[Samba] BDC and password change program

kent at mail.wareham.mec.edu
Wed Aug 31 13:16:12 GMT 2005


Hi Stephane,
That worked! No more password sync problems. I commented out the password
program and the password chat on the BDCs. I tested the password change on
an XP and Win 98 several times then checked the replicas. All the passwords
are in sync as well as the posix account passwords.

Thanks again

Kent N

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi,
>
> I think simply that with the parameter ldap passwd sync, the passwd
> chat is not called.
> The only question I ask myself is: why change a passwd on a BDC?
> A BDC is a backup DC; if the PDC is down, a BDC can provide
> authentication.
>
> But you can modify the smb.conf of the BDC to
>
> passdb backend = ldapsam:"ldap://127.0.0.1 ldap://172.16.0.24"
>
> kent wrote:
>
>> Hi, Thanks for getting back to me so fast.
>>
>>
>> Stéphane_Purnelle <stephane.purnelle at tiscali.be> wrote:
>>
>>
>
>> The LDAP server at 172.16.0.24 is the master ldap server, but in the
>> smb.conf of the BDC, the ldap server is on localhost. If the IP address
>> of the BDC is 172.16.0.24, you should have no problem. If it is different,
>> you must configure ldap for replication, because a password change
>> on the PDC is not replicated to the BDC.
>>
>>> PDC: 172.16.0.13 However the master ldap server is on
>>> 172.16.0.24. We use LDAP for mail authentication as well as
>>> OpenGroupware etc. There is no local copy of the LDAP directory
>>> on the PDC. Everything including the operating system points to
>>> 172.16.0.24.
>>
>>> All of the BDCs have replicas. I realize that authentication to a
>>> BDC on a subnet uses the pass backend which in all of my BDCs is
>>> localhost. My problem with the BDCs is the password program that I
>>> believe is changing the LDAP replica on the BDC and not the PDC. So
>>> I end up with a password mismatch.
>>
>>> If I disable the password chat on all BDCs will password chat be
>>> passed on to the PDC?
>>
>>> Thank you for your help.
>>
>>> Kent N
>>
>> The BDC does not verify the password with the PDC, but with the passwd
>> backend only. You can disable these lines on the BDC:
>>
>> passwd program = /usr/bin/smbpasswd %u
>> passwd chat = *Enter\snew\sUNIX\spassword:* %n\n*Retype\snew\sUnix\spassword:* %n\n
>>
>> kent wrote:
>>
>>> Have you used the -r option for smbpasswd to connect to the PDC
>>> in smb.conf? Just wondering what the password chat would be. I
>>> can test it out and see what works.
>>
>>> Kent N
>>
>>> Bruno Guerreiro <bruno.guerreiro at ine.pt> wrote:
>>
>>>> Hi there, The best (only?) way to go is with an LDAP
>>>> Master+slave architecture. All changes must be done at the LDAP
>>>> Master server which automatically replicates them to all slave
>>>> ldap servers. So, yes, the BDC MUST talk to the PDC, or at
>>>> least the master ldap server, to change the password.
>>
>>>> Best Regards. Bruno Guerreiro
>>
>>>> -----Original Message-----
>>>> From: kent [mailto:kent at mail.wareham.mec.edu]
>>>> Sent: Wednesday, 31 August 2005 11:15
>>>> To: mdonada at auroraalimentos.com.br; Samba
>>>> Subject: Re: [Samba] BDC and password change program
>>
>>
>>>> Hello, How are you doing? I just switched this summer from
>>>> RedHat 8.0 with compiled versions of Samba, OpenLDAP and
>>>> Berkeley DB to Fedora Core 4 with precompiled Samba, OpenLDAP
>>>> and BerkeleyDB. Here is the smb.conf from one school that is a
>>>> BDC:
>>>>
>>>> [global]
>>>> workgroup = WarehamPS
>>>> encrypt passwords = Yes
>>>> time offset = 60
>>>> time server = Yes
>>>> # log level = 5
>>>> socket options = TCP_NODELAY TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>>>> security = user
>>>> username map = /etc/samba/smbusers
>>>> logon script = whs1.bat
>>>> writable = Yes
>>>> interfaces = eth0 eth1
>>>> directory mask = 02770
>>>> preferred master = yes
>>>> netbios name = whs1
>>>> server string = Fedora Core 4 SAMBA server
>>>> passdb backend = ldapsam:ldap://127.0.0.1
>>>> ldap passwd sync = Yes
>>>> machine password timeout = 604800
>>>> passwd program = /usr/bin/smbpasswd %u
>>>> passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUnix\spassword:* %n\n
>>>> log file = /var/log/samba/%m.log
>>>> debug level = 2
>>>> max log size = 50
>>>> add machine script = /usr/sbin/addmachine.sh "%u"
>>>> logon path =
>>>> logon drive = H:
>>>> logon home =
>>>> domain logons = Yes
>>>> os level = 64
>>>> domain master = No
>>>> dns proxy = no
>>>> admin users = @domain_admins
>>>> wins support = no
>>>> wins server = 172.16.0.13
>>>> wins proxy = yes
>>>> local master = yes
>>>> name resolve order = hosts wins bcast
>>>> ldap suffix = dc=tow,dc=net
>>>> ldap machine suffix = ou=Computers
>>>> ldap user suffix = ou=Users
>>>> ldap group suffix = ou=Groups
>>>> ldap admin dn = cn=admin,dc=tow,dc=net
>>>> ldap ssl = no
>>
>>>> [homes]
>>>> comment = Home Directories
>>>> read only = no
>>>> browseable = no
>>>> writable = yes
>>>> path = %H
>>>> # valid users = %S
>>
>>>> [netlogon]
>>>> root preexec = /accounts/netlogon/prelogon.pl %U
>>>> path = /accounts/netlogon
>>>> comment = Netlogon share
>>>> locking = no
>>>> browseable = yes
>>>> valid users = @whsstaff, @whsstudent, @whs-cafe, navinstall, kent
>>>> read only = yes
>>>> hide files = /.*/*dll/*DLL/*.bat/*.kix/*.rap/*pl/
>>>> write list = @domain_admins
>>>>
>>>> [staff]
>>>> comment = Staff directory
>>>> path = /accounts/common
>>>> create mode = 0660
>>>> browseable = no
>>>> write list = @whsstaff
>>>> valid users = @whsstaff
>>>>
>>>> [programs]
>>>> comment = Applications
>>>> path = /accounts/programs
>>>> browseable = no
>>>> create mode = 0660
>>>> write list = @whsstaff
>>>> valid users = @whsstaff
>>
>>>> [cafeteria]
>>>> path = /accounts/cafeteria/data
>>>> browseable = no
>>>> valid users = @whs-cafe, dperry
>>>> force group = whs-cafe
>>>> create mode = 0660
>>>> directory mode = 0770
>>
>>>> Here is the smb.conf for the PDC:
>>>>
>>>> [global]
>>>> workgroup = WarehamPS
>>>> encrypt passwords = Yes
>>>> time server = Yes
>>>> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>>>> security = user
>>>> writable = Yes
>>>> interfaces = eth0 eth1
>>>> directory mask = 02770
>>>> preferred master = yes
>>>> local master = Yes
>>>> username map = /etc/samba/smbusers
>>>> netbios name = wms1
>>>> server string = Fedora Core 4 SAMBA Server
>>>> passdb backend = ldapsam:ldap://172.16.0.24
>>>> ldap passwd sync = Yes
>>>> machine password timeout = 604800
>>>> passwd program = /usr/bin/smbpasswd %u
>>>> passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUnix\spassword:* %n\n
>>>> log file = /var/log/samba/%m.log
>>>> debug level = 2
>>>> max log size = 30
>>>> # add machine script = /usr/bin/smbpasswd -m %u
>>>> add machine script = /usr/sbin/addmachine.sh "%u"
>>>> logon script = wms1.bat
>>>> logon path =
>>>> logon drive = H:
>>>> logon home =
>>>> domain logons = Yes
>>>> os level = 255
>>>> domain master = Yes
>>>> dns proxy = Yes
>>>> admin users = @domain_admins
>>>> wins support = Yes
>>>> remote browse sync = 172.16.0.3 172.16.0.19 172.16.0.15 172.16.0.26 172.16.0.20 172.16.80.1
>>>> name resolve order = hosts wins bcast
>>>> ldap suffix = dc=tow,dc=net
>>>> ldap machine suffix = ou=Computers
>>>> ldap user suffix = ou=Users
>>>> ldap group suffix = ou=Groups
>>>> ldap admin dn = cn=admin,dc=tow,dc=net
>>>> ldap ssl = no
>>
>>>> [homes]
>>>> comment = Home Directories
>>>> read only = no
>>>> browseable = no
>>>> writable = yes
>>>> path = %H
>>>> hide files = /.*/
>>>>
>>>> [netlogon]
>>>> comment = Netlogon share
>>>> root preexec = /accounts/netlogon/prelogon.pl %U
>>>> path = /accounts/netlogon
>>>> valid users = @wmsstaff, @wmsstudent, @domain_users, @wms-cafe, navinstall
>>>> locking = no
>>>> browseable = no
>>>> read only = yes
>>>> write list = @domain_admins
>>>> hide files = /*.dll/*.rap/*.kix/*.bat/*.pl/
>>
>>>> [cafeteria]
>>>> path = /accounts/cafeteria/data
>>>> browseable = yes
>>>> valid users = @wms-cafe, dperry
>>>> force group = wms-cafe
>>>> create mode = 0660
>>>> directory mode = 0770
>>
>>>> [staff]
>>>> path = /accounts/common
>>>> browseable = no
>>>> valid users = @wmsstaff
>>>> force group = wmsstaff
>>>> write list = @domain_admins, @wmsstaff
>>>> create mode = 0660
>>>> directory mode = 0770
>>>>
>>>> [programs]
>>>> path = /accounts/programs
>>>> browseable = no
>>>> valid users = @wmsstaff, @techstaff
>>>> create mode = 0660
>>>>
>>>> [tech]
>>>> path = /accounts/tech
>>>> browseable = no
>>>> valid users = @techstaff
>>>> force group = techstaff
>>>> write list = @techstaff
>>>> create mode = 0660
>>>> directory mode = 0770
>>
>>>> The addmachine.sh script is my own version of an add machine.
>>>> All users, groups, computers have corresponding posix accounts
>>>> in LDAP as well as Samba objectClass and attributes. I don't
>>>> use any Windows utilities to manipulate user group information
>>>> in LDAP, I have my own set of routines tailored to our system
>>>> that allows individual control of LDAP info or we can batch
>>>> add/delete accounts and user attributes by interactive shell
>>>> scripts.
>>
>>>> My question to the Samba community is still: should the
>>>> password program on the BDC talk to the PDC by smbpasswd -r
>>>> <PDC address>? I'm having a little password out of sync
>>>> problem.
>>
>>>> Kent N.
>>
>>>> Marcio Luciano Donada <mdonada at auroraalimentos.com.br>
>>>> wrote:
>>
>>> kent wrote:
>>
>>> | Hello, Just wondering what I should be using for the password
>>> | change program on a BDC. Should it be:
>>> | passwd program = /usr/bin/smbpasswd -r <PDC address> %u
>>> |
>>> | I'm having a problem with passwords not staying in sync between the
>>> | PDC and BDC with pass backend ldap.
>>> |
>>> | The systems are all Fedora Core 4, Samba 3.0.14a, openldap 2.2.23
>>> |
>>> | Kent N
>>>
>>> Hello, I am trying to configure the BDC. How are you adding the
>>> schema to the LDAP base? Could you send me your configuration
>>> (smb.conf and smbldap.conf) so I can analyse it?
>>
>>> thanks
>>
>>> -- Márcio Luciano Donada T.I. Aurora Alimentos Chapecó(SC)
>>> Cooperativa Central Oeste Catarinense mdonada at auroraalimentos
>>> dot com dot br
>>
>>
>>>> -- To unsubscribe from this list go to the following URL and
>>>> read the instructions:
>>>> https://lists.samba.org/mailman/listinfo/samba
>>
>>
>>
>> -- Stéphane Purnelle <stephane.purnelle at tiscali.be> Site Web :
>> http://www.linuxplusvalue.be
>
>
> - --
> Stéphane Purnelle <stephane.purnelle at tiscali.be>
> Site Web : http://www.linuxplusvalue.be
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.5 (GNU/Linux)
> Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
>
> iD8DBQFDFajc8tswkE3d0ecRAvPFAJ9JmEd41uoSN6oQ7yiawYAILf0ztgCeKTD1
> vk0qCgQjf+B62H4r6fcPGKc=
> =xEzS
> -----END PGP SIGNATURE-----
>
>
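Added example, not code from the thread or from the Samba project: a small Python lint that reads the [global] parameters the thread turns on (domain logons, domain master, passdb backend, ldap passwd sync, passwd program, passwd chat) and flags the two BDC settings that caused Kent's mismatch, namely a passdb backend that lists only a local replica and a passwd program/chat left active on a BDC. The parser is a deliberately minimal smb.conf reader (sections, key = value, # and ; comments), and the two sample configurations are constructed subsets of the BDC smb.conf posted above, before and after the changes Stéphane suggested.

```python
import re
from typing import Dict, List

# Added example, not Samba's own code. A minimal smb.conf reader plus a check
# for the BDC password path discussed in the thread.

Config = Dict[str, Dict[str, str]]
LOCAL_HOSTS = {"127.0.0.1", "localhost"}


def parse_smb_conf(text: str) -> Config:
    """Parse [section] headers and 'key = value' lines; lines starting with
    '#' or ';' are comments. Keys are lower-cased with inner whitespace
    collapsed, so 'Passwd  Program' and 'passwd program' are one parameter."""
    conf: Config = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            conf.setdefault(section, {})
            continue
        if section is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[section][" ".join(key.split()).lower()] = value.strip()
    return conf


def is_yes(value: str) -> bool:
    return value.strip().lower() in {"yes", "true", "1"}


def ldap_hosts(passdb_backend: str) -> List[str]:
    """Host parts of 'ldapsam:ldap://h1 ldap://h2', quoted or not."""
    return re.findall(r"ldaps?://([^\s/\"']+)", passdb_backend)


def check_bdc_password_path(conf: Config) -> List[str]:
    """Findings for a BDC whose password changes cannot reach the master LDAP."""
    g = conf.get("global", {})
    findings: List[str] = []
    if not is_yes(g.get("domain logons", "no")):
        return findings            # not a domain controller at all
    if is_yes(g.get("domain master", "no")):
        return findings            # PDC: writes to its own backend are expected
    hosts = ldap_hosts(g.get("passdb backend", ""))
    if hosts and all(h.split(":")[0] in LOCAL_HOSTS for h in hosts):
        findings.append("passdb backend lists only a local LDAP replica; "
                        "password writes never reach the master directory")
    if "passwd program" in g or "passwd chat" in g:
        findings.append("passwd program / passwd chat are set on a BDC; with "
                        "ldap passwd sync = Yes Samba updates LDAP itself, so "
                        "these should be removed on BDCs")
    return findings


# Constructed sample: the relevant [global] lines of the BDC smb.conf from
# the thread, before the fix.
BDC_BEFORE = r"""
[global]
workgroup = WarehamPS
domain logons = Yes
domain master = No
passdb backend = ldapsam:ldap://127.0.0.1
ldap passwd sync = Yes
passwd program = /usr/bin/smbpasswd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUnix\spassword:* %n\n
"""

# Constructed sample: the same BDC after the two changes suggested in the
# thread (passwd program/chat commented out, master LDAP added to the backend).
BDC_AFTER = r"""
[global]
workgroup = WarehamPS
domain logons = Yes
domain master = No
passdb backend = ldapsam:"ldap://127.0.0.1 ldap://172.16.0.24"
ldap passwd sync = Yes
# passwd program = /usr/bin/smbpasswd %u
# passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUnix\spassword:* %n\n
"""

if __name__ == "__main__":
    for name, text in (("BDC before", BDC_BEFORE), ("BDC after", BDC_AFTER)):
        findings = check_bdc_password_path(parse_smb_conf(text))
        print(f"{name}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

Run it against a real BDC's /etc/samba/smb.conf by reading the file into parse_smb_conf; the checks are only about where a BDC sends password writes, so the PDC configuration from the thread (domain master = Yes) produces no findings by design.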