[Samba] NT/LM Samba passwords and userPassword sync

Marcin Giedz giedz at arise.pl
Mon May 7 06:17:14 GMT 2007


Perhaps this post is not directly connected with Samba itself but after 
I saw that Samba uses EXOP for LDAP password changing I decided to write 
it to this list as well. Here is what I'd like to do:
1) I use openldap-2.3.35 for Samba auth mechanism
2) additionally I use openldap for any other auths I have in my subnet - 
exim, imap, svn, linux-login, etc...

In case of Samba the NT/LM passwords play major role, for others I use 
userPassword. However userPassword (posixAccount) shows up in different 
places not only once:

ldapsearch -x -LLL uid=giedz


dn: uid=giedz,ou=people,dc=xxxx,dc=pl
uid: giedz
objectClass: sambaSamAccount
sambaLMPassword: 598DDCE2660D3193AAD3B435B51404EE
sambaNTPassword: 2D20D252A479F485CDF5E171D93985BF
userPassword:: e01ENX0yRmVPMzRSWXpnYjd4YnQycFl4Y3BBPT0=


dn: mail=giedz at xxxx.com,ou=domains,dc=xxxx,dc=pl
mail: giedz at xxxx.com
userPassword:: e01ENX0yRmVPMzRSWXpnYjd4YnQycFl4Y3BBPT0=


dn: mail=giedz at xxxxx.com.pl,ou=domains,dc=xxxxx,dc=pl
userPassword:: e01ENX0yRmVPMzRSWXpnYjd4YnQycFl4Y3BBPT0=

I want to give my users ability to change their passwords by themselfs.
But I need to sync all passwords for particular user. I mean when user 
changes his/her password from windows via Samba (ldap passwd sync = yes) 
the LM/NT and all userPassword are being changed respectively (regarding 
the particular dn=giedz,ou=people,dc=xxx,dc=pl), right?

The same when "passwd" command is involved - when user uses it, this 
means all passwords are changed (windows + all userPassword).

I heard about smb5kpwd but I don't use Kerberos and I don't think it's 
suitable for my need, isn't it?

So in this case do you have any idea what should I do? Of course I could 
you external script to change userPassword everywhere, but since EXOP 
exists I thought it's much wiser to use native feature rather than 
external solution.


ARISE M.Giedz, T.Żebruń Sp.j.
http: www.arise.pl
mail: giedz at arise.pl
tel: +48 502 537 157

More information about the samba mailing list