[Samba] After migrating users to ldap, passwords still stored in passdb.tdb
gaiseric.vandal at gmail.com
Fri Oct 9 14:48:59 MDT 2009
Apparently I forgot to restart samba after making the backend change.
Also, the pdbedit command did not import samba info for all accounts.
Which means that after I restarted samba some people (and machines)
could not log in. However, I could use "pdbedit -Lv" and "pdbedit -Lw"
in conjunction with the old smb.conf file to extract the user SID an
On Tue, Sep 22, 2009 at 8:59 PM, Gaiseric Vandal
<gaiseric.vandal at gmail.com> wrote:
> I am running Samba ver 3.0.33 on Solaris 10 (sparc.) Initially I had
> the server configured as a domain controller with the "passdb backend
> = tdbsam" option. The underlying unix accounts were stored in LDAP
> (Sun Directory Server.) Those accounts are also used for non-Samba
> Since I have domain trusts with NT domains, I am using winbind and
> idmapping. The idmap data was also stored in ldap (under
> Since I wanted to eventually add a BDC, I changed
> my PDC configuration to use LDAP backend with the following steps:
> Tried running "pdbedit -e ldapsam:ldap://ldap1.mydomain.com " -
> but that didn't seem to work.
> Used "pdbedit -L -w" to dump the NT account info to a text file
> Ran some custom perl scripts to read that file and update
> add/modify samba attributes (including sambaLMPassword,
> sambaNTPassword, objectClass=NTUser, sambaSID) to my ldap accounts.
> The SambaSID value for the LDAP account was copied from the
> output of "wbinfo -n username"
> Set the ldap admin passwd with "smbpasswd -w thepassword"
> Changed smb.conf to use ldap as the backend
> smb.conf includes
> passdb backend = ldapsam:ldap://ldap1.mydomain.com
> ldap suffix=o=mydomain.com
> ldap user suffix=ou=people
> ldap group suffix=ou=smb_groups
> ldap machine suffix=ou=machines
> ldap admin dn="cn=Directory Manager"
> ldap ssl = no
> ldap passwd sync = no
> ldap idmap suffix=ou=idmap
> If I use pdbedit to add or delete a samba user, it will appropriately
> add or remove samba attributes to the existing ldap account. (It
> won't actually create or delete the accounts.) And it does look
> like it tries to set the SambaNTPassword and SambaLMPassword fields.
> However, when I try to login, I can not login until I reset the
> password with smbpasswd. And when I change the password with
> smbpasswd it does not update the ldap fields. I am not sure
> what is getting updated.
> The /etc/samba/private/passdb.tdb file - which I would expect to
> never change- shows that it was modified last at 10 am this morning.
> Even though the last password change was at 3 pm this afternoon.
> ls -l /etc/samba/private/passdb.tdb
> Sep 22 10:10 passdb.tdb
> I had unix password sync enabled in smb.conf so that when users
> changed their password with smbpasswd, it would also change the ldap
> password. And this did work- at least from the user perspective-
> both the "Samba/Windows" and "LDAP/UNIX" password would change.
> Although where the Samba password was being changed, I am not sure.
> If I turn it off, it looks like smbpasswd will update the
> SambaNTPassword field in ldap. So is Samba caching the password
> changes somewhere locally if it can't update the SambaNTPassword in
> ldap? Even prior to the LDAP switch over, it seemed that the date
> stamp on passdb.tdb didn't update when I changed passwords.