Here we need three servers:
1) DNS Server (running RHEL 5)
2) Samba LDAP Server (running RHEL 5)
3) Windows XP (client machine)
[root@dns ~]# yum install bind* -y
(the glob also pulls in bind-chroot, which provides the /var/named/chroot tree that the following steps edit)
[root@dns ~]# vim /var/named/chroot/etc/named.conf
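//
// named.conf for the aiamibd.com internal DNS server (BIND 9.3 on RHEL 5,
// running inside the bind-chroot at /var/named/chroot). All paths below are
// relative to that chroot.
//
// See the BIND Administrator's Reference Manual (ARM) for details, in:
//   file:///usr/share/doc/bind-*/arm/Bv9ARM.html
//
options
{
	// Leave the query source port unset. Pinning it to 53 disables
	// source-port randomization and makes cache poisoning much easier.
	// query-source    port 53;
	// query-source-v6 port 53;

	// Put files that named is allowed to write in the data/ directory:
	directory "/var/named"; // the default
	dump-file           "data/cache_dump.db";
	statistics-file     "data/named_stats.txt";
	memstatistics-file  "data/named_mem_stats.txt";

	// Answer only on loopback and the LAN address of this host
	// (dns = 192.168.1.1 in the zone file). Adjust if the server has
	// additional interfaces that must serve DNS.
	listen-on port 53 { 127.0.0.1; 192.168.1.1; };

	// This host is authoritative for aiamibd.com and a recursive resolver
	// for the LAN only. Without these lists BIND answers and recurses for
	// anyone who can reach port 53 (an "open resolver"), which can be
	// abused for amplification and cache-poisoning attacks.
	allow-query     { localhost; 192.168.1.0/24; };
	allow-recursion { localhost; 192.168.1.0/24; };

	// No secondary servers are configured, so nobody needs a zone transfer
	// (AXFR hands an attacker the complete host list otherwise).
	allow-transfer  { none; };

	// Do not advertise the exact BIND build via "dig version.bind chaos txt".
	version "not disclosed";
};

logging
{
	/*
	 * If you want to enable debugging, eg. using the 'rndc trace' command,
	 * named will try to write the 'named.run' file in the $directory
	 * (/var/named). By default, SELinux policy does not allow named to
	 * modify the /var/named directory, so put the default debug log file
	 * in data/ :
	 */
	channel default_debug {
		file "data/named.run";
		severity dynamic;
	};
};

//
// No "view" clauses are used in this file, so every zone below lives in the
// implicit "default" view that matches all clients. Note that as soon as a
// "view" clause is added, ALL zones must be moved into a view.
//

// RFC 1912 zones (localhost, 127.in-addr.arpa, ...) and the root hints.
// The rfc1912 names are only meaningful to this host and should not be
// served to non-localhost clients; allow-query above limits the exposure.
include "/etc/named.rfc1912.zones";
include "/etc/named.root.hints";

// Authoritative internal zones. Both are static files edited by hand, so
// dynamic updates are refused explicitly; allow-transfer is "none" globally.
zone "aiamibd.com" IN {
	type master;
	file "aiamibd.com.fz";
	allow-update { none; };
};

zone "1.168.192.in-addr.arpa" IN {
	type master;
	file "aiamibd.com.rz";
	allow-update { none; };
};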
[root@dns ~]# cd /var/named/chroot/var/named
[root@dns named]# cp /usr/share/doc/bind-9.3.6/sample/var/named/localdomain.zone ./aiamibd.com.fz
[root@dns named]# cp /usr/share/doc/bind-9.3.6/sample/var/named/named.local ./aiamibd.com.rz
(the sample directory carries the installed package version; check `ls /usr/share/doc | grep bind` if it is not 9.3.6)
[root@dns named]# chown root.named aiamibd*
[root@dns named]# vim aiamibd.com.fz
$TTL 86400
$ORIGIN aiamibd.com.
;
; Forward zone for aiamibd.com. "dns" (192.168.1.1) is the only name server.
; Bump the serial on every edit (YYYYMMDDnn is the usual convention).
;
@                IN  SOA  dns.aiamibd.com. dnsadmin.aiamibd.com. (
                          2111201101  ; serial
                          3H          ; refresh
                          15M         ; retry
                          1W          ; expiry
                          1D )        ; minimum (negative-caching TTL)

; name servers
@                IN  NS     dns.aiamibd.com.

; hosts (relative names are completed with the $ORIGIN above)
dns              IN  A      192.168.1.1
sambaldap        IN  A      192.168.1.2
winxp            IN  A      192.168.1.3
www              IN  CNAME  dns

; service locator records pointing LDAP clients at the Samba LDAP server
_ldap._tcp.aiamibd.com.            IN  SRV  0 0 389 sambaldap.aiamibd.com.
_ldap._tcp.dc._msdcs.aiamibd.com.  IN  SRV  0 0 389 sambaldap.aiamibd.com.
[root@dns named]# vim aiamibd.com.rz
(the reverse zone file referenced in named.conf — not aiamibd.com.fz a second time)
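$TTL 86400
;
; Reverse zone for 192.168.1.0/24 (1.168.192.in-addr.arpa).
;
; PTR targets MUST be fully qualified and end with a dot. A bare "dns" is
; completed with THIS zone's origin and is answered as
; dns.1.168.192.in-addr.arpa. instead of dns.aiamibd.com.
; Bump the serial on every edit (YYYYMMDDnn is the usual convention).
;
@       IN  SOA  dns.aiamibd.com. dnsadmin.aiamibd.com. (
                 2111201101  ; serial
                 3H          ; refresh
                 15M         ; retry
                 1W          ; expiry
                 1D )        ; minimum (negative-caching TTL)

        IN  NS   dns.aiamibd.com.

1       IN  PTR  dns.aiamibd.com.
2       IN  PTR  sambaldap.aiamibd.com.
3       IN  PTR  winxp.aiamibd.com.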
Check the configuration and both zone files before starting named; a typo otherwise makes the zone silently fail to load:
[root@dns named]# named-checkconf -t /var/named/chroot /etc/named.conf
[root@dns named]# named-checkzone aiamibd.com aiamibd.com.fz
[root@dns named]# named-checkzone 1.168.192.in-addr.arpa aiamibd.com.rz
[root@dns named]# service named start
[root@dns named]# chkconfig named on
[root@dns
~]# nslookup dns.aiamibd.com
Server:
192.168.1.1
Address:
192.168.1.1#53
Name:
dns.aiamibd.com
Address:
192.168.1.1
[root@dns
~]# nslookup
>
192.168.1.3
Server:
192.168.1.1
Address:
192.168.1.1#53
3.1.168.192.in-addr.arpa name = winxp.1.168.192.in-addr.arpa.
(this answer shows the PTR target was written as a bare "winxp" and completed with the reverse zone's origin; with a fully qualified target such as winxp.aiamibd.com. the reply is winxp.aiamibd.com.)
>
sambaldap.aiamibd.com
Server:
192.168.1.1
Address:
192.168.1.1#53
Name:
sambaldap.aiamibd.com
Address:
192.168.1.2
>
www.aiamibd.com
Server:
192.168.1.1
Address:
192.168.1.1#53
www.aiamibd.com
canonical name = dns.aiamibd.com.
Name:
dns.aiamibd.com
Address:
192.168.1.1
>
exit
[root@sambaldap
~]# yum install openldap* compat-db python-ldap php-ldap ldapjdk nss_ldap samba
samba-common samba-client perl-Crypt-SmbHash perl-Digest-SHA1 perl-Jcode
perl-Unicode-Map perl-Unicode-Map8 perl-Unicode-MapUTF8 perl-Unicode-String
smbldap-tools -y
[root@sambaldap ~]# vim /etc/openldap/schema/samba.schema
(rather than typing the schema in by hand, copy the one shipped with the samba package — e.g. `cp /usr/share/doc/samba-*/LDAP/samba.schema /etc/openldap/schema/` — and check that it matches the listing below)
#######################################################################
##
Attributes used by Samba 3.0 schema ##
#######################################################################
##
##
Password hashes
##
attributetype
( 1.3.6.1.4.1.7165.2.1.24 NAME 'sambaLMPassword'
DESC 'LanManager Password'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE )
attributetype
( 1.3.6.1.4.1.7165.2.1.25 NAME 'sambaNTPassword'
DESC 'MD4 hash of the unicode password'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE )
##
##
Account flags in string format ([UWDX ])
##
attributetype
( 1.3.6.1.4.1.7165.2.1.26 NAME 'sambaAcctFlags'
DESC 'Account Flags'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{16} SINGLE-VALUE )
##
##
Password timestamps & policies
##
attributetype
( 1.3.6.1.4.1.7165.2.1.27 NAME 'sambaPwdLastSet'
DESC 'Timestamp of the last password update'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype
( 1.3.6.1.4.1.7165.2.1.28 NAME 'sambaPwdCanChange'
DESC 'Timestamp of when the user is allowed to update the password'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype
( 1.3.6.1.4.1.7165.2.1.29 NAME 'sambaPwdMustChange'
DESC 'Timestamp of when the password will expire'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype
( 1.3.6.1.4.1.7165.2.1.30 NAME 'sambaLogonTime'
DESC 'Timestamp of last logon'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype
( 1.3.6.1.4.1.7165.2.1.31 NAME 'sambaLogoffTime'
DESC 'Timestamp of last logoff'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype
( 1.3.6.1.4.1.7165.2.1.32 NAME 'sambaKickoffTime'
DESC 'Timestamp of when the user will be logged off automatically'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype
( 1.3.6.1.4.1.7165.2.1.48 NAME 'sambaBadPasswordCount'
DESC 'Bad password attempt count'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype
( 1.3.6.1.4.1.7165.2.1.49 NAME 'sambaBadPasswordTime'
DESC 'Time of the last bad password attempt'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype
( 1.3.6.1.4.1.7165.2.1.55 NAME 'sambaLogonHours'
DESC 'Logon Hours'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{42} SINGLE-VALUE )
##
##
string settings
##
attributetype
( 1.3.6.1.4.1.7165.2.1.33 NAME 'sambaHomeDrive'
DESC 'Driver letter of home directory mapping'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{4} SINGLE-VALUE )
attributetype
( 1.3.6.1.4.1.7165.2.1.34 NAME 'sambaLogonScript'
DESC 'Logon script path'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE )
attributetype
( 1.3.6.1.4.1.7165.2.1.35 NAME 'sambaProfilePath'
DESC 'Roaming profile path'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE )
attributetype
( 1.3.6.1.4.1.7165.2.1.36 NAME 'sambaUserWorkstations'
DESC 'List of user workstations the user is allowed to logon to'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE )
attributetype
( 1.3.6.1.4.1.7165.2.1.37 NAME 'sambaHomePath'
DESC 'Home directory UNC path'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )
attributetype
( 1.3.6.1.4.1.7165.2.1.38 NAME 'sambaDomainName'
DESC 'Windows NT domain to which the user belongs'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )
attributetype
( 1.3.6.1.4.1.7165.2.1.47 NAME 'sambaMungedDial'
DESC 'Base64 encoded user parameter string'
EQUALITY caseExactMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1050} )
attributetype
( 1.3.6.1.4.1.7165.2.1.54 NAME 'sambaPasswordHistory'
DESC 'Concatenated MD5 hashes of the salted NT passwords used on this account'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} )
##
##
SID, of any type
##
attributetype
( 1.3.6.1.4.1.7165.2.1.20 NAME 'sambaSID'
DESC 'Security ID'
EQUALITY caseIgnoreIA5Match
SUBSTR caseExactIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE )
##
##
Primary group SID, compatible with ntSid
##
attributetype
( 1.3.6.1.4.1.7165.2.1.23 NAME 'sambaPrimaryGroupSID'
DESC 'Primary Group Security ID'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE )
attributetype
( 1.3.6.1.4.1.7165.2.1.51 NAME 'sambaSIDList'
DESC 'Security ID List'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} )
##
##
group mapping attributes
##
attributetype
( 1.3.6.1.4.1.7165.2.1.19 NAME 'sambaGroupType'
DESC 'NT Group Type'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
##
##
Store info on the domain
##
attributetype
( 1.3.6.1.4.1.7165.2.1.21 NAME 'sambaNextUserRid'
DESC 'Next NT rid to give our for users'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype
( 1.3.6.1.4.1.7165.2.1.22 NAME 'sambaNextGroupRid'
DESC 'Next NT rid to give out for groups'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype
( 1.3.6.1.4.1.7165.2.1.39 NAME 'sambaNextRid'
DESC 'Next NT rid to give out for anything'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype
( 1.3.6.1.4.1.7165.2.1.40 NAME 'sambaAlgorithmicRidBase'
DESC 'Base at which the samba RID generation algorithm should operate'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype
( 1.3.6.1.4.1.7165.2.1.41 NAME 'sambaShareName'
DESC 'Share Name'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
attributetype
( 1.3.6.1.4.1.7165.2.1.42 NAME 'sambaOptionName'
DESC 'Option Name'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
attributetype
( 1.3.6.1.4.1.7165.2.1.43 NAME 'sambaBoolOption'
DESC 'A boolean option'
EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
attributetype
( 1.3.6.1.4.1.7165.2.1.44 NAME 'sambaIntegerOption'
DESC 'An integer option'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype
( 1.3.6.1.4.1.7165.2.1.45 NAME 'sambaStringOption'
DESC 'A string option'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributetype
( 1.3.6.1.4.1.7165.2.1.46 NAME 'sambaStringListOption'
DESC 'A string list option'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
##attributetype
( 1.3.6.1.4.1.7165.2.1.50 NAME 'sambaPrivName'
##
SUP name )
##attributetype
( 1.3.6.1.4.1.7165.2.1.52 NAME 'sambaPrivilegeList'
##
DESC 'Privileges List'
##
EQUALITY caseIgnoreIA5Match
##
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} )
attributetype
( 1.3.6.1.4.1.7165.2.1.53 NAME 'sambaTrustFlags'
DESC 'Trust Password Flags'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
#
"min password length"
attributetype
( 1.3.6.1.4.1.7165.2.1.58 NAME 'sambaMinPwdLength'
DESC 'Minimal password length (default: 5)'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
#
"password history"
attributetype
( 1.3.6.1.4.1.7165.2.1.59 NAME 'sambaPwdHistoryLength'
DESC 'Length of Password History Entries (default: 0 => off)'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
#
"user must logon to change password"
attributetype
( 1.3.6.1.4.1.7165.2.1.60 NAME 'sambaLogonToChgPwd'
DESC 'Force Users to logon for password change (default: 0 => off, 2 =>
on)'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
#
"maximum password age"
attributetype
( 1.3.6.1.4.1.7165.2.1.61 NAME 'sambaMaxPwdAge'
DESC 'Maximum password age, in seconds (default: -1 => never expire
passwords)'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
#
"minimum password age"
attributetype
( 1.3.6.1.4.1.7165.2.1.62 NAME 'sambaMinPwdAge'
DESC 'Minimum password age, in seconds (default: 0 => allow immediate
password change)'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
#
"lockout duration"
attributetype
( 1.3.6.1.4.1.7165.2.1.63 NAME 'sambaLockoutDuration'
DESC 'Lockout duration in minutes (default: 30, -1 => forever)'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
#
"reset count minutes"
attributetype
( 1.3.6.1.4.1.7165.2.1.64 NAME 'sambaLockoutObservationWindow'
DESC 'Reset time after lockout in minutes (default: 30)'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
#
"bad lockout attempt"
attributetype
( 1.3.6.1.4.1.7165.2.1.65 NAME 'sambaLockoutThreshold'
DESC 'Lockout users after bad logon attempts (default: 0 => off)'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
#
"disconnect time"
attributetype
( 1.3.6.1.4.1.7165.2.1.66 NAME 'sambaForceLogoff'
DESC 'Disconnect Users outside logon hours (default: -1 => off, 0 => on)'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
#
"refuse machine password change"
attributetype
( 1.3.6.1.4.1.7165.2.1.67 NAME 'sambaRefuseMachinePwdChange'
DESC 'Allow Machine Password changes (default: 0 => off)'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
#######################################################################
##
objectClasses used by Samba 3.0 schema ##
#######################################################################
##
The X.500 data model (and therefore LDAPv3) says that each entry can
##
only have one structural objectclass. OpenLDAP 2.0 does not enforce
##
this currently but will in v2.1
##
##
added new objectclass (and OID) for 3.0 to help us deal with backwards
##
compatibility with 2.2 installations (e.g. ldapsam_compat) --jerry
##
objectclass
( 1.3.6.1.4.1.7165.2.2.6 NAME 'sambaSamAccount' SUP top AUXILIARY
DESC 'Samba 3.0 Auxilary SAM Account'
MUST ( uid $ sambaSID )
MAY ( cn $ sambaLMPassword $ sambaNTPassword $ sambaPwdLastSet $
sambaLogonTime $ sambaLogoffTime $ sambaKickoffTime $
sambaPwdCanChange $ sambaPwdMustChange $ sambaAcctFlags $
displayName $ sambaHomePath $ sambaHomeDrive $ sambaLogonScript $
sambaProfilePath $ description $ sambaUserWorkstations $
sambaPrimaryGroupSID $ sambaDomainName $ sambaMungedDial $
sambaBadPasswordCount $ sambaBadPasswordTime $
sambaPasswordHistory $ sambaLogonHours) )
##
##
Group mapping info
##
objectclass
( 1.3.6.1.4.1.7165.2.2.4 NAME 'sambaGroupMapping' SUP top AUXILIARY
DESC 'Samba Group Mapping'
MUST ( gidNumber $ sambaSID $ sambaGroupType )
MAY ( displayName $ description $ sambaSIDList ) )
##
##
Trust password for trust relationships (any kind)
##
objectclass
( 1.3.6.1.4.1.7165.2.2.14 NAME 'sambaTrustPassword' SUP top STRUCTURAL
DESC 'Samba Trust Password'
MUST ( sambaDomainName $ sambaNTPassword $ sambaTrustFlags )
MAY ( sambaSID $ sambaPwdLastSet ) )
##
##
Whole-of-domain info
##
objectclass
( 1.3.6.1.4.1.7165.2.2.5 NAME 'sambaDomain' SUP top STRUCTURAL
DESC 'Samba Domain Information'
MUST ( sambaDomainName $ sambaSID )
MAY ( sambaNextRid $ sambaNextGroupRid $ sambaNextUserRid $
sambaAlgorithmicRidBase $
sambaMinPwdLength $ sambaPwdHistoryLength $ sambaLogonToChgPwd $
sambaMaxPwdAge $ sambaMinPwdAge $
sambaLockoutDuration $ sambaLockoutObservationWindow $
sambaLockoutThreshold $
sambaForceLogoff $ sambaRefuseMachinePwdChange ) )
##
##
used for idmap_ldap module
##
objectclass
( 1.3.6.1.4.1.7165.2.2.7 NAME 'sambaUnixIdPool' SUP top AUXILIARY
DESC 'Pool for allocating UNIX uids/gids'
MUST ( uidNumber $ gidNumber ) )
objectclass
( 1.3.6.1.4.1.7165.2.2.8 NAME 'sambaIdmapEntry' SUP top AUXILIARY
DESC 'Mapping from a SID to an ID'
MUST ( sambaSID )
MAY ( uidNumber $ gidNumber ) )
objectclass
( 1.3.6.1.4.1.7165.2.2.9 NAME 'sambaSidEntry' SUP top STRUCTURAL
DESC 'Structural Class for a SID'
MUST ( sambaSID ) )
objectclass
( 1.3.6.1.4.1.7165.2.2.10 NAME 'sambaConfig' SUP top AUXILIARY
DESC 'Samba Configuration Section'
MAY ( description ) )
objectclass
( 1.3.6.1.4.1.7165.2.2.11 NAME 'sambaShare' SUP top STRUCTURAL
DESC 'Samba Share Section'
MUST ( sambaShareName )
MAY ( description ) )
objectclass
( 1.3.6.1.4.1.7165.2.2.12 NAME 'sambaConfigOption' SUP top STRUCTURAL
DESC 'Samba Configuration Option'
MUST ( sambaOptionName )
MAY ( sambaBoolOption $ sambaIntegerOption $ sambaStringOption $
sambaStringListoption $ description ) )
[root@sambaldap
~]# vim /etc/openldap/slapd.conf
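include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/samba.schema

# LDAPv2 is not needed by samba, smbldap-tools or nss_ldap; leave it off.
# allow bind_v2

# -1 traces every subsystem (including ACL and connection internals) and
# floods syslog; 256 ("stats") records binds, operations and results,
# which is what you want for normal operation and auditing.
loglevel        256

pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

# Simple binds send the password in the clear on port 389. Once a server
# certificate is available, add TLSCertificateFile / TLSCertificateKeyFile /
# TLSCACertificateFile here and point the clients at ldaps:// or STARTTLS.

#######################################################################
# bdb database definition
#######################################################################
database        bdb
suffix          "dc=aiamibd,dc=com"
rootdn          "cn=Manager,dc=aiamibd,dc=com"

# Never keep the directory-manager password in cleartext in this file.
# Generate a hash with `slappasswd` and paste its {SSHA} output here; keep
# slapd.conf itself mode 0640 root:ldap so the hash is not world-readable.
rootpw          {SSHA}<paste-output-of-slappasswd-here>

# Hash userPassword values set through the password-modify extended
# operation instead of storing them in cleartext.
password-hash   {SSHA}

directory       /var/lib/ldap

# Indices to maintain for this database. "index" is a per-database
# directive and has to come after the "database" line, not before it.
index objectClass                                   eq,pres
index ou,cn,mail,surname,givenname                  eq,pres,sub
index uidNumber,gidNumber,loginShell                eq,pres
index uid,memberUid                                 eq,pres,sub
index nisMapName,nisMapEntry                        eq,pres,sub
index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq

#######################################################################
# Access control.
# The FIRST "access to" whose target matches an attribute or entry is the
# only one consulted for it, so order matters: the password rule must come
# first and must already list every DN that has to write password hashes.
# The service accounts (DSAs) live under ou=DSA.
#######################################################################

# Password hashes: writable by the DSAs and by the user, usable for simple
# bind ("auth") by anyone, readable by nobody.
# An earlier rule on these attributes with only "self write / anonymous
# auth" used to precede this one; it matched first and silently denied the
# DSAs, so samba and smbldap-tools could not set or change passwords.
# sambaPwdLastSet / sambaPwdMustChange are deliberately NOT in this rule:
# samba maintains them through its DSA, and a user who may rewrite
# sambaPwdMustChange can defeat password expiry. They are handled by the
# samba-attribute rule below (DSA write, self read).
# NOTE(review): cn=nssldap only needs to look accounts up; write access here
# is more than it needs unless pam_ldap changes passwords through it -
# confirm and drop it if not.
access to attrs=userPassword,sambaNTPassword,sambaLMPassword
        by dn="cn=samba,ou=DSA,dc=aiamibd,dc=com" write
        by dn="cn=smbldap-tools,ou=DSA,dc=aiamibd,dc=com" write
        by dn="cn=nssldap,ou=DSA,dc=aiamibd,dc=com" write
        by dn="uid=root,ou=People,dc=aiamibd,dc=com" write
        by anonymous auth
        by self write
        by * none

# Some attributes need to be readable anonymously so that 'id user' can
# answer correctly from an nss_ldap that does not bind. If nss_ldap is
# configured to bind as cn=nssldap, tighten "by * read" to "by users read".
# NOTE(review): users are created under ou=Users below; if the LDAP root
# account lives there too, "uid=root,ou=People" should be
# "uid=root,ou=Users" (check usersdn in smbldap.conf).
access to attrs=objectClass,entry,homeDirectory,uid,uidNumber,gidNumber,memberUid
        by dn="cn=samba,ou=DSA,dc=aiamibd,dc=com" write
        by dn="cn=smbldap-tools,ou=DSA,dc=aiamibd,dc=com" write
        by dn="uid=root,ou=People,dc=aiamibd,dc=com" write
        by * read

# Some attributes can be written by the users themselves (chfn/chsh-style;
# self write on loginShell lets a user pick their own shell).
access to attrs=description,telephoneNumber,roomNumber,homePhone,loginShell,gecos,cn,sn,givenname
        by dn="cn=samba,ou=DSA,dc=aiamibd,dc=com" write
        by dn="cn=smbldap-tools,ou=DSA,dc=aiamibd,dc=com" write
        by dn="uid=root,ou=People,dc=aiamibd,dc=com" write
        by self write
        by * read

# Samba account, group, domain and idmap attributes: DSAs write, the owner
# may read, everyone else gets nothing. (The password attributes listed
# here never reach this rule; the first rule already matched them.)
access to attrs=cn,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaLogonTime,sambaLogoffTime,sambaKickoffTime,sambaPwdCanChange,sambaPwdMustChange,sambaAcctFlags,displayName,sambaHomePath,sambaHomeDrive,sambaLogonScript,sambaProfilePath,description,sambaUserWorkstations,sambaPrimaryGroupSID,sambaDomainName,sambaMungedDial,sambaBadPasswordCount,sambaBadPasswordTime,sambaPasswordHistory,sambaLogonHours,sambaSID,sambaSIDList,sambaTrustFlags,sambaGroupType,sambaNextRid,sambaNextGroupRid,sambaNextUserRid,sambaAlgorithmicRidBase,sambaShareName,sambaOptionName,sambaBoolOption,sambaIntegerOption,sambaStringOption,sambaStringListoption
        by dn="cn=samba,ou=DSA,dc=aiamibd,dc=com" write
        by dn="cn=smbldap-tools,ou=DSA,dc=aiamibd,dc=com" write
        by dn="uid=root,ou=People,dc=aiamibd,dc=com" write
        by self read
        by * none

# Samba needs to be able to create the samba domain account at the suffix.
access to dn.base="dc=aiamibd,dc=com"
        by dn="cn=samba,ou=DSA,dc=aiamibd,dc=com" write
        by dn="cn=smbldap-tools,ou=DSA,dc=aiamibd,dc=com" write
        by dn="uid=root,ou=People,dc=aiamibd,dc=com" write
        by * none

# Samba needs to be able to create new user accounts.
access to dn="ou=Users,dc=aiamibd,dc=com"
        by dn="cn=samba,ou=DSA,dc=aiamibd,dc=com" write
        by dn="cn=smbldap-tools,ou=DSA,dc=aiamibd,dc=com" write
        by dn="uid=root,ou=People,dc=aiamibd,dc=com" write
        by * none

# Samba needs to be able to create new group accounts.
access to dn="ou=Groups,dc=aiamibd,dc=com"
        by dn="cn=samba,ou=DSA,dc=aiamibd,dc=com" write
        by dn="cn=smbldap-tools,ou=DSA,dc=aiamibd,dc=com" write
        by dn="uid=root,ou=People,dc=aiamibd,dc=com" write
        by * none

# Samba needs to be able to create new computer (machine trust) accounts.
access to dn="ou=Computers,dc=aiamibd,dc=com"
        by dn="cn=samba,ou=DSA,dc=aiamibd,dc=com" write
        by dn="cn=smbldap-tools,ou=DSA,dc=aiamibd,dc=com" write
        by dn="uid=root,ou=People,dc=aiamibd,dc=com" write
        by * none

# Everything not matched above: owner may read, nobody else sees it.
access to *
        by self read
        by * none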