[Samba] Samba/Unix password sync with LDAP backend

Gaiseric Vandal gaiseric.vandal at gmail.com
Mon Mar 15 10:27:46 MDT 2010

On 03/14/2010 04:07 PM, Miguel Medalha wrote:
> I have been using Samba+Linux+openLDAP. The password synchronization 
> between the Samba and Unix accounts works well with the use of the 
> "ldap passwd sync" parameter in smb.conf.
> Now I am in the process of installing my first server using CentOS/Red 
> Hat/389 Directory Server and this does not work in the same way. It 
> seems that some additional software must be installed in each Windows 
> client machine in order to enable password sync.
> I noticed that it is possible to include the "nss_map_attribute" 
> option in /etc/ldap.conf.
> Would it be possible to map the "userPassword" attribute to the 
> "sambaNTPassword" attribute in order to have both password requests 
> pointing to a single place?
> Of course I can experiment with this, but I thought that perhaps 
> someone here has already some acquired knowledge on this...
> Thank you!

I am using Sun Directory Server.  I believe that both the Sun Directory 
server and the RedHat/Fedora directory server are forks of the earlier 
Iplanet/Netscape directory server.    The samba servers are running on 
Solaris.   With a local (non-ldap) password, root can easily use the 
passwd command to change a user's password, since entering the old 
password is not required.  But with ldap accounts this doesn't work-  if 
root tries to change another user's password with "passwd -r ldap", the 
old password is required.  Instead you need to use the "ldapasswd" 
command and authenticate as a user with the appropriate ldap 
administrative powers.

my smb.conf includes

         passwd program = /etc/samba/smbldappasswd.sh %u
         passwd chat =*New* %n\n *changed*
         unix password sync = yes

#cat /etc/samba/smbldappasswd.sh

echo -n  New password:
#uncomment the following 3 lines for diagnostics only
#date >> /etc/samba/smbldappasswd.log
#echo $USER >> /etc/samba/smbldappasswd.log
#echo $NEWPASS >> /etc/samba/smbldappasswd.log
/opt/SUNWdsee/dsee6/bin/ldappasswd -h obelix -D "LDAP Admin" -w 
ldap_admin_password  -v -s $NEWPASS  $USER

The script is owned by root, with perms 700.   I really did not like 
putting a password in a script but couldn't find away around it.

The other approach I had tried, with out luck, was trying to pass old 
password (%o) to the "passwd -r" command.   I don't think the old 
password got passed to the "passwd program."

More information about the samba mailing list