On Wednesday, 17 February 2010 11:31:42 Ralf Zimmermann wrote:
> Hi Christian,
>
> * Christian Manal <[email protected]> [16.02.2010 16:41]:
> > > ok. I read it ;-) The Samba Server is a Sles11 with
> > > openldap2-2.4.12 and Samba-3.4.5. The Samba Server is not the LDAP
> > > Master. This is another Server with a self compiled openldap-2.4.20.
> > > The Samba Server runs with the Sles11 shipped openLDAP version. There
> > > it doesn't exist a smbk5pwd overlay.
> > >
> > > I think that I must compile and configure the overlay only on the Samba
> > > Server. Is this correct? Oops, and also on the BDC's?
> >
> > The overlay has to be installed on the LDAP master. Wouldn't make sense
> > otherwise, since slaves are usually read-only.
>
> the overlay smbk5pwd does not really work in this scenario. I have
> compiled heimdal

Why? Do you need LDAP password changes to change Heimdal passwords (IOW, did you have a Heimdal installation before)? What version did you install?

> on Sles11 and compiled the smbk5pwd with make and make
> install.

From the same source used to build slapd on the box the module runs under?

> <snip Makefile>
> DEFS=-DDO_SAMBA

So, you shouldn't need Heimdal at all ...

> HEIMDAL_INC=-I/usr/heimdal/include
> #HEIMDAL_INC=
> SSL_INC=
> LDAP_INC=-I../../../include -I../../../servers/slapd
> INCS=$(LDAP_INC) $(HEIMDAL_INC) $(SSL_INC)
>
> HEIMDAL_LIB=-L/usr/heimdal/lib -lkrb5 -lkadm5srv
> #HEIMDAL_LIB=
> SSL_LIB=-lcrypto
> LDAP_LIB=-lldap_r -llber
> LIBS=$(LDAP_LIB) $(HEIMDAL_LIB) $(SSL_LIB)
> </snip>
>
> Then I add 'moduleload smbk5pwd.la' and in the hdb section 'overlay
> smbk5pwd'. After this I create the online configuration with 'slaptest
> -d1 -f ...'. All looks fine. slapd starts without an error message. I
> change the smb.conf 'ldap passwd sync = yes' to 'ldap passwd sync = Only'.
>
> With the overlay smbk5pwd nothing happens when I change a password
> over a Windows Client. Without the overlay I can see the PASSMOD for the
> user.

Well, without Heimdal it has been working perfectly for me for a long time. At times (e.g. 1.3.0 without patches), Heimdal API changes have broken the Heimdal support in smbk5pwd.

Note that some distributions ship recent OpenLDAP with a working (at least for samba) smbk5pwd, others include a smbk5pwd with Heimdal support as well.

Regards,
Buchan
