[Samba] ldap password sync
Edmundo Valle Neto
edmundo.valle at terra.com.br
Wed Apr 11 02:14:02 GMT 2007
Sean Elble wrote:
> On 4/10/07 9:29 PM, "Edmundo Valle Neto" <edmundo.valle at terra.com.br> wrote:
>> You appear to have two conflicting options set. I saw that you
>> enabled "ldap passwd sync"; this is the right way to do this, samba
>> will sync the password directly in ldap without any external command (at
>> least I think it does it that way).
> Heh, I never even noticed that he had that option enabled in the first
> place. Oops . . .
>> But when you set "unix password sync" to yes, samba will try to use the
>> specified "passwd program" using the specified "passwd chat" as root. I
>> don't know exactly what happens in the samba code when the two are set
>> to yes; in my tests (with the other options (unix pass sync, passwd
>> program and chat) set as yours) windows clients refuse to change the
>> password, saying that they don't have the right to do that (heh, a very nice
>> error message to tell me that I need to fix my LDAP acls to
>> solve that :) ).
> I would think that one *COULD* use just the unix password sync and passwd
> program parameters to change all the passwords, assuming the passwd program
> had access to a DN with ACLs to change those parameters. BUT, LDAP passwd
> sync is definitely the easiest/best option . . .
Yes, it could and probably works, but as the official IDEALX
6.8 The directive passwd program = /usr/local/sbin/smbldap-passwd -u %u
is not called, or I got an error message when changing the password from
The directive is called if you also set unix password sync = Yes. Notes:
* if you use OpenLDAP, none of those two options are needed. You
just need ldap passwd sync = Yes.
* the script called here must only update the userPassword
attribute. This is the reason for the -u option. Samba passwords will be
updated by samba itself.
* the passwd chat directive must match what is prompted when using
the smbldap-passwd command
So..., just -u to change only userPassword and a working passwd chat :)
And in: 8.1.3 The samba configuration file : /etc/samba/smb.conf
#unix password sync = Yes
#passwd program = /opt/IDEALX/sbin/smbldap-passwd -u %u
#passwd chat = "Changing password for*\nNew password*" %n\n "*Retype new password*" %n\n"
ldap passwd sync = Yes
One OR another.
>> If I remember right, "unix password sync" is no by default (you can check
>> this with "testparm -v | grep sync" when the option is not set); in
>> this case, passwd program and chat are simply ignored, it doesn't make a
>> difference what you put there.
>> Just don't set "unix password sync" to yes at the same time as "ldap
>> passwd sync".
> Good advice - Wish I had noticed that in David's original post.
>> Edmundo Valle Neto
>> David Pinkerton wrote:
>>> I'm trying to get ldap/unix password sync working.
>>> Using this config, packet traces show no requests to update userPassword
>>> (only the samba passwords)
>>> Can someone see what I've done wrong?
>>> workgroup = HOME
>>> netbios name = DHP
>>> security = user
>>> encrypt passwords = yes
>>> enable privileges = yes
>>> passdb backend = ldapsam:ldap://127.0.0.1
>>> passwd program = /usr/local/sbin/smbldap-passwd -u %u
>>> unix password sync = yes
>>> log file = /var/log/samba/%m.log
>>> utmp = yes
>>> max log size = 50
>>> log level = 1
>>> syslog = 0
>>> add user script = /usr/local/sbin/smbldap-useradd -m "%u"
>>> add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
>>> add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
>>> add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
>>> delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u"
>>> set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u"
>>> domain logons = yes
>>> domain master = yes
>>> os level = 65
>>> preferred master = yes
>>> wins support = yes
>>> ldap admin dn = cn=admin,o=dhp
>>> ldap passwd sync = yes
>>> ldap delete dn = yes
>>> ldap suffix = o=dhp
>>> ldap machine suffix = ou=machine
>>> ldap user suffix = ou=staff
>>> ldap group suffix = ou=group
>>> ldap idmap suffix = ou=idmap
>>> idmap uid = 10000-20000
>>> idmap gid = 10000-20000
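The conflict discussed in this thread (both "unix password sync" and "ldap passwd sync" switched on, so Samba writes userPassword itself and also runs "passwd program") is easy to miss in a long smb.conf. The script below is an added example, not code from the thread, from Samba or from the IDEALX smbldap-tools: it reads the [global] section of an smb.conf (or the output of "testparm -s"), normalises parameter names the way Samba does (case and whitespace ignored) and reports which password-update path will be taken. The defaults it assumes when a parameter is absent are the Samba 3 ones visible with "testparm -v": unix password sync = No, ldap passwd sync = No and an empty passwd program. The sample configs at the bottom are constructed from the lines posted above.

```shell
#!/bin/sh
# Added example (not from the thread, Samba or smbldap-tools): report which
# password-sync path an smb.conf [global] section selects and flag the
# "unix password sync = yes" + "ldap passwd sync = yes" combination.

# get_param CONF_TEXT NAME: print the value of the last occurrence of NAME in
# [global] (parameters before any section header are treated as global).
# Samba compares parameter names ignoring case and whitespace, so both the
# wanted name and each key found are normalised the same way.
get_param() {
    printf '%s\n' "$1" | awk -v want="$2" '
        BEGIN { gsub(/[ \t]/, "", want); want = tolower(want); sect = "global" }
        /^[ \t]*[;#]/ { next }                                   # comment line
        /^[ \t]*\[/ { sect = $0; gsub(/[][ \t]/, "", sect); sect = tolower(sect); next }
        sect == "global" && index($0, "=") {
            eq  = index($0, "=")
            key = substr($0, 1, eq - 1); gsub(/[ \t]/, "", key); key = tolower(key)
            val = substr($0, eq + 1);    gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == want) found = val
        }
        END { print found }'
}

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# Samba boolean syntax: yes/true/1 are on, everything else is off.
is_true() {
    case "$(lower "$1")" in yes|true|1) return 0 ;; *) return 1 ;; esac
}

# check_passwd_sync CONF_TEXT: print one of
#   CONFLICT    both mechanisms enabled (the situation in the thread)
#   LDAP        Samba updates userPassword itself; passwd program/chat ignored
#   UNIX        Samba runs "passwd program" as root driven by "passwd chat"
#   UNIX-NOPROG unix password sync on but no passwd program configured
#   NONE        only the Samba (NT/LM) hashes are ever updated
check_passwd_sync() {
    ldap=$(lower "$(get_param "$1" "ldap passwd sync")")
    unix=$(get_param "$1" "unix password sync")
    prog=$(get_param "$1" "passwd program")
    [ -z "$ldap" ] && ldap=no          # assumed default (testparm -v)
    [ -z "$unix" ] && unix=no          # assumed default (testparm -v)
    # "ldap passwd sync = only" also makes Samba write userPassword itself.
    if is_true "$ldap" || [ "$ldap" = only ]; then ldap_on=yes; else ldap_on=no; fi
    if is_true "$unix"; then unix_on=yes; else unix_on=no; fi

    if [ "$ldap_on" = yes ] && [ "$unix_on" = yes ]; then
        echo CONFLICT
    elif [ "$ldap_on" = yes ]; then
        echo LDAP
    elif [ "$unix_on" = yes ]; then
        if [ -n "$prog" ]; then echo UNIX; else echo UNIX-NOPROG; fi
    else
        echo NONE
    fi
}

# Constructed sample: the relevant lines from the config posted in the thread.
POSTED='[global]
   passdb backend = ldapsam:ldap://127.0.0.1
   passwd program = /usr/local/sbin/smbldap-passwd -u %u
   unix password sync = yes
   ldap passwd sync = yes'

# Constructed sample: the same config with the conflict removed, as the
# IDEALX smb.conf example does (one mechanism OR the other).
FIXED='[global]
   passdb backend = ldapsam:ldap://127.0.0.1
   #passwd program = /usr/local/sbin/smbldap-passwd -u %u
   #unix password sync = yes
   ldap passwd sync = yes'

echo "posted: $(check_passwd_sync "$POSTED")"   # CONFLICT
echo "fixed:  $(check_passwd_sync "$FIXED")"    # LDAP
```

To check a live server rather than a pasted snippet, feed it the fully expanded configuration: `check_passwd_sync "$(testparm -s /etc/samba/smb.conf 2>/dev/null)"`. Because the parser applies the documented defaults, a config that never mentions "unix password sync" but still carries "passwd program" and "passwd chat" lines is reported as LDAP or NONE, which is exactly the "simply ignored" case described in the message.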