[Samba] BDC and password change program

Stéphane Purnelle stephane.purnelle at tiscali.be
Wed Aug 31 12:55:58 GMT 2005



Hi,

I simply think that with the parameter ldap passwd sync, the passwd
chat is not called.
The only question I ask myself is: why change a passwd on a BDC?
A BDC is a backup DC; if the PDC is down, a BDC can provide
authentication.

But you can modify the smb.conf of the BDC to

passdb backend = ldapsam:"ldap://127.0.0.1 ldap://172.16.0.24"

kent wrote:

> Hi, Thanks for getting back to me so fast.
>
>
> Stéphane_Purnelle <stephane.purnelle at tiscali.be> wrote:
>
>

> The LDAP server in 172.16.0.24 is the master ldap server, but on
> smb.conf of BDC, the ldap server is on localhost. If the IP address
> of BDC is 172.16.0.24, you must have no problem. Now, if different,
> you must configure ldap for replication. Because changing password
> on the PDC is not replicated to BDC.
>
>> PDC: 172.16.0.13 However the master ldap server is on
>> 172.16.0.24. We use LDAP for mail authentication as well as
>> OpenGroupware etc. There is no local copy of LDAP
>> directory on the PDC. Everything including the operating system
>> points to 172.16.0.24.
>>
>> All of the BDCs have replicas. I realize that authentication to a
>> BDC on a subnet uses the pass backend which in all of my BDCs is
>> localhost. My problem with the BDCs is the password program that
>> I believe is changing the LDAP replica on the BDC and not the PDC.
>> So I end up with a password mismatch.
>>
>> If I disable the password chat on all BDCs will password chat be
>> passed on to the PDC?
>>
>> Thank you for your help.
>>
>> Kent N
>
> The BDC does not verify passwords with the PDC, but with the passwd
> backend only. You can disable these lines on the BDC:
>
> passwd program = /usr/bin/smbpasswd %u
> passwd chat = *Enter\snew\sUNIX\spassword:* %n\n*Retype\snew\sUnix\spassword:* %n\n
>
> kent wrote:
>
>> Have you used the -r option for smbpasswd to connect to the PDC
>> in smb.conf? Just wondering what the password chat would be. I
>> can test it out and see what works.
>
>> Kent N
>
>> Bruno Guerreiro <bruno.guerreiro at ine.pt> wrote:
>
>>> Hi there, The best (only?) way to go is with a LDAP
>>> Master+slave architecture. All changes must be done at the LDAP
>>> Master server which automatically replicates them to all slave
>>> ldap servers. So, yes, the BDC MUST talk to the PDC, or at
>>> least the master ldap server to change the password.
>
>>> Best Regards. Bruno Guerreiro
>
>>> -----Original Message----- From: kent
>>> [mailto:kent at mail.wareham.mec.edu] Sent: Wednesday, 31 August
>>> 2005 11:15 To: mdonada at auroraalimentos.com.br; Samba
>>> Subject: Re: [Samba] BDC and password change program
>
>
>>> Hello, How are you doing? I just switched this summer from
>>> RedHat 8.0 with compiled versions of Samba, OpenLDAP and
>>> Berkeley DB to Fedora Core 4 with precompiled Samba, OpenLDAP
>>> and BerkeleyDB. Here is the smb.conf from one school that is a
>>> BDC:
>>>
>>> [global]
>>> workgroup = WarehamPS
>>> encrypt passwords = Yes
>>> time offset = 60
>>> time server = Yes
>>> # log level = 5
>>> socket options = TCP_NODELAY TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>>> security = user
>>> username map = /etc/samba/smbusers
>>> logon script = whs1.bat
>>> writable = Yes
>>> interfaces = eth0 eth1
>>> directory mask = 02770
>>> preferred master = yes
>>> netbios name = whs1
>>> server string = Fedora Core 4 SAMBA server
>>> passdb backend = ldapsam:ldap://127.0.0.1
>>> ldap passwd sync = Yes
>>> machine password timeout = 604800
>>> passwd program = /usr/bin/smbpasswd %u
>>> passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUnix\spassword:* %n\n
>>> log file = /var/log/samba/%m.log
>>> debug level = 2
>>> max log size = 50
>>> add machine script = /usr/sbin/addmachine.sh "%u"
>>> logon path =
>>> logon drive = H:
>>> logon home =
>>> domain logons = Yes
>>> os level = 64
>>> domain master = No
>>> dns proxy = no
>>> admin users = @domain_admins
>>> wins support = no
>>> wins server = 172.16.0.13
>>> wins proxy = yes
>>> local master = yes
>>> name resolve order = hosts wins bcast
>>> ldap suffix = dc=tow,dc=net
>>> ldap machine suffix = ou=Computers
>>> ldap user suffix = ou=Users
>>> ldap group suffix = ou=Groups
>>> ldap admin dn = cn=admin,dc=tow,dc=net
>>> ldap ssl = no
>
>>> [homes]
>>> comment = Home Directories
>>> read only = no
>>> browseable = no
>>> writable = yes
>>> path = %H
>>> # valid users = %S
>
>>> [netlogon]
>>> root preexec = /accounts/netlogon/prelogon.pl %U
>>> path = /accounts/netlogon
>>> comment = Netlogon share
>>> locking = no
>>> browseable = yes
>>> valid users = @whsstaff, @whsstudent, @whs-cafe, navinstall, kent
>>> read only = yes
>>> hide files = /.*/*dll/*DLL/*.bat/*.kix/*.rap/*pl/
>>> write list = @domain_admins
>>>
>>> [staff]
>>> comment = Staff directory
>>> path = /accounts/common
>>> create mode = 0660
>>> browseable = no
>>> write list = @whsstaff
>>> valid users = @whsstaff
>>>
>>> [programs]
>>> comment = Applications
>>> path = /accounts/programs
>>> browseable = no
>>> create mode = 0660
>>> write list = @whsstaff
>>> valid users = @whsstaff
>
>>> [cafeteria]
>>> path = /accounts/cafeteria/data
>>> browseable = no
>>> valid users = @whs-cafe, dperry
>>> force group = whs-cafe
>>> create mode = 0660
>>> directory mode = 0770
>
>>> Here is the smb.conf for the PDC:
>>>
>>> [global]
>>> workgroup = WarehamPS
>>> encrypt passwords = Yes
>>> time server = Yes
>>> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>>> security = user
>>> writable = Yes
>>> interfaces = eth0 eth1
>>> directory mask = 02770
>>> preferred master = yes
>>> local master = Yes
>>> username map = /etc/samba/smbusers
>>> netbios name = wms1
>>> server string = Fedora Core 4 SAMBA Server
>>> passdb backend = ldapsam:ldap://172.16.0.24
>>> ldap passwd sync = Yes
>>> machine password timeout = 604800
>>> passwd program = /usr/bin/smbpasswd %u
>>> passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUnix\spassword:* %n\n
>>> log file = /var/log/samba/%m.log
>>> debug level = 2
>>> max log size = 30
>>> # add machine script = /usr/bin/smbpasswd -m %u
>>> add machine script = /usr/sbin/addmachine.sh "%u"
>>> logon script = wms1.bat
>>> logon path =
>>> logon drive = H:
>>> logon home =
>>> domain logons = Yes
>>> os level = 255
>>> domain master = Yes
>>> dns proxy = Yes
>>> admin users = @domain_admins
>>> wins support = Yes
>>> remote browse sync = 172.16.0.3 172.16.0.19 172.16.0.15 172.16.0.26 172.16.0.20 172.16.80.1
>>> name resolve order = hosts wins bcast
>>> ldap suffix = dc=tow,dc=net
>>> ldap machine suffix = ou=Computers
>>> ldap user suffix = ou=Users
>>> ldap group suffix = ou=Groups
>>> ldap admin dn = cn=admin,dc=tow,dc=net
>>> ldap ssl = no
>
>>> [homes]
>>> comment = Home Directories
>>> read only = no
>>> browseable = no
>>> writable = yes
>>> path = %H
>>> hide files = /.*/
>>>
>>> [netlogon]
>>> comment = Netlogon share
>>> root preexec = /accounts/netlogon/prelogon.pl %U
>>> path = /accounts/netlogon
>>> valid users = @wmsstaff, @wmsstudent, @domain_users, @wms-cafe, navinstall
>>> locking = no
>>> browseable = no
>>> read only = yes
>>> write list = @domain_admins
>>> hide files = /*.dll/*.rap/*.kix/*.bat/*.pl/
>
>>> [cafeteria]
>>> path = /accounts/cafeteria/data
>>> browseable = yes
>>> valid users = @wms-cafe, dperry
>>> force group = wms-cafe
>>> create mode = 0660
>>> directory mode = 0770
>
>>> [staff]
>>> path = /accounts/common
>>> browseable = no
>>> valid users = @wmsstaff
>>> force group = wmsstaff
>>> write list = @domain_admins, @wmsstaff
>>> create mode = 0660
>>> directory mode = 0770
>>>
>>> [programs]
>>> path = /accounts/programs
>>> browseable = no
>>> valid users = @wmsstaff, @techstaff
>>> create mode = 0660
>>>
>>> [tech]
>>> path = /accounts/tech
>>> browseable = no
>>> valid users = @techstaff
>>> force group = techstaff
>>> write list = @techstaff
>>> create mode = 0660
>>> directory mode = 0770
>
>>> The addmachine.sh script is my own version of an add machine.
>>> All users, groups, computers have corresponding posix accounts
>>> in LDAP as well as Samba objectClass and attributes. I don't
>>> use any Windows utilities to manipulate user group information
>>> in LDAP, I have my own set of routines tailored to our system
>>> that allows individual control of LDAP info or we can batch
>>> add/delete accounts and user attributes by interactive shell
>>> scripts.
>
>>> My question to the Samba community is still: should the
>>> password program on the BDC talk to the PDC by smbpasswd -r
>>> <PDC address>? I'm having a little password out of sync
>>> problem.
>
>>> Kent N.
>
>>> Marcio Luciano Donada <mdonada at auroraalimentos.com.br>
>>> wrote:
>
>> kent wrote:
>
>> | Hello, Just wondering what I should be using for the password
>> | change program on a BDC. Should it be: passwd program =
>> | /usr/bin/smbpasswd -r <PDC address> %u
>> |
>> | I'm having a problem with passwords not staying in sync between the
>> | PDC and BDC with pass backend ldap.
>> |
>> | The systems are all Fedora Core 4, Samba 3.0.14a, openldap 2.2.23
>> |
>> | Kent N
>>
>> Hello, I am trying to configure the BDC. How are you adding your
>> schema to the LDAP base? Can you supply your configuration
>> (smb.conf) and smbldap.conf for me to analyze?
>>
>> thanks
>
>> -- Márcio Luciano Donada T.I. Aurora Alimentos Chapecó(SC)
>> Cooperativa Central Oeste Catarinense mdonada at auroraalimentos
>> dot com dot br
>
>
>
>
>
> -- Stéphane Purnelle <stephane.purnelle at tiscali.be> Site Web :
> http://www.linuxplusvalue.be


- --
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba






- --
Stéphane Purnelle <stephane.purnelle at tiscali.be>
Site Web : http://www.linuxplusvalue.be
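As an added example (not code from any poster in this thread), a small Python check that parses a BDC smb.conf [global] section and flags the two things discussed above: a passdb backend that lists only the local LDAP replica, and passwd program/passwd chat left in place next to ldap passwd sync. The audit_bdc helper and the sample configs are constructed for this example; the master address 172.16.0.24 is the one from the thread.

```python
import configparser
from urllib.parse import urlsplit

LOCAL_HOSTS = {"127.0.0.1", "localhost", "::1"}

def parse_smb_conf(text):
    # Samba's %u/%n/%m substitutions must not be expanded by configparser,
    # and only '=' separates a parameter from its value (values carry ':').
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.read_string(text)
    return cp

def ldap_hosts(passdb_backend):
    # Hosts from 'ldapsam:ldap://a' or 'ldapsam:"ldap://a ldap://b"'.
    if not passdb_backend.strip().lower().startswith("ldapsam"):
        return []
    uris = passdb_backend.partition(":")[2].strip().strip('"').split()
    return [urlsplit(u).hostname or "" for u in uris]

def audit_bdc(text, master_ldap_host):
    # Hypothetical audit helper, not a Samba tool: flag a BDC smb.conf whose
    # password changes would land on the local LDAP replica, not the master.
    g = parse_smb_conf(text)["global"]
    findings = []
    hosts = ldap_hosts(g.get("passdb backend", ""))
    # A lone local replica means a change made on the BDC updates the slave
    # copy only, which is the password mismatch described in the thread.
    if hosts and hosts[0] in LOCAL_HOSTS and master_ldap_host not in hosts:
        findings.append("passdb backend lists only %s; add ldap://%s so writes "
                        "reach the master" % (hosts[0], master_ldap_host))
    is_bdc = g.get("domain master", "").strip().lower() in ("no", "false", "0")
    chat_set = "passwd program" in g or "passwd chat" in g
    sync_on = g.get("ldap passwd sync", "no").strip().lower() in ("yes", "true", "1")
    if is_bdc and chat_set and sync_on:
        findings.append("passwd program/chat set with ldap passwd sync on a BDC; "
                        "per the reply above the chat is not called, so drop it")
    return findings

# Constructed sample: the relevant lines of the BDC [global] quoted in the thread.
BDC_CONF = r"""[global]
passdb backend = ldapsam:ldap://127.0.0.1
ldap passwd sync = Yes
passwd program = /usr/bin/smbpasswd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUnix\spassword:* %n\n
domain master = No
"""
# Constructed sample: the backend change suggested above, chat lines removed.
FIXED_CONF = r"""[global]
passdb backend = ldapsam:"ldap://127.0.0.1 ldap://172.16.0.24"
ldap passwd sync = Yes
domain master = No
"""
```

Running audit_bdc(BDC_CONF, "172.16.0.24") reports both findings; the corrected fragment reports none.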