On 11/30/12 09:42, Brian Gold wrote:


On 2012-11-30 9:22 am, Gaiseric Vandal wrote:
Can you clarify one thing - why are you using the sambaNTPassword in openldap if openldap is not currently used for samba authentication? I would have thought that you would use the standard password field.

We are using the standard userPassword field for most things, but for radius authentication via PEAP/MSCHAPv2, we needed to use sambaNTPassword instead.


That makes sense.


I use Samba 3.x DCs with an LDAP back end. I also use the LDAP backend for unix authentication as well as authentication to various other systems that support LDAP authentication. If you are using one or more BDCs you really do have to use an LDAP back end. But there is no reason why member servers can use an LDAP backend. If the underlying unix account for each samba account is in /etc/passwd and not LDAP, you should consolidate it all into LDAP.

We currently don't want to deploy a PDC or BDC if we don't need to. All we want to do is have a file server that can authenticate using the username/password stored in openldap.


Should be no problem.

Do the sambaNTPassword (and other samba attributes) in LDAP match those in the tdb backend? You may find you want to blast away the existing sambaNTPassword entries in LDAP before you migrate the TDB data to LDAP.

No, our current Samba file server has a totally separate set of passwords. When we transition over to this new Samba file server, we will be having all our users use their openldap password instead. We do not want to sync their existing tdb passwords over to LDAP.


No, you wouldn't sync passwords to TDB. Does your LDAP entry for each user currently have a SambaSID value? Also, when you type "pdbedit -Lv someuser" you should see the unix account for the user. The unix account is either explicitly created (e.g. in /etc/passwd or ldap or nis) or dynamically created by winbind.


# pdbedit -Lv someuser

Unix username:        someuser
NT username:          someuser
Account Flags:        [U          ]
User SID:             S-1-5-21-xxxxx
Primary Group SID:    S-1-5-21-xxx
Full Name:            Some User
Home Directory:       \\someserver\users\someuser
HomeDir Drive:        X:
Logon Script:         logon.bat
Profile Path:
Domain:               SOMEDOMAIN
Account desc:
Workstations:
Munged dial:
Logon time:           0
Logoff time:          0
Kickoff time:         0
Password last set:    Fri, 30 Sep 2011 09:40:43 EDT
Password can change:  Fri, 30 Sep 2011 09:40:43 EDT
Password must change: never
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
#

Assuming you are not using winbind to allocate uids and gids for samba users, your LDAP user entry will eventually look something like

dn: uid=someuser,ou=someou,ou=people,o=yourdomain.com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
cn: Some User
gidNumber: xx
homeDirectory: /home/someuser
sambaSID: S-1-5-21-xxxx
sn: UserLastName
uid: someuser
uidNumber: 123
displayName: Some User
gecos: Some User
givenName: Some User
loginShell: /bin/tcsh
sambaAcctFlags: [UX         ]
sambaHomeDrive: X:
sambaHomePath: \\someserver\users\someuser
sambaLogonScript: logon.bat
sambaNTPassword: xxxxxxxxxxxxxxxxxxxx
sambaPasswordHistory: 000000000000000000000000000000000000000000000000000000
 0000000000
sambaPwdLastSet: 1291843237
st: xxxxxx
street: xxxxxxxxx
telephoneNumber: xxxxxxxxx
userPassword:: xxxxxxxxxxxx


Although the login script and network home directory are probably not relevant in a non-DC setup.






--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
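Before pointing a member server's passdb backend at LDAP, each user entry needs the objectClasses and attributes shown in the thread above. The following Python is an added example, not code from the thread or from the Samba project: it parses one LDIF entry (unfolding the continuation line of sambaPasswordHistory and decoding the base64 userPassword written with `::`) and reports what would stop Samba's ldapsam backend from using it. The sample entry is constructed with placeholder values.

```python
import base64
import re
# Constructed entry modelled on the one quoted in the thread; every value is a placeholder.
SAMPLE_LDIF = """\
dn: uid=someuser,ou=someou,ou=people,o=yourdomain.com
objectClass: posixAccount
objectClass: sambaSamAccount
uid: someuser
uidNumber: 123
gidNumber: 100
homeDirectory: /home/someuser
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-1246
sambaAcctFlags: [UX         ]
sambaNTPassword: 0123456789ABCDEF0123456789ABCDEF
sambaPasswordHistory: 000000000000000000000000000000000000000000000000000000
 0000000000
userPassword:: e1NTSEF9cGxhY2Vob2xkZXI=
"""

REQUIRED_CLASSES = {"posixaccount", "sambasamaccount"}  # Unix identity + NT side of the account
REQUIRED_ATTRS = ("uid", "uidnumber", "gidnumber", "homedirectory", "sambasid")

def parse_ldif(text):
    """One LDIF entry -> {attr_lower: [values]}; unfolds RFC 2849 continuation lines, decodes '::' base64."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # folded continuation of the previous attribute value
        elif raw:
            lines.append(raw)
    entry = {}
    for attr, sep, value in re.findall(r"^([A-Za-z][\w;-]*)(::?) ?(.*)$", "\n".join(lines), re.M):
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8", "replace")
        entry.setdefault(attr.lower(), []).append(value)
    return entry

def check_samba_account(entry):
    """Return what would stop Samba's ldapsam backend from using the entry ([] = looks complete)."""
    problems = []
    missing = REQUIRED_CLASSES - {c.lower() for c in entry.get("objectclass", [])}
    if missing:
        problems.append("missing objectClass: " + ", ".join(sorted(missing)))
    problems += [f"missing attribute: {a}" for a in REQUIRED_ATTRS if a not in entry]
    if "sambasid" in entry and not re.fullmatch(r"S-1-5-21-\d+-\d+-\d+-\d+", entry["sambasid"][0]):
        problems.append("sambaSID is not a domain user SID (S-1-5-21-<domain>-<RID>)")
    # sambaNTPassword is the hex NT hash, i.e. password-equivalent: keep read access to it ACL-restricted.
    if "sambantpassword" in entry and not re.fullmatch(r"[0-9A-Fa-f]{32}", entry["sambantpassword"][0]):
        problems.append("sambaNTPassword is not a 32-digit hex NT hash")
    return problems
```

Run `check_samba_account(parse_ldif(...))` over an `ldapsearch -LLL` dump of each account before switching `passdb backend` to LDAP; an empty list for every user means `pdbedit -Lv` should show the Unix side as in the thread.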
