[Samba] load password users in Ldap

Buchan Milne bgmilne at cae.co.za
Fri May 30 12:46:02 GMT 2003 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> ------------------------------
>
> Message: 13
> Date: Fri, 30 May 2003 12:06:28 +0200
> From: Jose Antonio G?mez Mu?oz <jagomez at coam.org>
> Subject: [Samba] load password users in Ldap
> To: <samba at lists.samba.org>
> Message-ID: <01e301c32693$2315b8e0$8f05a8c0 at coam.org>
> Content-Type: text/plain;	charset="iso-8859-1"
>
> Hello,
>
> I'm new in Samba Ldap. I use samba-2.2.3a and openldap2-2.1.4-46.

Please use a newer version of samba, firstly 2.2.3a is vulnerable to a
remote root exploit, secondly, a lot of changes required for good LDAP
operation are only available in later (ie 2.2.7a or later) releases.

> I am going to load in Ldap a lot of users in a ldif file as it is
> shown below. But I don't know how to put samba password. I can use:

> smbpasswd juan1
>
> and then the fields lmPassword and ntPassword are changed. In this
> way, after load all users in Ldap I would need a script to do a
> smbpasswd for each user automatically, without prompt me for each one.
> ¿ How can I do to avoid prompting me ?

See the mkntpwd program in examples/LDAP/smbldap-tools/mkntpwd for a
tool that will create LM and NT hashes for you from a clear-text password.

If you already have samba passwords in an smbpasswd file, see
import_smbpasswd.pl in examples/LDAP, If you have users in passwd files,
you can also import a lot of the information using the migration tools.

>

> I think it is better to put the real password in lmPassword and
> ntPassword but it doesn't work. Which is the easiest method to put the
> samba password in the load process?

>
> ldif file
> ==============
>
> dn: uid=juan1, ou=smb, dc=Colegio Oficial de Arquitectos de Madrid, dc=es
> cn: juan1
> objectClass: sambaAccount
> objectClass: posixAccount
> uid: juan1
> pwdLastSet: 0
> logonTime: 0
> logoffTime: 2147483647
> kickoffTime: 2147483647
> pwdCanChange: 0
> pwdMustChange: 2147483647
> userPassword: hola
> lmPassword: 37D5B8AB8069F5B8AB5B8AB8B8AB8069
> ntPassword: 5B8AB8B8AB85B8A5B8AB8B8AB82BE319
> acctFlags: [UX         ]
> uidNumber: 1020
> gidNumber: 1001
> loginShell: /bin/bash
> rid: 3040
> primaryGroupID: 513
> homeDirectory: /dev/null
>
>
>
>
> /etc/samba/smb.conf
> ====================
> ldap server = localhost
> ldap port = 389
> ldap suffix = "ou=smb, dc=Colegio Oficial de Arquitectos de Madrid, dc=es"
> ldap admin dn = "cn=Manager, dc=Colegio Oficial de Arquitectos de
Madrid, dc=es"

Your suffix implies that you own the domain "Colegio Oficial de
Arquitectos de Madrid.es" (dc means domain component), you may want to
rather use o=Colegio Oficial de Arquitectos de Madrid,c=es instead, or a
real domain-type suffix.

BTW, you may want to review these documents, which cover a lot of the
issues:

http://www.mandrakesecure.net/en/docs/samba-pdc.php
http://www.mandrakesecure.net/en/docs/samba-ldap-advanced.php

(note, some minor modifications may occur to these documents still ...)

Since you are using openldap-2.1, you should also look at this document:
http://www.unav.es/cti/ldap-smb/ldap-smb-2_2-howto.html#AUXILIARY

(at this stage, openldap-2.0.x may be a better choice, just because it
is understood better, and all the available schemas work with it).

Regards,
Buchan

- --
|--------------Another happy Mandrake Club member--------------|
Buchan Milne                Mechanical Engineer, Network Manager
Cellphone * Work            +27 82 472 2231 * +27 21 8828820x202
Stellenbosch Automotive Engineering         http://www.cae.co.za
GPG Key                   http://ranger.dnsalias.com/bgmilne.asc
1024D/60D204A7 2919 E232 5610 A038 87B1 72D6 AC92 BA50 60D2 04A7
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQE+11KJrJK6UGDSBKcRApjTAJ9QL5MbtkMx1uZIygPnXwxYLXexTgCfUX7/
6gLzfRnhEgmjsBk9DKvHXX8=
=JPIb
-----END PGP SIGNATURE-----

******************************************************************
Please click on http://www.cae.co.za/disclaimer.htm to read our
e-mail disclaimer.
******************************************************************

More information about the samba mailing list