[Samba] NT/LM Samba passwords and userPassword sync

Marcin Giedz giedz at arise.pl
Mon May 7 06:17:14 GMT 2007


Hello,

Perhaps this post is not directly connected with Samba itself but after 
I saw that Samba uses EXOP for LDAP password changing I decided to write 
it to this list as well. Here is what I'd like to do:
1) I use openldap-2.3.35 for Samba auth mechanism
2) additionally I use openldap for any other auths I have in my subnet - 
exim, imap, svn, linux-login, etc...

In the case of Samba the NT/LM passwords play a major role; for the others I use 
userPassword. However, userPassword (posixAccount) shows up in different 
places, not only once:


ldapsearch -x -LLL uid=giedz

----------------

dn: uid=giedz,ou=people,dc=xxxx,dc=pl
uid: giedz
.....
objectClass: sambaSamAccount
....
sambaLMPassword: 598DDCE2660D3193AAD3B435B51404EE
sambaNTPassword: 2D20D252A479F485CDF5E171D93985BF
....
userPassword:: e01ENX0yRmVPMzRSWXpnYjd4YnQycFl4Y3BBPT0=

---------------------

dn: mail=giedz at xxxx.com,ou=domains,dc=xxxx,dc=pl
mail: giedz at xxxx.com
......
userPassword:: e01ENX0yRmVPMzRSWXpnYjd4YnQycFl4Y3BBPT0=

-----------------

dn: mail=giedz at xxxxx.com.pl,ou=domains,dc=xxxxx,dc=pl
.....
userPassword:: e01ENX0yRmVPMzRSWXpnYjd4YnQycFl4Y3BBPT0=


I want to give my users the ability to change their passwords by themselves.
But I need to sync all passwords for particular user. I mean when user 
changes his/her password from windows via Samba (ldap passwd sync = yes) 
the LM/NT and all userPassword are being changed respectively (regarding 
the particular dn=giedz,ou=people,dc=xxx,dc=pl), right?

The same when "passwd" command is involved - when user uses it, this 
means all passwords are changed (windows + all userPassword).

I heard about smbk5pwd but I don't use Kerberos and I don't think it's 
suitable for my need, isn't it?

So in this case do you have any idea what I should do? Of course I could 
use an external script to change userPassword everywhere, but since EXOP 
exists I thought it's much wiser to use a native feature rather than an 
external solution.


Regards,
Marcin

-- 
ARISE M.Giedz, T.Żebruń Sp.j.
http: www.arise.pl
mail: giedz at arise.pl
tel: +48 502 537 157
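
An added example, not part of the original post: whichever sync mechanism is chosen, an administrator can check its result by parsing the `ldapsearch -LLL` output, grouping entries per account, and reporting whether every `userPassword` copy agrees. The function names, the sample LDIF and the rule for deriving the account name from the first RDN are assumptions made for this illustration.

```python
import base64
from collections import defaultdict

def _b64(s):
    return base64.b64encode(s.encode()).decode()

# Constructed sample shaped like the ldapsearch output above; all values are made up.
OLD, NEW = _b64("{MD5}constructed-old-value"), _b64("{SSHA}constructed-new-value")
SAMPLE_LDIF = f"""\
dn: uid=alice,ou=people,dc=example,dc=org
userPassword:: {NEW}

dn: mail=alice@example.org,ou=domains,dc=example,dc=org
userPassword:: {OLD}

dn: mail=alice@example.net,ou=domains,dc=example,dc=org
userPassword:: {OLD}
"""

def parse_ldif(text):
    """Return one {attr: [values]} dict per entry, decoding 'attr:: base64' values."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = defaultdict(list)
        for line in block.replace("\n ", "").splitlines():  # unfold continuation lines
            attr, sep, value = line.partition(":")
            if value.startswith(":"):  # '::' marks a base64-encoded value
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            if sep:
                entry[attr.lower()].append(value.strip())
        entries.append(entry)
    return entries

def owner(dn):
    # Assumption: the first RDN is uid=<name> or mail=<name>@<domain>, as in the post.
    return dn.split(",")[0].partition("=")[2].split("@")[0]

def scheme(pw):
    return pw[1:].partition("}")[0] if pw.startswith("{") and "}" in pw else "cleartext"

def audit(text):
    """Per account: DNs holding a userPassword, schemes in use, and whether values match."""
    groups = defaultdict(list)
    for e in parse_ldif(text):
        if e.get("dn") and e.get("userpassword"):
            groups[owner(e["dn"][0])].append((e["dn"][0], e["userpassword"][0]))
    # Equal values mean one stored hash was copied to every entry; entries hashed
    # separately with a salted scheme differ even when the password is the same.
    return {who: {"dns": [dn for dn, _ in items],
                  "schemes": sorted({scheme(pw) for _, pw in items}),
                  "in_sync": len({pw for _, pw in items}) == 1}
            for who, items in groups.items()}
```

On the constructed sample, `audit(SAMPLE_LDIF)` reports the account as out of sync: the `ou=people` entry carries a new value while both `mail=` entries still hold the old one.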