[Samba] After migrating users to ldap, passwords still stored in passdb.tdb

Gaiseric Vandal gaiseric.vandal at gmail.com
Tue Sep 22 18:59:34 MDT 2009

I am running Samba ver 3.0.33 on Solaris 10 (sparc.)   Initially I had
the server configured as a domain controller with the "passdb backend
= tdbsam" option.  The underlying unix accounts were stored in LDAP
(Sun Directory Server.)   Those accounts are also used for non-Samba

Since I have domain trusts with NT domains, I am using winbind and
idmapping.  The idmap data was also stored in ldap (under

Since I wanted to eventually add a BDC controller I changed
my PDC configuration to use LDAP backend with the following steps:

   Tried running "pdbedit -e ldapsam:ldap://ldap1.mydomain.com" -
     but that didn't seem to work.

   Used "pdbedit -L -w" to dump the NT account info to a text file
   Ran some custom perl scripts to read that file and
     add/modify samba attributes (including sambaLMPassword,
     sambaNTPassword, objectClass=NTUser, sambaSID) to my ldap accounts.
   The SambaSID value for the LDAP account was copied from the
     output of "wbinfo -n username"
   Set the ldap admin passwd with "smbpasswd -w thepassword"
   Changed smb.conf to use ldap as the backend

smb.conf includes

      passdb backend = ldapsam:ldap://ldap1.mydomain.com
      ldap suffix=o=mydomain.com
      ldap user suffix=ou=people
      ldap group suffix=ou=smb_groups
      ldap machine suffix=ou=machines
      ldap admin dn="cn=Directory Manager"
      ldap ssl = no
      ldap passwd sync = no
      ldap idmap suffix=ou=idmap

If I use pdbedit to add or delete a samba user, it will appropriately
add or remove samba attributes to the existing ldap account.  (It
won't actually create or delete the accounts.)      And it does look
like it tries to set the SambaNTPassword and SambaLMPassword fields.
However, when I try to log in, I cannot log in until I reset the
password with smbpasswd.   And when I change the password with
smbpasswd it does not update the ldap fields.      I am not sure
what is getting updated.

The /etc/samba/private/passdb.tdb  file -  which I would expect to
never change -  shows that it was modified last at 10 am this morning,
even though the last password change was at 3 pm this afternoon.

ls -  /etc/samba/private/passdb.tdb
Sep 22 10:10 passdb.tdb

I had unix password sync enabled in smb.conf so that when users
changed their password with smbpasswd, it would also change the ldap
password.    And this did work -  at least from the user perspective -
both the "Samba/Windows" and "LDAP/UNIX" password would change.
Although where the Samba password was being changed I am not sure.

 If I turn it off, it looks like smbpasswd will update the
SambaNTPassword field in ldap.     So is Samba caching the password
changes somewhere locally if it can't update the SambaNTPassword in
ldap?    Even prior to the LDAP switch over, it seemed that the date
stamp on passdb.tdb didn't update when I changed passwords.
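
The dump-and-convert step described in the post (reading "pdbedit -L -w" output and writing Samba attributes onto existing LDAP entries), shown as an added example that is not part of the original message and is not the poster's Perl script. It assumes entries are named uid=<name> under the suffixes from the posted smb.conf, uses the Samba 3 schema's sambaSamAccount object class, and runs on constructed accounts, hashes and SIDs.

```python
import re

# Suffixes are from the posted smb.conf; uid= naming and all sample data are assumed.
BASE, USERS, MACHINES = "o=mydomain.com", "ou=people", "ou=machines"
HEX32 = re.compile(r"[0-9A-Fa-f]{32}")

SAMPLE_DUMP = """\
alice:1001:0123456789ABCDEF0123456789ABCDEF:FEDCBA9876543210FEDCBA9876543210:[U          ]:LCT-4AB96F16:
bob:1002:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:00112233445566778899AABBCCDDEEFF:[U          ]:LCT-4AB96F16:
ws01$:1003:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:8899AABBCCDDEEFF0011223344556677:[W          ]:LCT-4AB96F16:
carol:1004:0123456789ABCDEF0123456789ABCDEF:FEDCBA9876543210FEDCBA9876543210:[U          ]:LCT-4AB96F16:
"""
# Constructed SIDs standing in for "wbinfo -n username" output; carol has none.
SAMPLE_SIDS = {"alice": "S-1-5-21-1-2-3-3002", "bob": "S-1-5-21-1-2-3-3004",
               "ws01$": "S-1-5-21-1-2-3-3006"}

def parse_line(line):
    """Parse one smbpasswd-format line; return None for anything else."""
    parts = line.strip().split(":")
    if len(parts) < 6 or not (parts[4].startswith("[") and parts[4].endswith("]")):
        return None
    name, _uid, lm, nt, flags, lct = parts[:6]
    return {"name": name, "flags": flags,
            # Placeholders ("NO PASSWORD...", all X) are not 32 hex digits.
            "lm": lm.upper() if HEX32.fullmatch(lm) else None,
            "nt": nt.upper() if HEX32.fullmatch(nt) else None,
            # LCT-<hex> is the last password change, seconds since the epoch.
            "last_set": int(lct[4:], 16) if lct.startswith("LCT-") else None}

def to_ldif(acct, sid):
    """LDIF modify record that adds Samba attributes to an existing entry."""
    ou = MACHINES if acct["name"].endswith("$") else USERS
    out = [f"dn: uid={acct['name']},{ou},{BASE}", "changetype: modify",
           "add: objectClass", "objectClass: sambaSamAccount"]
    for key, val in (("sambaSID", sid), ("sambaAcctFlags", acct["flags"]),
                     ("sambaLMPassword", acct["lm"]), ("sambaNTPassword", acct["nt"]),
                     ("sambaPwdLastSet", acct["last_set"])):
        if val is not None:
            out += ["-", f"replace: {key}", f"{key}: {val}"]
    return "\n".join(out) + "\n"

def convert(dump, sids):
    """Return (ldif_text, skipped_names); accounts without a SID are skipped."""
    accts = [a for a in map(parse_line, dump.splitlines()) if a]
    skipped = [a["name"] for a in accts if a["name"] not in sids]
    ldif = "\n".join(to_ldif(a, sids[a["name"]]) for a in accts if a["name"] in sids)
    return ldif, skipped

if __name__ == "__main__":
    print(*convert(SAMPLE_DUMP, SAMPLE_SIDS), sep="\n# skipped (no SID): ")
```

The records are in the form ldapmodify reads; the "add: objectClass" change is rejected for an entry that already carries sambaSamAccount.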

