Smbldap-tools has a passwd script which will change/sync the password(s); you can even configure samba to utilize this script when a client from a windows machine tries to change their password (see example below). I might also recommend you look into a decent web-based or graphical LDAP account manager (LAM comes to mind; not sure what platform you're working from, but on FreeBSD it's just a matter of installing it from the ports). Check the website out: http://lam.sf.net/
We are using LDAP, in conjunction with nss_ldap & pam_ldap on the unix side plus samba 3.0.11 on the windows side; single sign on regardless of which machine/platform any user is on. Roaming profiles on the windows network, and even Sun stations can share the same pam database for authentication and nss information - all works very well, and has suited us perfectly. We are currently using either LAM (Ldap Account Manager - http://lam.sf.net/ ), or manual ldap insert/delete/modify commands to administer our users. LAM takes about ten minutes to set up and get going, and even less to figure out and work with; it gives the ability to control Unix, Posix, Samba, and other attributes of any user, group, domain, or domain-machine (host) account. Anyhow, just my two cents - but you should take a look into something like LAM to save you time. (I know there are other utilities/user managers, one in particular we tried which runs from X-win... But we found the simplicity of LAM to be key.)

Here's an example of how to configure samba to use smbldap-tools' password script:

    ldap passwd sync = yes
    passwd program = /server/bin/smbldap-tools/smbldap-passwd.pl -u %u
    passwd chat = "Changing password for*\nNew Password*" %n\n "*Retype new password*" %n\n

--
Nathan Vidican
[EMAIL PROTECTED]
Windsor Match Plate & Tool Ltd.
http://www.wmplt.com/

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Zeng
Sent: Thursday, March 03, 2005 7:59 PM
To: [EMAIL PROTECTED]
Cc: [email protected]
Subject: Re: [Samba] samba failed to authenticate to openLDAP

Paul and Craig,

I finally got it working. The reason it failed before is the way I built the LDAP DIT. I also found a problem in the smbldap-populate script which I will describe below.
Here is what I did:

1) run configure.pl

2) edit smbldap-populate and change the following line:

       my ($organisation,$ext) = ($config{suffix} =~ m/dc=(.*),dc=(.*)$/);

   to:

       my ($organisation,$ext) = ($config{suffix} =~ m/dc=(.*)$/);

   The reason is I only have a single name for my domain, i.e. "dc=mfelc", but the perl script supposes we have exactly two names, for example dc=idealx,dc=org. It also won't work if you have three names in your domain (dc=mydept,dc=mycompany,dc=com).

3) run smbldap-populate; it works perfectly to build the DIT

4) use smbldap-migrate-unix-accounts to migrate NIS accounts

5) use smbldap-migrate-unix-groups to migrate NIS groups

This time when I used smbclient with a NIS account, the log showed wrong password. So I ran smbpasswd to give this account a new samba password and ran smbclient again; it works.

There are two problems here:

1) how to migrate NIS hosts into LDAP?

2) I checked the LDAP attributes and found three password fields:

       SambaLMPassword
       SambaNTPassword
       userPassword

   How can I sync them so that I don't have to keep two or more passwords for one user account?

Best Regards,
Steve

> Paul,
>
> I downloaded smbldap-tools-0.8.7 and tried the following:
>
> 1) run configure.pl
>
> 2) initialize LDAP base and then start LDAP server
>        dn: dc=mfelc
>        dc: mfelc
>        objectClass: top
>        objectClass: domain
>
> 3) run smbldap-populate
>
> 4) run the following migration tool to import users from NIS:
>        smbldap-migrate-unix-accounts -a -P /tmp/passwd.nis
>
> 5) run the following migration tool to import groups from NIS:
>        smbldap-migrate-unix-groups -a -G /tmp/group.nis
>
> 6) smbldap-useradd -a -m testuser1
>    smbldap-passwd testuser1
>
> 7) smbclient //enzo/testuser1 -U testuser1
>
> got the following errors:
> -------------------------------------
> User testuser1 in passdb, but getpwnam() fails!
> [2005/03/01 18:12:11, 5] auth/auth_util.c:free_server_info(1344)
>   attempting to free (and zero) a server_info structure
> [2005/03/01 18:12:11, 0] auth/auth_sam.c:check_sam_security(306)
>   check_sam_security: make_server_info_sam() failed with 'NT_STATUS_NO_SUCH_USER'
> [2005/03/01 18:12:11, 5] auth/auth.c:check_ntlm_password(271)
>   check_ntlm_password: sam authentication for user [testuser1] FAILED with error NT_STATUS_NO_SUCH_USER
> [2005/03/01 18:12:11, 3] auth/auth_winbind.c:check_winbind_security(80)
>   check_winbind_security: Not using winbind, requested domain [TESTDM] was for this SAM.
> [2005/03/01 18:12:11, 10] auth/auth.c:check_ntlm_password(259)
>   check_ntlm_password: winbind had nothing to say
> [2005/03/01 18:12:11, 2] auth/auth.c:check_ntlm_password(312)
>   check_ntlm_password: Authentication for user [testuser1] -> [testuser1] FAILED with error NT_STATUS_NO_SUCH_USER
> --------------------------------------------------
>
> No idea what is missing. Thanks a lot for any hints.
>
> Steve
>
>> Judicious snippage, post at the bottom.
>>
>>> I tried to let Samba authenticate against LDAP but could not figure
>>> out how to build the LDAP tree for Samba.
>>>
>>> Fedora core 2
>>> Samba 3.0.10
>>> OpenLDAP 2.1.29
>>>
>>> dc=mydomain
>>> |
>>> `--- ou=People : to store user accounts for Unix and Windows
>>> |
>>> `--- ou=Hosts  : to store computer accounts for UNIX & Windows
>>> |
>>> `--- ou=Groups : to store system groups for Unix and Windows
>>>
>>> What I did was:
>>
>>>     [global]
>>>         workgroup = TESTDM
>>>         passdb backend = ldapsam:ldap://10.10.0.101/
>>>         log level = 1 passdb:8 auth:8
>>>         domain logons = Yes
>>>         wins support = Yes
>>>         ldap admin dn = cn=root,dc=mydomain
>>>         ldap delete dn = Yes
>>>         ldap group suffix = ou=Group
>>>         ldap machine suffix = ou=Hosts
>>>         ldap user suffix = ou=People
>>>         ldap suffix = dc=mfelc
>>>         ldap passwd sync = Yes
>>>         ldap ssl = no
>>>
>>> 3) start Samba server
>>>
>>> 4) run smbclient //smbserver -U myid
>>>     Password:
>>>     session setup failed: NT_STATUS_LOGON_FAILURE
>>
>>> Attached is the smbd.log; I deleted the normal log and kept the failed
>>> messages as below:
>>>     check_sam_security: Couldn't find user 'szeng' in passdb file.
>>>     auth/auth.c:check_ntlm_password(271)
>>>     check_ntlm_password: sam authentication for user [szeng] FAILED
>>>     with error NT_STATUS_NO_SUCH_USER
>>
>>> Is there anybody who might have some idea of what is wrong?
>>
>> Yep. You did nothing to create the samba attributes that will have to
>> exist in each user account for the users to log in. I suggest you
>> read the documentation on setting up an LDAP/PDC system that is on
>> the samba.org web site. You've missed quite a few steps here, so you may
>> want to read it through to get a complete idea. Your solution is
>> going to include the following:
>>
>> 1. Obtain and configure the smbldap-tools package.
>> 2. Run the smbldap-populate script.
>> 3. Make sure you've got a sambaDomain (I think that's the object type)
>>    in the base of your DIT.
>> 4. Join the machine to the domain (since you appear to want a domain
>>    setup).
>> 4. Add samba attributes to each user's account.
>>
>> Yes there are 2 #4 entries. Doesn't matter which one comes first. As
>> far as I can remember, those will be the critical steps to not miss.
>> If you've followed the documentation and not done those steps, you've
>> missed something.
>>
>

--
Regards,
Steve Zeng
Systems Administrator
Mainframe Entertainment Inc
T: (604) 628-1000 ext 5293

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba
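The password-sync question in the thread (three stored forms: sambaLMPassword, sambaNTPassword, userPassword) comes down to deriving every stored form from the same cleartext in a single LDAP modify, which is what Samba's passwd program hook exists for. The following is an added example, not code from this thread or from smbldap-tools, showing what such a sync step has to produce: sambaNTPassword is an unsalted MD4 over the UTF-16LE password (so it is a password-equivalent and the LDAP ACL on it must be as tight as on userPassword), userPassword is an OpenLDAP {SSHA} value, and both are written in one modify together with sambaPwdLastSet. MD4 is implemented inline because hashlib's md4 is a "legacy" algorithm that OpenSSL 3 builds often refuse. The LM hash needs DES and is deliberately not computed; instead the modify replaces sambaLMPassword with no values, so a stale LM hash from a previous password cannot keep authenticating. The DN uid=testuser1,ou=People,dc=mfelc follows the ou=People layout from the thread; the cleartext, salt and timestamp are constructed values.

```python
"""Derive Samba/OpenLDAP password attributes from one cleartext (added example)."""
import base64
import hashlib
import os
import struct
import time

MASK = 0xFFFFFFFF


def _rotl(x, s):
    return ((x << s) | (x >> (32 - s))) & MASK


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 per RFC 1320 (hashlib's md4 is often unavailable)."""
    # Padding: 0x80, zeros to 56 mod 64, then the 64-bit little-endian bit length.
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)

    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    k2 = [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]
    k3 = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]

    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for i in range(16):  # round 1: F(b,c,d) = (b & c) | (~b & d)
            f = (b & c) | (~b & d)
            a = _rotl((a + f + x[i]) & MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2: majority function, constant 0x5A827999
            g = (b & c) | (b & d) | (c & d)
            a = _rotl((a + g + x[k2[i]] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3: xor, constant 0x6ED9EBA1
            h = b ^ c ^ d
            a = _rotl((a + h + x[k3[i]] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        state = [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """sambaNTPassword: MD4 over UTF-16LE, no salt, 32 uppercase hex digits.
    Unsalted means the stored value is itself a credential; protect it like
    userPassword in the slapd ACLs."""
    return md4(password.encode("utf-16-le")).hex().upper()


def ssha(password: str, salt: bytes) -> str:
    """userPassword in OpenLDAP {SSHA} form: base64(sha1(pw || salt) || salt)."""
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(password.encode("utf-8") + salt).digest() == digest


def password_sync_ldif(dn: str, password: str, salt=None, now=None) -> str:
    """One LDIF modify that sets every stored form from the same cleartext.
    sambaLMPassword is replaced with an empty value set (removed if present):
    the LM hash is not derived here, and a stale one would otherwise still
    be usable for LANMAN authentication."""
    salt = salt if salt is not None else os.urandom(8)
    now = now if now is not None else int(time.time())
    return (
        f"dn: {dn}\n"
        "changetype: modify\n"
        f"replace: userPassword\nuserPassword: {ssha(password, salt)}\n-\n"
        f"replace: sambaNTPassword\nsambaNTPassword: {nt_hash(password)}\n-\n"
        "replace: sambaLMPassword\n-\n"
        f"replace: sambaPwdLastSet\nsambaPwdLastSet: {now}\n-\n"
    )


if __name__ == "__main__":
    # Constructed values; the DN follows the ou=People layout from the thread.
    print(password_sync_ldif("uid=testuser1,ou=People,dc=mfelc", "Wint3r-2005"))
```

The printed LDIF can be fed to ldapmodify as the ldap admin dn. Doing all four attributes in one modify is the point: a tool that migrates only userPassword (as a NIS import does) or only the samba hashes leaves the two login paths out of step, which is the "wrong password" seen after smbldap-migrate-unix-accounts.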
