[Samba] password - ldap questions
Otto Schakenbos
otto.schakenbos at NOSPMteleflex.com
Tue Dec 16 16:03:34 GMT 2003
Dear List
I have set up a Samba server with an OpenLDAP backend (using the great
guide from hilinsk and Gerald's LDAP system administration book).
I also have the unix account information stored in the ldap.
Current setup
samba 3.01 rc1
latest stable openldap on the same box
unix/samba accounts are stored in the ldap. (using nsswitch)
question 1
We have a corporate-wide iPlanet LDAP server (which I can only read
from) used for email. I tried to sync the passwords from this
LDAP server with the Samba/OpenLDAP one so my Samba users would only
have to remember one password. I used a script that fetches the
(encrypted, SHA1) passwords into an LDIF file and ldapmodifies this password
into the Samba/OpenLDAP server. This part works. The problem is that Samba wants
the sambaNTPassword and doesn't even look at the userPassword. Is there
a way that I can make Samba use the SHA1 userPassword, or do I have a
"no go, bad luck" here?
Another solution would be to go the other way around so to update the
corporate ldap server when someone changes his windows/samba password
and that brings me to question number 2.
question 2
If I change the password from my Windows workstation using the native
Windows change-password mechanism, the sambaNTPassword gets changed but
the userPassword doesn't. I'm using the smbldap-passwd.pl tool. If I use
this tool directly from the command line it does update the userPassword
just fine (using the same syntax as in the smb.conf).
When I turn on "sync unix passwords", the domain stops working (domain
not found).
Below is my smb.conf.
Thanks for your help
Regards
[global]
workgroup = TIS-AG
netbios name = TISPDC
null passwords = Yes
passdb backend = ldapsam
passwd program = /usr/local/sbin/smbldap-passwd.pl -o %u
passwd chat = *new*password* %n\n *new*password:* %n\n *successfully*
passwd chat debug = Yes
log level = 1 passdb:2 auth:2
log file = /var/log/samba/%m.log
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
add user script = /usr/local/sbin/smbldap-useradd.pl -a %u
delete user script = /usr/local/sbin/smbldap-userdel.pl %u
add group script = /usr/local/sbin/smbldap-groupadd.pl %g
delete group script = /usr/local/sbin/smbldap-groupdel.pl %g
add user to group script = /usr/local/sbin/smbldap-groupmod.pl
delete user from group script = /usr/local/sbin/smbldap-groupmod.pl -x %u %g
set primary group script = /usr/local/sbin/smbldap-usermod.pl -G %g %u
add machine script = /usr/local/sbin/smbldap-useradd.pl -w %m
logon script = logon.bat
logon path =
domain logons = Yes
os level = 33
preferred master = Yes
domain master = Yes
wins support = Yes
ldap suffix = dc=Test,dc=com
ldap machine suffix = ou=Machines
ldap user suffix = ou=People
ldap group suffix = ou=Group
ldap admin dn = uid=root,ou=People,dc=Test,dc=com
ldap ssl = no
idmap backend = ldap:ldap://127.0.0.1
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind separator = +
comment = Samba-PDC Server
[netlogon]
path = /data/netlogon
write list = ntadmin
locking = No
--
Otto Schakenbos
PC-Support
TFX IT-Service AG
Fronackerstrasse 33-35
71332 Waiblingen
GERMANY
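Behind question 1 there is a structural limit: for NTLM logons Samba verifies the client against sambaNTPassword, the unsalted MD4 digest of the UTF-16LE password, and that value cannot be derived from a SHA-1 userPassword (nor the other way round); both can only be produced from the cleartext at the moment the password is changed, which is why a passwd program such as smbldap-passwd.pl can keep them in step while a hash-to-hash copy cannot. The following added example (not code from this post or from smbldap-tools) shows both derivations and the LDIF modify that sets both attributes; the DN and salt values are constructed samples, and the MD4 is implemented inline because hashlib on OpenSSL 3 builds often does not provide it.

```python
import base64
import hashlib
import struct


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib often lacks it on OpenSSL 3 builds."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rol = lambda x, n: ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = ((F, 0, (3, 7, 11, 19), range(16)),
              (G, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
              (H, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)))
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        A, B, C, D = state
        for fn, K, shifts, order in rounds:
            for i, k in enumerate(order):
                A = rol((A + fn(B, C, D) + X[k] + K) & 0xFFFFFFFF, shifts[i % 4])
                A, B, C, D = D, A, B, C  # rotate roles so each word is updated in turn
        state = [(s + v) & 0xFFFFFFFF for s, v in zip(state, (A, B, C, D))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """sambaNTPassword: unsalted MD4 of the UTF-16LE password, upper-case hex."""
    return md4(password.encode("utf-16-le")).hex().upper()


def ssha(password: str, salt: bytes) -> str:
    """OpenLDAP {SSHA} userPassword: base64(sha1(password || salt) || salt)."""
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def check_ssha(password: str, stored: str) -> bool:
    """Verify an {SSHA} value: the salt is whatever follows the 20-byte digest."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    return ssha(password, raw[20:]) == stored


def password_change_ldif(dn: str, password: str, salt: bytes) -> str:
    """LDIF modify setting both attributes from one cleartext (constructed DN/salt)."""
    return "\n".join([f"dn: {dn}", "changetype: modify",
                      "replace: userPassword", f"userPassword: {ssha(password, salt)}", "-",
                      "replace: sambaNTPassword", f"sambaNTPassword: {nt_hash(password)}", "-", ""])
```

Feeding the output of password_change_ldif() to ldapmodify against the Samba tree updates both values in one operation; a script that only has the iPlanet SHA-1 hash has no cleartext to feed it.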