[Samba] Samba/Unix password sync with LDAP backend
Gaiseric Vandal
gaiseric.vandal at gmail.com
Mon Mar 15 10:27:46 MDT 2010
On 03/14/2010 04:07 PM, Miguel Medalha wrote:
> I have been using Samba+Linux+openLDAP. The password synchronization
> between the Samba and Unix accounts works well with the use of the
> "ldap passwd sync" parameter in smb.conf.
>
> Now I am in the process of installing my first server using CentOS/Red
> Hat/389 Directory Server and this does not work in the same way. It
> seems that some additional software must be installed in each Windows
> client machine in order to enable password sync.
>
> I noticed that it is possible to include the "nss_map_attribute"
> option in /etc/ldap.conf.
> Would it be possible to map the "userPassword" attribute to the
> "sambaNTPassword" attribute in order to have both password requests
> pointing to a single place?
>
> Of course I can experiment with this, but I thought that perhaps
> someone here has already some acquired knowledge on this...
>
> Thank you!
I am using Sun Directory Server. I believe that both the Sun Directory
server and the RedHat/Fedora directory server are forks of the earlier
Iplanet/Netscape directory server. The samba servers are running on
Solaris. With a local (non-ldap) password, root can easily use the
passwd command to change a user's password, since entering the old
password is not required. But with ldap accounts this doesn't work- if
root tries to change another user's password with "passwd -r ldap", the
old password is required. Instead you need to use the "ldapasswd"
command and authenticate as a user with the appropriate ldap
administrative powers.
my smb.conf includes
passwd program = /etc/samba/smbldappasswd.sh %u
passwd chat =*New* %n\n *changed*
unix password sync = yes
#cat /etc/samba/smbldappasswd.sh
#!/bin/bash
USER="uid="$1",ou=people,o=mydomain.com"
echo -n New password:
read NEWPASS
#uncomment the following 3 lines for diagnostics only
#date >> /etc/samba/smbldappasswd.log
#echo $USER >> /etc/samba/smbldappasswd.log
#echo $NEWPASS >> /etc/samba/smbldappasswd.log
/opt/SUNWdsee/dsee6/bin/ldappasswd -h obelix -D "LDAP Admin" -w
ldap_admin_password -v -s $NEWPASS $USER
The script is owned by root, with perms 700. I really did not like
putting a password in a script but couldn't find away around it.
The other approach I had tried, with out luck, was trying to pass old
password (%o) to the "passwd -r" command. I don't think the old
password got passed to the "passwd program."
More information about the samba
mailing list