I have a working Samba PDC that uses OpenLDAP as backend. I am about to set up a samba proxy user and have problems writing the correct secure ACLs.
I used this ACL:
{0}to * by group.exact="cn=ldap.admins,ou=groups,dc=example,dc=com" write by * break
{1}to dn.one="dc=example,dc=com" filter=(objectClass=sambaDomain) by group.exact="cn=samba.admins,ou=groups,dc=example,dc=com" write by * break
{2}to attrs=@sambaSamAccount,userPassword by group.exact="cn=samba.admins,ou=groups,dc=example,dc=com" write by * break
{3}to dn.subtree="ou=people,dc=example,dc=com" attrs=userPassword by self write by * break
{4}to attrs=userPassword,shadowLastChange,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange by self read by anonymous auth by * none
{5}to * by users read
(found here: http://blogger.ziesemer.com/2011/01/ldap-authentication-for-samba.html)
And from Windows I am unable to log on (Windows says incorrect password or username).
When I insert a new olcAccess line as rule No 0, everything is perfect:
olcAccess: {0}to * by * read
I think that this behaviour is caused by the fact that in the middle of the authentication process Samba rebinds to OpenLDAP: the connection from Samba using the proxy user is dropped, and an anonymous bind is initiated.
In the log you see lines like this:
Jul 6 12:06:06 ubuserver slapd[1088]: conn=1110 fd=48 ACCEPT from PATH=/var/run/slapd/ldapi (PATH=/var/run/slapd/ldapi)
Jul 6 12:06:06 ubuserver slapd[1088]: conn=1110 op=0 BIND dn="" method=128
Jul 6 12:06:06 ubuserver slapd[1088]: conn=1110 op=0 RESULT tag=97 err=0 text=
Jul 6 12:06:06 ubuserver slapd[1088]: conn=1110 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=suser2))"
Jul 6 12:06:06 ubuserver slapd[1088]: conn=1110 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Jul 6 12:06:06 ubuserver slapd[1088]: => access_allowed: search access to "dc=itthon,dc=cucc" "entry" requested
Jul 6 12:06:06 ubuserver slapd[1088]: => acl_get: [1] attr entry
Jul 6 12:06:06 ubuserver slapd[1088]: => acl_mask: access to entry "dc=example,dc=com", attr "entry" requested
Jul 6 12:06:06 ubuserver slapd[1088]: => acl_mask: to all values by "", (=0)
Jul 6 12:06:06 ubuserver slapd[1088]: <= check a_dn_pat: *
Jul 6 12:06:06 ubuserver slapd[1088]: <= acl_mask: [2] applying +0 (break)
Jul 6 12:06:06 ubuserver slapd[1088]: <= acl_mask: [2] mask: =0
Jul 6 12:06:06 ubuserver slapd[1088]: => dn: [2] dc=example,dc=com
Jul 6 12:06:06 ubuserver slapd[1088]: => dn: [4] ou=people,dc=example,dc=com
Jul 6 12:06:06 ubuserver slapd[1088]: => acl_get: [6] attr entry
Jul 6 12:06:06 ubuserver slapd[1088]: => acl_mask: access to entry "dc=example,dc=com", attr "entry" requested
Jul 6 12:06:06 ubuserver slapd[1088]: => acl_mask: to all values by "", (=0)
Jul 6 12:06:06 ubuserver slapd[1088]: <= check a_dn_pat: users
Jul 6 12:06:06 ubuserver slapd[1088]: <= acl_mask: no more <who> clauses, returning =0 (stop)
Questions:
- Do I understand things right that the problem is caused by the anonymous rebind?
- Is there a way to tell Samba to always bind with the proxy user (the one specified in the ldap admin dn in the smb.conf)?
- If not, is there a way to set up secure ACLs, i.e. not to give read rights to everyone?
(System is Ubuntu 12.04)
The problem was that Samba gave the job to PAM, and in the /etc/ldap.conf I've forgotten to fill out bind user and bind pw. So PAM bound to LDAP as anonymous and had no rights to read those attributes.
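A small check over slapd's stats log, added here as an example (it is not part of the question or the answer), that confirms this kind of diagnosis: it flags every search that asks for the attributes protected by ACL rule {4} on a connection whose bind is anonymous (BIND dn="", a failed bind, or no bind at all). The sample log is constructed, modelled on the lines in the question; the proxy DN cn=samba,ou=people,dc=example,dc=com is an assumed value.

```python
import re

# Attributes protected by ACL rule {4} in the question; LDAP attribute names are case-insensitive.
SENSITIVE_ATTRS = {a.lower() for a in (
    "userPassword", "shadowLastChange", "sambaNTPassword",
    "sambaLMPassword", "sambaPwdLastSet", "sambaPwdMustChange")}

BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)"')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT tag=\d+ err=(\d+)')
ATTR_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH attr=(.*)$')

def anonymous_password_reads(log_text):
    """Return (conn, op, attrs) for every search requesting protected attributes
    on a connection whose current bind is anonymous (no successful BIND or BIND dn="")."""
    pending = {}   # conn -> (op, dn) of a BIND still waiting for its RESULT line
    bound = {}     # conn -> DN of the last successful BIND ("" means anonymous)
    findings = []
    for line in log_text.splitlines():
        m = BIND_RE.search(line)
        if m:
            conn, op, dn = m.groups()
            pending[conn] = (op, dn)
            continue
        m = RESULT_RE.search(line)
        if m and m.group(1) in pending and pending[m.group(1)][0] == m.group(2):
            conn, _, err = m.groups()
            dn = pending.pop(conn)[1]
            # A failed BIND leaves the connection in the anonymous state (RFC 4511).
            bound[conn] = dn if err == "0" else ""
            continue
        m = ATTR_RE.search(line)
        if m:
            conn, op, attrs = m.groups()
            hit = sorted({a.lower() for a in attrs.split()} & SENSITIVE_ATTRS)
            if hit and bound.get(conn, "") == "":
                findings.append((conn, op, hit))
    return findings

# Constructed sample modelled on the log in the question: conn 1110 binds anonymously and
# asks for userPassword; conn 1111 binds as the (assumed) proxy user and asks for Samba hashes.
SAMPLE_LOG = """\
Jul 6 12:06:06 ubuserver slapd[1088]: conn=1110 op=0 BIND dn="" method=128
Jul 6 12:06:06 ubuserver slapd[1088]: conn=1110 op=0 RESULT tag=97 err=0 text=
Jul 6 12:06:06 ubuserver slapd[1088]: conn=1110 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=suser2))"
Jul 6 12:06:06 ubuserver slapd[1088]: conn=1110 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Jul 6 12:06:07 ubuserver slapd[1088]: conn=1111 op=0 BIND dn="cn=samba,ou=people,dc=example,dc=com" method=128
Jul 6 12:06:07 ubuserver slapd[1088]: conn=1111 op=0 RESULT tag=97 err=0 text=
Jul 6 12:06:07 ubuserver slapd[1088]: conn=1111 op=1 SRCH attr=sambaNTPassword sambaLMPassword sambaPwdLastSet
"""

if __name__ == "__main__":
    for conn, op, attrs in anonymous_password_reads(SAMPLE_LOG):
        print(f"conn={conn} op={op}: anonymous bind requested {', '.join(attrs)}")
```

Run it against a real slapd log written with loglevel stats (256); the proxy-user connection produces no finding, while the PAM connection from the answer shows up as an anonymous request for userPassword.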