[Samba] changing ldap passwords?

Xavi León Javier.Leon-Gutierrez at upc.edu
Tue Jan 25 09:31:26 GMT 2005


Tim Tyler wrote:

>   Samba experts,
>   I am using Samba 3.0.8 on an AIX 5.1 system with ldap 
> authentication.  I have ldap working so that users can authenticate in 
> their samba account via ldap.   However, I am trying to figure out the 
> best method for allowing users to change their ldap samba account 
> password.
>    What is the best method to allow end users to change their LM/NT 
> passwords for Samba via LDAP?
> Should I be using smbpasswd?  Or should I be using the smbldap-tools 
> and use smbldap-passwd.pl? Or is there another option?

Hi, I wanted the same a month ago and, googling a little, I found a little 
web-based PHP application which changed the "user password" attribute
of an LDAP server (phpLdapPasswd). And I thought, what the fuck, I use the 
NT/LM passwords for Samba...
But looking into the code I saw that it's not difficult to access/modify 
LDAP attributes with PHP, so I decided to make a patch to support
changing NT/LM passwords.
You can get the app in its version 0.5 at: 
    http://www.xenos.net/software/phpLdapPasswd/

You need the mkntpwd program (search for it, I don't remember where I got it) 
in order to obtain the LM:NT hashes.
Apply the attached patch
    (save the patch in the phpLdapPasswd directory and run patch -p1 < 
passwdSambaSupport.patch)

>
> Also, what do I need to set for privileges (ACL's) on the ldap server 
> side to allow users to change their samba password (if any)?

In my /etc/ldap/slapd.conf the part related to the LM and NT passwords looks 
like this:

# sambaNTPassword: the admin DN may write it, anonymous may only use it to
# authenticate, the user may change his own, nobody else may read it.
# (The line for the admin DN was posted without an access level; "write"
# is assumed to be what was intended.)
access to attribute=sambaNTPassword
          by dn="cn=admin,dc=company,dc=cat" write
          by anonymous auth
          by self write
          by * none

# sambaLMPassword: same rules. The posted line read "by anonymous=auth",
# which is a typo; the "by <who> <access>" form needs a space.
access to attribute=sambaLMPassword
          by dn="cn=admin,dc=company,dc=cat" write
          by anonymous auth
          by self write
          by * none

I have to point out that when I put the sambaNTPassword and sambaLMPassword 
in the same ACL (as you did) it didn't work for me...
Putting them separately works. I suppose I made a typing mistake that I 
couldn't see.

>
>  Any recommendations and hints about implementing it are much 
> appreciated!
> thanks!
>  Tim

Tell me if you have any problems; at the moment it's working fine for me.

Xavi
-------------- next part --------------
diff -Naur phpLdapPasswd-0.5/config.php phpLdapPasswd-withSambaSupport-0.5/config.php
--- phpLdapPasswd-0.5/config.php	2004-08-26 17:48:22.000000000 +0200
+++ phpLdapPasswd-withSambaSupport-0.5/config.php	2005-01-21 11:27:03.000000000 +0100
@@ -64,6 +64,22 @@
 // default Debian Woody system!)
 $ENCODING = MD5;
 
+// If you have SambaAccounts in your Ldap database you may want to have both unix
+// and samba passwords syncronized. Set this to 1 if you want to do so. Otherwise,
+// set it to 0..
+$SAMBASYNCRO = 0;
+
+// If you set SAMBASYNCRO to 1, you must have the mkntpwd aplication, which makes
+// the necessary NTHashes to perform windows authentication. So here, put the
+// full mkntpwd file path (with the name of the file too).
+$MKNTPWD = "/usr/local/sbin/mkntpwd";
+
+// This two attributes is for making it more extensive. Depending on the samba schema,
+// this two attributes are named different, so you may put them here. If you don't know
+// what they are search in your samba.schema file.
+$SAMBANTATTR = "sambaNTPassword";
+$SAMBALMATTR = "sambaLMPassword";
+
 // This should be set to the attribute for which to search when a login ID
 // is entered.  This attribute should have a unique value in the $LDAPBASEDN
 // given.
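Review bot: the comments in this hunk should say that whatever path is set in $MKNTPWD is executed by the web server process with each user's new password as an argument, so the binary and the directory it lives in must be writable only by root; as written they only say where to put the path. The comment text also needs a pass for spelling and grammar ("syncronized", "aplication", "set it to 0..", "This two attributes is for making it more extensive").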
diff -Naur phpLdapPasswd-0.5/functions.php phpLdapPasswd-withSambaSupport-0.5/functions.php
--- phpLdapPasswd-0.5/functions.php	2004-08-26 17:50:46.000000000 +0200
+++ phpLdapPasswd-withSambaSupport-0.5/functions.php	2005-01-21 11:42:09.000000000 +0100
@@ -497,4 +497,37 @@
 
 	return $ds;
 }
+
+// **************************************************************************
+// Function:
+//
+// Purpose: Update the Samba NT and LM Passwords
+//
+// Usage: createSambaPasswords($password)
+//
+// - $password:     The password in plain text to encode
+//
+// Returns: an array of two positions -> sambaLMPassword and SambaNTPassword
+// **************************************************************************
+function createSambaPasswords($password) {
+    global $MKNTPWD;
+    global $SAMBANTATTR;
+    global $SAMBALMATTR;
+    $sambaPass = array("sambaLMPassword" => NULL,
+                       "sambaNTPassword" => NULL);
+
+    if (!(@file_exists($MKNTPWD) && is_executable($MKNTPWD))) {
+        fatal_error("You don't have the mkntpwd program in the correct path (look in config.php) 
+                     or it is not executable");
+    }
+    $sambaPassCommand = $MKNTPWD . " " . $password;
+    if($sambaPassCommandOutput = shell_exec($sambaPassCommand)) {
+        $sambaPass[$SAMBALMATTR] = trim(substr($sambaPassCommandOutput, 0, strPos($sambaPassCommandOutput, ':')));
+        $sambaPass[$SAMBANTATTR] = trim(substr($sambaPassCommandOutput, strPos($sambaPassCommandOutput, ':') +1));
+    }
+    else {
+        fatal_error("The mkntpwd has failed making the NTHashes for Samba");
+    }
+    return $sambaPass;
+}
 ?>
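Review bot: `$sambaPassCommand = $MKNTPWD . " " . $password;` is handed to shell_exec() unquoted, so a password containing a space, `;`, `$`, backquote or quote characters either breaks the command or is interpreted by the shell, and the plaintext password is visible to every local user in the process list while mkntpwd runs; at minimum wrap it with escapeshellarg($password), and better still compute the hashes in-process (the NT hash is MD4 over the UTF-16LE password) so no child process ever receives the cleartext. Second, $sambaPass is initialised with the hard-coded keys "sambaLMPassword"/"sambaNTPassword" but filled using $SAMBALMATTR/$SAMBANTATTR, so whenever the configured names differ the array carries two extra NULL-valued entries that go straight into ldap_mod_replace(); initialise it with the configured names instead. The strPos() calls also return false when the output contains no ':', which silently yields empty hashes rather than an error, and the "Function:" line in the doc block is blank.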
diff -Naur phpLdapPasswd-0.5/index.php phpLdapPasswd-withSambaSupport-0.5/index.php
--- phpLdapPasswd-0.5/index.php	2004-08-26 17:49:50.000000000 +0200
+++ phpLdapPasswd-withSambaSupport-0.5/index.php	2005-01-21 11:51:56.000000000 +0100
@@ -89,6 +89,14 @@
 	display_template($TEMPLATE_CHANGEPASS, "You gave an incorrect current password");
 }
 
+// Change the current sambaNTPassword and sambaLMPassword attributes
+if ($SAMBASYNCRO) {
+    $encodedSambaPass = createSambaPasswords($newpass);
+    if (!(@ldap_mod_replace($ds, $dn, $encodedSambaPass))) {
+        fatal_error("Unable to change SambaPasswords.");
+    }
+}
+
 // Change the current password.
 $encodedpass = encode_password($newpass, $ENCODING);
 if (!(@ldap_mod_replace($ds, $dn, array('userpassword' => $encodedpass)))) {
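Review bot: the Samba hashes are replaced in a separate ldap_mod_replace() before the userpassword update that follows it, so if the second call fails the entry is left with the new NT/LM hashes and the old Unix password, the opposite of the synchronisation $SAMBASYNCRO promises. The existing userpassword call already takes an attribute array, so merge $encodedSambaPass into it and send one modify request (a single LDAP modify on one entry applies all of its changes or none of them). The `@` on ldap_mod_replace() also discards the server's reason for refusing; include ldap_error($ds) in the fatal_error() message so an ACL problem like the one discussed above is diagnosable.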

