[Samba] Re: help with LDAP and Samba
Alexander E. Patrakov
patrakov at ums.usu.ru
Sat Aug 14 15:06:25 GMT 2004
Lionel Beard wrote:
> Hello Alexander,
>
> Saturday, August 14, 2004, 5:49:43 AM, you wrote:
>
> AEP> Andre Cameron wrote:
>
>
>>> unix password sync = Yes
>
> AEP> You don't need that in LDAP setup if you keep posix account information
> AEP> in LDAP using posixAccount objectclass, like LAM does. You probably want
> AEP> unix password sync = no, ldap password sync = yes and also mention
> AEP> pam_smbpass.so in /etc/pam.d/* and also install nss-ldap.
>
> "unix password sync" is not necessary when you want
> synchronization between Windows password and Unix password? When a
> user changes his password from a Windows workstation to change it for
> unix login?
>
Not necessary. Exactly what I said. In an environment using pam_ldap, there
is no "unix password", there is "ldap password", and I have ldap
password sync = yes. In other words, passwords of unix users are
validated against ldap, and we let SAMBA change the ldap password.

Think about the situation when the user logs in from unix and runs the
"passwd" command. To update SMB password automatically, one needs
pam_smbpass. But see: if unix password sync = yes, SAMBA will call
passwd again, which will change the SAMBA password again via
pam_smbpass, and SAMBA will call passwd yet again - a loop.

And in my situation (unix password sync = no, ldap password sync = yes):
when a user changes the password from Windows, SAMBA also updates the
LDAP password (the one which is checked by pam_ldap). When a user
attempts to change his password from unix, pam_smbpass does the same =>
both SMB and LDAP passwords are changed.
--
Alexander E. Patrakov
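
The three situations described in the message above, written as a small configuration audit. This is an added example, not code from the thread or from the Samba project; the function names, finding labels and the sample smb.conf and PAM text are constructed for illustration. It accepts both "ldap passwd sync" (the spelling in the smb.conf manual) and "ldap password sync" as written in the message.

```python
import re

TRUTHY = {"yes", "true", "on", "1"}  # boolean spellings smb.conf accepts

def smb_globals(text):
    """[global] parameters; Samba ignores case and spaces in parameter names."""
    params, section = {}, None
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params["".join(key.lower().split())] = value.strip().lower()
    return params

def pam_has_smbpass(pam_text):
    """True if a 'password' stack line loads pam_smbpass.so."""
    for line in pam_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields and fields[0] == "password" and any(
                f.endswith("pam_smbpass.so") for f in fields[1:]):
            return True
    return False

def audit(smb_text, pam_text):
    g = smb_globals(smb_text)
    unix_sync = g.get("unixpasswordsync", "no") in TRUTHY  # default: no
    ldap_sync = g.get("ldappasswdsync", g.get("ldappasswordsync", "no"))
    smbpass = pam_has_smbpass(pam_text)
    findings = []
    if unix_sync and smbpass:
        findings.append("loop: Samba runs passwd, pam_smbpass calls back into Samba")
    if ldap_sync not in TRUTHY | {"only"}:
        findings.append("windows-change: LDAP password checked by pam_ldap not updated")
    if not smbpass:
        findings.append("unix-change: passwd does not update the SMB password")
    return findings

# Constructed sample inputs (not the actual files of anyone in the thread).
PAM_PASSWD = "password required pam_ldap.so\npassword required pam_smbpass.so use_authtok\n"
LOOPING = "[global]\n unix password sync = Yes\n ldap passwd sync = yes\n"
FIXED = "[global]\n unix password sync = no\n ldap password sync = yes\n"

if __name__ == "__main__":
    for name, conf in (("looping", LOOPING), ("fixed", FIXED)):
        print(name, audit(conf, PAM_PASSWD) or "ok")
```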