[Samba] Samba 3 ldap password sync

[Graham Leggett]

Kevin Metz wrote:

> Well, I seem to have gotten past the most difficult parts as far as Samba and LDAP
> are concerned. I'm able to have a user log in to the domain, and get authenticated
> via LDAP. The user can also change the LDAP password from the Windows screen
> (control-alt-delete->change password). So most stuff as far as the windows domain
> login appears.
>  
> My problem is this. Linux and other users need to be able to change their ldap
> password. If they log into the box, or change it via a web interface it changes
> their ldap password, but samba doesn't seem to recognize it. For example as root I
> changed a users password via the command line and it said it was changing the LDAP
> password. I confirmed the password was changed by accessing a web page that
> authenticates using ldap and the new password worked. I then tried to access via
> samba and the new password did no work.
> 
> Am I doing something wrong or missing something obvious? Does samba cache passwords
> somewhere? I've got ldap sync set to on but that doesn't appear to be working. 

Windows encodes the password differently to the unix side, and as a 
result, the password is stored in the ldap database twice. When you 
change the password from Samba, it updates the two encoded password 
versions both for windows and for unix. When you change the password for 
unix, it only changes the unix password and not the windows encoded 
version - thus your problem.

There is an extention available for the newer versions of openldap (not 
sure if it is openldap specific) that will allow openldap to handle the 
encoding of passwords for you in the various formats - this means that 
it will "just work" no matter what software changed the password, even 
if the software had no idea about windows. I haven't used it before 
though - try and read up on openldap for more details.

Regards,
Graham
--