[Samba] ldap password sync

Sean Elble elbles at sessys.com
Wed Apr 11 00:05:20 GMT 2007


On 4/10/07 7:25 PM, "David Pinkerton" <David.Pinkerton at planaustralia.com.au>
wrote:

> 
> I'm trying to get ldap/unix password sync working.
> 
> Using this config, packet traces show no requests to update userPassword (only
> the samba passwords)
> 
> Can  someone see what I've done wrong?
> 
> 
> 
> [global]
>    workgroup = HOME
>    netbios name = DHP
> 
>    security = user
>    encrypt passwords = yes
>    enable privileges = yes
> 
>    passdb backend = ldapsam:ldap://127.0.0.1
>    passwd program = /usr/local/sbin/smbldap-passwd -u %u
>    unix password sync = yes
> 

This could easily be part of your problem. I would imagine that your
smbldap-passwd script is not working correctly, is misconfigured some way,
et cetera. Perhaps you might want to try this in your smb.conf file instead
of using the passwd program and unix password sync parameters:

Ldap passwd sync = yes

From the smb.conf(5) man page:

"This option is used to define whether or not Samba should sync the LDAP
password with the NT and LM hashes for normal accounts (NOT for workstation,
server or domain trusts) on a password change via SAMBA."

That sounds like it should do exactly what you want it to do, assuming of
course, your admin DN has the privileges to set the userPassword parameter.
I'm not speaking from experience here, as I use Kerberos for UNIX/Linux
password authentication, but I think that should take care of what you want
to do . . . Hope that helps.

>    log file = /var/log/samba/%m.log
>    utmp = yes
>    max log size = 50
>    log level = 1
>    syslog = 0
> 
>    add user script = /usr/local/sbin/smbldap-useradd -m "%u"
>    add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
> 
>    add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
> 
>    add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
>    delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" "%g"
>    set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u"
> 
>    domain logons = yes
>    domain master = yes
>    os level = 65
>    preferred master = yes
>    wins support = yes
> 
>    ldap admin dn = cn=admin,o=dhp
>    ldap passwd sync = yes
>    ldap delete dn = yes
>    ldap suffix = o=dhp
>    ldap machine suffix = ou=machine
>    ldap user suffix = ou=staff
>    ldap group suffix = ou=group
>    ldap idmap suffix = ou=idmap
>    idmap uid = 10000-20000
>    idmap gid = 10000-20000
> 

-- 
+-------------------------------------------------+
|  Sean Elble                                     |
|  Virginia Tech, Class of 2008                   |
|  Vice President, VTLUUG                         |
|  E-Mail:   elbles at sessys.com                    |
|  Web:      http://www.sessys.com/~elbles/       |
+-------------------------------------------------+
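As an added illustration (not code from the thread or from the Samba project), here is a small checker that parses a [global] section the way Samba reads parameter names, ignoring case and whitespace, and reports how the three settings discussed above (passdb backend, unix password sync / passwd program, ldap passwd sync) interact. The function names and the embedded sample config are constructed for this example.

```python
import re

# Constructed sample: the relevant lines from the quoted [global] section,
# with both the external passwd program and Samba's own LDAP sync enabled.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = HOME
   passdb backend = ldapsam:ldap://127.0.0.1
   passwd program = /usr/local/sbin/smbldap-passwd -u %u
   unix password sync = yes
   Ldap passwd sync = yes
   ldap admin dn = cn=admin,o=dhp
"""


def parse_smb_conf(text):
    """Return {section: {normalized_name: value}}.

    Samba compares parameter names ignoring case and whitespace, so
    'Ldap passwd sync', 'ldap passwd sync' and 'ldappasswdsync' are one key.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if "=" in line and current is not None:
            name, value = line.split("=", 1)
            sections[current][re.sub(r"\s+", "", name).lower()] = value.strip()
    return sections


def check_password_sync(conf):
    """Return findings about how a password change reaches the directory."""
    g = conf.get("global", {})
    backend = g.get("passdbbackend", "")
    # 'ldap passwd sync' accepts yes, no or only; yes and only both write userPassword.
    ldap_sync = g.get("ldappasswdsync", "no").lower() in ("yes", "only")
    unix_sync = g.get("unixpasswordsync", "no").lower() in ("yes", "true", "1")
    findings = []
    if backend.startswith("ldapsam") and not ldap_sync:
        findings.append("ldapsam without 'ldap passwd sync': Samba will not update userPassword itself")
    if unix_sync and "passwdprogram" not in g:
        findings.append("'unix password sync = yes' but no 'passwd program' to run")
    if ldap_sync and unix_sync:
        findings.append("both 'ldap passwd sync' and 'unix password sync' enabled: two writers for one credential")
    return findings
```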
