[Samba] BDC and password change program

Stéphane Purnelle stephane.purnelle at tiscali.be
Wed Aug 31 11:52:36 GMT 2005



The LDAP server at 172.16.0.24 is the master LDAP server, but in the
smb.conf of the BDC, the LDAP server is on localhost.
If the IP address of the BDC is 172.16.0.24, you should have no problem.
If it is different, you must configure LDAP for replication,
because a password change on the PDC is not replicated to the BDC.

The BDC does not verify the password with the PDC, but only with the
passdb backend.
On the BDC you can disable these lines:
passwd program = /usr/bin/smbpasswd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n*Retype\snew\sUnix\spassword:* %n\n

kent wrote:

> Have you used the -r option for smbpasswd to connect to the PDC in
> smb.conf? Just wondering what the password chat would be. I can
> test it out and see what works.
>
> Kent N
>
> Bruno Guerreiro <bruno.guerreiro at ine.pt> wrote:
>
>> Hi there, The best (only?) way to go is with a LDAP Master+slave
>> architecture. All changes must be done at the LDAP Master server
>> which automatically replicates them to all slave ldap servers.
>> So, yes, the BDC MUST talk to the PDC, or at least the master
>> ldap server to change the password.
>>
>> Best Regards. Bruno Guerreiro
>>
>> -----Original Message----- From: kent
>> [mailto:kent at mail.wareham.mec.edu] Sent: Wednesday, 31
>> August 2005 11:15 To: mdonada at auroraalimentos.com.br; Samba
>> Subject: Re: [Samba] BDC and password change program
>>
>>
>> Hello, How are you doing? I just switched this summer from RedHat
>> 8.0 with compiled versions of Samba, OpenLDAP and Berkeley DB to
>> Fedora Core 4 with precompiled Samba, OpenLDAP and BerkeleyDB.
>> Here is the smb.conf from one school that is a BDC:
>>
>> [global]
>>   workgroup = WarehamPS
>>   encrypt passwords = Yes
>>   time offset = 60
>>   time server = Yes
>>   # log level = 5
>>   socket options = TCP_NODELAY TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>>   security = user
>>   username map = /etc/samba/smbusers
>>   logon script = whs1.bat
>>   writable = Yes
>>   interfaces = eth0 eth1
>>   directory mask = 02770
>>   preferred master = yes
>>   netbios name = whs1
>>   server string = Fedora Core 4 SAMBA server
>>   passdb backend = ldapsam:ldap://127.0.0.1
>>   ldap passwd sync = Yes
>>   machine password timeout = 604800
>>   passwd program = /usr/bin/smbpasswd %u
>>   passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUnix\spassword:* %n\n
>>   log file = /var/log/samba/%m.log
>>   debug level = 2
>>   max log size = 50
>>   add machine script = /usr/sbin/addmachine.sh "%u"
>>   logon path =
>>   logon drive = H:
>>   logon home =
>>   domain logons = Yes
>>   os level = 64
>>   domain master = No
>>   dns proxy = no
>>   admin users = @domain_admins
>>   wins support = no
>>   wins server = 172.16.0.13
>>   wins proxy = yes
>>   local master = yes
>>   name resolve order = hosts wins bcast
>>   ldap suffix = dc=tow,dc=net
>>   ldap machine suffix = ou=Computers
>>   ldap user suffix = ou=Users
>>   ldap group suffix = ou=Groups
>>   ldap admin dn = cn=admin,dc=tow,dc=net
>>   ldap ssl = no
>>
>> [homes]
>>   comment = Home Directories
>>   read only = no
>>   browseable = no
>>   writable = yes
>>   path = %H
>>   # valid users = %S
>>
>> [netlogon]
>>   root preexec = /accounts/netlogon/prelogon.pl %U
>>   path = /accounts/netlogon
>>   comment = Netlogon share
>>   locking = no
>>   browseable = yes
>>   valid users = @whsstaff, @whsstudent, @whs-cafe, navinstall, kent
>>   read only = yes
>>   hide files = /.*/*dll/*DLL/*.bat/*.kix/*.rap/*pl/
>>   write list = @domain_admins
>>
>> [staff]
>>   comment = Staff directory
>>   path = /accounts/common
>>   create mode = 0660
>>   browseable = no
>>   write list = @whsstaff
>>   valid users = @whsstaff
>>
>> [programs]
>>   comment = Applications
>>   path = /accounts/programs
>>   browseable = no
>>   create mode = 0660
>>   write list = @whsstaff
>>   valid users = @whsstaff
>>
>> [cafeteria]
>>   path = /accounts/cafeteria/data
>>   browseable = no
>>   valid users = @whs-cafe, dperry
>>   force group = whs-cafe
>>   create mode = 0660
>>   directory mode = 0770
>>
>> Here is the smb.conf for the PDC:
>>
>> [global]
>>   workgroup = WarehamPS
>>   encrypt passwords = Yes
>>   time server = Yes
>>   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>>   security = user
>>   writable = Yes
>>   interfaces = eth0 eth1
>>   directory mask = 02770
>>   preferred master = yes
>>   local master = Yes
>>   username map = /etc/samba/smbusers
>>   netbios name = wms1
>>   server string = Fedora Core 4 SAMBA Server
>>   passdb backend = ldapsam:ldap://172.16.0.24
>>   ldap passwd sync = Yes
>>   machine password timeout = 604800
>>   passwd program = /usr/bin/smbpasswd %u
>>   passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUnix\spassword:* %n\n
>>   log file = /var/log/samba/%m.log
>>   debug level = 2
>>   max log size = 30
>>   # add machine script = /usr/bin/smbpasswd -m %u
>>   add machine script = /usr/sbin/addmachine.sh "%u"
>>   logon script = wms1.bat
>>   logon path =
>>   logon drive = H:
>>   logon home =
>>   domain logons = Yes
>>   os level = 255
>>   domain master = Yes
>>   dns proxy = Yes
>>   admin users = @domain_admins
>>   wins support = Yes
>>   remote browse sync = 172.16.0.3 172.16.0.19 172.16.0.15 172.16.0.26 172.16.0.20 172.16.80.1
>>   name resolve order = hosts wins bcast
>>   ldap suffix = dc=tow,dc=net
>>   ldap machine suffix = ou=Computers
>>   ldap user suffix = ou=Users
>>   ldap group suffix = ou=Groups
>>   ldap admin dn = cn=admin,dc=tow,dc=net
>>   ldap ssl = no
>>
>> [homes]
>>   comment = Home Directories
>>   read only = no
>>   browseable = no
>>   writable = yes
>>   path = %H
>>   hide files = /.*/
>>
>> [netlogon]
>>   comment = Netlogon share
>>   root preexec = /accounts/netlogon/prelogon.pl %U
>>   path = /accounts/netlogon
>>   valid users = @wmsstaff, @wmsstudent, @domain_users, @wms-cafe, navinstall
>>   locking = no
>>   browseable = no
>>   read only = yes
>>   write list = @domain_admins
>>   hide files = /*.dll/*.rap/*.kix/*.bat/*.pl/
>>
>> [cafeteria]
>>   path = /accounts/cafeteria/data
>>   browseable = yes
>>   valid users = @wms-cafe, dperry
>>   force group = wms-cafe
>>   create mode = 0660
>>   directory mode = 0770
>>
>> [staff]
>>   path = /accounts/common
>>   browseable = no
>>   valid users = @wmsstaff
>>   force group = wmsstaff
>>   write list = @domain_admins, @wmsstaff
>>   create mode = 0660
>>   directory mode = 0770
>>
>> [programs]
>>   path = /accounts/programs
>>   browseable = no
>>   valid users = @wmsstaff, @techstaff
>>   create mode = 0660
>>
>> [tech]
>>   path = /accounts/tech
>>   browseable = no
>>   valid users = @techstaff
>>   force group = techstaff
>>   write list = @techstaff
>>   create mode = 0660
>>   directory mode = 0770
>>
>> The addmachine.sh script is my own version of an add machine. All
>> users, groups, computers have corresponding posix accounts in
>> LDAP as well as Samba objectClass and attributes. I don't use any
>> Windows utilities to manipulate user group information in LDAP, I
>> have my own set of routines tailored to our system that allow
>> individual control of LDAP info or we can batch add/delete
>> accounts and user attributes by interactive shell scripts.
>>
>> My question to the Samba community is still: should the password
>> program on the BDC talk to the PDC by smbpasswd -r <PDC address>?
>> I'm having a little password out of sync problem.
>>
>> Kent N.
>>
>> Marcio Luciano Donada <mdonada at auroraalimentos.com.br>
>> wrote:
>>

> kent wrote:
>
> | Hello, Just wondering what I should be using for the password
> | change program on a BDC. Should it be: passwd program =
> | /usr/bin/smbpasswd -r <PDC address> %u
> |
> | I'm having a problem with passwords not staying in sync between the
> | PDC and BDC with pass backend ldap.
> |
> | The systems are all Fedora Core 4, Samba 3.0.14a, openldap 2.2.23
> |
> | Kent N
>
> Hello, I am trying to configure the BDC. How are you adding them to
> your schema in the LDAP base? Can you supply your configuration
> (smb.conf) and smbldap.conf for me to analyze?
>
> thanks
>
> -- Márcio Luciano Donada T.I. Aurora Alimentos Chapecó(SC)
> Cooperativa Central Oeste Catarinense mdonada at auroraalimentos
> dot com dot br


>> -- To unsubscribe from this list go to the following URL and read
>> the instructions: https://lists.samba.org/mailman/listinfo/samba



--
Stéphane Purnelle <stephane.purnelle at tiscali.be>
Site Web : http://www.linuxplusvalue.be
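As an added example (not from the thread or from Samba itself), here is a small POSIX shell check that reads a BDC's smb.conf and reports the two points made above: whether the ldapsam URL points at a local slave rather than the master (so LDAP replication must be configured), and whether "passwd program"/"passwd chat" are still set on the BDC. The parser, the master address argument and the constructed sample config are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Parses the [global] section of an smb.conf
# (constructed sample below) and flags the two BDC issues discussed: an ldapsam
# URL pointing at a local slave, and "passwd program"/"passwd chat" left set.

# Print the value of one [global] parameter (case-insensitive, first match).
global_param() {  # $1 = smb.conf path, $2 = parameter name
    awk -v key="$2" '
        /^[ \t]*\[/ { insec = (tolower($0) ~ /^[ \t]*\[global\]/); next }
        insec && $0 !~ /^[ \t]*[#;]/ {
            n = index($0, "="); if (n == 0) next
            k = substr($0, 1, n - 1); gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (tolower(k) == tolower(key)) {
                v = substr($0, n + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# Host part of the passdb backend URL: ldapsam:ldap://127.0.0.1 -> 127.0.0.1
ldap_host() {
    global_param "$1" "passdb backend" | sed -n 's#.*ldap://\([^/:]*\).*#\1#p'
}

# One finding per line. $1 = smb.conf path, $2 = master LDAP host (assumed).
bdc_check() {
    host=$(ldap_host "$1")
    case "$host" in
        "$2") echo "ldap: BDC talks to the master $host directly" ;;
        127.0.0.1|localhost|"") echo "ldap: BDC uses a local slave; replication from $2 required" ;;
        *) echo "ldap: BDC uses $host, master is $2; replication required" ;;
    esac
    [ -n "$(global_param "$1" "passwd program")" ] && echo "passwd program set: not needed on a BDC"
    [ -n "$(global_param "$1" "passwd chat")" ] && echo "passwd chat set: not needed on a BDC"
    return 0
}

# Constructed sample, reduced from the BDC smb.conf quoted in the thread.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
[global]
   workgroup = WarehamPS
   passdb backend = ldapsam:ldap://127.0.0.1
   ldap passwd sync = Yes
   passwd program = /usr/bin/smbpasswd %u
   passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUnix\spassword:* %n\n
[homes]
   passwd program = /only/counts/in/global
EOF
bdc_check "$SAMPLE" 172.16.0.24
```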


