[Samba] Samba, OpenLDAP and Passwords

Francesco Storti francesco.storti at gmail.com
Thu Oct 13 06:35:39 MDT 2011


The "getent passwd" and "getent group" commands return, respectively, the users
and groups of my LDAP directory.
LDAP users can log in to all the Linux boxes that have been configured to use
LDAP as backend (as specified via PAM and NSS).
In my slapd.conf the ACLs that you specified are not present, because I am
working on a test environment, and the admin specified in the smb.conf is
the rootdn of the LDAP directory (who can do anything on everything).
Thank you again

2011/10/13 Daniel Müller <mueller at tropenklinik.de>

> What does your getent passwd show?
> What does your getent group show?
> Can your ldap-user log in to your linux/unix box?
> Is your linux-box auth set to your ldap-server?
>
> Do you have something like this in your slapd.conf!?:
>
> access to attrs=userPassword,shadowLastChange
>        by anonymous auth
>        by self write
>        by dn="cn=youradmin,dc=xxx,dc=xxx" write
>        by * none
>
> access to attrs=sambaLMPassword
>        by self write
>        by anonymous auth
>        by dn="cn=youradmin,dc=xxx,dc=xxxx" write
>        by * none
>
> access to attrs=sambaNTPassword
>        by self write
>        by anonymous auth
>        by dn="cn=youradmin,dc=xxx,dc=xxxx" write
>        by * none
>
> access to attrs=sambaPwdLastSet,sambaPwdMustChange
>        by self write
>        by anonymous auth
>        by dn="cn=youradmin,dc=xxx,dc=xxxx" write
>        by * none
>
>
>
> access to *
>        by dn="cn=youradmin,dc=xxx,dc=xxxx" write
>        by users read
>        by self write
>        by * read
>
> -----------------------------------------------
> EDV Daniel Müller
>
> Head of IT
> Tropenklinik Paul-Lechler-Krankenhaus
> Paul-Lechler-Str. 24
> 72076 Tübingen
>
> Tel.: 07071/206-463, Fax: 07071/206-499
> eMail: mueller at tropenklinik.de
> Internet: www.tropenklinik.de
> -----------------------------------------------
> -----Original Message-----
> From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org]
> On Behalf Of Francesco Storti
> Sent: Thursday, 13 October 2011 12:46
> To: samba at lists.samba.org
> Subject: [Samba] Samba, OpenLDAP and Passwords
>
> Hi,
> I have an existing OpenLDAP directory that I want to use as the backend for
> a Samba 3 instance.
> For now I do not want to make Samba a Domain Controller, but only to define
> in it some shares accessible by users on LDAP.
> I have imported the samba schema in my slapd.conf, and I have inserted in my
> smb.conf all the directives for connecting to an LDAP server:
>
> passdb backend = ldapsam:ldaps://slap1.xxxx.xx
> ldap suffix = dc=xxxx,dc=xx
> ldap admin dn = "cn=admin,dc=xxxx,dc=xx"
> ldap delete dn = No
> ldap machine suffix = ou=Computers
> ldap user suffix = ou=Users
> ldap group suffix = ou=Groups
> ldap password sync = yes
>
> I have defined the admin password with the smbpasswd utility, and everything
> is working.
> If I want an LDAP user to use Samba, I have to use the smbpasswd utility
> again to add him to the samba users and define a new password that
> will be the LDAP attribute SambaNTPassword (and the new password overwrites
> the LDAP userPassword, thanks to the "ldap password sync = yes" directive in
> smb.conf).
> If I want to let a user change his LDAP userPassword and align
> it with the SambaNTPassword, I have seen that I can do it by using the
> smbk5pwd overlay and pam_password exop.
> But I do not know a method for using the existing LDAP userPassword for
> Samba authentication: I do not want all the users to have to redefine
> their passwords.
> Does anyone know a way to do that?
> Thank you in advance


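An added example, not part of either poster's message and not Samba or OpenLDAP code: a small Python check of whether a slapd.conf leaves the password attributes named in the quoted ACLs accessible to other users, following slapd's first-match rule order and its defaults (no ACLs at all means everyone can read). The sample configuration is constructed; the parser assumes who-clauses without spaces and ignores dn scoping in the what-clause.

```python
import re

# Password attributes restricted by the ACLs quoted in this thread.
SENSITIVE = ["userPassword", "sambaLMPassword", "sambaNTPassword"]
# Constructed slapd.conf fragment (not from a real server): sambaNTPassword has no rule.
SAMPLE = """\
access to attrs=userPassword,shadowLastChange
       by anonymous auth
       by self write
       by dn="cn=youradmin,dc=example,dc=org" write
       by * none
access to attrs=sambaLMPassword
       by self write
       by * none
access to *
       by users read
       by * read
"""

def parse_acls(conf):
    """Join continuation lines (leading whitespace) and return ACL rules in file order."""
    logical = []
    for line in conf.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t" and logical:
            logical[-1] += " " + line.strip()
        else:
            logical.append(line.strip())
    pat = re.compile(r"access\s+to\s+(.*?)\s+(by\s.*)$")
    return [(m.group(1), re.findall(r"\bby\s+(\S+)\s+(\S+)", m.group(2)))
            for m in map(pat.match, logical) if m]

def access_for_other_users(rules, attr):
    """Level an authenticated user who is neither the owner nor a named DN gets.
    The first matching rule wins; inside it, the first matching "by" clause wins."""
    if not rules:
        return "read"  # slapd default when no ACLs are configured
    for what, bys in rules:
        attrs = re.search(r"attrs=(\S+)", what)
        named = attrs.group(1).lower().split(",") if attrs else []
        if what != "*" and attr.lower() not in named:
            continue
        return next((lvl for who, lvl in bys if who in ("users", "*")), "none")
    return "none"  # implicit final "access to * by * none"

def exposed(conf):
    rules = parse_acls(conf)
    return [a for a in SENSITIVE if access_for_other_users(rules, a) not in ("none", "auth")]
```

Calling `exposed(open("/etc/openldap/slapd.conf").read())` (path is an assumption; adjust to your installation) lists the attributes that still need a dedicated `access to attrs=...` rule ahead of the catch-all.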