On 03/14/2010 04:07 PM, Miguel Medalha wrote:
> I have been using Samba+Linux+openLDAP. The password synchronization
> between the Samba and Unix accounts works well with the use of the
> "ldap passwd sync" parameter in smb.conf.
>
> Now I am in the process of installing my first server using CentOS/Red
> Hat/389 Directory Server and this does not work in the same way. It
> seems that some additional software must be installed in each Windows
> client machine in order to enable password sync.
>
> I noticed that it is possible to include the "nss_map_attribute"
> option in /etc/ldap.conf.
>
> Would it be possible to map the "userPassword" attribute to the
> "sambaNTPassword" attribute in order to have both password requests
> pointing to a single place?
>
> Of course I can experiment with this, but I thought that perhaps
> someone here already has some acquired knowledge on this...
>
> Thank you!
I am using Sun Directory Server. I believe that both the Sun Directory
Server and the RedHat/Fedora directory server are forks of the earlier
iPlanet/Netscape directory server. The samba servers are running on
Solaris. With a local (non-ldap) password, root can easily use the
passwd command to change a user's password, since entering the old
password is not required. But with ldap accounts this doesn't work: if
root tries to change another user's password with "passwd -r ldap", the
old password is required. Instead you need to use the "ldappasswd"
command and authenticate as a user with the appropriate ldap
administrative powers.
My smb.conf includes

passwd program = /etc/samba/smbldappasswd.sh %u
passwd chat = *New* %n\n *changed*
unix password sync = yes

# cat /etc/samba/smbldappasswd.sh
#!/bin/bash
# Samba passes the account name in as %u; the entry DN is built from it.
USER="uid=$1,ou=people,o=mydomain.com"
# Prompt for the new password; the "*New*" token in "passwd chat" matches this,
# and Samba then writes %n followed by a newline for read to pick up.
echo -n "New password:"
read -r NEWPASS
# Uncomment the following 3 lines for diagnostics only (they log the
# clear-text password, so remove them again afterwards).
#date >> /etc/samba/smbldappasswd.log
#echo "$USER" >> /etc/samba/smbldappasswd.log
#echo "$NEWPASS" >> /etc/samba/smbldappasswd.log
# Bind as the directory admin and set the user's password
# (this was one command line, wrapped by the mailer).
/opt/SUNWdsee/dsee6/bin/ldappasswd -h obelix -D "LDAP Admin" -w ldap_admin_password \
    -v -s "$NEWPASS" "$USER"
The script is owned by root, with perms 700. I really did not like
putting a password in a script but couldn't find a way around it.
The other approach I had tried, without luck, was trying to pass the old
password (%o) to the "passwd -r" command. I don't think the old
password got passed to the "passwd program."
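As an added example (not the poster's script, and not part of any Samba or Sun DSEE distribution), here is a hardened variant of the "passwd program" helper above: Samba runs it as root, so the script checks that %u is a plain login name before building a DN from it, keeps the admin bind password in a root-only file instead of the script body, and prints a line containing "changed" so the "*changed*" token in "passwd chat" matches. It assumes a password file at /etc/samba/ldap-admin.secret and that the local ldappasswd accepts a bind-password-file option (Sun DSEE tools take -j, OpenLDAP takes -y; check the man page and adjust LDAPPASSWD and PW_FILE_OPT).

```shell
#!/bin/sh
# Hardened Samba "passwd program" helper (added example, not the poster's).
LDAPPASSWD=/opt/SUNWdsee/dsee6/bin/ldappasswd
PW_FILE_OPT=-j                               # assumption: -j on Sun DSEE, -y on OpenLDAP
LDAP_HOST=obelix
ADMIN_DN="LDAP Admin"                        # bind identity as used in the message above
ADMIN_PW_FILE=/etc/samba/ldap-admin.secret   # assumed path; root-owned, mode 0600
LDAP_BASE="ou=people,o=mydomain.com"

# Samba hands the account name in as %u.  Only build a DN from a plain login
# name, so a crafted value cannot smuggle extra RDNs or LDAP syntax into the
# entry we ask the directory to modify.
valid_uid() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

user_dn() { printf 'uid=%s,%s\n' "$1" "$LDAP_BASE"; }

# Refuse to use a secret file that is readable by group or others
# (columns 5-10 of "ls -l" are the group and other permission bits).
secret_file_ok() {
    [ -f "$1" ] && [ "$(ls -l "$1" | cut -c5-10)" = "------" ]
}

main() {
    uid=$1
    valid_uid "$uid" || { echo "invalid user name" >&2; exit 1; }
    secret_file_ok "$ADMIN_PW_FILE" || { echo "admin secret file missing or not mode 0600" >&2; exit 1; }
    printf 'New password: '                  # matches the "*New*" chat token
    IFS= read -r newpass
    [ -n "$newpass" ] || exit 1
    # The new password is still visible in the process list for the duration
    # of this call because of -s; prefer a stdin/file option if your tool has one.
    "$LDAPPASSWD" -h "$LDAP_HOST" -D "$ADMIN_DN" "$PW_FILE_OPT" "$ADMIN_PW_FILE" \
        -s "$newpass" "$(user_dn "$uid")" >/dev/null || exit 1
    echo "Password changed"                  # matches the "*changed*" chat token
}

# Only act when Samba actually passes a user name (%u).
if [ $# -gt 0 ]; then main "$@"; fi
```

Install it as root with mode 700, point "passwd program" at it exactly as in the message, and keep the secret file at mode 600 so the check above passes.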
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba