[Samba] Password syncing
Gaiseric Vandal
gaiseric.vandal at gmail.com
Wed Dec 11 08:35:51 MST 2013
I run Samba on Solaris with Oracle Directory Server as back end.
I used a script to change the unix password.
With Oracle Directory Server, root is NOT an LDAP super user. (Should be
the same with OpenLDAP.)
In smb.conf:
passwd program = /etc/samba/smbldappasswd.sh %u
passwd chat =*New* %n\n *changed*
unix password sync = yes
passwd chat debug = yes
log level = 3
#pam password change = yes
# cat /etc/samba/smbldappasswd.sh
#!/bin/bash
# Called by Samba as "passwd program = /etc/samba/smbldappasswd.sh %u",
# so $1 is the user name; the new password arrives on stdin via "passwd chat".
USER="uid=$1,ou=people,o=mycompany.com"
# Prompt matched by the "*New*" token of the chat, then read the password
# Samba sends in reply (%n followed by a newline).
echo -n "New password:"
read NEWPASS
# Log only the time and the DN, never the password itself.
date >> /etc/samba/smbldappasswd.log
echo "$USER" >> /etc/samba/smbldappasswd.log
# Change the password as the directory super user (bind password is stored
# in this script, hence the file must be readable by root only).
/opt/SUNWdsee/dsee6/bin/ldappasswd -h ldapserver \
-D "cn=Ldap SuperUser" -w LDAPSUPERUSER_PASSWORD -v -s "$NEWPASS" "$USER"
#
It isn't ideal since I have to save a password in a script, so I have to
make sure the script is accessible to root only.
The upside is that if a user's unix and windows passwords get out of
sync, this brings them back into sync.
Alternately, you could have the passwd or ldappasswd command run with
the user's credentials - you have to make sure you pass the user's
existing password to the password chat script. And it assumes that
your existing unix and windows passwords are already the same.
If the unix password changes but the windows password fails, it
indicates your chat script is not configured to request or respond
correctly when interacting with the unix ldap passwd or ldappasswd
commands. Getting the passwd command in Linux to change your ldap
password can be a little tricky.
I never got it working with the "pam password" change option in
smb.conf. I think that with ldap (unlike local /etc/passwd's or nis) it
won't work since root won't have sufficient privileges to change a
user's password.
On 12/09/13 06:09, James Cort wrote:
> On 9 Dec 2013, at 11:08, Daniel O'Connor <darius at dons.net.au> wrote:
>
>> On 9 Dec 2013, at 21:23, James Cort <james.cort at bediwin.co.uk> wrote:
>>> Can’t say I’ve had that problem myself - I’ve always found OpenLDAP to be solid as a rock as long as you use the tools it gives you to manage the database.
>> What version of OpenLDAP and what backend do you use?
> Never paid that much attention to it, TBH. Whatever’s in Debian Stable, using bdb as the backend.
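To make the "passwd chat" interaction in this thread concrete, here is an added example (not from the list post or from Samba itself): a simplified model of how Samba drives the "passwd program" with the chat string "*New* %n\n *changed*", run against two constructed stand-in scripts instead of the real ldappasswd wrapper. The second script never prints "changed", which reproduces the failure mode described above where the unix side changes but the chat does not complete. The token handling here (alternating expect/send, "*" glob, "%n" and "\n" substitution) is a simplification of Samba's own matching and is an assumption of this example.

```python
import fnmatch
import os
import select
import subprocess
import time

# Constructed stand-ins for the real passwd program; no directory is touched.
GOOD = ["sh", "-c", 'printf "New password:"; read pw; echo "password changed"']
BAD = ["sh", "-c", 'printf "New password:"; read pw; echo "ok"']  # never says "changed"
CHAT = r"*New* %n\n *changed*"  # literal backslash-n, exactly as written in smb.conf


def parse_chat(chat):
    """Split a chat string into (expect, send) pairs; tokens alternate expect/send.
    A trailing expect with no reply gets an empty send string."""
    toks = chat.split()
    if len(toks) % 2:
        toks.append("")
    return [(toks[i], toks[i + 1]) for i in range(0, len(toks), 2)]


def run_chat(argv, chat, new_password, timeout=2.0):
    """Drive argv like Samba drives 'passwd program': for each pair, read the
    program's output until it matches the expect glob, then send the reply with
    %n replaced by the new password. Returns True only if every expect matched
    and the program exited 0 (i.e. the sync would have been accepted)."""
    proc = subprocess.Popen(argv, stdin=subprocess.PIPE,
                            stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
    fd = proc.stdout.fileno()
    try:
        for expect, send in parse_chat(chat):
            buf = b""
            deadline = time.monotonic() + timeout
            while not fnmatch.fnmatchcase(buf.decode(errors="replace"), expect):
                remaining = deadline - time.monotonic()
                if remaining <= 0 or not select.select([fd], [], [], remaining)[0]:
                    return False  # prompt never appeared: chat script misconfigured
                chunk = os.read(fd, 4096)
                if not chunk:
                    return False  # program exited before producing the expected text
                buf += chunk
            if send:
                reply = send.replace("%n", new_password).replace("\\n", "\n")
                proc.stdin.write(reply.encode())
                proc.stdin.flush()
        try:
            return proc.wait(timeout=timeout) == 0
        except subprocess.TimeoutExpired:
            return False
    finally:
        if proc.poll() is None:
            proc.kill()
        proc.stdin.close()
        proc.stdout.close()
```

Run with "passwd chat debug = yes" in mind: the only thing that distinguishes the two stand-ins is the final "changed" token, which is exactly what the debug log would show as the unmatched expect.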