RE: ACL questions. Answered (long)
On Fri, 12 Mar 2004, Buchan Milne wrote:
> > access to attrs=userPassword,sambaLMPassword,sambaNTPassword
> > by dn="uid=Sambaroot,ou=People,dc=math,dc=gatech,dc=edu" write
> > by * auth
> >
> > # Allow users to change their login shell by themselves
> > access to attrs=loginShell
> > by self write
> >
> > # Allow uid=Sambaroot to write any samba entries and objectClass to
> > children
> > # of ou=People.
> > access to dn.children="ou=People,dc=math,dc=gatech,dc=edu"
> > attrs=objectClass,sambaSamAccount
> > by dn="uid=Sambaroot,ou=People,dc=math,dc=gatech,dc=edu" write
> > by * read
> >
> > # Allow uid=Sambaroot to write the mentioned attributes in ou=Groups
> > access to dn.children="ou=Groups,dc=math,dc=gatech,dc=edu"
> > attrs=description,sambaSID,sambaGroupType,displayName,objectClass
> > by dn="uid=Sambaroot,ou=People,dc=math,dc=gatech,dc=edu" write
> > by * read
> >
> > # Allow uid=Sambaroot to write the objectClass and samba attributes to
> > # children of ou=Host
> > access to dn.children="ou=Hosts,dc=math,dc=gatech,dc=edu"
> > attrs=objectClass,sambaSamAccount
> > by dn="uid=Sambaroot,ou=People,dc=math,dc=gatech,dc=edu" write
> > by * read
> >
> > # Allow uid=Sambaroot to write to all children of ou=Idmap
> > access to dn.children="ou=Idmap,dc=math,dc=gatech,dc=edu"
> > by dn="uid=Sambaroot,ou=People,dc=math,dc=gatech,dc=edu" write
> > by * read
> >
>
> As I read this, it seems you allow Sambaroot to modify entries below
> ou=Idmap, but, since Sambaroot does not have write access to ou=Idmap,
> surely you will get the "no write access to parent" error if samba tries
> to add an idmap entry? The same issue applies to ou=Hosts, does it not?
> This would mean joining machines "on-the-fly" would not work ...
So far I have not found how to get samba to put an entry in Idmap.
Whenever I map Windows to Unix groups it puts samba attributes to my
already created unix groups in ou=Groups. I still have not been able to
test this through samba. However, manually adding an entry using
uid=Sambaroot does show the problem, so we would need to change from:
access to dn.children="ou=Idmap,dc=math,dc=gatech,dc=edu"
to:
access to dn.subtree="ou=Idmap,dc=math,dc=gatech,dc=edu"
Note that this will allow uid=Sambaroot to add/remove entries under
ou=Idmap.
>
> > # Now we restrict uid=Sambaroot so that this user cannot erase things
> > access to dn.regex="ou=(.+),dc=math,dc=gatech,dc=edu"
> > by dn="uid=Sambaroot,ou=People,dc=math,dc=gatech,dc=edu" read
> > by * read
> >
> > # We also allow uid=Sambaroot to add the sambaDomainName entry under the
> > # database root (same level as rootdn).
> > access to dn.subtree="dc=math,dc=gatech,dc=edu"
> > by dn="uid=Sambaroot,ou=People,dc=math,dc=gatech,dc=edu" write
> > by * read
> >
>
> Don't you want to prevent uid=Sambaroot from making entries which aren't
> sambaDomain's? ie:
> access to dn.subtree="dc=math,dc=gatech,dc=edu"
> attrs=sambaDomain
> by dn="uid=Sambaroot,ou=People,dc=math,dc=gatech,dc=edu" write
> by * read
>
> But, then again we may have the "no write access to parent" ?
What you say is correct, adding attrs=sambaDomain gives you the "no write
access to parent":
--------------------begin test ---------------------------
Adding user root
New SMB password:
Retype new SMB password:
failed to add domain dn= sambaDomainName=DJR-TEST,dc=math,dc=gatech,dc=edu
with: Insufficient access
no write access to parent
Adding domain info for DJR-TEST failed with NT_STATUS_UNSUCCESSFUL
--------------------end test------------------------------
>
>
> > # Then we grant access to read everything else.
> > access to *
> > by * read
>
> Finally, I am wondering about supporting a multi-samba-domain
> implementation (yes, I know there are other ways) without duplicating
> ACLs. ie, how would I make generic ACLs work for this kind of setup?
>
> I have tried things like:
> access to dn="^(.*,)+ou=Hosts,(dc=.+,)+$$"
> attrs=objectClass,sambaSamAccount
> by dn="uid=Sambaroot,ou=People,$2$$" write
> by * read
>
> (as far as I understand, something like this can only be done with
> dn.regex, not dn.children?).
I am not fully sure how to do this. Maybe someone else can help. I also
believe that you cannot use dn.children to match
dn="^(.*,)+ou=Hosts,(dc=.+,)+$$". That can only be done with dn.regex.
Diego
>
> Regards,
> Buchan
>
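Added example, not part of the list exchange: a slapd.conf ACL fragment that puts the two "no write access to parent" fixes discussed above side by side. It assumes OpenLDAP 2.2-era ACL syntax (the `children` and `entry` pseudo-attributes and the `filter=` qualifier), the same DNs as in the thread, and that slapd stops at the first `access to` clause whose target matches, so these rules must appear before the `dn.regex="ou=(.+),dc=math,dc=gatech,dc=edu"` read-only rule. Option A is the dn.children to dn.subtree change proposed in the reply; option B grants uid=Sambaroot only the `children` pseudo-attribute of the parent, which is what an add operation actually needs, without letting it rewrite the parent entry itself. The last rule addresses Buchan's sambaDomain suggestion: since sambaDomain is an object class rather than an attribute, the entry is matched with a filter on objectClass instead of an attrs list.

```conf
# Added example, not from the original message. Assumes OpenLDAP 2.2-style
# ACL syntax and the DNs used in the thread.

# Option A (what the reply proposes): dn.subtree covers ou=Idmap itself
# as well as its descendants, so adding an idmap entry finds write access
# on the parent. Side effect: Sambaroot can also modify ou=Idmap's own
# attributes.
access to dn.subtree="ou=Idmap,dc=math,dc=gatech,dc=edu"
        by dn.exact="uid=Sambaroot,ou=People,dc=math,dc=gatech,dc=edu" write
        by * read

# Option B (tighter): the "children" pseudo-attribute of the parent is
# what slapd checks when a child entry is added or deleted. Granting only
# that, plus write on the children themselves, lets Sambaroot create and
# remove idmap entries without touching ou=Idmap's other attributes.
access to dn.base="ou=Idmap,dc=math,dc=gatech,dc=edu" attrs=children
        by dn.exact="uid=Sambaroot,ou=People,dc=math,dc=gatech,dc=edu" write
        by * read
access to dn.children="ou=Idmap,dc=math,dc=gatech,dc=edu"
        by dn.exact="uid=Sambaroot,ou=People,dc=math,dc=gatech,dc=edu" write
        by * read

# Same pattern for the sambaDomainName entry at the suffix: write to the
# suffix's "children" (needed to create the entry) and write to entries
# directly below the suffix that carry the sambaDomain object class,
# instead of write on the whole dc=math subtree.
access to dn.base="dc=math,dc=gatech,dc=edu" attrs=children
        by dn.exact="uid=Sambaroot,ou=People,dc=math,dc=gatech,dc=edu" write
        by * read
access to dn.onelevel="dc=math,dc=gatech,dc=edu" filter=(objectClass=sambaDomain)
        by dn.exact="uid=Sambaroot,ou=People,dc=math,dc=gatech,dc=edu" write
        by * read
```

To check which of these takes effect for a given operation, run slapd with ACL debugging (`-d acl`) and repeat the `smbpasswd` test quoted above; the log shows the `access to` clause that matched and whether `children` on the parent was granted. Option B does not change the read-only posture for everyone else, because every `by * read` stays as it was in the original configuration.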