Fwd: [Samba] Changing LDAP password from Windows XP
Asier Baranguán
abaranguan at elpagestion.com
Tue Mar 6 08:27:00 GMT 2007
Daniel Müller wrote:
> Here is a copy of my smb.conf:
You can accomplish this in two ways: with an external password change script such as 'smbldap-passwd',
or with Samba's built-in LDAP support ('ldap passwd sync'). I assume you already have the appropriate
group mappings between your Linux server and your Windows workstations:
root at kasparov ~ # net groupmap list
Domain Admins (S-1-5-21-2958930118-1012938775-211482674-512) -> Domain Admins
Domain Users (S-1-5-21-2958930118-1012938775-211482674-513) -> Domain Users
Domain Guests (S-1-5-21-2958930118-1012938775-211482674-514) -> Domain Guests
Domain Computers (S-1-5-21-2958930118-1012938775-211482674-515) -> Domain Computers
Administrators (S-1-5-32-544) -> Administrators
Account Operators (S-1-5-32-548) -> Account Operators
Print Operators (S-1-5-32-550) -> Print Operators
Backup Operators (S-1-5-32-551) -> Backup Operators
Replicators (S-1-5-32-552) -> Replicators
root at kasparov ~ #
The relevant lines of my Samba configuration are these:
> - [ /etc/samba/smb.conf ] - - - - - - - - - - - - - - - - - - - - - -
[ ... ]
# Honour privileges granted with 'net rpc rights' (see 'enable privileges' in smb.conf(5))
enable privileges = yes
# Password changes are NOT routed through PAM: with 'ldap passwd sync' below Samba
# updates the directory itself (this is the same pair of settings recommended in the
# reply further down)
obey pam restrictions = yes
pam password change = no
# Keep the LDAP userPassword attribute in step with the NT/LM hashes Samba writes
ldap passwd sync = yes
# NOTE(review): 'yes' makes Samba remove the whole LDAP entry (POSIX attributes
# included) when the Samba account is deleted — confirm that is what you want.
ldap delete dn = yes
ldap suffix = dc=example,dc=org
# Dedicated DSA account for Samba rather than the directory root DN. Its bind
# password is kept by Samba (smbpasswd -w) in secrets.tdb, so keep this DN's LDAP
# rights limited to the Samba attributes and OUs (see the slapd ACLs below).
ldap admin dn = cn=samba,ou=DSA,dc=example,dc=org
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Idmap
# Uncomment if you use TLS
# NOTE(review): with the plain ldap:// URLs below, the admin DN bind and every
# password hash Samba writes cross the network in clear text. Enable start_tls
# (or use ldaps://) unless the LDAP server is local or reached over a trusted link.
#ldap ssl = start_tls
passdb backend = ldapsam:ldap://ldap.example.org/
idmap backend = ldap:ldap://ldap.example.org/
# Scripts
# Account and group provisioning is delegated to smbldap-tools. Samba substitutes
# %u (user) and %g (group); keep them quoted so names are passed as single arguments.
add user script = /usr/sbin/smbldap-useradd -m -a "%u"
delete user script = /usr/sbin/smbldap-userdel "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
delete group script = /usr/sbin/smbldap-groupdel "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
add machine script = /usr/sbin/smbldap-useradd -w "%u"
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you use LDAP as your backend, make sure your ACLs are correct. I followed the IDEALX HOWTO and
found that LDAP password synchronization did not work until I added 'access to * by * read' as the
last ACL. Be aware that this catch-all makes every attribute not matched by an earlier rule readable
by any bind that can already see the entry; a tighter alternative is to find out which attribute
Samba actually needs, grant it explicitly, and end with 'by * none'.
These are my ACLs:
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# OpenLDAP access control for the Samba/POSIX tree. slapd evaluates these clauses
# first-match per attribute: the first 'access to' whose <what> covers an attribute
# decides its access, so the order below matters.
# NOTE(review): in slapd.conf a continuation line must begin with whitespace; if the
# 'attrs=' lines below lost their leading indent in the mail, indent or re-join them.
# Added 'shadowLastChange' to avoid some warnings with libpam-unix2
# Password material: the Samba DSA and the user may write, anonymous may only use it
# to bind ('auth'), nobody else sees it.
# NOTE(review): cn=nssldap is also granted write here, but NSS lookups never need the
# hashes. Unless pam_ldap changes passwords with this account as rootbinddn, drop it
# to 'none' (least privilege: a leaked nssldap credential should not reset passwords).
# NOTE(review): 'by self write' on sambaPwdLastSet/sambaPwdMustChange lets a user
# rewrite their own expiry timestamps, so a server-side expiry policy is only advisory.
access to
attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange,shadowLastChange
by dn="cn=samba,ou=DSA,dc=example,dc=org" write
by dn="cn=nssldap,ou=DSA,dc=example,dc=org" write
by self write
by anonymous auth
by * none
# some attributes need to be readable anonymously so that 'id user' can answer correctly
# NOTE(review): 'by * read' includes anonymous, but the 'entry' clause below grants
# entry visibility to authenticated binds only, so an unauthenticated 'id user' would
# still get nothing — presumably nss_ldap binds as cn=nssldap. If so, 'by users read'
# is sufficient here and avoids anonymous account enumeration should the entry rule
# ever be relaxed.
access to attrs=objectClass,homeDirectory,uid,uidNumber,gidNumber,memberUid
by dn="cn=samba,ou=DSA,dc=example,dc=org" write
by * read
# 'entry' is the pseudo-attribute that gates whether an entry is returned at all:
# authenticated binds may see entries, anonymous may not.
access to attrs=entry
by dn="cn=samba,ou=DSA,dc=example,dc=org" write
by users read
by * none
# Users can change some attributes of their profile
# NOTE(review): self-write on loginShell and mail lets a user pick any shell and
# redirect their own mail; tighten if shells or mail routing are centrally controlled.
access to
attrs=description,telephoneNumber,roomNumber,homePhone,loginShell,gecos,cn,sn,givenname,mail
by dn="cn=samba,ou=DSA,dc=example,dc=org" write
by self write
by users read
by * none
# some attributes need to be writable for samba
# (cn and description were already matched by the clause above; under first-match
# evaluation listing them again here has no effect)
access to
attrs=cn,sambaLogonTime,sambaLogoffTime,sambaKickoffTime,sambaPwdCanChange,sambaAcctFlags,displayName,sambaHomePath,sambaHomeDrive,sambaLogonScript,sambaProfilePath,description,sambaUserWorkstations,sambaPrimaryGroupSID,sambaDomainName,sambaMungedDial,sambaBadPasswordCount,sambaBadPasswordTime,sambaPasswordHistory,sambaLogonHours,sambaSID,sambaSIDList,sambaTrustFlags,sambaGroupType,sambaNextRid,sambaNextGroupRid,sambaNextUserRid,sambaAlgorithmicRidBase,sambaShareName,sambaOptionName,sambaBoolOption,sambaIntegerOption,sambaStringOption,sambaStringListoption
by dn="cn=samba,ou=DSA,dc=example,dc=org" write
by self read
by * none
# samba manages:
# -> domain accounts
# -> new users
# -> new groups
# -> machines in the domain
# Write on the base and on the three OU entries themselves is what lets the Samba DSA
# add and delete child entries through the smbldap scripts (slapd checks write on the
# parent's 'children' pseudo-attribute — confirm with slapd.access(5)).
access to dn.base="dc=example,dc=org"
by dn="cn=samba,ou=DSA,dc=example,dc=org" write
by * none
access to dn="ou=Users,dc=example,dc=org"
by dn="cn=samba,ou=DSA,dc=example,dc=org" write
by * none
access to dn="ou=Groups,dc=example,dc=org"
by dn="cn=samba,ou=DSA,dc=example,dc=org" write
by * none
access to dn="ou=Computers,dc=example,dc=org"
by dn="cn=samba,ou=DSA,dc=example,dc=org" write
by * none
# Catch-all for anything not matched above. The author found password sync failed
# without it, but it also makes every unlisted attribute readable by any bind that
# can see the entry (and by anonymous too, if the 'entry' rule is ever relaxed).
# NOTE(review): prefer to identify the attribute Samba actually needs, grant it
# explicitly, and end with 'access to * by * none'.
access to *
by * read
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
And don't forget to adjust your PAM settings (install libpam-ldap or a similar package) so that
users can change their password with the passwd command:
> - [ /etc/pam.d/common-password ] - - - - - - - - - - - - - - - - - - - - -
#
# /etc/pam.d/common-password - password-related modules common to all services
#
# Stack: cracklib checks the new password's strength, then pam_unix (local shadow
# users) or pam_ldap (everyone else) stores it, both reusing the already-checked
# token via use_authtok; pam_deny closes the stack if neither module succeeded.
# NOTE(review): minlen=4 is an extremely weak minimum length for domain passwords —
# raise it (and difok) to match the password policy you actually want enforced.
password required pam_cracklib.so retry=3 minlen=4 difok=3
# NOTE(review): 'nullok' lets accounts with an empty password through this module;
# drop it unless empty passwords are deliberately allowed. 'md5' is a dated hash for
# local accounts — prefer sha512 if your libc supports it.
password sufficient pam_unix.so nullok use_authtok shadow md5
# use_first_pass: never prompt again, so the cracklib-checked token is the one stored
password sufficient pam_ldap.so use_authtok use_first_pass
password required pam_deny.so
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> [global]
> workgroup = MAIL
> netbios name = YOURMOM
> security = user
> passdb backend = ldapsam:ldap://mail.yourmom.net
> ldap admin dn = cn=Directory Manager
> ldap suffix = dc=yourmom,dc=net
> ldap user suffix = ou=People
> ldap idmap suffix = ou=People
> ldap machine suffix = ou=Computers
> ldap group suffix = ou=Groups
> ldap passwd sync = yes
Make sure this is set to 'yes'. With it on, Samba also updates the LDAP userPassword attribute
whenever it writes the NT/LM hashes, using the 'ldap admin dn' credentials.
> ldap delete dn = no
> obey pam restrictions = no
Set this to 'yes' and add the following line:
pam password change = no
> encrypt passwords = yes
> passwd program = /usr/sbin/smbldap-passwd %u
Comment this line out; with 'ldap passwd sync = yes' Samba writes the LDAP password itself, so an
external passwd program is not needed.
> add machine script = /usr/sbin/smbldap-useradd -w "%u"
Make sure all the script lines (add/delete user, add/delete group, group membership, primary group,
add machine) are present. Also note that 'ldap admin dn = cn=Directory Manager' is your directory's
superuser: Samba stores that bind password (smbpasswd -w) in secrets.tdb, so consider a dedicated
DSA account whose write access is limited to the Samba attributes and OUs, as in the ACLs above.
Good luck!