Apparently I forgot to restart samba after making the backend change. Also, the pdbedit command did not import samba info for all accounts. Which means that after I restarted samba some people (and machines) could not log in. However, I could use "pdbedit -Lv" and "pdbedit -Lw" in conjunction with the old smb.conf file to extract the user SID and NT password entries.
On Tue, Sep 22, 2009 at 8:59 PM, Gaiseric Vandal <gaiseric.van...@gmail.com> wrote:
> I am running Samba ver 3.0.33 on Solaris 10 (sparc.) Initially I had
> the server configured as a domain controller with the "passdb backend
> = tdbsam" option. The underlying unix accounts were stored in LDAP
> (Sun Directory Server.) Those accounts are also used for non-Samba
> services.
>
> Since I have domain trusts with NT domains, I am using winbind and
> idmapping. The idmap data was also stored in ldap (under
> ou=idmap,ou=mydomain.com.)
>
> Since I wanted to eventually add a BDC controller I changed
> my PDC configuration to use LDAP backend with the following steps:
>   Tried running "pdbedit -e ldapsam:ldap://ldap1.mydomain.com " -
>   but that didn't seem to work.
>
>   Used "pdbedit -L -w" to dump the NT account info to a text file
>   Ran some custom perl scripts to read that file and
>   add/modify samba attributes (including sambaLMPassword,
>   sambaNTPassword, objectClass=NTUser, sambaSID) to my ldap accounts.
>   The SambaSID value for the LDAP account was copied from the
>   output of "wbinfo -n username"
>   Set the ldap admin passwd with "smbpasswd -w thepassword"
>   Changed smb.conf to use ldap as the backend
>
> smb.conf includes
>
>   passdb backend = ldapsam:ldap://ldap1.mydomain.com
>   ldap suffix=o=mydomain.com
>   ldap user suffix=ou=people
>   ldap group suffix=ou=smb_groups
>   ldap machine suffix=ou=machines
>   ldap admin dn="cn=Directory Manager"
>   ldap ssl = no
>   ldap passwd sync = no
>   ldap idmap suffix=ou=idmap
>
> If I use pdbedit to add or delete a samba user, it will appropriately
> add or remove samba attributes to the existing ldap account. (It
> won't actually create or delete the accounts.) And it does look
> like it tries to set the SambaNTPassword and SambaLMPassword fields.
> However, when I try to log in, I cannot log in until I reset the
> password with smbpasswd. And when I change the password with
> smbpasswd it does not update the ldap fields. I am not sure
> what is getting updated.
>
> The /etc/samba/private/passdb.tdb file - which I would expect to
> never change - shows that it was modified last at 10 am this morning.
> Even though the last password change was at 3 pm this afternoon.
>
>   ls - /etc/samba/private/passdb.tdb
>   Sep 22 10:10 passdb.tdb
>
> I had unix password sync enabled in smb.conf so that when users
> changed password with smbpasswd, it would also change the ldap
> password. And this did work - at least from the user perspective -
> both the "Samba/Windows" and "LDAP/UNIX" password would change.
> Although where the Samba password was being changed, I am not sure.
>
> If I turn it off, it looks like smbpasswd will update the
> SambaNTPassword field in ldap. So is Samba caching the password
> changes somewhere locally if it can't update the SambaNTPassword in
> ldap? Even prior to the LDAP switch over, it seemed that the date
> stamp on passdb.tdb didn't update when I changed passwords.
>
> Thanks
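The dump-and-import step of the migration quoted above, written out as an added example (this is not the poster's Perl script nor Samba's own code): it parses the smbpasswd-format lines that "pdbedit -L -w" prints, attaches each account's SID from a constructed stand-in for the "wbinfo -n" lookups, and emits LDIF that ldapmodify can apply to the existing posix entries under the ou=people / ou=machines layout of the smb.conf shown. The objectClass sambaSamAccount (the standard Samba 3 schema; the poster's directory used NTUser) and the uid RDN are assumptions, and every hash, SID and account below is constructed.

```python
import re

# Constructed sample of "pdbedit -L -w" output (smbpasswd format):
#   name:uid:LMHASH:NTHASH:[flags]:LCT-<hex epoch>:
# A field of 32 X's means "no hash stored". The real dump is
# password-equivalent: keep it mode 0600 and delete it after the import.
SAMPLE_DUMP = """\
alice:1001:AAD3B435B51404EEAAD3B435B51404EE:0123456789ABCDEF0123456789ABCDEF:[U          ]:LCT-4AB9B3F0:
ws01$:1002:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:FEDCBA9876543210FEDCBA9876543210:[W          ]:LCT-4AB9B3F1:
"""

# Constructed stand-in for "wbinfo -n <name>" results (placeholder SIDs).
SID_MAP = {"alice": "S-1-5-21-1000-2000-3000-1104",
           "ws01$": "S-1-5-21-1000-2000-3000-1105"}

LINE_RE = re.compile(r"^([^:]+):(\d+):([0-9A-Fa-fX]{32}):([0-9A-Fa-fX]{32})"
                     r":\[([^\]]*)\]:LCT-([0-9A-Fa-f]{8}):")

def parse_dump(text):
    """Parse smbpasswd-format lines; malformed lines are skipped, not guessed at."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        name, uid, lm, nt, flags, lct = m.groups()
        entries.append({"name": name, "uid": int(uid), "lm": lm.upper(),
                        "nt": nt.upper(), "flags": "[%s]" % flags,
                        "pwd_last_set": int(lct, 16)})
    return entries

def entry_ldif(e, sid, base="o=mydomain.com"):
    """One LDIF modify record. 'add: objectClass' fails if the entry already
    has sambaSamAccount, so apply with ldapmodify -c or filter those out."""
    ou = "ou=machines" if e["name"].endswith("$") else "ou=people"
    lines = ["dn: uid=%s,%s,%s" % (e["name"], ou, base), "changetype: modify",
             "add: objectClass", "objectClass: sambaSamAccount", "-",
             "replace: sambaSID", "sambaSID: " + sid, "-",
             "replace: sambaAcctFlags", "sambaAcctFlags: " + e["flags"], "-",
             "replace: sambaPwdLastSet", "sambaPwdLastSet: %d" % e["pwd_last_set"], "-"]
    # Never write the 32-X "no hash" marker into the directory as a password.
    for attr, val in (("sambaLMPassword", e["lm"]), ("sambaNTPassword", e["nt"])):
        if set(val) != {"X"}:
            lines += ["replace: " + attr, "%s: %s" % (attr, val), "-"]
    return "\n".join(lines) + "\n"

def to_ldif(entries, sid_map):
    """Accounts with no known SID are left out rather than given a made-up one."""
    return "\n".join(entry_ldif(e, sid_map[e["name"]])
                     for e in entries if e["name"] in sid_map)

if __name__ == "__main__":
    print(to_ldif(parse_dump(SAMPLE_DUMP), SID_MAP))
```

Accounts the script leaves out (no SID, or no usable hash) are exactly the ones that would not be able to log in after the backend switch, so compare its output against the account list before restarting smbd.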