Re: ppolicy & sambaNTPassword

Ralf Zimmermann Tue, 16 Feb 2010 09:19:26 -0800

Hi Christian,

* Christian Manal <[email protected]> [16.02.2010 16:41]:
> Ralf Zimmermann schrieb:
> > Hi Christian,
> > 
> > * Christian Manal <[email protected]> [16.02.2010 16:18]:
> >> Ralf Zimmermann schrieb:
> >>> Hi Christian,
> >>>
> >>> * Christian Manal <[email protected]> [16.02.2010 16:05]:
> >>>>> the option  'ldap passwd sync'  is set  to yes. I  will looking to  the 
> >>>>> overlay
> >>>>> smbk5pwd again. But I think it will not resolve the problem because 
> >>>>> samba makes
> >>>>> a modify for the samba attributes.
> >>>>>
> >>>>> We  have a  default  ppolicy.  But this  policy  works  only with  
> >>>>> pwdAttribute
> >>>>> userPassword not with  sambaNTPassword. The problem is, that a  User 
> >>>>> can change
> >>>>> his password with a Windows Client.  The sambaNTPassword is always set 
> >>>>> whatever
> >>>>> in the policy is configured.
> >>>>>
> >>>> If you set 'ldap passwd sync' to 'only' the Samba server triggers an
> >>>> extended operation for password change and doesn't touch the Samba
> >>>> attributes. smbk5pwd will take care of the Samba passwords.
> >>>>
> >>>>
> >>>> Best regards,
> >>>> Christian Manal
> >>> thanks, I take a  look at smbk5pwd. Must I install heimdal  kerberos? I 
> >>> need it
> >>> only for samba and we have installed mit kerberos.
> >>>
> >>>
> >> You can disable Kerberos support in the Makefile.
> > 
> > ok.  I read  it ;-)  The Samba  Server is  a Sles11  with openldap2-2.4.12  
> > and
> > Samba-3.4.5. The  Samba Server is not  the LDAP Master. This  is another 
> > Server
> > with a  self compiled  openldap-2.4.20. The  Samba Server runs with  the 
> > Sles11
> > shipped openLDAP version. There it doesn't exits a smbk5pwd overlay.
> > 
> > I think that I must compile and configure the overlay only on the Samba 
> > Server.
> > Is this correct? Ups and also on the BDC's?
> > 
> 
> The overlay has to be installed on the LDAP master. Wouldn't make sense
> otherwise, since slaves are usually read-only.
> 
> 
> Best regards,
> Christian Manal


thanks for the advise. It sounds logically.

Thanks
Ralf Zimmermann

--

 .''`.  Ralf Zimmermann
: :' :  SIEGNETZ.IT GmbH             
`. `'   Schneppenkauten 1a      
  `-    57076 Siegen            
                               
        Tel.: +49 271 68193 13
        Fax.: +49 271 68193 29

        Amtsgericht Siegen HRB4838
        Geschaeftsfuehrer: Oliver Seitz
        Sitz der Gesellschaft ist Siegen

signature.asc
Description: Digital signature

Re: ppolicy & sambaNTPassword

Reply via email to