Ralf Zimmermann wrote:
> Hi Christian,
>
> * Christian Manal <[email protected]> [16.02.2010 16:18]:
>> Ralf Zimmermann wrote:
>>> Hi Christian,
>>>
>>> * Christian Manal <[email protected]> [16.02.2010 16:05]:
>>>>> the option 'ldap passwd sync' is set to yes. I will look at the overlay
>>>>> smbk5pwd again. But I think it will not resolve the problem because samba
>>>>> makes a modify for the samba attributes.
>>>>>
>>>>> We have a default ppolicy. But this policy works only with pwdAttribute
>>>>> userPassword, not with sambaNTPassword. The problem is that a user can
>>>>> change his password with a Windows client. The sambaNTPassword is always
>>>>> set, whatever is configured in the policy.
>>>>>
>>>> If you set 'ldap passwd sync' to 'only' the Samba server triggers an
>>>> extended operation for password change and doesn't touch the Samba
>>>> attributes. smbk5pwd will take care of the Samba passwords.
>>>>
>>>>
>>>> Best regards,
>>>> Christian Manal
>>> thanks, I will take a look at smbk5pwd. Must I install heimdal kerberos? I
>>> need it only for samba and we have installed mit kerberos.
>>>
>>>
>> You can disable Kerberos support in the Makefile.
>
> ok. I read it ;-) The Samba Server is a Sles11 with openldap2-2.4.12 and
> Samba-3.4.5. The Samba Server is not the LDAP Master. This is another Server
> with a self compiled openldap-2.4.20. The Samba Server runs with the Sles11
> shipped openLDAP version. There, a smbk5pwd overlay doesn't exist.
>
> I think that I must compile and configure the overlay only on the Samba
> Server. Is this correct? Oops, and also on the BDCs?
>

The overlay has to be installed on the LDAP master. Wouldn't make sense
otherwise, since slaves are usually read-only.

Best regards,
Christian Manal
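
Added example, not part of the original thread: a configuration sketch of the setup discussed above, with the Samba setting from the thread beside the suggested one and the overlay enabled on the LDAP master. The module file name and the placement inside an existing database section are assumptions that depend on the local build.

```conf
# ---------------------------------------------------------------
# smb.conf on the Samba server
# ---------------------------------------------------------------
[global]
    # Setting described in the thread: Samba writes the Samba password
    # attributes (sambaNTPassword etc.) itself with an LDAP modify and
    # additionally updates the LDAP password.
    # ldap passwd sync = yes

    # Suggested setting: Samba only sends the password-modify extended
    # operation and leaves the Samba attributes to the directory server.
    ldap passwd sync = only

# ---------------------------------------------------------------
# slapd.conf on the LDAP master (the self-compiled openldap-2.4.20)
# ---------------------------------------------------------------
# Assumed module file name; it depends on how the contrib overlay
# was built and installed.
moduleload smbk5pwd.la

# Inside the existing database section that holds the Samba accounts:
overlay smbk5pwd
# Maintain only the Samba hashes; Kerberos key handling stays off,
# matching a build with Kerberos support disabled in the Makefile.
smbk5pwd-enable samba
```

With this arrangement a password change from a Windows client reaches the master as a password-modify extended operation on userPassword, the attribute the ppolicy in the thread covers, and the overlay updates the Samba hashes from it.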
