[Samba] ldap password sync

Edmundo Valle Neto edmundo.valle at terra.com.br
Wed Apr 11 01:29:53 GMT 2007


You appear to have two conflicting options set. I saw that you 
enabled "ldap passwd sync"; this is the right way to do this, samba 
will sync the password directly in LDAP without any external command (at 
least I think it does it that way).

But when you set "unix password sync" to yes, samba will try to use the 
specified "passwd program" using the specified "passwd chat" as root. I 
don't know exactly what happens in the samba code when the two are set 
to yes; in my tests (with the other options (unix pass sync, passwd 
program and chat) set as yours) windows clients refuse to change the 
password, saying that they don't have the right to do that (heh, a very nice 
error message for someone to tell me that I need to fix my LDAP ACLs to 
solve that :) ).

If I remember right "unix password sync" is no by default (you can check 
this with "testparm -v | grep sync" when the option is not set); in 
this case, passwd program and chat are simply ignored, it doesn't make a 
difference what you put there.

Just don't set "unix password sync" to yes at the same time as "ldap 
passwd sync".


Edmundo Valle Neto

David Pinkerton wrote:
> I'm trying to get ldap/unix password sync working.
> Using this config, packet traces show no requests to update userPassword (only the samba passwords)
> Can someone see what I've done wrong?
> [global]
>    workgroup = HOME
>    netbios name = DHP
>    security = user
>    encrypt passwords = yes
>    enable privileges = yes
>    passdb backend = ldapsam:ldap://
>    passwd program = /usr/local/sbin/smbldap-passwd -u %u
>    unix password sync = yes
>    log file = /var/log/samba/%m.log
>    utmp = yes
>    max log size = 50
>    log level = 1
>    syslog = 0
>    add user script = /usr/local/sbin/smbldap-useradd -m "%u"
>    add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
>    add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
>    add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
>    delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" "%g"
>    set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u"
>    domain logons = yes
>    domain master = yes
>    os level = 65
>    preferred master = yes
>    wins support = yes
>    ldap admin dn = cn=admin,o=dhp
>    ldap passwd sync = yes
>    ldap delete dn = yes
>    ldap suffix = o=dhp
>    ldap machine suffix = ou=machine
>    ldap user suffix = ou=staff
>    ldap group suffix = ou=group
>    ldap idmap suffix = ou=idmap
>    idmap uid = 10000-20000
>    idmap gid = 10000-20000
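The check the reply describes (are "unix password sync" and "ldap passwd sync" both on, and are "passwd program"/"passwd chat" dead settings because "unix password sync" is off) can be run over an smb.conf before reaching for testparm. The script below is an added example written for this page; it is not code from either poster or from the Samba project. It assumes that both sync options default to "no" when absent (the reply says to confirm that with "testparm -v | grep sync"), and the two configs embedded in it are constructed: a trimmed copy of the posted [global] section, and the same section with the conflicting option turned off and the now-unused "passwd program" line dropped.

```python
"""Check an smb.conf [global] section for the password-sync conflict
discussed in the thread.

Added example, not code from the original posts or from the Samba project.
"""
import configparser
import io

# Assumed defaults: both sync options are off when not set.  Confirm on a
# real system with "testparm -v | grep sync", as the reply suggests.
DEFAULTS = {"unixpasswordsync": "no", "ldappasswdsync": "no"}


def canon(name: str) -> str:
    """Samba ignores case and internal whitespace in parameter names."""
    return "".join(name.split()).lower()


def parse_global(text: str) -> dict:
    """Return the [global] parameters as a dict of canonical name -> value."""
    # smb.conf uses only "=" as separator and indents its lines; configparser
    # would read indented lines as continuations, so strip them first.
    flat = "\n".join(line.strip() for line in text.splitlines())
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.optionxform = canon  # normalise keys the way Samba does
    cp.read_file(io.StringIO(flat))
    return dict(cp["global"]) if cp.has_section("global") else {}


def enabled(value: str) -> bool:
    """Samba-style boolean; 'only' is a legal value for 'ldap passwd sync'."""
    return value.strip().lower() in {"yes", "true", "1", "only"}


def check_password_sync(text: str) -> list:
    """Return findings for the config; an empty list means nothing to report."""
    g = parse_global(text)
    unix_sync = enabled(g.get("unixpasswordsync", DEFAULTS["unixpasswordsync"]))
    ldap_sync = enabled(g.get("ldappasswdsync", DEFAULTS["ldappasswdsync"]))
    findings = []
    if unix_sync and ldap_sync:
        findings.append("conflict: 'unix password sync' and 'ldap passwd sync' are both enabled")
    if not unix_sync and ("passwdprogram" in g or "passwdchat" in g):
        findings.append("ignored: 'passwd program'/'passwd chat' have no effect while 'unix password sync' is off")
    return findings


# Constructed sample: a trimmed copy of the [global] section posted in the thread.
POSTED = """\
[global]
   workgroup = HOME
   security = user
   passdb backend = ldapsam:ldap://
   passwd program = /usr/local/sbin/smbldap-passwd -u %u
   unix password sync = yes
   ldap admin dn = cn=admin,o=dhp
   ldap passwd sync = yes
   ldap suffix = o=dhp
"""

# Constructed sample: the same section with the conflicting option turned off
# and the unused 'passwd program' line removed.
FIXED = """\
[global]
   workgroup = HOME
   security = user
   passdb backend = ldapsam:ldap://
   unix password sync = no
   ldap admin dn = cn=admin,o=dhp
   ldap passwd sync = yes
   ldap suffix = o=dhp
"""

if __name__ == "__main__":
    for label, conf in (("posted", POSTED), ("fixed", FIXED)):
        print(label, check_password_sync(conf) or ["ok"])
```

Run it against a real file with `check_password_sync(open("/etc/samba/smb.conf").read())`; the parser only looks at [global], so share sections are ignored. The defaults table is the one assumption worth double-checking on the target build, which is exactly what `testparm -v` reports.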
