In our current testing environment, we are using nslcd to get user and
group information from the Samba4 LDAP server, using the last part of
objectSid as uidNumber. The configuration is designed to pull down
unixHomeDirectory and loginShell if they exist, but they default to
standard values if they do not. nslcd on each machine binds to LDAP
using a dedicated user account, nslcd-service, and the entire setup
works pretty well.
But now we have run into a problem - although both POSIX attributes
exists on a particular user (ismith in this case) they cannot be read by
the machine using nslcd-service to bind to the LDAP directory. After
further testing, we found that binding as Administrator makes the
attributes show up - in fact adding nslcd-service to 'Domain Admins'
group also lets it see those attributes. Unfortunately both of these
options are a huge security risk - any server that becomes compromised
can effectively take control of the Samba4 domain and server, and in
turn take out the rest of the network.
It seems strange that all normal attributes are perfectly readable by
any user, while the manually added POSIX attributes are not. I do not
know enough about AD configuration to figure out where the ACLs are
stored for this, and documentation has been scarce to say the least.
Thus I have come to this mailing list for guidance.
An alternative strategy would be to enable anonymous binding on the LDAP
server, but the (slightly less scarce) documentation shows that to do
that requires each entry be specifically set to allow this, which seems
to be more hassle than it is worth. Any help on this would also be
greatly appreciated.
Thanks,
Rob
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
