[Samba] Password syncing

Gaiseric Vandal gaiseric.vandal at gmail.com
Wed Dec 11 08:35:51 MST 2013

I run Samba on Solaris with  Oracle Directory Server as back end.    
         I used a script to change the unix password.

With Oracle Directory Server , root is NOT an LDAP super user. (shd be 
the same with OpenLDAP.)

in smb.conf

         passwd program = /etc/samba/smbldappasswd.sh %u
         passwd chat =*New* %n\n *changed*
         unix password sync = yes
         passwd chat debug = yes
         log level = 3
         #pam password change = yes

# cat /etc/samba/smbldappasswd.sh
echo -n  New password:
date >> /etc/samba/smbldappasswd.log
echo $USER >> /etc/samba/smbldappasswd.log
/opt/SUNWdsee/dsee6/bin/ldappasswd -h ldapserver \
  -D "cn=Ldap SuperUser" -w LDAPSUPERUSER_PASSWORD   -v -s "$NEWPASS"  $USER

It isn't ideal since I have to save a password in a script so have to 
make sure the script is set accessible to root only.

The upside is that if a user's unix and windows passwords get out of 
sync, this brings them back into sync.

Alternately, you could have the passswd or  ldappasswd command run with 
the user's credentials-  you have to make sure you pass the user's 
existing password to the password chat script.     And it assumes that 
your existing unix  and windows passwords are already the same.

If the unix password changes but the windows password fails, it 
indicates your chat script is not configured to request or respond 
correctly when interacting with the unix ldap passwd or ldappasswd  
commands.        Getting the passwd command in linux to change your ldap 
password can be a little tricky.

I never got it working with the "pam password" change option in 
smb.conf.  I think that with ldap (unlike local /etc/passwd's or nis) it 
won't work since root won't have sufficient privileges to change a 
user's password.

On 12/09/13 06:09, James Cort wrote:
> On 9 Dec 2013, at 11:08, Daniel O'Connor <darius at dons.net.au> wrote:
>> On 9 Dec 2013, at 21:23, James Cort <james.cort at bediwin.co.uk> wrote:
>>> Can’t say I’ve had that problem myself - I’ve always found OpenLDAP to be solid as a rock as long as you use the tools it gives you to manage the database.
>> What version of OpenLDAP and what backend do you use?
> Never paid that much attention to it, TBH. Whatever’s in Debian Stable, using bdb as the backend.

More information about the samba mailing list