[Samba] ldap password sync
Sean Elble
elbles at sessys.com
Wed Apr 11 01:57:07 GMT 2007
On 4/10/07 9:29 PM, "Edmundo Valle Neto" <edmundo.valle at terra.com.br> wrote:
> David.
>
> You appear to have two conflicting options set. I saw that you
> enabled the "ldap passwd sync", this is the right way to do this, samba
> will sync the password directly in ldap without any external command (at
> least I think it does that way).
>
Heh, I never even noticed that he had that option enabled in the first
place. Oops . . .
> But when you set "unix password sync" to yes, samba will try to use the
> specified "passwd program" using the specified "passwd chat" as root. I
> don't know exactly what happens in the samba code when the two are set
> to yes, in my tests (with the other options (unix pass sync, passwd
> program and chat) set as yours) windows clients refuse to change the
> password saying that they don't have the right to do that (heh, a very nice
> error message for someone to say to me that I need to fix my LDAP acls to
> solve that :) ).
>
I would think that one *COULD* use just the unix password sync and passwd
program parameters to change all the passwords, assuming the passwd program
had access to a DN with ACLs to change those parameters. BUT, LDAP passwd
sync is definitely the easiest/best option . . .
> If I remember right "unix password sync" is no by default (you can check
> this with "testparm -v | grep sync" when the option is not set), in
> this case, passwd program and chat are simply ignored, it doesn't make any
> difference what you put there.
>
> Just don't set "unix password sync" to yes at the same time as "ldap
> passwd sync".
Good advice - Wish I had noticed that in David's original post.
>
> Regards.
>
> Edmundo Valle Neto
>
>
> David Pinkerton wrote:
>> I'm trying to get ldap/unix password sync working.
>>
>> Using this config, packet traces show no requests to update userPassword
>> (only the samba passwords)
>>
>> Can someone see what I've done wrong?
>>
>>
>>
>> [global]
>> workgroup = HOME
>> netbios name = DHP
>>
>> security = user
>> encrypt passwords = yes
>> enable privileges = yes
>>
>> passdb backend = ldapsam:ldap://127.0.0.1
>> passwd program = /usr/local/sbin/smbldap-passwd -u %u
>> unix password sync = yes
>>
>> log file = /var/log/samba/%m.log
>> utmp = yes
>> max log size = 50
>> log level = 1
>> syslog = 0
>>
>> add user script = /usr/local/sbin/smbldap-useradd -m "%u"
>> add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
>>
>> add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
>>
>> add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
>> delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" "%g"
>> set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u"
>>
>> domain logons = yes
>> domain master = yes
>> os level = 65
>> preferred master = yes
>> wins support = yes
>>
>> ldap admin dn = cn=admin,o=dhp
>> ldap passwd sync = yes
>> ldap delete dn = yes
>> ldap suffix = o=dhp
>> ldap machine suffix = ou=machine
>> ldap user suffix = ou=staff
>> ldap group suffix = ou=group
>> ldap idmap suffix = ou=idmap
>> idmap uid = 10000-20000
>> idmap gid = 10000-20000
>>
>>
>>
>>
>>
>>
>>
>>
--
+-------------------------------------------------+
| Sean Elble |
| Virginia Tech, Class of 2008 |
| Vice President, VTLUUG |
| E-Mail: elbles at sessys.com |
| Web: http://www.sessys.com/~elbles/ |
| Cell: 860.946.9477 |
+-------------------------------------------------+
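Added example (not from the thread or from Samba): a small checker that parses the [global] section of an smb.conf and flags the combination Edmundo warns about, "unix password sync = yes" together with "ldap passwd sync = yes", and also notes when "passwd program" is set but ignored because "unix password sync" is off (its default). The sample config is constructed to mirror David's; parameter-name normalisation (case-insensitive, whitespace ignored) and the yes/true/1 boolean forms follow Samba's documented behaviour.

```python
"""Check an smb.conf [global] section for the password-sync conflict discussed in the thread."""
import re

# Constructed sample (mirrors the quoted config; not a real file on any host).
SAMPLE_SMB_CONF = """\
[global]
   workgroup = HOME
   passdb backend = ldapsam:ldap://127.0.0.1
   passwd program = /usr/local/sbin/smbldap-passwd -u %u
   unix password sync = yes
   ldap admin dn = cn=admin,o=dhp
   ldap passwd sync = yes
"""

def parse_global(text):
    """Return [global] parameters as a dict keyed by normalised name
    (Samba parameter names are case-insensitive and ignore whitespace)."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # comment lines
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[re.sub(r"\s+", "", key).lower()] = value.strip()
    return params

def as_bool(value, default=False):
    """Samba-style boolean: yes/true/1 or no/false/0, case-insensitive."""
    if value is None:
        return default
    v = value.strip().lower()
    if v in ("yes", "true", "1"):
        return True
    if v in ("no", "false", "0"):
        return False
    raise ValueError("not a boolean: %r" % value)

def check_password_sync(text):
    """Return a list of findings; an empty list means nothing to report."""
    p = parse_global(text)
    unix_sync = as_bool(p.get("unixpasswordsync"))   # Samba default: no
    ldap_sync = as_bool(p.get("ldappasswdsync"))     # Samba default: no
    findings = []
    if unix_sync and ldap_sync:
        findings.append("conflict: 'unix password sync' and 'ldap passwd sync' are both yes; "
                        "set 'unix password sync = no' and let Samba update userPassword itself")
    if not unix_sync and "passwdprogram" in p:
        findings.append("note: 'passwd program' is ignored while 'unix password sync' is no")
    return findings
```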