[Samba] After migrating users to ldap, passwords still stored in passdb.tdb

Gaiseric Vandal gaiseric.vandal at gmail.com
Fri Oct 9 14:48:59 MDT 2009

Apparently I forgot to restart samba after making the backend change.

Also, the pdbedit command did not import samba info for all accounts.
Which means that after I restarted samba some people (and machines)
could not login.   However, I could use "pdbedit -Lv" and "pdbedit -Lw"
in conjunction with the old smb.conf file to extract the user SID and
NT password entries.

On Tue, Sep 22, 2009 at 8:59 PM, Gaiseric Vandal
<gaiseric.vandal at gmail.com> wrote:
> I am running Samba ver 3.0.33 on Solaris 10 (sparc.)   Initially I had
> the server configured as a domain controller with the "passdb backend
> = tdbsam" option.  The underlying unix accounts were stored in LDAP
> (Sun Directory Server.)   Those accounts are also used for non-Samba
> services.
> Since I have domain trusts with NT domains, I am using winbind and
> idmapping.  The idmap data was also stored in ldap (under
> ou=idmap,ou=mydomain.com.)
> Since I wanted to eventually add a BDC controller I changed
> my PDC configuration to use LDAP backend with the following steps:
>   - Tried running "pdbedit -e ldapsam:ldap://ldap1.mydomain.com" -
> but that didn't seem to work.
>   - Used "pdbedit -L -w" to dump the NT account info to a text file
>   - Ran some custom perl scripts to read that file and
> add/modify samba attributes (including sambaLMPassword,
> sambaNTPassword, objectClass=NTUser, sambaSID) to my ldap accounts.
>   - The SambaSID value for the LDAP account was copied from the
> output of "wbinfo -n username"
>   - Set the ldap admin passwd with "smbpasswd -w thepassword"
>   - Changed smb.conf to use ldap as the backend
> smb.conf includes
>      passdb backend = ldapsam:ldap://ldap1.mydomain.com
>      ldap suffix=o=mydomain.com
>      ldap user suffix=ou=people
>      ldap group suffix=ou=smb_groups
>      ldap machine suffix=ou=machines
>      ldap admin dn="cn=Directory Manager"
>      ldap ssl = no
>      ldap passwd sync = no
>      ldap idmap suffix=ou=idmap
> If I use pdbedit to add or delete a samba user, it will appropriately
> add or remove samba attributes to the existing ldap account.  (It
> won't actually create or delete the accounts.)      And it does look
> like it tries to set the SambaNTPassword and SambaLMPassword fields.
> However, when I try to login, I can not login until I reset the
> password with smbpasswd.   And when I change the password with
> smbpasswd it does not update the ldap fields.      I am not sure
> what is getting updated.
> The /etc/samba/private/passdb.tdb  file -  which I would expect to
> never change-  shows that it was modified last at 10 am this morning.
>  Even though the last password change was at 3 pm this afternoon.
> ls -  /etc/samba/private/passdb.tdb
> Sep 22 10:10 passdb.tdb
> I had unix password sync enabled in smb.conf so that when users
> changed password with smbpasswd, it would also change the ldap
> password.    And this did work-  at least from the user perspective-
> both the "Samba/Windows" and "LDAP/UNIX" password would change.
> Although where the Samba password was being changed I am not sure.
>  If I turn it off, it looks like smbpasswd will update the
> SambaNTPassword field in ldap.     So is Samba caching the password
> changes somewhere locally if it can't update the SambaNTPassword in
> ldap?    Even prior to the LDAP switch over, it seemed that the date
> stamp on passdb.tdb didn't update when I changed passwords.
> Thanks
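The dump-and-update step from the quoted message (dump with "pdbedit -L -w", then add Samba attributes to the existing LDAP accounts) as an added example; this is not code from the thread or from Samba, and the Perl scripts the poster mentions are not shown there. It assumes the Samba 3 sambaSamAccount schema and the ou=people / ou=machines suffixes quoted in the smb.conf above; the sample dump lines, hashes and SIDs are constructed placeholders.

```python
import re

# Constructed sample of `pdbedit -L -w` output; the hashes are fake placeholders.
# Format per line: user:uid:LM-hash:NT-hash:[flags]:LCT-<hex seconds>:
PDBEDIT_LW = """\
alice:1001:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:0123456789ABCDEF0123456789ABCDEF:[U          ]:LCT-4AB9A3C2:
ws01$:1101:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:FEDCBA9876543210FEDCBA9876543210:[W          ]:LCT-4AB8B7F0:
"""

# Constructed user -> SID map (the poster copied SIDs from `wbinfo -n <user>` output).
SIDS = {
    "alice": "S-1-5-21-1111111111-2222222222-3333333333-1001",
    "ws01$": "S-1-5-21-1111111111-2222222222-3333333333-1101",
}

def parse_pdbedit_lw(text):
    """Parse smbpasswd-format lines into dicts; rejects malformed lines."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 6:
            raise ValueError("malformed smbpasswd line: %r" % line)
        user, uid, lm, nt, flags, lct = fields[:6]
        m = re.fullmatch(r"LCT-([0-9A-Fa-f]{8})", lct)
        entries.append({"user": user, "uid": int(uid), "lm": lm, "nt": nt,
                        "flags": flags, "last_set": int(m.group(1), 16) if m else 0})
    return entries

def to_ldif(entry, sid, base="o=mydomain.com"):
    """Emit an LDIF modify that adds sambaSamAccount attributes to an existing
    account.  Machine accounts (flag W) go under ou=machines, users under
    ou=people, matching the smb.conf suffixes quoted in the thread."""
    ou = "ou=machines" if "W" in entry["flags"] else "ou=people"
    attrs = [("objectClass", "sambaSamAccount"), ("sambaSID", sid),
             ("sambaAcctFlags", entry["flags"]),
             ("sambaPwdLastSet", str(entry["last_set"]))]
    # All-'X' or "NO PASSWORD" means no hash is stored: omit the attribute
    # instead of writing a value that can never match at logon.
    for attr, value in (("sambaLMPassword", entry["lm"]), ("sambaNTPassword", entry["nt"])):
        if value.strip("Xx") and not value.startswith("NO PASSWORD"):
            attrs.append((attr, value))
    body = "\n-\n".join("add: %s\n%s: %s" % (a, a, v) for a, v in attrs)
    return "dn: uid=%s,%s,%s\nchangetype: modify\n%s\n" % (entry["user"], ou, base, body)

def convert(text=PDBEDIT_LW, sids=SIDS):
    """Return one LDIF document covering every dumped account with a known SID."""
    return "\n".join(to_ldif(e, sids[e["user"]]) for e in parse_pdbedit_lw(text)
                     if e["user"] in sids)
```

After applying the LDIF with ldapmodify, check every account it produced against "pdbedit -Lv" on the new backend before restarting smbd, so accounts skipped by the import (the failure described in the reply) are caught first.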
