[Samba] BDC and password change program
Bruno Guerreiro
bruno.guerreiro at ine.pt
Wed Aug 31 10:20:51 GMT 2005
Hi there,
The best (only?) way to go is with an LDAP Master+slave architecture.
All changes must be done at the LDAP Master server which automatically
replicates them to all slave ldap servers.
So, yes, the BDC MUST talk to the PDC, or at least the master ldap server to
change the password.
Best Regards.
Bruno Guerreiro
-----Original Message-----
From: kent [mailto:kent at mail.wareham.mec.edu]
Sent: Wednesday, 31 August 2005 11:15
To: mdonada at auroraalimentos.com.br; Samba
Subject: Re: [Samba] BDC and password change program
Hello,
How are you doing? I just switched this summer from RedHat 8.0 with compiled versions of Samba, OpenLDAP and Berkeley DB to Fedora Core 4 with precompiled Samba, OpenLDAP and BerkeleyDB. Here is the smb.conf from one school that is a BDC:
[global]
workgroup = WarehamPS
encrypt passwords = Yes
time offset = 60
time server = Yes
# log level = 5
socket options = TCP_NODELAY TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
security = user
username map = /etc/samba/smbusers
logon script = whs1.bat
writable = Yes
interfaces = eth0 eth1
directory mask = 02770
preferred master = yes
netbios name = whs1
server string = Fedora Core 4 SAMBA server
passdb backend = ldapsam:ldap://127.0.0.1
ldap passwd sync = Yes
machine password timeout = 604800
passwd program = /usr/bin/smbpasswd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUnix\spassword:* %n\n
log file = /var/log/samba/%m.log
debug level = 2
max log size = 50
add machine script = /usr/sbin/addmachine.sh "%u"
logon path =
logon drive = H:
logon home =
domain logons = Yes
os level = 64
domain master = No
dns proxy = no
admin users = @domain_admins
wins support = no
wins server = 172.16.0.13
wins proxy = yes
local master = yes
name resolve order = hosts wins bcast
ldap suffix = dc=tow,dc=net
ldap machine suffix = ou=Computers
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldap admin dn = cn=admin,dc=tow,dc=net
ldap ssl = no
[homes]
comment = Home Directories
read only = no
browseable = no
writable = yes
path = %H
# valid users = %S
[netlogon]
root preexec = /accounts/netlogon/prelogon.pl %U
path = /accounts/netlogon
comment = Netlogon share
locking = no
browseable = yes
valid users = @whsstaff, @whsstudent, @whs-cafe, navinstall, kent
read only = yes
hide files = /.*/*dll/*DLL/*.bat/*.kix/*.rap/*pl/
write list = @domain_admins
[staff]
comment = Staff directory
path = /accounts/common
create mode = 0660
browseable = no
write list = @whsstaff
valid users = @whsstaff
[programs]
comment = Applications
path = /accounts/programs
browseable = no
create mode = 0660
write list = @whsstaff
valid users = @whsstaff
[cafeteria]
path = /accounts/cafeteria/data
browseable = no
valid users = @whs-cafe, dperry
force group = whs-cafe
create mode = 0660
directory mode = 0770
Here is the smb.conf for the PDC:
[global]
workgroup = WarehamPS
encrypt passwords = Yes
time server = Yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
security = user
writable = Yes
interfaces = eth0 eth1
directory mask = 02770
preferred master = yes
local master = Yes
username map = /etc/samba/smbusers
netbios name = wms1
server string = Fedora Core 4 SAMBA Server
passdb backend = ldapsam:ldap://172.16.0.24
ldap passwd sync = Yes
machine password timeout = 604800
passwd program = /usr/bin/smbpasswd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUnix\spassword:* %n\n
log file = /var/log/samba/%m.log
debug level = 2
max log size = 30
# add machine script = /usr/bin/smbpasswd -m %u
add machine script = /usr/sbin/addmachine.sh "%u"
logon script = wms1.bat
logon path =
logon drive = H:
logon home =
domain logons = Yes
os level = 255
domain master = Yes
dns proxy = Yes
admin users = @domain_admins
wins support = Yes
remote browse sync = 172.16.0.3 172.16.0.19 172.16.0.15 172.16.0.26 172.16.0.20 172.16.80.1
name resolve order = hosts wins bcast
ldap suffix = dc=tow,dc=net
ldap machine suffix = ou=Computers
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldap admin dn = cn=admin,dc=tow,dc=net
ldap ssl = no
[homes]
comment = Home Directories
read only = no
browseable = no
writable = yes
path = %H
hide files = /.*/
[netlogon]
comment = Netlogon share
root preexec = /accounts/netlogon/prelogon.pl %U
path = /accounts/netlogon
valid users = @wmsstaff, @wmsstudent, @domain_users, @wms-cafe, navinstall
locking = no
browseable = no
read only = yes
write list = @domain_admins
hide files = /*.dll/*.rap/*.kix/*.bat/*.pl/
[cafeteria]
path = /accounts/cafeteria/data
browseable = yes
valid users = @wms-cafe, dperry
force group = wms-cafe
create mode = 0660
directory mode = 0770
[staff]
path = /accounts/common
browseable = no
valid users = @wmsstaff
force group = wmsstaff
write list = @domain_admins, @wmsstaff
create mode = 0660
directory mode = 0770
[programs]
path = /accounts/programs
browseable = no
valid users = @wmsstaff, @techstaff
create mode = 0660
[tech]
path = /accounts/tech
browseable = no
valid users = @techstaff
force group = techstaff
write list = @techstaff
create mode = 0660
directory mode = 0770
The addmachine.sh script is my own version of an add machine script. All users, groups and computers have corresponding POSIX accounts in LDAP as well as the Samba objectClass and attributes. I don't use any Windows utilities to manipulate user or group information in LDAP; I have my own set of routines tailored to our system that allow individual control of LDAP info, or we can batch add/delete accounts and user attributes with interactive shell scripts.
My question to the Samba community is still: should the password program on the BDC talk to the PDC by smbpasswd -r <PDC address>? I'm having a little password-out-of-sync problem.
Kent N.
Marcio Luciano Donada <mdonada at auroraalimentos.com.br> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> kent wrote:
>
> | Hello, Just wondering what I should be using for the password
> | change program on a BDC. Should it be: passwd program =
> | /usr/bin/smbpasswd -r <PDC address> %u
> |
> | I'm having a problem with passwords not staying in sync between the
> | PDC and BDC with pass backend ldap.
> |
> | The systems are all Fedora Core 4, Samba 3.0.14a, openldap 2.2.23
> |
> | Kent N
> |
> Hello, I am trying to configure the BDC. How are you adding them to your schema in the LDAP base? Could you send me your configs (smb.conf and smbldap.conf) so I can have a look at them?
>
> thanks
>
> - --
> Márcio Luciano Donada
> T.I. Aurora Alimentos Chapecó(SC)
> Cooperativa Central Oeste Catarinense
> mdonada at auroraalimentos dot com dot br
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.2 (FreeBSD)
> Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
>
> iD8DBQFDFK8uyJq2hZEymxcRAlKbAJ9zHBrhgypVI1s7U5mpm/Frsan+mgCfT+Sa
> AAQEnZuvd72KHjQU5KML1mc=
> =1iV1
> -----END PGP SIGNATURE-----
>
>
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba
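Bruno's point at the top of this mail (the BDC must hand password writes to the master LDAP server, not to a local slave) and Kent's question about keeping the PDC and BDC in sync can be checked mechanically against smb.conf files like the two posted above. The following is an added example, not code from this thread or from the Samba project. It parses smb.conf in Samba's own syntax ([section] headers, key = value, # and ; comments, trailing-backslash continuation lines) and flags a BDC whose passdb backend points at a loopback LDAP URL (a local replica cannot accept the write, so password changes drift), a plain ldap:// URL to a remote server with ldap ssl off (the ldap admin dn bind and the password hashes cross the wire unencrypted), and a PDC/BDC pair that do not share one LDAP write target. The sample configs are constructed excerpts modelled on Kent's, and the role heuristic (domain master = yes means PDC) is this example's own assumption.

```python
"""Lint Samba smb.conf files for BDC/LDAP password-sync pitfalls.

Added example, not code from the thread or the Samba project.  The sample
configs are constructed excerpts modelled on the ones Kent posted; the role
heuristic (domain master = yes means PDC) is this example's own assumption.
"""
import re
from typing import Dict, List, Optional, Tuple

SECTION_RE = re.compile(r"^\[(.+?)\]\s*$")
# passdb backend = ldapsam:ldap://host[:port]  (ldaps:// and ldapsam_trusted too)
LDAP_URL_RE = re.compile(r"ldapsam(?:_trusted)?:\s*(ldaps?)://([^:/\s]+)")
LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse [section] / key = value / '#' ';' comments / backslash continuations.
    Keys are lower-cased with whitespace collapsed, as Samba normalises them."""
    sections: Dict[str, Dict[str, str]] = {}
    current, pending = None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):                      # continued on the next line
            pending = line[:-1].rstrip() + " "
            continue
        if not line or line[0] in "#;":
            continue
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def is_true(value: str) -> bool:
    return value.strip().lower() in {"yes", "true", "1", "on"}


def ldap_target(conf: Dict[str, Dict[str, str]]) -> Optional[Tuple[str, str]]:
    """(scheme, host) of the ldapsam URL, or None for a non-LDAP backend."""
    m = LDAP_URL_RE.search(conf.get("global", {}).get("passdb backend", ""))
    return (m.group(1), m.group(2)) if m else None


def lint(conf: Dict[str, Dict[str, str]]) -> List[str]:
    """Findings for one smb.conf; an empty list means nothing was flagged."""
    g, target = conf.get("global", {}), ldap_target(conf)
    if target is None:
        return []
    scheme, host = target
    role = "PDC" if is_true(g.get("domain master", "no")) else "BDC"
    findings = []
    if role == "BDC" and host in LOOPBACK:
        findings.append("BDC writes to a loopback LDAP server: if that is a slave "
                        "replica, password changes cannot be stored there and the "
                        "PDC and BDC drift apart; point passdb backend at the master.")
    if (host not in LOOPBACK and scheme == "ldap"
            and g.get("ldap ssl", "no").lower() in {"no", "off"}):
        findings.append(f"{role} binds to {host} over plain ldap:// with ldap ssl "
                        "off: the ldap admin dn bind and the password hashes cross "
                        "the network unencrypted; use ldaps:// or ldap ssl = start tls.")
    return findings


def same_ldap_master(pdc: Dict[str, Dict[str, str]], bdc: Dict[str, Dict[str, str]]) -> bool:
    """True when both controllers write to the same LDAP host."""
    a, b = ldap_target(pdc), ldap_target(bdc)
    return a is not None and b is not None and a[1] == b[1]


# Constructed excerpts modelled on Kent's configs (not the full files).
BDC_SAMPLE = r"""
[global]
   domain logons = Yes
   domain master = No
   passdb backend = ldapsam:ldap://127.0.0.1
   ldap ssl = no
   passwd chat = *Enter\snew\sUNIX\spassword:* %n\n \
      *Retype\snew\sUnix\spassword:* %n\n
"""
PDC_SAMPLE = r"""
[global]
   domain logons = Yes
   domain master = Yes
   passdb backend = ldapsam:ldap://172.16.0.24
   ldap ssl = no
"""


def report(pdc_text: str, bdc_text: str) -> List[str]:
    """Lint both controllers and check that they share one LDAP write target."""
    pdc, bdc = parse_smb_conf(pdc_text), parse_smb_conf(bdc_text)
    out = [f"PDC: {f}" for f in lint(pdc)] + [f"BDC: {f}" for f in lint(bdc)]
    if not same_ldap_master(pdc, bdc):
        out.append("PDC and BDC use different LDAP hosts; both must write to the "
                   "same master or a change made on one never reaches the other.")
    return out


if __name__ == "__main__":
    print("\n".join(report(PDC_SAMPLE, BDC_SAMPLE)))
```

Run against the two excerpts it reports three findings: the BDC's loopback write target, the PDC's cleartext bind to 172.16.0.24, and the mismatch between the two LDAP hosts. The parser deliberately treats a loopback URL on a BDC as suspect rather than wrong, since smb.conf alone cannot tell whether the local slapd is the master or a slave; that is exactly the question to settle with the LDAP configuration before trusting ldap passwd sync on the BDC.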