[Samba] LDAP - Samba password synchronization

Nico Kadel-Garcia nkadel at gmail.com
Fri Aug 10 07:04:04 MDT 2012


On Thu, Aug 9, 2012 at 10:17 AM, Gaiseric Vandal
<gaiseric.vandal at gmail.com> wrote:
> The best approach is to configure samba to change the ldap password when
> a samba password changes.  See the smb.conf man page and password sync
> and password chat options.

LDAP doesn't usually actually have the password information. In most
modern setups, *Kerberos* has the passwords and provides the
authentication, and LDAP provides other account information,
integrated with Kerberos.

It turns out to be easy to switch from using local passwords to
Kerberos authentication on Linux and many UNIX systems.  The exact
commands vary, but on RHEL 6 with DNS properly configured to use Samba
or AD Kerberos authentication:

       sudo authconfig --enablekrb5 --krb5realm=[name of realm] --enablekrb5kdcdns --test   # print the resulting settings without writing them
       sudo authconfig --enablekrb5 --krb5realm=[name of realm] --enablekrb5kdcdns --update # apply the settings

Configure the local UNIX passwords to have locked passwords which do
not expire, and you can rely on the Kerberos for account expiration,
instead.

      sudo -s -H # do this first in case you're locking your own account
      usermod -p '!!' username # lock local password thoroughly
      chage -l username # check settings
      chage -M -1 -E -1 username # disable password obsolescence and non-Kerberos expiration
      chage -l username # verify settings

Do the 'sudo -s -H' because chage gets a bit ... weird when run as a
non-root user through sudo.

The end result is to enable the kerberized authentication, and disable
local passwords entirely. Passwords should then be updateable with the
"kpasswd" command, and tools like recent versions of SSH and Apache
can manage Kerberos tickets for genuine single-sign-on, as well as
relying on the Kerberos authentication instead of local passwords.

> Samba and Unix use different password hash mechanisms so you have to
> have separate password fields.     The only other secure way may be to
> configure Windows clients to use kerberos authentication-  but that is a
> much bigger project.

See above. If you're using various Samba configurations that rely on
Kerberos for authentication, such as "ads", then this can save a lot
of password management trouble.

>
>
> On 08/09/12 09:55, RAKESH PRITMANI wrote:
>> Is there a way to synchronize SambaLmPassword & NTLMpassword from LDAP
>> password. ldap passwd sync allows to sync ldap passwd from samba, I
>> need the other way. I already have external LDAP server with CRYPT
>> passwords and need to set SambaLMPasswd with these LDAP passwords.
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
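The usermod/chage steps above leave each account with a locked local password, no password ageing and no local expiry date. The following script is an added example, not part of the thread, that audits shadow(5)-format entries for accounts that were missed: a usable (or empty) password field, a max-age other than -1, or an explicit expiry date. The sample entries are constructed; the field layout assumed is the standard name:password:lastchange:min:max:warn:inactive:expire:reserved.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): find local accounts that still
# have a usable password or local ageing/expiry after moving authentication to
# Kerberos. Assumes shadow(5) layout:
#   name:password:lastchange:min:max:warn:inactive:expire:reserved
# A password field beginning with '!' or '*' is locked (usermod -p '!!' yields "!!");
# an EMPTY password field means login without any password, so it is reported.
# max == -1 or empty means no password ageing (chage -M -1);
# expire == -1 or empty means no local account expiry (chage -E -1).

# Constructed sample data, not real accounts or real hashes.
SAMPLE_SHADOW='alice:!!:15500:0:-1:7:::
bob:$6$saltsalt$hashhashhash:15500:0:99999:7:::
carol:!$6$abc$def:15500:0::7::15800:
dave:*:15500:0:-1:7::-1:'

# audit_shadow_line LINE
# Prints "user:ok" and returns 0 when the account is fully locked and
# unexpiring; otherwise prints "user:problem,..." and returns 1.
audit_shadow_line() {
    line=$1
    user=$(printf '%s' "$line" | cut -d: -f1)
    pw=$(printf '%s' "$line" | cut -d: -f2)
    max=$(printf '%s' "$line" | cut -d: -f5)
    expire=$(printf '%s' "$line" | cut -d: -f8)
    problems=""
    case "$pw" in
        '!'*|'*'*) ;;                                   # locked marker present
        *) problems="${problems}usable-local-password," ;;  # includes empty field
    esac
    case "$max" in
        ''|-1) ;;
        *) problems="${problems}password-ageing(max=$max)," ;;
    esac
    case "$expire" in
        ''|-1) ;;
        *) problems="${problems}local-expiry($expire)," ;;
    esac
    if [ -z "$problems" ]; then
        printf '%s:ok\n' "$user"
        return 0
    fi
    printf '%s:%s\n' "$user" "${problems%,}"
    return 1
}

# audit_shadow
# Reads shadow-format lines on stdin and prints only the accounts that need
# attention. Always returns 0 so it is safe to run under "set -e".
audit_shadow() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        case "$line" in '#'*) continue ;; esac
        audit_shadow_line "$line" || :
    done | grep -v ':ok$' || :
}

# Demo on the constructed sample: reports bob and carol.
printf '%s\n' "$SAMPLE_SHADOW" | audit_shadow
```

On a real host, run the script as root and feed it /etc/shadow on stdin (for example `audit_shadow < /etc/shadow` from within the script); every reported account is one where a local password or local expiry would still override the Kerberos policy described above.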

