[Samba] Samba, OpenLDAP and Passwords

Daniel Müller mueller at tropenklinik.de
Thu Oct 13 05:05:33 MDT 2011

What does your getent passwd show?
What does your getent group show?
Can your ldap-user log in to your linux/unix box?
Is your linux-box auth set to your ldap-server?

Do you have something like this in your slapd.conf!?:

access to attrs=userPassword,shadowLastChange
        by anonymous auth
        by self write
        by dn="cn=youradmin,dc=xxx,dc=xxx" write
        by * none

access to attrs=sambaLMPassword
        by self write
        by anonymous auth
        by dn="cn=youradmin,dc=xxx,dc=xxxx" write
        by * none

access to attrs=sambaNTPassword
        by self write
        by anonymous auth
        by dn="cn=youradmin,dc=xxx,dc=xxxx" write
        by * none

access to attrs=sambaPwdLastSet,sambaPwdMustChange
        by self write
        by anonymous auth
        by dn="cn=youradmin,dc=xxx,dc=xxxx" write
        by * none

access to *
        by dn="cn=youradmin,dc=xxx,dc=xxxx" write
        by users read
        by self write
        by * read

IT Daniel Müller

Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen

Tel.: 07071/206-463, Fax: 07071/206-499
eMail: mueller at tropenklinik.de
Internet: www.tropenklinik.de
-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On
Behalf Of Francesco Storti
Sent: Thursday, 13 October 2011 12:46
To: samba at lists.samba.org
Subject: [Samba] Samba, OpenLDAP and Passwords

I have an existing OpenLDAP directory that I want to use as the backend for
a Samba 3 instance.
I do not want to make Samba a Domain Controller for now, but only to define in
it some shares accessible by users in LDAP.
I have imported the samba schema in my slapd.conf, and I have inserted in my
smb.conf all the directives for connecting to an LDAP server:

passdb backend = ldapsam:ldaps://slap1.xxxx.xx
ldap suffix = dc=xxxx,dc=xx
ldap admin dn = "cn=admin,dc=xxxx,dc=xx"
ldap delete dn = No
ldap machine suffix = ou=Computers
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldap password sync = yes

I have defined the admin password with the smbpasswd utility, and everything
is working.
If I want an LDAP user to use Samba, I have to use the smbpasswd utility
again to add him to the samba users and define a new password that
will be the LDAP attribute SambaNTPassword (and the new password overwrites
the LDAP userPassword, thanks to the "ldap password sync = yes" directive in
If I want to allow a user to change his LDAP userPassword and align
it to the SambaNTPassword, I have seen that I can do it by using the
smbk5pwd overlay and pam_password exop.
But I do not know a method for using the existing LDAP userPassword for
Samba authentication: I do not want all the users to have to redefine
their passwords.
Does any of you know a way of doing that?
Thank you in advance
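
An added example, not part of the original thread and not code from Samba or OpenLDAP: a small Python check that applies slapd's first-match rule to ACLs of the two forms quoted in the reply (`access to attrs=...` and `access to *`) and reports password attributes that fall through to the catch-all read rule. The function names and the sample ACL text (with the sambaNTPassword rule deliberately left out) are constructed for illustration; only those two `access to` forms and plain `by <who> <level>` clauses are handled.

```python
import re

SENSITIVE = ("userPassword", "sambaLMPassword", "sambaNTPassword")
SAFE = {"none", "disclose", "auth"}   # levels that neither return nor compare the value

# Constructed sample modelled on the thread's ACLs; the sambaNTPassword
# rule is deliberately missing so the audit has something to find.
SAMPLE = """
access to attrs=userPassword,shadowLastChange
        by anonymous auth
        by self write
        by dn="cn=youradmin,dc=example,dc=org" write
        by * none
access to attrs=sambaLMPassword
        by self write
        by anonymous auth
        by * none
access to *
        by users read
        by * read
"""

def parse_acls(text):
    """Return [(attrs, [(who, level), ...])] in file order; attrs=None for '*'."""
    acls = []
    for line in map(str.strip, text.splitlines()):
        m = re.match(r"access\s+to\s+(\S+)", line)
        if m:
            what = m.group(1)
            attrs = None if what == "*" else what.split("=", 1)[1].lower().split(",")
            acls.append((attrs, []))
        elif line.startswith("by ") and acls:
            acls[-1][1].append(tuple(line[3:].rsplit(None, 1)))
    return acls

def access_for(acls, attr, who):
    """slapd semantics: first matching <what>, then first matching <who>."""
    for attrs, bys in acls:
        if attrs is None or attr.lower() in attrs:
            for w, level in bys:
                if w in (who, "*"):
                    return level
            return "none"                 # implicit trailing "by * none"
    return "none" if acls else "read"     # slapd default with no ACLs is read

def audit(text, who="users"):
    """Sensitive attributes that <who> (another bound user) can compare/read/write."""
    acls = parse_acls(text)
    return [a for a in SENSITIVE if access_for(acls, a, who) not in SAFE]
```

Calling `audit(SAMPLE)` or `audit(SAMPLE, "anonymous")` returns the attributes whose hashes are exposed to other bound users or to anonymous binds respectively.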