[Samba] BDC and password change program

Bruno Guerreiro bruno.guerreiro at ine.pt
Wed Aug 31 12:00:53 GMT 2005


I'm using smbldap-tools, so I don't use smbpasswd directly.
On the command line...

[root at slavedc root]# smbpasswd -r masterdc -U test.user
Old SMB password:
New SMB password:
Retype new SMB password:
Password changed for user test.user on masterdc.
[root at slavedc root]#


It asks for the old password. Although I'm root at slavedc, I may not be at
masterdc, hence the need to provide the old password.

Can you pass the old value to smbpasswd in smb.conf?

Ever tried smbldap-tools ( http://www.idealx.org/prj/samba/index.en.html )? 

Best Regards,
Bruno Guerreiro

-----Original Message-----
From: kent [mailto:kent at mail.wareham.mec.edu]
Sent: Wednesday, 31 August 2005 12:41
To: bruno.guerreiro at ine.pt; Samba
Subject: RE: [Samba] BDC and password change program


Have you used the -r option for smbpasswd to connect to the PDC in smb.conf?
Just wondering what the password chat would be. I can test it out and see what
works.

Kent N

Bruno Guerreiro <bruno.guerreiro at ine.pt> wrote: 
> Hi there,
> The best (only?) way to go is with a LDAP Master+slave architecture.
> All changes must be done at the LDAP Master server which automatically
> replicates them to all slave ldap servers.
> So, yes, the BDC MUST talk to the PDC, or at least the master ldap server to
> change the password.
> 
> Best Regards.
> Bruno Guerreiro
> 
> -----Original Message-----
> From: kent [mailto:kent at mail.wareham.mec.edu]
> Sent: Wednesday, 31 August 2005 11:15
> To: mdonada at auroraalimentos.com.br; Samba
> Subject: Re: [Samba] BDC and password change program
> 
> 
> Hello,
> How are you doing? I just switched this summer from RedHat 8.0 with compiled
> versions of Samba, OpenLDAP and Berkeley DB to Fedora Core 4 with precompiled
> Samba, OpenLDAP and BerkeleyDB. Here is the smb.conf from one school that is a
> BDC:
> [global]
>    workgroup = WarehamPS
>         encrypt passwords = Yes
>         time offset = 60
>         time server = Yes
> #       log level = 5
>         socket options = TCP_NODELAY TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>         security = user
>         username map = /etc/samba/smbusers
>         logon script = whs1.bat
>         writable = Yes
>         interfaces = eth0 eth1
>         directory mask = 02770
>         preferred master = yes
>         netbios name = whs1
>         server string = Fedora Core 4 SAMBA server
>         passdb backend = ldapsam:ldap://127.0.0.1
>         ldap passwd sync = Yes
>         machine password timeout = 604800
>         passwd program = /usr/bin/smbpasswd %u
>         passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUnix\spassword:* %n\n
>         log file = /var/log/samba/%m.log
>         debug level = 2
>         max log size = 50
>         add machine script = /usr/sbin/addmachine.sh "%u"
>         logon path =
>         logon drive = H:
>         logon home =
>         domain logons = Yes
>         os level = 64
>         domain master = No
>         dns proxy = no
>         admin users = @domain_admins
>         wins support = no
>         wins server = 172.16.0.13
>         wins proxy = yes
>         local master = yes
>         name resolve order = hosts wins bcast
>         ldap suffix = dc=tow,dc=net
>         ldap machine suffix = ou=Computers
>         ldap user suffix = ou=Users
>         ldap group suffix = ou=Groups
>         ldap admin dn = cn=admin,dc=tow,dc=net
>         ldap ssl = no
> 
> [homes]
>         comment = Home Directories
>         read only = no
>         browseable = no
>         writable = yes
>         path = %H
> #       valid users = %S
> 
> [netlogon]
>         root preexec = /accounts/netlogon/prelogon.pl %U
>         path = /accounts/netlogon
>         comment = Netlogon share
>         locking = no
>         browseable = yes
>         valid users = @whsstaff, @whsstudent, @whs-cafe, navinstall, kent
>         read only = yes
>         hide files = /.*/*dll/*DLL/*.bat/*.kix/*.rap/*pl/
>         write list = @domain_admins
> [staff]
>         comment = Staff directory
>         path = /accounts/common
>         create mode = 0660
>         browseable = no
>         write list = @whsstaff
>         valid users = @whsstaff
> [programs]
>         comment = Applications
>         path = /accounts/programs
>         browseable = no
>         create mode = 0660
>         write list = @whsstaff
>         valid users = @whsstaff
> 
> [cafeteria]
>         path = /accounts/cafeteria/data
>         browseable = no
>         valid users = @whs-cafe, dperry
>         force group = whs-cafe
>         create mode = 0660
>         directory mode = 0770
> 
> Here is the smb.conf for the PDC:
> [global]
>         workgroup = WarehamPS
>         encrypt passwords = Yes
>         time server = Yes
>         socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>         security = user
>         writable = Yes
>         interfaces = eth0 eth1
>         directory mask = 02770
>         preferred master = yes
>         local master = Yes
>         username map = /etc/samba/smbusers
>         netbios name = wms1
>         server string = Fedora Core 4 SAMBA Server
>         passdb backend = ldapsam:ldap://172.16.0.24
>         ldap passwd sync = Yes
>         machine password timeout = 604800
>         passwd program = /usr/bin/smbpasswd %u
>         passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUnix\spassword:* %n\n
>         log file = /var/log/samba/%m.log
>         debug level = 2
>         max log size = 30
> #       add machine script = /usr/bin/smbpasswd -m %u
>         add machine script = /usr/sbin/addmachine.sh "%u"
>         logon script = wms1.bat
>         logon path =
>         logon drive = H:
>         logon home =
>         domain logons = Yes
>         os level = 255
>         domain master = Yes
>         dns proxy = Yes
>         admin users = @domain_admins
>         wins support = Yes
>         remote browse sync = 172.16.0.3 172.16.0.19 172.16.0.15 172.16.0.26 172.16.0.20 172.16.80.1
>         name resolve order = hosts wins bcast
>         ldap suffix = dc=tow,dc=net
>         ldap machine suffix = ou=Computers
>         ldap user suffix = ou=Users
>         ldap group suffix = ou=Groups
>         ldap admin dn = cn=admin,dc=tow,dc=net
>         ldap ssl = no
> 
> [homes]
>         comment = Home Directories
>         read only = no
>         browseable = no
>         writable = yes
>         path = %H
>         hide files = /.*/
> [netlogon]
>         comment = Netlogon share
>         root preexec = /accounts/netlogon/prelogon.pl %U
>         path = /accounts/netlogon
>         valid users = @wmsstaff, @wmsstudent, @domain_users, @wms-cafe, navinstall
>         locking = no
>         browseable = no
>         read only = yes
>         write list = @domain_admins
>         hide files = /*.dll/*.rap/*.kix/*.bat/*.pl/
> 
> [cafeteria]
>         path = /accounts/cafeteria/data
>         browseable = yes
>         valid users = @wms-cafe, dperry
>         force group = wms-cafe
>         create mode = 0660
>         directory mode = 0770
> 
> [staff]
>         path = /accounts/common
>         browseable = no
>         valid users = @wmsstaff
>         force group = wmsstaff
>         write list = @domain_admins, @wmsstaff
>         create mode = 0660
>         directory mode = 0770
> [programs]
>         path = /accounts/programs
>         browseable = no
>         valid users = @wmsstaff, @techstaff
>         create mode = 0660
> [tech]
>         path = /accounts/tech
>         browseable = no
>         valid users = @techstaff
>         force group = techstaff
>         write list = @techstaff
>         create mode = 0660
>         directory mode = 0770
> 
> The addmachine.sh script is my own version of an add machine script. All users,
> groups and computers have corresponding posix accounts in LDAP as well as Samba
> objectClass and attributes. I don't use any Windows utilities to manipulate user
> group information in LDAP, I have my own set of routines tailored to our system
> that allow individual control of LDAP info, or we can batch add/delete accounts
> and user attributes by interactive shell scripts.
> 
> My question to the Samba community is still: should the password program on the
> BDC talk to the PDC by smbpasswd -r <PDC address>? I'm having a little password
> out of sync problem.
> 
> Kent N.
> 
> Marcio Luciano Donada <mdonada at auroraalimentos.com.br> wrote: 
> > kent wrote:
> > 
> > | Hello, Just wondering what I should be using for the password
> > | change program on a BDC. Should it be: passwd program =
> > | /usr/bin/smbpasswd -r <PDC address> %u
> > |
> > | I'm having a problem with passwords not staying in sync between the
> > | PDC and BDC with pass backend ldap.
> > |
> > | The systems are all Fedora Core 4, Samba 3.0.14a, openldap 2.2.23
> > |
> > | Kent N
> > |
> > Hello, I am trying to configure the BDC. How did you add them to your schema
> > in the LDAP base? Could you supply your configuration (smb.conf) and
> > smbldap.conf for me to analyze?
> > 
> > thanks
> > 
> > - --
> > Márcio Luciano Donada
> > T.I. Aurora Alimentos Chapecó(SC)
> > Cooperativa Central Oeste Catarinense
> > mdonada at auroraalimentos dot com dot br
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/listinfo/samba
> 

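Kent asks above what the password chat would be for smbpasswd -r, and the session Bruno pastes shows the prompts that program actually prints. As an added illustration, not code from the thread or from Samba, this toy re-implements the expect/send matching of `passwd chat` and runs both the chat posted in the quoted smb.conf and a chat written for the smbpasswd -r prompts over those prompt lines; `REMOTE_CHAT`, the two prompt lists and the simplified matcher (one prompt per expect, no double-quoted tokens) are assumptions, and whether `%o` is actually populated when smbd invokes the program is not something this toy can show.

```python
import re

# Prompts smbpasswd -r printed in the session pasted above (constructed list,
# one prompt per line, taken from that transcript).
SMBPASSWD_R_PROMPTS = ["Old SMB password:", "New SMB password:",
                       "Retype new SMB password:"]
# Prompts a local UNIX passwd program would print (constructed, to show what
# the posted chat was written for).
UNIX_PASSWD_PROMPTS = ["Enter new UNIX password:", "Retype new UNIX password:"]

# passwd chat exactly as posted in the quoted smb.conf.
POSTED_CHAT = r"*Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUnix\spassword:* %n\n"
# Hypothetical chat for the smbpasswd -r prompts; %o is the old-password macro
# smb.conf(5) documents for passwd chat, %n the new password.
REMOTE_CHAT = (r"*Old\sSMB\spassword:* %o\n *New\sSMB\spassword:* %n\n "
               r"*Retype\snew\sSMB\spassword:* %n\n")

def unescape(token):
    """Expand the \\s \\n \\r \\t escapes smb.conf allows in a chat token."""
    return (token.replace(r"\s", " ").replace(r"\n", "\n")
                 .replace(r"\r", "\r").replace(r"\t", "\t"))

def parse_chat(chat):
    """Split a chat into (expect, send) pairs; a lone '.' means 'nothing'.
    Simplified: double-quoted tokens containing spaces are not handled."""
    tokens = chat.split()
    if len(tokens) % 2:
        raise ValueError("passwd chat needs expect/send pairs")
    return [("" if e == "." else unescape(e), "" if s == "." else unescape(s))
            for e, s in zip(tokens[::2], tokens[1::2])]

def wild_match(pattern, text):
    """'*' matches any run of characters, everything else is literal.
    Matching is case-insensitive here (assumed to mirror Samba's matcher)."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, text, re.IGNORECASE | re.DOTALL) is not None

def run_chat(chat, prompts, old_pw, new_pw):
    """Drive the chat against the program's prompts, one prompt per expect.
    Returns (ok, lines_sent); ok is False at the first expect that fails."""
    sent, remaining = [], list(prompts)
    for expect, send in parse_chat(chat):
        if expect:
            if not remaining or not wild_match(expect, remaining.pop(0)):
                return False, sent
        if send:
            sent.append(send.replace("%o", old_pw).replace("%n", new_pw))
    return True, sent
```

Running `run_chat(POSTED_CHAT, SMBPASSWD_R_PROMPTS, ...)` fails at the very first prompt, because the posted chat waits for "Enter new UNIX password:" while smbpasswd -r prints "Old SMB password:"; a chat that expects the SMB prompts and answers the first one with `%o` walks the whole transcript.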
