[Samba] Samba 3 ldap password sync
minfrin at sharp.fm
Mon May 3 19:32:22 GMT 2004
Kevin Metz wrote:
> Well, I seem to have gotten past the most difficult parts as far as Samba and LDAP
> are concerned. I'm able to have a user log in to the domain, and get authenticated
> via LDAP. The user can also change the LDAP password from the Windows screen
> (control-alt-delete->change password). So most stuff as far as the windows domain
> login appears.
> My problem is this. Linux and other users need to be able to change their ldap
> password. If they log into the box, or change it via a web interface it changes
> their ldap password, but samba doesn't seem to recognize it. For example as root I
> changed a users password via the command line and it said it was changing the LDAP
> password. I confirmed the password was changed by accessing a web page that
> authenticates using ldap and the new password worked. I then tried to access via
> samba and the new password did not work.
> Am I doing something wrong or missing something obvious? Does samba cache passwords
> somewhere? I've got ldap sync set to on but that doesn't appear to be working.
Windows encodes the password differently to the unix side, and as a
result, the password is stored in the ldap database twice. When you
change the password from Samba, it updates the two encoded password
versions both for windows and for unix. When you change the password for
unix, it only changes the unix password and not the windows encoded
version - thus your problem.
There is an extension available for the newer versions of openldap (not
sure if it is openldap specific) that will allow openldap to handle the
encoding of passwords for you in the various formats - this means that
it will "just work" no matter what software changed the password, even
if the software had no idea about windows. I haven't used it before
though - try and read up on openldap for more details.
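The two encodings the reply describes can be checked directly. The example below is added here and is not code from the Samba project or from either poster; it assumes the user entry carries the Samba 3 LDAP schema attributes sambaNTPassword and sambaPwdLastSet alongside the POSIX userPassword, and that userPassword uses the {SSHA} scheme. sambaNTPassword is MD4 over the UTF-16LE password, stored as upper-case hex; a pure-Python MD4 is included because OpenSSL builds often no longer expose it. Run against a constructed entry that mimics the original poster's situation (userPassword already changed by the unix side, sambaNTPassword still the old value), it reports the mismatch and prints the LDIF that would bring both attributes back into agreement. The sambaLMPassword attribute is deliberately left out: it needs DES and is only consulted when `lanman auth = yes`.

```python
"""Added example (not from the Samba project or the thread): detect and repair a
userPassword / sambaNTPassword mismatch in a Samba 3 LDAP user entry."""
import base64
import hashlib
import os
import struct
import time


def _lrot(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4; included because hashlib's md4 is often unavailable."""
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000,
         list(range(16)), [3, 7, 11, 19]),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
         [(i % 4) * 4 + i // 4 for i in range(16)], [3, 5, 9, 13]),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
         [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], [3, 9, 11, 15]),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        s = h[:]
        for fn, const, order, shifts in rounds:
            for i in range(16):
                t = (-i) % 4  # which of a,d,c,b is updated this step
                val = (s[t] + fn(s[(t + 1) % 4], s[(t + 2) % 4], s[(t + 3) % 4])
                       + X[order[i]] + const) & 0xFFFFFFFF
                s[t] = _lrot(val, shifts[i % 4])
        h = [(x + y) & 0xFFFFFFFF for x, y in zip(h, s)]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> str:
    """Value Samba stores in sambaNTPassword: MD4(UTF-16LE(pw)), upper-case hex."""
    return md4(password.encode("utf-16-le")).hex().upper()


def make_ssha(password: str, salt: bytes = None) -> str:
    """A common unix-side userPassword: {SSHA}base64(sha1(pw||salt)||salt)."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(stored: str, password: str) -> bool:
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(password.encode("utf-8") + salt).digest() == digest


def password_state(entry: dict, password: str) -> dict:
    """Which of the two stored encodings agree with the candidate password."""
    return {
        "unix_ok": verify_ssha(entry.get("userPassword", ""), password),
        "samba_ok": entry.get("sambaNTPassword", "").upper() == nt_hash(password),
    }


def resync_ldif(dn: str, password: str, now: int = None) -> str:
    """LDIF replacing both encodings; feed to ldapmodify as a DN allowed to
    write these attributes (the hashes are secrets, so not over plain LDAP)."""
    if now is None:
        now = int(time.time())
    return "\n".join([
        f"dn: {dn}", "changetype: modify",
        "replace: userPassword", f"userPassword: {make_ssha(password)}", "-",
        "replace: sambaNTPassword", f"sambaNTPassword: {nt_hash(password)}", "-",
        "replace: sambaPwdLastSet", f"sambaPwdLastSet: {now}", "",
    ])


# Constructed sample entry (hypothetical DN): passwd(1) has just rewritten
# userPassword for "newpass", but sambaNTPassword still encodes "oldpass".
SAMPLE_ENTRY = {
    "dn": "uid=kevin,ou=People,dc=example,dc=com",
    "userPassword": make_ssha("newpass", salt=b"\x01\x02\x03\x04"),
    "sambaNTPassword": nt_hash("oldpass"),
}

if __name__ == "__main__":
    print(password_state(SAMPLE_ENTRY, "newpass"))  # unix_ok True, samba_ok False
    print(resync_ldif(SAMPLE_ENTRY["dn"], "newpass"))
```

The check is the quickest way to confirm the diagnosis in the reply: after a unix-side change, `unix_ok` is true and `samba_ok` is false, which is exactly what a Windows logon sees. Samba's `ldap passwd sync` setting only covers the opposite direction (a change made through Samba also rewriting userPassword); for unix-initiated changes either re-run the resync above from whatever tool changes the password, or use the server-side OpenLDAP mechanism the reply mentions so the directory writes both attributes itself.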