165.2.1.65 NAME 'sambaLockoutThreshold'
    DESC 'Lockout users after bad logon attempts (default: 0 => off)'
    EQUALITY integerMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

# "disconnect time"
attributetype ( 1.3.6.1.4.1.7165.2.1.66 NAME 'sambaForceLogoff'
    DESC 'Disconnect Users outside logon hours (default: -1 => off, 0 => on)'
    EQUALITY integerMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

# "refuse machine password change"
attributetype ( 1.3.6.1.4.1.7165.2.1.67 NAME 'sambaRefuseMachinePwdChange'
    DESC 'Allow Machine Password changes (default: 0 => off)'
    EQUALITY integerMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
#######################################################################
##                 objectClasses used by Samba 3.0 schema             ##
#######################################################################

## The X.500 data model (and therefore LDAPv3) says that each entry can
## only have one structural objectclass. OpenLDAP 2.0 does not enforce
## this currently but will in v2.1
##
## added new objectclass (and OID) for 3.0 to help us deal with backwards
## compatibility with 2.2 installations (e.g. ldapsam_compat) --jerry
##

## AUXILIARY: attached to an existing structural entry (in this setup
## presumably the posixAccount/inetOrgPerson user created by
## smbldap-tools -- confirm against smbldap.conf).  Only uid and sambaSID
## are mandatory; both password hashes are optional, so an account can
## exist without one (Samba then treats it as disabled/no password
## depending on sambaAcctFlags).
objectclass ( 1.3.6.1.4.1.7165.2.2.6 NAME 'sambaSamAccount' SUP top AUXILIARY
    DESC 'Samba 3.0 Auxilary SAM Account'
    MUST ( uid $ sambaSID )
    MAY  ( cn $ sambaLMPassword $ sambaNTPassword $ sambaPwdLastSet $
           sambaLogonTime $ sambaLogoffTime $ sambaKickoffTime $
           sambaPwdCanChange $ sambaPwdMustChange $ sambaAcctFlags $
           displayName $ sambaHomePath $ sambaHomeDrive $ sambaLogonScript $
           sambaProfilePath $ description $ sambaUserWorkstations $
           sambaPrimaryGroupSID $ sambaDomainName $ sambaMungedDial $
           sambaBadPasswordCount $ sambaBadPasswordTime $
           sambaPasswordHistory $ sambaLogonHours) )

##
## Group mapping info
## (AUXILIARY on a posixGroup: maps the Unix gid to an NT group SID/type)
##
objectclass ( 1.3.6.1.4.1.7165.2.2.4 NAME 'sambaGroupMapping' SUP top AUXILIARY
    DESC 'Samba Group Mapping'
    MUST ( gidNumber $ sambaSID $ sambaGroupType )
    MAY  ( displayName $ description $ sambaSIDList ) )

##
## Trust password for trust relationships (any kind)
##
## sambaNTPassword is MUST here: this entry IS the trust secret.  The
## attribute-level ACL on sambaNTPassword in slapd.conf covers these
## entries as well, which is what keeps the trust secret unreadable.
##
objectclass ( 1.3.6.1.4.1.7165.2.2.14 NAME 'sambaTrustPassword' SUP top STRUCTURAL
    DESC 'Samba Trust Password'
    MUST ( sambaDomainName $ sambaNTPassword $ sambaTrustFlags )
    MAY  ( sambaSID $ sambaPwdLastSet ) )

##
## Whole-of-domain info
## (one entry per domain: the domain SID, RID allocation counters and the
## password/lockout policy attributes defined above)
##
objectclass ( 1.3.6.1.4.1.7165.2.2.5 NAME 'sambaDomain' SUP top STRUCTURAL
    DESC 'Samba Domain Information'
    MUST ( sambaDomainName $ sambaSID )
    MAY  ( sambaNextRid $ sambaNextGroupRid $ sambaNextUserRid $
           sambaAlgorithmicRidBase $
           sambaMinPwdLength $ sambaPwdHistoryLength $ sambaLogonToChgPwd $
           sambaMaxPwdAge $ sambaMinPwdAge $
           sambaLockoutDuration $ sambaLockoutObservationWindow $
           sambaLockoutThreshold $
           sambaForceLogoff $ sambaRefuseMachinePwdChange ) )

##
## used for idmap_ldap module
##
objectclass ( 1.3.6.1.4.1.7165.2.2.7 NAME 'sambaUnixIdPool' SUP top AUXILIARY
    DESC 'Pool for allocating UNIX uids/gids'
    MUST ( uidNumber $ gidNumber ) )

objectclass ( 1.3.6.1.4.1.7165.2.2.8 NAME 'sambaIdmapEntry' SUP top AUXILIARY
    DESC 'Mapping from a SID to an ID'
    MUST ( sambaSID )
    MAY  ( uidNumber $ gidNumber ) )

objectclass ( 1.3.6.1.4.1.7165.2.2.9 NAME 'sambaSidEntry' SUP top STRUCTURAL
    DESC 'Structural Class for a SID'
    MUST ( sambaSID ) )

##
## smb.conf-in-LDAP classes (only used if Samba is configured to read its
## configuration from the directory).
##
objectclass ( 1.3.6.1.4.1.7165.2.2.10 NAME 'sambaConfig' SUP top AUXILIARY
    DESC 'Samba Configuration Section'
    MAY  ( description ) )

objectclass ( 1.3.6.1.4.1.7165.2.2.11 NAME 'sambaShare' SUP top STRUCTURAL
    DESC 'Samba Share Section'
    MUST ( sambaShareName )
    MAY  ( description ) )

## Attribute names are case-insensitive in LDAP, so the
## "sambaStringListoption" spelling below resolves to the
## sambaStringListOption attribute defined above.
objectclass ( 1.3.6.1.4.1.7165.2.2.12 NAME 'sambaConfigOption' SUP top STRUCTURAL
    DESC 'Samba Configuration Option'
    MUST ( sambaOptionName )
    MAY  ( sambaBoolOption $ sambaIntegerOption $ sambaStringOption $
           sambaStringListoption $ description ) )
[root@sambaldap
~]# vim /etc/openldap/slapd.conf
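# /etc/openldap/slapd.conf -- OpenLDAP server configuration for the
# Samba domain backend (suffix dc=aiamibd,dc=com).
#
# NOTE(review): this file carries the directory's root credential and its
# whole access-control policy.  Keep it root:ldap, mode 0640, and never
# paste it anywhere with a live rootpw in it.

include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/samba.schema

# Allow LDAPv2 client connections.  This is NOT the default.
# NOTE(review): none of the components in this setup (samba, smbldap-tools,
# nss_ldap) should need LDAPv2; drop this line unless a known v2-only
# client turns up.
allow           bind_v2

# -1 logs everything, which is handy while bringing the server up but far
# too noisy to leave on, and at that level the log can include request
# contents.  256 ("stats") gives one line per connection/operation, which
# is what you want for auditing binds.  Raise it temporarily when
# debugging.
loglevel        256

pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

# TLS.  Every bind below is a simple bind, i.e. the DSA and user passwords
# cross the wire in clear unless the connection is protected.  That is
# tolerable only while samba and slapd share a host and talk over
# localhost; as soon as nss_ldap on another machine or the XP client talks
# to 192.168.1.2:389 directly, enable these (the stock RHEL 5 slapd.conf
# ships the same lines commented out) and point clients at ldaps:// or
# STARTTLS.
# TLSCACertificateFile  /etc/pki/tls/certs/ca-bundle.crt
# TLSCertificateFile    /etc/pki/tls/certs/slapd.pem
# TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem

#######################################################################
# ldbm and/or bdb database definitions
#######################################################################

# Indices to maintain for this database
index   objectClass                                     eq,pres
index   ou,cn,mail,surname,givenname                    eq,pres,sub
index   uidNumber,gidNumber,loginShell                  eq,pres
index   uid,memberUid                                   eq,pres,sub
index   nisMapName,nisMapEntry                          eq,pres,sub
index   sambaSID,sambaPrimaryGroupSID,sambaDomainName   eq

database        bdb
suffix          "dc=aiamibd,dc=com"
rootdn          "cn=Manager,dc=aiamibd,dc=com"

# The rootdn bypasses every ACL below, so its password must not sit here in
# clear (the original had `rootpw redhat`).  Generate a hash with
#     slappasswd -h '{SSHA}'
# and paste the output in place of the placeholder.
rootpw          {SSHA}REPLACE-WITH-OUTPUT-OF-slappasswd
# rootpw        {crypt}ijFYNcSNctBYg

directory       /var/lib/ldap

#######################################################################
# Access control
#
# Directives are evaluated in order and the FIRST "to" clause that matches
# the attribute/entry wins; later clauses for the same target are dead.
# The original file had an extra clause ahead of the password one:
#     access to attrs="userPassword,sambaLMPassword,sambaNTPassword"
#             by selfwrite
#             by anonymous auth
# Whichever way slapd parsed "by selfwrite", that clause came first and so
# shadowed the one below for all three hash attributes -- the DSA accounts
# never received write access to password hashes.  It has been folded into
# the single clause below.
#
# The DSA accounts (cn=samba, cn=smbldap-tools, cn=nssldap under ou=DSA)
# are the identities samba, smbldap-tools and nss_ldap bind as; their
# passwords live in smb.conf (secrets.tdb), smbldap_bind.conf and
# ldap.conf respectively, so those files need the same protection as this
# one.
#######################################################################

# Password material: DSAs and the user themself may write, everyone may
# use it to authenticate (bind), nobody may read it.
access to attrs="userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange"
        by dn="cn=samba,ou=DSA,dc=aiamibd,dc=com" write
        by dn="cn=smbldap-tools,ou=DSA,dc=aiamibd,dc=com" write
        by dn="cn=nssldap,ou=DSA,dc=aiamibd,dc=com" write
        by dn="uid=root,ou=People,dc=aiamibd,dc=com" write
        by anonymous auth
        by self write
        by * none

# Some attributes need to be readable anonymously so that 'id user' can
# answer correctly (nss_ldap does unauthenticated lookups for these).
# The smbldap-tools DN was written without ou=DSA here and in the next
# clause in the original, which silently granted it nothing; it now matches
# the DN used everywhere else.
access to attrs=objectClass,entry,homeDirectory,uid,uidNumber,gidNumber,memberUid
        by dn="cn=samba,ou=DSA,dc=aiamibd,dc=com" write
        by dn="cn=smbldap-tools,ou=DSA,dc=aiamibd,dc=com" write
        by dn="uid=root,ou=People,dc=aiamibd,dc=com" write
        by * read

# Some attributes can be written by users themselves.
# loginShell is deliberately self-writable here (so users can chsh); if
# that is not wanted, move it to the samba-only clause below.
access to attrs=description,telephoneNumber,roomNumber,homePhone,loginShell,gecos,cn,sn,givenname
        by dn="cn=samba,ou=DSA,dc=aiamibd,dc=com" write
        by dn="cn=smbldap-tools,ou=DSA,dc=aiamibd,dc=com" write
        by dn="uid=root,ou=People,dc=aiamibd,dc=com" write
        by self write
        by * read

# Attributes samba needs to write.  Note this list includes
# sambaLogonScript and sambaProfilePath: whoever can write those can run
# code on the user's workstation at logon, so "self" is read-only here.
# (cn and description already matched the clause above and are listed
# here only for completeness.)
access to attrs=cn,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaLogonTime,sambaLogoffTime,sambaKickoffTime,sambaPwdCanChange,sambaPwdMustChange,sambaAcctFlags,displayName,sambaHomePath,sambaHomeDrive,sambaLogonScript,sambaProfilePath,description,sambaUserWorkstations,sambaPrimaryGroupSID,sambaDomainName,sambaMungedDial,sambaBadPasswordCount,sambaBadPasswordTime,sambaPasswordHistory,sambaLogonHours,sambaSID,sambaSIDList,sambaTrustFlags,sambaGroupType,sambaNextRid,sambaNextGroupRid,sambaNextUserRid,sambaAlgorithmicRidBase,sambaShareName,sambaOptionName,sambaBoolOption,sambaIntegerOption,sambaStringOption,sambaStringListoption
        by dn="cn=samba,ou=DSA,dc=aiamibd,dc=com" write
        by dn="cn=smbldap-tools,ou=DSA,dc=aiamibd,dc=com" write
        by dn="uid=root,ou=People,dc=aiamibd,dc=com" write
        by self read
        by * none

# samba needs to be able to create the samba domain entry under the suffix.
access to dn.base="dc=aiamibd,dc=com"
        by dn="cn=samba,ou=DSA,dc=aiamibd,dc=com" write
        by dn="cn=smbldap-tools,ou=DSA,dc=aiamibd,dc=com" write
        by dn="uid=root,ou=People,dc=aiamibd,dc=com" write
        by * none

# samba / smbldap-tools need to create and modify entries in the account
# containers.  "dn.subtree" is stated explicitly: the bare "dn=" form is
# the deprecated unanchored-regex style and matched the same entries only
# by accident of the pattern containing no metacharacters.
#
# NOTE(review): the privileged admin DN above is "uid=root,ou=People,..."
# while accounts are created under "ou=Users"; confirm which container
# smbldap.conf's usersdn points at and make the two agree, otherwise the
# uid=root entry never exists and that "by dn=" line grants nothing.
access to dn.subtree="ou=Users,dc=aiamibd,dc=com"
        by dn="cn=samba,ou=DSA,dc=aiamibd,dc=com" write
        by dn="cn=smbldap-tools,ou=DSA,dc=aiamibd,dc=com" write
        by dn="uid=root,ou=People,dc=aiamibd,dc=com" write
        by * none

access to dn.subtree="ou=Groups,dc=aiamibd,dc=com"
        by dn="cn=samba,ou=DSA,dc=aiamibd,dc=com" write
        by dn="cn=smbldap-tools,ou=DSA,dc=aiamibd,dc=com" write
        by dn="uid=root,ou=People,dc=aiamibd,dc=com" write
        by * none

access to dn.subtree="ou=Computers,dc=aiamibd,dc=com"
        by dn="cn=samba,ou=DSA,dc=aiamibd,dc=com" write
        by dn="cn=smbldap-tools,ou=DSA,dc=aiamibd,dc=com" write
        by dn="uid=root,ou=People,dc=aiamibd,dc=com" write
        by * none

# Default deny: anything not matched above is readable by the entry's
# owner only.  Keep this as the last directive.
access to *
        by self read
        by * none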