[Samba] ldap password sync

Edmundo Valle Neto edmundo.valle at terra.com.br
Wed Apr 11 02:14:02 GMT 2007


Sean Elble wrote:
> On 4/10/07 9:29 PM, "Edmundo Valle Neto" <edmundo.valle at terra.com.br> wrote:
>
>   
>> David.
>>
>> You appear to have two conflicting options set. I saw that you
>> enabled "ldap passwd sync", this is the right way to do this, samba
>> will sync the password directly in LDAP without any external command (at
>> least I think it does it that way).
>>
>>     
>
> Heh, I never even noticed that he had that option enabled in the first
> place. Oops . . .
>
>   
>> But when you set "unix password sync" to yes, samba will try to use the
>> specified "passwd program" using the specified "passwd chat" as root. I
>> don't know exactly what happens in the samba code when the two are set
>> to yes; in my tests (with the other options (unix pass sync, passwd
>> program and chat) set as yours) Windows clients refuse to change the
>> password, saying that they don't have the right to do that (heh, a very nice
>> error message to tell me that I need to fix my LDAP ACLs to
>> solve that :) ).
>>
>>     
>
> I would think that one *COULD* use just the unix password sync and passwd
> program parameters to change all the passwords, assuming the passwd program
> had access to a DN with ACLs to change those parameters. BUT, LDAP passwd
> sync is definitely the easiest/best option . . .
>   
Yes it could and probably works, but as the official IDEALX
documentation suggests:
http://sourceforge.net/docman/display_doc.php?docid=33543&group_id=166108

6.8  The directive passwd program = /usr/local/sbin/smbldap-passwd -u %u
is not called, or I get an error message when changing the password from
Windows
The directive is called if you also set unix password sync = Yes. Notes:

    * if you use OpenLDAP, none of those two options are needed. You 
just need ldap passwd sync = Yes.
    * the script called here must only update the userPassword
attribute. This is the reason for the -u option. Samba passwords will be
updated by samba itself.
    * the passwd chat directive must match what is prompted when using 
the smbldap-passwd command

So..., just -u to change only userPassword and a working passwd chat :)

And in: 8.1.3  The samba configuration file : /etc/samba/smb.conf

        #unix password sync = Yes
        #passwd program = /opt/IDEALX/sbin/smbldap-passwd -u %u
        #passwd chat = "Changing password for*\nNew password*" %n\n "*Retype new password*" %n\n"
        ldap passwd sync = Yes

One OR another.

>> If I remember right "unix password sync" is no by default (you can check
>> this with "testparm -v | grep sync" when the option is not set); in
>> this case, passwd program and chat are simply ignored, it doesn't make a
>> difference what you put there.
>>
>> Just don't set "unix password sync" to yes at the same time as "ldap
>> passwd sync".
>>     
>
> Good advice - Wish I had noticed that in David's original post.
>
>   
>> Regards.
>>
>> Edmundo Valle Neto
>>
>>
>> David Pinkerton escreveu:
>>     
>>> I'm trying to get ldap/unix password sync working.
>>>
>>> Using this config, packet traces show no requests to update userPassword
>>> (only the samba passwords)
>>>
>>> Can someone see what I've done wrong?
>>>
>>>
>>>
>>> [global]
>>>    workgroup = HOME
>>>    netbios name = DHP
>>>
>>>    security = user
>>>    encrypt passwords = yes
>>>    enable privileges = yes
>>>
>>>    passdb backend = ldapsam:ldap://127.0.0.1
>>>    passwd program = /usr/local/sbin/smbldap-passwd -u %u
>>>    unix password sync = yes
>>>
>>>    log file = /var/log/samba/%m.log
>>>    utmp = yes
>>>    max log size = 50
>>>    log level = 1
>>>    syslog = 0
>>>
>>>    add user script = /usr/local/sbin/smbldap-useradd -m "%u"
>>>    add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
>>>
>>>    add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
>>>
>>>    add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
>>>    delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" "%g"
>>>    set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u"
>>>
>>>    domain logons = yes
>>>    domain master = yes
>>>    os level = 65
>>>    preferred master = yes
>>>    wins support = yes
>>>
>>>    ldap admin dn = cn=admin,o=dhp
>>>    ldap passwd sync = yes
>>>    ldap delete dn = yes
>>>    ldap suffix = o=dhp
>>>    ldap machine suffix = ou=machine
>>>    ldap user suffix = ou=staff
>>>    ldap group suffix = ou=group
>>>    ldap idmap suffix = ou=idmap
>>>    idmap uid = 10000-20000
>>>    idmap gid = 10000-20000
>>>
>>>
>>>
>>>
>>>
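As an added example (not from the thread or the IDEALX documentation), a POSIX shell check that flags an smb.conf whose [global] section enables both "unix password sync" and "ldap passwd sync", the conflict discussed above. It assumes awk and mktemp are available; the sample config is constructed from the [global] section in David's post, and the value "only" for ldap passwd sync is treated as enabled.

```shell
#!/bin/sh
# Return 0 when at most one of the two password sync methods is enabled in
# [global], 1 when both are. Samba parameter names are case-insensitive and
# ignore internal whitespace, and lines starting with ';' or '#' are
# comments, so keys and values are normalised before comparison.
check_pw_sync_conflict() {
    awk '
        { gsub(/^[ \t]+|[ \t]+$/, "") }                 # trim the line
        /^[;#]/ || /^$/ { next }                        # comment or blank
        /^\[/ { in_global = (tolower($0) == "[global]"); next }
        in_global && /=/ {
            eq  = index($0, "=")
            key = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", key)
            val = tolower(substr($0, eq + 1));    gsub(/^[ \t]+|[ \t]+$/, "", val)
            on  = (val == "yes" || val == "true" || val == "1")
            if (key == "unixpasswordsync") unix_sync = on
            if (key == "ldappasswdsync")   ldap_sync = (on || val == "only")
        }
        END { exit (unix_sync && ldap_sync) ? 1 : 0 }
    ' "$1"
}

# Constructed sample based on the [global] section from the thread; the
# two sync values are parameters so both the broken and the fixed variant
# can be generated. The ';' line is a comment and must be ignored.
sample_conf() {
    cat <<EOF
[global]
   workgroup = HOME
   security = user
   passdb backend = ldapsam:ldap://127.0.0.1
   passwd program = /usr/local/sbin/smbldap-passwd -u %u
   ;unix password sync = yes
   Unix Password Sync = $1
   ldap admin dn = cn=admin,o=dhp
   ldap passwd sync = $2
EOF
}

# Stand-alone demo: the configuration from the original post, both enabled.
conf=$(mktemp)
sample_conf yes yes > "$conf"
if check_pw_sync_conflict "$conf"; then
    echo "ok: at most one password sync method is enabled"
else
    echo "conflict: disable 'unix password sync' or 'ldap passwd sync'"
fi
rm -f "$conf"
```

Pointing the check at a real smb.conf (or at the output of `testparm -s`) gives the same yes/no answer the thread arrives at by hand.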